From a7d613b89f48e005a863ee7ac884d45b64173c3a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 31 May 2023 11:29:55 +0800 Subject: [PATCH 0001/1014] reopen for 42 dev (#8993) --- .github/actions/cache/action.yml | 2 +- CHANGELOG.rst | 8 ++++++++ pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 6 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 9b0c9271300d..cb6cc54e4a2b 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -47,7 +47,7 @@ runs: ~/.cargo/registry/cache/ src/rust/target/ ${{ inputs.additional-paths }} - key: cargo-pip-${{ runner.os }}-${{ runner.arch }}-${{ steps.normalized-key.outputs.key }}-6-${{ hashFiles('**/Cargo.lock', '**/*.rs') }}-${{ steps.rust-version.version }} + key: cargo-pip-${{ runner.os }}-${{ runner.arch }}-${{ steps.normalized-key.outputs.key }}-7-${{ hashFiles('**/Cargo.lock', '**/*.rs') }}-${{ steps.rust-version.version }} - name: Size of cache items run: | du -sh ~/.cargo/registry/index/ diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 95e2ab25c0d9..f023bcb89782 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,14 @@ Changelog ========= +.. _v42-0-0: + +42.0.0 - `main`_ +~~~~~~~~~~~~~~~~ + +.. note:: This version is not yet released and is under active development. + + .. _v41-0-0: 41.0.0 - 2023-05-30 diff --git a/pyproject.toml b/pyproject.toml index c9de27381328..c1701cbdbaf5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "41.0.0" +version = "42.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index b66e23c606ba..f9f2823b87a7 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "41.0.0" +__version__ = "42.0.0.dev1" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 6030fab339b0..bc114b667491 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "41.0.0" +__version__ = "42.0.0.dev1" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 44d517f0560e..8540516ace1a 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography_vectors" -version = "41.0.0" +version = "42.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From dc7330e9f071d510227e625dfe134297276ef095 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 May 2023 23:30:02 -0400 Subject: [PATCH 0002/1014] Bump BoringSSL and/or OpenSSL in CI (#8992) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c0fe786454e4..49f881ad2c10 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of May 27, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0a026f8541c551854efd617021bb276f1fe5c23"}} - # Latest commit on the OpenSSL master branch, as of May 30, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36424806d699233b9a90a3a97fff3011828e2548"}} + # Latest commit on the OpenSSL master branch, as of May 31, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a1c8edcfc907a84d2595bc52ea7a43f4b33c7339"}} # Builds with various Rust versions. Includes MSRV and potential # future MSRV: # 1.60 - pem 2.0.1 From 799fe35495c20c8933ffe794154ac2419adab36f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 May 2023 12:17:17 -0400 Subject: [PATCH 0003/1014] Bump rich from 13.3.5 to 13.4.0 (#8997) Bumps [rich](https://github.com/Textualize/rich) from 13.3.5 to 13.4.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.3.5...v13.4.0) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 009faa5e0bdc..940ca409bb52 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.3.5 +rich==13.4.0 # via twine ruff==0.0.270 # via cryptography (pyproject.toml) From b1cfa3adef986ef3466b080263911e8d79ec6141 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 31 May 2023 16:27:10 -0400 Subject: [PATCH 0004/1014] pyo3 0.19 (#8999) * Bump pyo3 from 0.18.3 to 0.19.0 in /src/rust Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.18.3 to 0.19.0. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.18.3...v0.19.0) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * pyo3 0.19 --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 24 ++++++++++++------------ src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/extensions.rs | 2 +- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 47d972ff46ff..af6b9fa14018 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -147,9 +147,9 @@ dependencies = [ [[package]] name = "memoffset" -version = "0.8.0" +version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d61c719bcfbcf5d62b3a09efa6088de8c54bc0bfcd3ea7ae39fcc186108b8de1" +checksum = "5a634b1c61a95585bd15607c6ab0c4e5b226e695ff2800ba0cdccddf208c406c" dependencies = [ "autocfg", ] @@ -294,9 +294,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.18.3" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3b1ac5b3731ba34fdaa9785f8d74d17448cd18f30cf19e0c7e7b1fdb5272109" +checksum = "cffef52f74ec3b1a1baf295d9b8fcc3070327aefc39a6d00656b13c1d0b8885c" dependencies = [ "cfg-if", "indoc", @@ -311,9 +311,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.18.3" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9cb946f5ac61bb61a5014924910d936ebd2b23b705f7a4a3c40b05c720b079a3" +checksum = "713eccf888fb05f1a96eb78c0dbc51907fee42b3377272dc902eb38985f418d5" dependencies = [ "once_cell", "target-lexicon", @@ -321,9 +321,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.18.3" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd4d7c5337821916ea2a1d21d1092e8443cf34879e53a0ac653fbb98f44ff65c" +checksum = "5b2ecbdcfb01cbbf56e179ce969a048fd7305a66d4cdf3303e0da09d69afe4c3" dependencies = [ "libc", "pyo3-build-config", @@ -331,9 +331,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.18.3" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9d39c55dab3fc5a4b25bbd1ac10a2da452c4aca13bb450f22818a002e29648d" +checksum = "b78fdc0899f2ea781c463679b20cb08af9247febc8d052de941951024cd8aea0" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -343,9 +343,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.18.3" +version = "0.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97daff08a4c48320587b5224cc98d609e3c27b6d437315bd40b605c98eeb5918" +checksum = "60da7b84f1227c3e2fe7593505de274dcf4c8928b4e0a1c23d551a14e4e80a0f" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 2ca1d79d6802..5dae7b94b890 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.56.0" [dependencies] once_cell = "1" -pyo3 = { version = "0.18", features = ["abi3-py37"] } +pyo3 = { version = "0.19", features = ["abi3-py37"] } asn1 = { version = "0.15.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 65051c2a4627..24e53991b47b 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.56.0" [dependencies] -pyo3 = { version = "0.18", features = ["abi3-py37"] } +pyo3 = { version = "0.19", features = ["abi3-py37"] } openssl-sys = "0.9.88" [build-dependencies] diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 92301503563f..1380d6eb86b5 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -145,7 +145,7 @@ impl CertificateRevocationList { revoked_certs }); - if idx.is_instance_of::()? { + if idx.is_instance_of::() { let indices = idx .downcast::()? .indices(self.len().try_into().unwrap())?; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 98d1bd63b910..dcf28833f17f 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -211,7 +211,7 @@ fn encode_certificate_policies( let mut qualifiers = vec![]; for py_qualifier in py_policy_qualifiers.iter()? { let py_qualifier = py_qualifier?; - let qualifier = if py_qualifier.is_instance_of::()? { + let qualifier = if py_qualifier.is_instance_of::() { let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) { Some(s) => s, None => { From 8d07486ac7665f414575d3a9856eef8a7f5849d3 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 1 Jun 2023 09:05:42 +0800 Subject: [PATCH 0005/1014] Bump BoringSSL and/or OpenSSL in CI (#9003) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 49f881ad2c10..30eb622ec087 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of May 27, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0a026f8541c551854efd617021bb276f1fe5c23"}} - # Latest commit on the OpenSSL master branch, as of May 31, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a1c8edcfc907a84d2595bc52ea7a43f4b33c7339"}} + # Latest commit on the BoringSSL master branch, as of Jun 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "55b069de8d3ed53fe578fde5c15499cc4c177af5"}} + # Latest commit on the OpenSSL master branch, as of Jun 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bc07d371865095643ec4f7190f26b174830a2f02"}} # Builds with various Rust versions. Includes MSRV and potential # future MSRV: # 1.60 - pem 2.0.1 From 1355c2e4600ca1924855cc12136b54cf075c38cf Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Jun 2023 11:21:28 +0800 Subject: [PATCH 0006/1014] tolerate NULL params in ECDSA SHA2 AlgorithmIdentifier (#9002) * tolerate NULL params in ECDSA SHA2 AlgorithmIdentifier Java 11 does this incorrectly. It was fixed in Java16+ and they are planning to do a backport, but we'll need to tolerate this invalid encoding for a while. * test both inner and outer --- docs/development/test-vectors.rst | 2 + src/rust/cryptography-x509/src/common.rs | 12 +++-- src/rust/src/x509/certificate.rs | 30 ++++++++++++- src/rust/src/x509/sign.rs | 44 ++++++++++++------- tests/x509/test_x509.py | 15 +++++++ .../x509/custom/ecdsa_null_alg.pem | 9 ++++ 6 files changed, 91 insertions(+), 21 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/ecdsa_null_alg.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 56bc9361c555..3e54c40ae43d 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -499,6 +499,8 @@ Custom X.509 Vectors * ``rsa_pss_sha256_no_null.pem`` - A certificate with an RSA PSS signature with no encoded ``NULL`` for the PSS hash algorithm parameters. This certificate was generated by LibreSSL. +* ``ecdsa_null_alg.pem`` - A certificate with an ECDSA signature with ``NULL`` + algorithm parameters. This encoding is invalid, but was generated by Java 11. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 466d4b5bd179..a882d985e9cb 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -45,14 +45,18 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::ED448_OID)] Ed448, + // These ECDSA algorithms should have no parameters, + // but Java 11 (up to at least 11.0.19) encodes them + // with NULL parameters. The JDK team is looking to + // backport the fix as of June 2023. #[defined_by(oid::ECDSA_WITH_SHA224_OID)] - EcDsaWithSha224, + EcDsaWithSha224(Option), #[defined_by(oid::ECDSA_WITH_SHA256_OID)] - EcDsaWithSha256, + EcDsaWithSha256(Option), #[defined_by(oid::ECDSA_WITH_SHA384_OID)] - EcDsaWithSha384, + EcDsaWithSha384(Option), #[defined_by(oid::ECDSA_WITH_SHA512_OID)] - EcDsaWithSha512, + EcDsaWithSha512(Option), #[defined_by(oid::ECDSA_WITH_SHA3_224_OID)] EcDsaWithSha3_224, diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 3446bbbbb604..9204d730ba03 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -8,7 +8,7 @@ use crate::asn1::{ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{extensions, sct, sign}; use crate::{exceptions, x509}; -use cryptography_x509::common::Asn1ReadableOrWritable; +use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; use cryptography_x509::extensions::Extension; use cryptography_x509::extensions::{ AuthorityKeyIdentifier, BasicConstraints, DisplayText, DistributionPoint, @@ -391,6 +391,10 @@ fn load_der_x509_certificate( // determine if the serial is negative and raise a warning if it is. We want to drop support // for this sort of invalid encoding eventually. warn_if_negative_serial(py, raw.borrow_value().tbs_cert.serial.as_bytes())?; + // determine if the signature algorithm has incorrect parameters and raise a warning if it + // does. this is a bug in JDK11 and we want to drop support for it eventually. + warn_if_invalid_ecdsa_params(py, raw.borrow_value().signature_alg.params.clone())?; + warn_if_invalid_ecdsa_params(py, raw.borrow_value().tbs_cert.signature_alg.params.clone())?; Ok(Certificate { raw, @@ -413,6 +417,30 @@ fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyRes Ok(()) } +fn warn_if_invalid_ecdsa_params( + py: pyo3::Python<'_>, + params: AlgorithmParameters<'_>, +) -> pyo3::PyResult<()> { + match params { + AlgorithmParameters::EcDsaWithSha224(Some(..)) + | AlgorithmParameters::EcDsaWithSha256(Some(..)) + | AlgorithmParameters::EcDsaWithSha384(Some(..)) + | AlgorithmParameters::EcDsaWithSha512(Some(..)) => { + let cryptography_warning = py + .import(pyo3::intern!(py, "cryptography.utils"))? + .getattr(pyo3::intern!(py, "DeprecatedIn41"))?; + pyo3::PyErr::warn( + py, + cryptography_warning, + "The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK16+ or the latest JDK11 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 for more details.", + 2, + )?; + } + _ => {} + } + Ok(()) +} + fn parse_display_text( py: pyo3::Python<'_>, text: DisplayText<'_>, diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index b3a799b8cb01..4b03a2d9ab8e 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -234,19 +234,19 @@ pub(crate) fn compute_signature_algorithm<'p>( (KeyType::Ec, HashType::Sha224) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::EcDsaWithSha224, + params: common::AlgorithmParameters::EcDsaWithSha224(None), }), (KeyType::Ec, HashType::Sha256) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::EcDsaWithSha256, + params: common::AlgorithmParameters::EcDsaWithSha256(None), }), (KeyType::Ec, HashType::Sha384) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::EcDsaWithSha384, + params: common::AlgorithmParameters::EcDsaWithSha384(None), }), (KeyType::Ec, HashType::Sha512) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::EcDsaWithSha512, + params: common::AlgorithmParameters::EcDsaWithSha512(None), }), (KeyType::Ec, HashType::Sha3_224) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -483,10 +483,10 @@ fn identify_key_type_for_algorithm_params( | common::AlgorithmParameters::RsaWithSha3_384(..) | common::AlgorithmParameters::RsaWithSha3_512(..) | common::AlgorithmParameters::RsaPss(..) => Ok(KeyType::Rsa), - common::AlgorithmParameters::EcDsaWithSha224 - | common::AlgorithmParameters::EcDsaWithSha256 - | common::AlgorithmParameters::EcDsaWithSha384 - | common::AlgorithmParameters::EcDsaWithSha512 + common::AlgorithmParameters::EcDsaWithSha224(..) + | common::AlgorithmParameters::EcDsaWithSha256(..) + | common::AlgorithmParameters::EcDsaWithSha384(..) + | common::AlgorithmParameters::EcDsaWithSha512(..) | common::AlgorithmParameters::EcDsaWithSha3_224 | common::AlgorithmParameters::EcDsaWithSha3_256 | common::AlgorithmParameters::EcDsaWithSha3_384 @@ -616,10 +616,10 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( .call0()?; Ok(pkcs) } - common::AlgorithmParameters::EcDsaWithSha224 - | common::AlgorithmParameters::EcDsaWithSha256 - | common::AlgorithmParameters::EcDsaWithSha384 - | common::AlgorithmParameters::EcDsaWithSha512 + common::AlgorithmParameters::EcDsaWithSha224(_) + | common::AlgorithmParameters::EcDsaWithSha256(_) + | common::AlgorithmParameters::EcDsaWithSha384(_) + | common::AlgorithmParameters::EcDsaWithSha512(_) | common::AlgorithmParameters::EcDsaWithSha3_224 | common::AlgorithmParameters::EcDsaWithSha3_256 | common::AlgorithmParameters::EcDsaWithSha3_384 @@ -682,10 +682,22 @@ mod tests { &common::AlgorithmParameters::RsaWithSha3_512(Some(())), KeyType::Rsa, ), - (&common::AlgorithmParameters::EcDsaWithSha224, KeyType::Ec), - (&common::AlgorithmParameters::EcDsaWithSha256, KeyType::Ec), - (&common::AlgorithmParameters::EcDsaWithSha384, KeyType::Ec), - (&common::AlgorithmParameters::EcDsaWithSha512, KeyType::Ec), + ( + &common::AlgorithmParameters::EcDsaWithSha224(None), + KeyType::Ec, + ), + ( + &common::AlgorithmParameters::EcDsaWithSha256(None), + KeyType::Ec, + ), + ( + &common::AlgorithmParameters::EcDsaWithSha384(None), + KeyType::Ec, + ), + ( + &common::AlgorithmParameters::EcDsaWithSha512(None), + KeyType::Ec, + ), (&common::AlgorithmParameters::EcDsaWithSha3_224, KeyType::Ec), (&common::AlgorithmParameters::EcDsaWithSha3_256, KeyType::Ec), (&common::AlgorithmParameters::EcDsaWithSha3_384, KeyType::Ec), diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 662cb9af2b8e..0bac1c271cfb 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5199,6 +5199,21 @@ def test_load_ecdsa_cert(self, backend): cert.signature_algorithm_parameters, ) + def test_load_ecdsa_cert_null_alg_params(self, backend): + """ + This test verifies that we successfully load certificates with encoded + null parameters in the signature AlgorithmIdentifier. This is invalid, + but Java 11 (up to at least 11.0.19) generates certificates with this + encoding so we need to tolerate it at the moment. + """ + with pytest.warns(utils.DeprecatedIn41): + cert = _load_cert( + os.path.join("x509", "custom", "ecdsa_null_alg.pem"), + x509.load_pem_x509_certificate, + ) + assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) + assert isinstance(cert.public_key(), ec.EllipticCurvePublicKey) + def test_load_bitstring_dn(self, backend): cert = _load_cert( os.path.join("x509", "scottishpower-bitstring-dn.pem"), diff --git a/vectors/cryptography_vectors/x509/custom/ecdsa_null_alg.pem b/vectors/cryptography_vectors/x509/custom/ecdsa_null_alg.pem new file mode 100644 index 000000000000..327ad553ae7f --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/ecdsa_null_alg.pem @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBNDCB2aADAgECAgRnI7YfMAwGCCqGSM49BAMCBQAwDzENMAsGA1UEAxMEdGVz +dDAeFw0yMzA1MzExMjI5MDNaFw0yNDA1MjUxMjI5MDNaMA8xDTALBgNVBAMTBHRl +c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2LuMFnF5OcuYcldiufvppacg2 +8fF/KeJ/4QLMOTbnkatgx5wNPOUvlkzfT31MscwYyzkv1oTqe58iQ+R75C27oyEw +HzAdBgNVHQ4EFgQUD6COpW8C9Ns86r2BDE0jP0teCTswDAYIKoZIzj0EAwIFAANI +ADBFAiBKOlNsFpW6Bz7CK7Z5zXrCetnMiSH3NrbKSZBXJV62KQIhAKmjGu3rxlJr +xXpK+Uz8AsoFJ0BlgqPpdMtTGSrDq1AN +-----END CERTIFICATE----- From 58e9cc18740e697ca5a0d0bc6942d511f74bab8c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Jun 2023 11:40:50 +0000 Subject: [PATCH 0007/1014] Bump openssl from 0.10.53 to 0.10.54 in /src/rust (#9004) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.53 to 0.10.54. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.53...openssl-v0.10.54) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index af6b9fa14018..6a07f6f19f22 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -162,9 +162,9 @@ checksum = "9670a07f94779e00908f3e686eab508878ebb390ba6e604d3a284c00e8d0487b" [[package]] name = "openssl" -version = "0.10.53" +version = "0.10.54" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12df40a956736488b7b44fe79fe12d4f245bb5b3f5a1f6095e499760015be392" +checksum = "69b3f656a17a6cbc115b5c7a40c616947d213ba182135b014d6051b73ab6f019" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 5dae7b94b890..9dd060f8b600 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -16,7 +16,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = "1.1" ouroboros = "0.15" -openssl = "0.10.53" +openssl = "0.10.54" openssl-sys = "0.9.88" foreign-types-shared = "0.1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 587a85909565..c85f406ae616 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.56.0" [dependencies] -openssl = "0.10.53" +openssl = "0.10.54" ffi = { package = "openssl-sys", version = "0.9.85" } foreign-types = "0.3" foreign-types-shared = "0.1" From 0cbf35ae8f1fd0009db5f99a100aa73c89d5a288 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Jun 2023 11:42:26 +0000 Subject: [PATCH 0008/1014] Bump rich from 13.4.0 to 13.4.1 (#9005) Bumps [rich](https://github.com/Textualize/rich) from 13.4.0 to 13.4.1. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.4.0...v13.4.1) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 940ca409bb52..0df4b6b48de8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.4.0 +rich==13.4.1 # via twine ruff==0.0.270 # via cryptography (pyproject.toml) From 22f53ee1bf84f7b6eb7a0ad824f9a657ff0aeac7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 1 Jun 2023 07:54:49 -0400 Subject: [PATCH 0009/1014] Added tests for NUL bytes in PKCS8 passphrases (#9001) --- tests/hazmat/primitives/test_ed25519.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/hazmat/primitives/test_ed25519.py b/tests/hazmat/primitives/test_ed25519.py index 4b47e0a1657f..2501f1cf1bb1 100644 --- a/tests/hazmat/primitives/test_ed25519.py +++ b/tests/hazmat/primitives/test_ed25519.py @@ -245,6 +245,13 @@ def test_invalid_public_bytes(self, backend): None, serialization.load_der_private_key, ), + ( + serialization.Encoding.DER, + serialization.PrivateFormat.PKCS8, + serialization.BestAvailableEncryption(b"\x00"), + b"\x00", + serialization.load_der_private_key, + ), ], ) def test_round_trip_private_serialization( From 2246aa977572de73cb38448d6bf1c75fce2a2942 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Jun 2023 20:33:05 +0800 Subject: [PATCH 0010/1014] port 41.0.1 changelog (#9009) --- CHANGELOG.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f023bcb89782..58a1e486d31a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,14 @@ Changelog .. note:: This version is not yet released and is under active development. +.. _v41-0-1: + +41.0.1 - 2023-06-01 +~~~~~~~~~~~~~~~~~~~ + +* Temporarily allow invalid ECDSA signature algorithm parameters in X.509 + certificates, which are generated by older versions of Java. +* Allow null bytes in pass phrases when serializing private keys. .. _v41-0-0: From bfe457df743680bc2bd07e245ebc6973e02c71d9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 1 Jun 2023 18:59:47 -0400 Subject: [PATCH 0011/1014] Rebuild cffi module if version changes (#9011) --- src/rust/cryptography-cffi/build.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 4a40990b9da4..07590ad2e593 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -27,6 +27,7 @@ fn main() { let python = env::var("PYO3_PYTHON").unwrap_or_else(|_| "python3".to_string()); println!("cargo:rerun-if-env-changed=PYO3_PYTHON"); println!("cargo:rerun-if-changed=../../_cffi_src/"); + println!("cargo:rerun-if-changed=../../cryptography/__about__.py"); let output = Command::new(&python) .env("OUT_DIR", &out_dir) .arg("../../_cffi_src/build_openssl.py") From 81238c8d14bf0eab0fb8b8715393f01c9dc8b009 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Jun 2023 00:26:44 +0000 Subject: [PATCH 0012/1014] Bump BoringSSL and/or OpenSSL in CI (#9012) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30eb622ec087..bf58a5f0f934 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "55b069de8d3ed53fe578fde5c15499cc4c177af5"}} - # Latest commit on the OpenSSL master branch, as of Jun 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bc07d371865095643ec4f7190f26b174830a2f02"}} + # Latest commit on the BoringSSL master branch, as of Jun 02, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "28c24092e39bfd70852afa2923a3d12d2e9be2f5"}} + # Latest commit on the OpenSSL master branch, as of Jun 02, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fc570b2605b8eb18c3903543aaf0234b1f698c8e"}} # Builds with various Rust versions. Includes MSRV and potential # future MSRV: # 1.60 - pem 2.0.1 From cb8c68fbe154c8ee8ba3c1babad33fc6c63882e1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 1 Jun 2023 22:36:12 -0400 Subject: [PATCH 0013/1014] always run the backend error checks (#9014) --- tests/conftest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/conftest.py b/tests/conftest.py index 0e128a16513e..d99bb76c1913 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -36,7 +36,7 @@ def pytest_runtest_setup(item): pytest.skip(marker.kwargs["reason"]) -@pytest.fixture() +@pytest.fixture(autouse=True) def backend(request): check_backend_support(openssl_backend, request) From 3dfb647c39d8979637264d34b095348518db2873 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Jun 2023 13:10:50 +0000 Subject: [PATCH 0014/1014] Bump typing-extensions from 4.6.2 to 4.6.3 (#9015) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.6.2 to 4.6.3. - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.6.2...4.6.3) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0df4b6b48de8..0a99bac434f3 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -179,7 +179,7 @@ tomli==2.0.1 # pytest twine==4.0.2 # via cryptography (pyproject.toml) -typing-extensions==4.6.2 +typing-extensions==4.6.3 # via mypy urllib3==2.0.2 # via From 88b0ed7242ad628e1120ad2cd1c77501bb6bffdd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 3 Jun 2023 00:17:00 +0000 Subject: [PATCH 0015/1014] Bump BoringSSL and/or OpenSSL in CI (#9018) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bf58a5f0f934..84731fda8aa1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 02, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "28c24092e39bfd70852afa2923a3d12d2e9be2f5"}} - # Latest commit on the OpenSSL master branch, as of Jun 02, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fc570b2605b8eb18c3903543aaf0234b1f698c8e"}} + # Latest commit on the BoringSSL master branch, as of Jun 03, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0341041b03ea71d8371a9692aedae263fc06ee9"}} + # Latest commit on the OpenSSL master branch, as of Jun 03, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "26baecb28ce461696966dac9ac889629db0b3b96"}} # Builds with various Rust versions. Includes MSRV and potential # future MSRV: # 1.60 - pem 2.0.1 From 9db5126d0796fc08cb52db26c1a1c5448d8285b0 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sat, 3 Jun 2023 12:07:53 -0400 Subject: [PATCH 0016/1014] Slightly simplify build_openssl.sh (#9020) CMake 3.13 or later has a -B option which is much less tedious than making the build directory ahead of time and cd-ing. (I don't know what CMake versions your CI runs on, so it's possible this won't work.) --- .github/workflows/build_openssl.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index 42357abae9fc..c7855a7f3278 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -72,13 +72,10 @@ elif [[ "${TYPE}" == "boringssl" ]]; then git clone https://boringssl.googlesource.com/boringssl pushd boringssl git checkout "${VERSION}" - mkdir build - pushd build - cmake .. -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" - make -j"$(nproc)" - make install + cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" + make -C build -j"$(nproc)" + make -C build install # delete binaries we don't need rm -rf "${OSSL_PATH}/bin" popd - popd fi From 5b4d0b7591c732e144f8f5a7968a27e8e19ea1d8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 3 Jun 2023 21:15:24 -0400 Subject: [PATCH 0017/1014] Bump BoringSSL and/or OpenSSL in CI (#9021) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 84731fda8aa1..3108de3aa359 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jun 03, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0341041b03ea71d8371a9692aedae263fc06ee9"}} - # Latest commit on the OpenSSL master branch, as of Jun 03, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "26baecb28ce461696966dac9ac889629db0b3b96"}} + # Latest commit on the OpenSSL master branch, as of Jun 04, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4c56539cb338f1583289f93379ee254b45b66568"}} # Builds with various Rust versions. Includes MSRV and potential # future MSRV: # 1.60 - pem 2.0.1 From c10618135daae4ddd812d86e8844416740c872f7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 07:20:47 -0400 Subject: [PATCH 0018/1014] Attempt to use sccache (#8896) --- .github/actions/cache/action.yml | 10 +++------- .github/actions/mtime-fix/action.yml | 26 -------------------------- .github/workflows/ci.yml | 21 +++------------------ 3 files changed, 6 insertions(+), 51 deletions(-) delete mode 100644 .github/actions/mtime-fix/action.yml diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index cb6cc54e4a2b..15361a6b166f 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -19,10 +19,6 @@ runs: using: "composite" steps: - - name: Get rust version - id: rust-version - run: echo "version=$(rustc --version | sha256sum | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT - shell: bash - name: Get pip cache dir id: pip-cache run: | @@ -45,13 +41,13 @@ runs: ${{ steps.pip-cache.outputs.dir }} ~/.cargo/registry/index/ ~/.cargo/registry/cache/ - src/rust/target/ ${{ inputs.additional-paths }} - key: cargo-pip-${{ runner.os }}-${{ runner.arch }}-${{ steps.normalized-key.outputs.key }}-7-${{ hashFiles('**/Cargo.lock', '**/*.rs') }}-${{ steps.rust-version.version }} + key: cargo-pip-${{ runner.os }}-${{ runner.arch }}-${{ steps.normalized-key.outputs.key }}-7 - name: Size of cache items run: | du -sh ~/.cargo/registry/index/ du -sh ~/.cargo/registry/cache/ - du -sh src/rust/target/ shell: bash if: ${{ steps.cache.outputs.cache-hit }} + - name: Run sccache-cache + uses: mozilla-actions/sccache-action@8417cffc2ec64127ad83077aceaa8631f7cdc83e diff --git a/.github/actions/mtime-fix/action.yml b/.github/actions/mtime-fix/action.yml deleted file mode 100644 index 42779037ce87..000000000000 --- a/.github/actions/mtime-fix/action.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: Fix mtime -description: Fixes mtime so cargo will reuse caches more effectively - -runs: - using: "composite" - - steps: - - run: | - GIT_WORKS=$(git rev-parse --is-inside-work-tree 2>/dev/null || true) - if [ "$GIT_WORKS" != "true" ]; then - echo "The git available is probably too old so checkout didn't create a real git clone, skipping mtime fix" - exit 0 - fi - ls -Rla src/rust src/_cffi_src - echo "Verifying commits are monotonic because if they're not caching gets wrecked" - COMMIT_ORDER=$(git log --pretty=format:%cd --date=format-local:%Y%m%d%H%M.%S -5) - SORTED_COMMIT_ORDER=$(git log --pretty=format:%cd --date=format-local:%Y%m%d%H%M.%S -5 | sort -rn) - if [ "$COMMIT_ORDER" != "$SORTED_COMMIT_ORDER" ]; then - echo "Commits are not monotonic, git may have changed how date formatting works" - exit 1 - fi - echo "Setting mtimes for dirs" - for f in $(git ls-tree -t -r --name-only HEAD src/rust src/_cffi_src); do touch -t $(git log --pretty=format:%cd --date=format-local:%Y%m%d%H%M.%S -1 HEAD -- "$f") "$f"; done - echo "Done" - ls -Rla src/rust src/_cffi_src - shell: bash diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3108de3aa359..90406aebe3c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,6 +18,9 @@ concurrency: env: CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse + SCCACHE_GHA_ENABLED: "true" + RUSTC_WRAPPER: "sccache" + CARGO_INCREMENTAL: 0 jobs: linux: @@ -59,9 +62,6 @@ jobs: timeout-minutes: 3 with: persist-credentials: false - fetch-depth: 0 - - name: set mtimes for rust dirs - uses: ./.github/actions/mtime-fix - name: Setup python id: setup-python uses: actions/setup-python@v4.6.1 @@ -179,12 +179,6 @@ jobs: timeout-minutes: 3 with: persist-credentials: false - fetch-depth: 0 - - name: git config shenanigans - run: | - git config --global --add safe.directory $(pwd) # needed for the mtime fix since git doesn't think it owns the files due to being in containers - - name: set mtimes for rust dirs - uses: ./.github/actions/mtime-fix - name: Cache rust and pip uses: ./.github/actions/cache timeout-minutes: 2 @@ -236,9 +230,6 @@ jobs: timeout-minutes: 3 with: persist-credentials: false - fetch-depth: 0 - - name: set mtimes for rust dirs - uses: ./.github/actions/mtime-fix - name: Cache rust and pip uses: ./.github/actions/cache timeout-minutes: 2 @@ -301,9 +292,6 @@ jobs: timeout-minutes: 3 with: persist-credentials: false - fetch-depth: 0 - - name: set mtimes for rust dirs - uses: ./.github/actions/mtime-fix - name: Setup python id: setup-python uses: actions/setup-python@v4.6.1 @@ -375,9 +363,6 @@ jobs: timeout-minutes: 3 with: persist-credentials: false - fetch-depth: 0 - - name: set mtimes for rust dirs - uses: ./.github/actions/mtime-fix - name: Cache rust and pip uses: ./.github/actions/cache timeout-minutes: 2 From 180fa051b15384619732cb5dacdbe2d0ada9ca48 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 4 Jun 2023 17:09:39 -0400 Subject: [PATCH 0019/1014] Fix linkcheck (#9022) --- .github/workflows/linkcheck.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 9a11f2a9fc70..b796a0e67284 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -10,6 +10,9 @@ permissions: env: CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse + SCCACHE_GHA_ENABLED: "true" + RUSTC_WRAPPER: "sccache" + CARGO_INCREMENTAL: 0 jobs: docs-linkcheck: @@ -21,9 +24,6 @@ jobs: - uses: actions/checkout@v3.5.2 with: persist-credentials: false - fetch-depth: 0 - - name: set mtimes for rust dirs - uses: ./.github/actions/mtime-fix - name: Setup python id: setup-python uses: actions/setup-python@v4.6.1 From 413e0734636f799d7c72b88b0d556bf80330c4c6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 5 Jun 2023 00:18:52 +0000 Subject: [PATCH 0020/1014] Bump BoringSSL and/or OpenSSL in CI (#9025) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 90406aebe3c3..47957a9b5862 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,8 +47,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jun 03, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0341041b03ea71d8371a9692aedae263fc06ee9"}} - # Latest commit on the OpenSSL master branch, as of Jun 04, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4c56539cb338f1583289f93379ee254b45b66568"}} + # Latest commit on the OpenSSL master branch, as of Jun 05, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "80935bf5ad309bf6c03591acf1d48fe1db57b78f"}} # Builds with various Rust versions. Includes MSRV and potential # future MSRV: # 1.60 - pem 2.0.1 From c4fd4bb71c9f615a4f02eba424a78b04c17a9a74 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Jun 2023 08:30:12 +0000 Subject: [PATCH 0021/1014] Bump libc from 0.2.144 to 0.2.145 in /src/rust (#9026) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.144 to 0.2.145. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.144...0.2.145) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6a07f6f19f22..6f5ddd10108f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -131,9 +131,9 @@ checksum = "bfa799dd5ed20a7e349f3b4639aa80d74549c81716d9ec4f994c9b5815598306" [[package]] name = "libc" -version = "0.2.144" +version = "0.2.145" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b00cc1c228a6782d0f076e7b232802e0c5689d41bb5df366f2a6b6621cfdfe1" +checksum = "fc86cde3ff845662b8f4ef6cb50ea0e20c524eb3d29ae048287e06a1b3fa6a81" [[package]] name = "lock_api" From 3594d9ef3e5af8bc877d9b8a172b1f54892fc2d4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Jun 2023 08:33:56 +0000 Subject: [PATCH 0022/1014] Bump markupsafe from 2.1.2 to 2.1.3 (#9028) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/markupsafe/compare/2.1.2...2.1.3) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0a99bac434f3..18c41ceaf0b2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -62,7 +62,7 @@ keyring==23.13.1 # via twine markdown-it-py==2.2.0 # via rich -markupsafe==2.1.2 +markupsafe==2.1.3 # via jinja2 mdurl==0.1.2 # via markdown-it-py From 04c7050362b1640f4c1bb7670cd4d2ec4892d6b0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 5 Jun 2023 07:54:32 -0400 Subject: [PATCH 0023/1014] Added once_cell 1.18.0 to things that require Rust 1.60 (#9031) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 47957a9b5862..d1822ffd1680 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "80935bf5ad309bf6c03591acf1d48fe1db57b78f"}} # Builds with various Rust versions. Includes MSRV and potential # future MSRV: - # 1.60 - pem 2.0.1 + # 1.60 - pem 2.0.1, once_cell 1.18.0 - {VERSION: "3.11", NOXSESSION: "tests-nocoverage", RUST: "1.56.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.60.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "beta"} From 8b18199d4ee16cc0a66c6f91b5014a11b30ca193 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 5 Jun 2023 08:07:43 -0400 Subject: [PATCH 0024/1014] Remove now-unused DSA bindings (#9032) --- src/_cffi_src/openssl/dsa.py | 8 -------- src/_cffi_src/openssl/pem.py | 4 ---- src/_cffi_src/openssl/x509.py | 1 - 3 files changed, 13 deletions(-) diff --git a/src/_cffi_src/openssl/dsa.py b/src/_cffi_src/openssl/dsa.py index d91076393582..2188939948ed 100644 --- a/src/_cffi_src/openssl/dsa.py +++ b/src/_cffi_src/openssl/dsa.py @@ -16,15 +16,7 @@ int DSA_generate_key(DSA *); DSA *DSA_new(void); void DSA_free(DSA *); -DSA *DSAparams_dup(DSA *); -int DSA_size(const DSA *); -int DSA_sign(int, const unsigned char *, int, unsigned char *, unsigned int *, - DSA *); -int DSA_verify(int, const unsigned char *, int, const unsigned char *, int, - DSA *); -int DSA_set0_pqg(DSA *, BIGNUM *, BIGNUM *, BIGNUM *); -int DSA_set0_key(DSA *, BIGNUM *, BIGNUM *); int DSA_generate_parameters_ex(DSA *, int, unsigned char *, int, int *, unsigned long *, BN_GENCB *); """ diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py index 950bd3780c9c..1488e0968840 100644 --- a/src/_cffi_src/openssl/pem.py +++ b/src/_cffi_src/openssl/pem.py @@ -45,10 +45,6 @@ DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *); -int PEM_write_bio_DSAPrivateKey(BIO *, DSA *, const EVP_CIPHER *, - unsigned char *, int, - pem_password_cb *, void *); - int PEM_write_bio_RSAPrivateKey(BIO *, RSA *, const EVP_CIPHER *, unsigned char *, int, pem_password_cb *, void *); diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 66e8592042fd..bb0d65e09858 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -145,7 +145,6 @@ int i2d_RSAPrivateKey_bio(BIO *, RSA *); RSA *d2i_RSAPublicKey_bio(BIO *, RSA **); int i2d_RSAPublicKey_bio(BIO *, RSA *); -int i2d_DSAPrivateKey_bio(BIO *, DSA *); int X509_get_ext_count(const X509 *); X509_EXTENSION *X509_get_ext(const X509 *, int); From 8ffe87b3ba657659fec4c5c0166de41bebd45347 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 6 Jun 2023 00:23:07 +0000 Subject: [PATCH 0025/1014] Bump BoringSSL and/or OpenSSL in CI (#9034) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d1822ffd1680..a76593caed8d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 03, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0341041b03ea71d8371a9692aedae263fc06ee9"}} + # Latest commit on the BoringSSL master branch, as of Jun 06, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "4a0393fcf37d7dbd090a5bb2293601a9ec7605da"}} # Latest commit on the OpenSSL master branch, as of Jun 05, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "80935bf5ad309bf6c03591acf1d48fe1db57b78f"}} # Builds with various Rust versions. Includes MSRV and potential From 9bb3afb54fa8ca59a84f507982a2dd10845a5f4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Jun 2023 00:48:04 +0000 Subject: [PATCH 0026/1014] Bump parking_lot_core from 0.9.7 to 0.9.8 in /src/rust (#9035) Bumps [parking_lot_core](https://github.com/Amanieu/parking_lot) from 0.9.7 to 0.9.8. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/core-0.9.7...core-0.9.8) --- updated-dependencies: - dependency-name: parking_lot_core dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 51 +++++++++++++++++++-------------------------- 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6f5ddd10108f..5a17f2be5260 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -233,15 +233,15 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.7" +version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9069cbb9f99e3a5083476ccb29ceb1de18b9118cafa53e90c9551235de2b9521" +checksum = "93f00c865fe7cabf650081affecd3871070f26767e7b2070a3ffae14c654b447" dependencies = [ "cfg-if", "libc", "redox_syscall", "smallvec", - "windows-sys", + "windows-targets", ] [[package]] @@ -363,9 +363,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.2.16" +version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a" +checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29" dependencies = [ "bitflags", ] @@ -434,20 +434,11 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" -[[package]] -name = "windows-sys" -version = "0.45.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" -dependencies = [ - "windows-targets", -] - [[package]] name = "windows-targets" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" +checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", @@ -460,42 +451,42 @@ dependencies = [ [[package]] name = "windows_aarch64_gnullvm" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" +checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" [[package]] name = "windows_aarch64_msvc" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" +checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3" [[package]] name = "windows_i686_gnu" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" +checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241" [[package]] name = "windows_i686_msvc" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" +checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" [[package]] name = "windows_x86_64_gnu" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" +checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1" [[package]] name = "windows_x86_64_gnullvm" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" +checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953" [[package]] name = "windows_x86_64_msvc" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" +checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" From fbe22d8862a4905f889e85a7cc52f5d4bf79330a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Jun 2023 00:55:57 +0000 Subject: [PATCH 0027/1014] Bump lock_api from 0.4.9 to 0.4.10 in /src/rust (#9036) Bumps [lock_api](https://github.com/Amanieu/parking_lot) from 0.4.9 to 0.4.10. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/lock_api-0.4.9...lock_api-0.4.10) --- updated-dependencies: - dependency-name: lock_api dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5a17f2be5260..9c8ef9ae5282 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -137,9 +137,9 @@ checksum = "fc86cde3ff845662b8f4ef6cb50ea0e20c524eb3d29ae048287e06a1b3fa6a81" [[package]] name = "lock_api" -version = "0.4.9" +version = "0.4.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "435011366fe56583b16cf956f9df0095b405b82d76425bc8981c0e22e60ec4df" +checksum = "c1cc9717a20b1bb222f333e6a92fd32f7d8a18ddc5a3191a11af45dcbf4dcd16" dependencies = [ "autocfg", "scopeguard", From 4e3d8a832ba879049efb60061a41ff2018d2ca30 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 7 Jun 2023 07:42:22 -0400 Subject: [PATCH 0028/1014] Added CI job for pypy 3.10 nightly (#9038) Refs #8933 --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a76593caed8d..382c226e1508 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,6 +34,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1"}} - {VERSION: "pypy-3.8", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} + - {VERSION: "pypy-3.10-nightly", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1u"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.9"}} - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1"}} From 15eba7f0143b3b376f577c7416d875fa28d97ad4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 7 Jun 2023 13:09:29 +0000 Subject: [PATCH 0029/1014] Bump libc from 0.2.145 to 0.2.146 in /src/rust (#9039) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.145 to 0.2.146. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.145...0.2.146) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9c8ef9ae5282..b8445cb031f2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -131,9 +131,9 @@ checksum = "bfa799dd5ed20a7e349f3b4639aa80d74549c81716d9ec4f994c9b5815598306" [[package]] name = "libc" -version = "0.2.145" +version = "0.2.146" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc86cde3ff845662b8f4ef6cb50ea0e20c524eb3d29ae048287e06a1b3fa6a81" +checksum = "f92be4933c13fd498862a9e02a3055f8a8d9c039ce33db97306fd5a6caa7f29b" [[package]] name = "lock_api" From 634807b17c45aff6aaec575cdaa81dd9fbdad144 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Jun 2023 04:45:28 +0800 Subject: [PATCH 0030/1014] Bump ruff from 0.0.270 to 0.0.271 (#9040) Bumps [ruff](https://github.com/charliermarsh/ruff) from 0.0.270 to 0.0.271. - [Release notes](https://github.com/charliermarsh/ruff/releases) - [Changelog](https://github.com/charliermarsh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/charliermarsh/ruff/compare/v0.0.270...v0.0.271) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 18c41ceaf0b2..43766636871d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.1 # via twine -ruff==0.0.270 +ruff==0.0.271 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 9544e9ce8432512e10a8fd122b7a6fd79f7cd283 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Jun 2023 04:45:47 +0800 Subject: [PATCH 0031/1014] Bump urllib3 from 2.0.2 to 2.0.3 (#9041) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.2 to 2.0.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.2...2.0.3) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 43766636871d..f66af508623b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -181,7 +181,7 @@ twine==4.0.2 # via cryptography (pyproject.toml) typing-extensions==4.6.3 # via mypy -urllib3==2.0.2 +urllib3==2.0.3 # via # requests # twine From 6761d7614c8794f948c255335c97ba7fd86e79db Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 7 Jun 2023 21:19:30 -0400 Subject: [PATCH 0032/1014] Add 1.64 (maturin) to potential future MSRV list (#9042) --- .github/workflows/ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 382c226e1508..06082d713a23 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -50,9 +50,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "4a0393fcf37d7dbd090a5bb2293601a9ec7605da"}} # Latest commit on the OpenSSL master branch, as of Jun 05, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "80935bf5ad309bf6c03591acf1d48fe1db57b78f"}} - # Builds with various Rust versions. Includes MSRV and potential - # future MSRV: + # Builds with various Rust versions. Includes MSRV and next + # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 + # 1.64 - maturin - {VERSION: "3.11", NOXSESSION: "tests-nocoverage", RUST: "1.56.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.60.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "beta"} From a0f1320e2fb2aaf5b0016209d489c04e50179611 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Jun 2023 13:09:44 +0000 Subject: [PATCH 0033/1014] Bump proc-macro2 from 1.0.59 to 1.0.60 in /src/rust (#9044) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.59 to 1.0.60. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.59...1.0.60) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b8445cb031f2..b467370ba0a3 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -285,9 +285,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.59" +version = "1.0.60" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6aeca18b86b413c660b781aa319e4e2648a3e6f9eadc9b47e9038e6fe9f3451b" +checksum = "dec2b086b7a862cf4de201096214fa870344cf922b2b30c167badb3af3195406" dependencies = [ "unicode-ident", ] From b69d22897ed0c28d846fcf8cfd03013a506c7bd4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Jun 2023 13:13:47 +0000 Subject: [PATCH 0034/1014] Bump sphinx-rtd-theme from 1.2.1 to 1.2.2 (#9045) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 1.2.1 to 1.2.2. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/1.2.1...1.2.2) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f66af508623b..da1c062c70a8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ sphinx==6.2.1 # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==1.2.1 +sphinx-rtd-theme==1.2.2 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.4 # via sphinx From b0b4b28df28eb3633786cf7ba6561b2ac8d9abd8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Jun 2023 13:23:07 +0000 Subject: [PATCH 0035/1014] Bump ruff from 0.0.271 to 0.0.272 (#9046) Bumps [ruff](https://github.com/charliermarsh/ruff) from 0.0.271 to 0.0.272. - [Release notes](https://github.com/charliermarsh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/charliermarsh/ruff/compare/v0.0.271...v0.0.272) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index da1c062c70a8..6c2d1e379648 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.1 # via twine -ruff==0.0.271 +ruff==0.0.272 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 91315dea9f3c295ba45dea863f76f5ad1d7dc1d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 10 Jun 2023 18:50:09 +0000 Subject: [PATCH 0036/1014] Bump actions/checkout from 3.5.2 to 3.5.3 (#9052) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.5.2...v3.5.3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/wheel-builder.yml | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 1643a283b934..1e5a3271240a 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -21,12 +21,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 0c0036e11cac..671d04d9fc36 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 06082d713a23..259a5645f641 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,7 +60,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -177,7 +177,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -228,7 +228,7 @@ jobs: RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -290,7 +290,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -361,7 +361,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -401,7 +401,7 @@ jobs: needs: [linux, distros, macos, windows, linux-downstream] if: ${{ always() }} steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index b796a0e67284..1ee535180993 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -21,7 +21,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 677319b3fa5a..05f64b548981 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} From 9bba8a10113c8aa1d685dc25f7e35c78c6f01f48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 10 Jun 2023 18:50:18 +0000 Subject: [PATCH 0037/1014] Bump actions/checkout from 3.5.2 to 3.5.3 in /.github/actions/wycheproof (#9051) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.5.2...v3.5.3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/wycheproof/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/wycheproof/action.yml b/.github/actions/wycheproof/action.yml index 6ededc54b15d..52a6a93d0ca2 100644 --- a/.github/actions/wycheproof/action.yml +++ b/.github/actions/wycheproof/action.yml @@ -5,7 +5,7 @@ runs: using: "composite" steps: - - uses: actions/checkout@v3.5.2 + - uses: actions/checkout@v3.5.3 with: repository: "google/wycheproof" path: "wycheproof" From eb120966d03776b60139ddfa55c0be93e1e13b43 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 10 Jun 2023 18:57:11 +0000 Subject: [PATCH 0038/1014] Bump filelock from 3.12.0 to 3.12.1 (#9053) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.12.0 to 3.12.1. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/py-filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.12.0...3.12.1) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6c2d1e379648..dda344e1e4f5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ exceptiongroup==1.1.1 # via pytest execnet==1.9.0 # via pytest-xdist -filelock==3.12.0 +filelock==3.12.1 # via virtualenv idna==3.4 # via requests From 645069d21dfeee40e5ae3d8b96e13131aadc4d71 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 10 Jun 2023 18:57:21 +0000 Subject: [PATCH 0039/1014] Bump platformdirs from 3.5.1 to 3.5.3 (#9054) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.5.1 to 3.5.3. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.5.1...3.5.3) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index dda344e1e4f5..9fff68316063 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.1 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.5.1 +platformdirs==3.5.3 # via # black # virtualenv From bab5cecd63f9ac8a0cb929627691145b8e8f26fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 10 Jun 2023 15:26:33 -0400 Subject: [PATCH 0040/1014] Simplify debian rust instructions now that bookworm is out (#9050) --- docs/installation.rst | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/installation.rst b/docs/installation.rst index f35f270effea..7c3253707978 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -120,10 +120,9 @@ Debian/Ubuntu .. warning:: - The Rust available in most Debian versions is older than the minimum - supported version. Debian Bookworm is sufficiently new, but otherwise - please see the :ref:`Rust installation instructions ` - for information about installing a newer Rust. + The Rust available in Debian versions prior to Bookworm are older than the + minimum supported version. See the :ref:`Rust installation instructions + ` for information about installing a newer Rust. .. code-block:: console From 986f0b19b5ff6d1dfe5246b418ce65348a49c20d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 10 Jun 2023 15:35:24 -0400 Subject: [PATCH 0041/1014] Added several tests and cleanups for serialization and EC (#9049) --- .../hazmat/backends/openssl/backend.py | 18 ++++-- tests/hazmat/primitives/test_ec.py | 9 +++ tests/hazmat/primitives/test_ssh.py | 64 ++++++++++++------- tests/wycheproof/test_ecdsa.py | 11 ++-- 4 files changed, 68 insertions(+), 34 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 02d51094cfe5..598499a145c8 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -37,6 +37,9 @@ x448, x25519, ) +from cryptography.hazmat.primitives.asymmetric import ( + utils as asym_utils, +) from cryptography.hazmat.primitives.asymmetric.padding import ( MGF1, OAEP, @@ -990,6 +993,11 @@ def _handle_key_loading_error(self) -> typing.NoReturn: ) def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: + if self._fips_enabled and not isinstance( + curve, self._fips_ecdh_curves + ): + return False + try: curve_nid = self._elliptic_curve_to_nid(curve) except UnsupportedAlgorithm: @@ -1014,7 +1022,10 @@ def elliptic_curve_signature_algorithm_supported( if not isinstance(signature_algorithm, ec.ECDSA): return False - return self.elliptic_curve_supported(curve) + return self.elliptic_curve_supported(curve) and ( + isinstance(signature_algorithm.algorithm, asym_utils.Prehashed) + or self.hash_supported(signature_algorithm.algorithm) + ) def generate_elliptic_curve_private_key( self, curve: ec.EllipticCurve @@ -1178,11 +1189,6 @@ def _ec_key_new_by_curve_nid(self, curve_nid: int): def elliptic_curve_exchange_algorithm_supported( self, algorithm: ec.ECDH, curve: ec.EllipticCurve ) -> bool: - if self._fips_enabled and not isinstance( - curve, self._fips_ecdh_curves - ): - return False - return self.elliptic_curve_supported(curve) and isinstance( algorithm, ec.ECDH ) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 601edcc48bd4..1120fa4be3a0 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -613,6 +613,8 @@ def test_public_key_equality(self, backend): assert key1 == key2 assert key1 != key3 assert key1 != object() + with pytest.raises(TypeError): + key1 < key2 # type: ignore[operator] class TestECSerialization: @@ -794,6 +796,13 @@ def test_private_bytes_traditional_der_encrypted_invalid(self, backend): serialization.BestAvailableEncryption(b"password"), ) + with pytest.raises(ValueError): + key.private_bytes( + serialization.Encoding.SMIME, + serialization.PrivateFormat.TraditionalOpenSSL, + serialization.NoEncryption(), + ) + def test_private_bytes_invalid_encoding(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) key = load_vectors_from_file( diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index e5c58062d075..d55e148c7a3d 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -38,6 +38,9 @@ from ...utils import load_vectors_from_file, raises_unsupported_algorithm from .fixtures_rsa import RSA_KEY_2048 from .test_ec import _skip_curve_unsupported +from .test_rsa import rsa_key_2048 + +__all__ = ["rsa_key_2048"] class TestOpenSSHSerialization: @@ -589,7 +592,9 @@ def test_serialize_ssh_private_key_errors_bad_curve(self, backend): Encoding.PEM, PrivateFormat.OpenSSH, NoEncryption() ) - def test_serialize_ssh_private_key_errors(self, backend): + def test_serialize_ssh_private_key_errors( + self, rsa_key_2048: rsa.RSAPrivateKey, backend + ): # bad encoding private_key = ec.generate_private_key(ec.SECP256R1(), backend) with pytest.raises(ValueError): @@ -615,6 +620,11 @@ def test_serialize_ssh_private_key_errors(self, backend): DummyKeySerializationEncryption(), ) + with pytest.raises(ValueError): + rsa_key_2048.private_bytes( + Encoding.DER, PrivateFormat.OpenSSH, NoEncryption() + ) + @pytest.mark.supported( only_if=lambda backend: ssh._bcrypt_supported, skip_message="Requires that bcrypt exists", @@ -636,34 +646,40 @@ def test_serialize_ssh_private_key_errors(self, backend): ], ) def test_serialize_ssh_private_key_with_password( - self, password, kdf_rounds, backend + self, password, kdf_rounds, rsa_key_2048: rsa.RSAPrivateKey, backend ): - original_key = ec.generate_private_key(ec.SECP256R1(), backend) - encoded_key_data = original_key.private_bytes( - Encoding.PEM, - PrivateFormat.OpenSSH, - ( - PrivateFormat.OpenSSH.encryption_builder() - .kdf_rounds(kdf_rounds) - .build(password) - ), - ) + for original_key in [ + ec.generate_private_key(ec.SECP256R1(), backend), + rsa_key_2048, + ]: + assert isinstance( + original_key, (ec.EllipticCurvePrivateKey, rsa.RSAPrivateKey) + ) + encoded_key_data = original_key.private_bytes( + Encoding.PEM, + PrivateFormat.OpenSSH, + ( + PrivateFormat.OpenSSH.encryption_builder() + .kdf_rounds(kdf_rounds) + .build(password) + ), + ) - decoded_key = load_ssh_private_key( - data=encoded_key_data, - password=password, - backend=backend, - ) + decoded_key = load_ssh_private_key( + data=encoded_key_data, + password=password, + backend=backend, + ) - original_public_key = original_key.public_key().public_bytes( - Encoding.OpenSSH, PublicFormat.OpenSSH - ) + original_public_key = original_key.public_key().public_bytes( + Encoding.OpenSSH, PublicFormat.OpenSSH + ) - decoded_public_key = decoded_key.public_key().public_bytes( - Encoding.OpenSSH, PublicFormat.OpenSSH - ) + decoded_public_key = decoded_key.public_key().public_bytes( + Encoding.OpenSSH, PublicFormat.OpenSSH + ) - assert original_public_key == decoded_public_key + assert original_public_key == decoded_public_key @pytest.mark.supported( only_if=lambda backend: backend.dsa_supported(), diff --git a/tests/wycheproof/test_ecdsa.py b/tests/wycheproof/test_ecdsa.py index 0b0308393511..d853909fd577 100644 --- a/tests/wycheproof/test_ecdsa.py +++ b/tests/wycheproof/test_ecdsa.py @@ -79,8 +79,11 @@ def test_ecdsa_signature(backend, wycheproof): ) digest = _DIGESTS[wycheproof.testgroup["sha"]] - if not backend.hash_supported(digest): - pytest.skip(f"Hash {digest} not supported") + alg = ec.ECDSA(digest) + if not backend.elliptic_curve_signature_algorithm_supported( + alg, key.curve + ): + pytest.skip(f"Signature with {digest} and {key.curve} not supported") if wycheproof.valid or ( wycheproof.acceptable and not wycheproof.has_flag("MissingZero") @@ -88,12 +91,12 @@ def test_ecdsa_signature(backend, wycheproof): key.verify( binascii.unhexlify(wycheproof.testcase["sig"]), binascii.unhexlify(wycheproof.testcase["msg"]), - ec.ECDSA(digest), + alg, ) else: with pytest.raises(InvalidSignature): key.verify( binascii.unhexlify(wycheproof.testcase["sig"]), binascii.unhexlify(wycheproof.testcase["msg"]), - ec.ECDSA(digest), + alg, ) From 2baf62196fa822bcfcaf8ff70aeb16e6779450d7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 10 Jun 2023 16:12:44 -0400 Subject: [PATCH 0042/1014] fixes #9048 -- document where to find known vulnerabilities (#9055) --- docs/security.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/security.rst b/docs/security.rst index e1fba3a1ecec..3c750b805683 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -5,6 +5,13 @@ We take the security of ``cryptography`` seriously. The following are a set of policies we have adopted to ensure that security issues are addressed in a timely fashion. +Known vulnerabilities +--------------------- + +A list of all known vulnerabilities in ``cryptography`` can be found on +`osv.dev`_, as well as other ecosystem vulnerability databases. They can +automatically be scanned for using tools such as `pip-audit`_ or `osv-scan`_. + Infrastructure -------------- @@ -87,5 +94,8 @@ The steps for issuing a security release are described in our :doc:`/doing-a-release` documentation. +.. _`osv.dev`: https://osv.dev/list?ecosystem=PyPI&q=cryptography +.. _`pip-audit`: https://pypi.org/project/pip-audit/ +.. _`osv-scan`: https://google.github.io/osv-scanner/ .. _`security advisory page`: https://github.com/pyca/cryptography/security/advisories/new .. _`main`: https://github.com/pyca/cryptography From f481060baa48b188ee0c16bc4756718ab91a7467 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 10 Jun 2023 22:50:28 +0000 Subject: [PATCH 0043/1014] Bump pytest from 7.3.1 to 7.3.2 (#9056) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.3.1 to 7.3.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.3.1...7.3.2) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9fff68316063..39d8634ab4ff 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -110,7 +110,7 @@ pygments==2.15.1 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.3.1 +pytest==7.3.2 # via # cryptography (pyproject.toml) # pytest-benchmark From 3a637e1da6dc9fc4da1a25f31be1e3462f0b8020 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 10 Jun 2023 22:55:08 +0000 Subject: [PATCH 0044/1014] Bump argcomplete from 3.0.8 to 3.1.0 (#9057) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.0.8 to 3.1.0. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.0.8...v3.1.0) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 39d8634ab4ff..00d6bba234f8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.13 # via sphinx -argcomplete==3.0.8 +argcomplete==3.1.0 # via nox babel==2.12.1 # via sphinx From 8e0815341f57c20616c0cb905925e52f2db2776d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 11 Jun 2023 03:00:54 -0400 Subject: [PATCH 0045/1014] Cleanup some code for old MSRV (#9058) --- src/rust/src/x509/common.rs | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 8ceb518846d1..f79c3e62057b 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -363,9 +363,7 @@ fn create_ip_network( } fn ipv4_netmask(num: u32) -> Result { - // we invert and check leading zeros because leading_ones wasn't stabilized - // until 1.46.0. When we raise our MSRV we should change this - if (!num).leading_zeros() + num.trailing_zeros() != 32 { + if num.leading_ones() + num.trailing_zeros() != 32 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Invalid netmask"), )); @@ -374,9 +372,7 @@ fn ipv4_netmask(num: u32) -> Result { } fn ipv6_netmask(num: u128) -> Result { - // we invert and check leading zeros because leading_ones wasn't stabilized - // until 1.46.0. When we raise our MSRV we should change this - if (!num).leading_zeros() + num.trailing_zeros() != 128 { + if num.leading_ones() + num.trailing_zeros() != 128 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Invalid netmask"), )); From 769d9ee7c2301f4c9e5aac70106dd238a9bd53b0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 12 Jun 2023 06:23:06 -0400 Subject: [PATCH 0046/1014] Switch from ourborous to self_cell (#8800) The motivation here is hopefully (?) to reduce compilation times. The updated motivation is ouroboros is officially unmaintained now --- src/rust/Cargo.lock | 73 ++----------------- src/rust/Cargo.toml | 2 +- src/rust/src/pkcs7.rs | 10 +-- src/rust/src/x509/certificate.rs | 100 +++++++++++++------------- src/rust/src/x509/crl.rs | 120 ++++++++++++++++++------------- src/rust/src/x509/csr.rs | 49 ++++++------- src/rust/src/x509/ocsp.rs | 6 +- src/rust/src/x509/ocsp_req.rs | 28 ++++---- src/rust/src/x509/ocsp_resp.rs | 84 +++++++++++----------- 9 files changed, 219 insertions(+), 253 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b467370ba0a3..39ad8af6b0bc 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -2,18 +2,6 @@ # It is not intended for manual editing. version = 3 -[[package]] -name = "Inflector" -version = "0.11.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe438c63458706e03479442743baae6c88256498e6431708f6dfc520a26515d3" - -[[package]] -name = "aliasable" -version = "0.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "250f629c0161ad8107cf89319e990051fae62832fd343083bea452d93e2205fd" - [[package]] name = "asn1" version = "0.15.2" @@ -96,9 +84,9 @@ dependencies = [ "once_cell", "openssl", "openssl-sys", - "ouroboros", "pem", "pyo3", + "self_cell", ] [[package]] @@ -198,29 +186,6 @@ dependencies = [ "vcpkg", ] -[[package]] -name = "ouroboros" -version = "0.15.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1358bd1558bd2a083fed428ffeda486fbfb323e698cdda7794259d592ca72db" -dependencies = [ - "aliasable", - "ouroboros_macro", -] - -[[package]] -name = "ouroboros_macro" -version = "0.15.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f7d21ccd03305a674437ee1248f3ab5d4b1db095cf1caf49f1713ddf61956b7" -dependencies = [ - "Inflector", - "proc-macro-error", - "proc-macro2", - "quote", - "syn 1.0.109", -] - [[package]] name = "parking_lot" version = "0.12.1" @@ -259,30 +224,6 @@ version = "0.3.27" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" -[[package]] -name = "proc-macro-error" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c" -dependencies = [ - "proc-macro-error-attr", - "proc-macro2", - "quote", - "syn 1.0.109", - "version_check", -] - -[[package]] -name = "proc-macro-error-attr" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869" -dependencies = [ - "proc-macro2", - "quote", - "version_check", -] - [[package]] name = "proc-macro2" version = "1.0.60" @@ -376,6 +317,12 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +[[package]] +name = "self_cell" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4a3926e239738d36060909ffe6f511502f92149a45a1fade7fe031cb2d33e88b" + [[package]] name = "smallvec" version = "1.10.0" @@ -428,12 +375,6 @@ version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" -[[package]] -name = "version_check" -version = "0.9.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" - [[package]] name = "windows-targets" version = "0.48.0" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 9dd060f8b600..0e82d86c8b10 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -15,10 +15,10 @@ cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = "1.1" -ouroboros = "0.15" openssl = "0.10.54" openssl-sys = "0.9.88" foreign-types-shared = "0.1" +self_cell = "1" [build-dependencies] cc = "1.0.72" diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index d2c500a72de7..bc098a9d1367 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -46,7 +46,7 @@ fn serialize_certificates<'p>( let raw_certs = py_certs .iter() - .map(|c| c.raw.borrow_value_public()) + .map(|c| c.raw.borrow_dependent()) .collect::>(); let signed_data = pkcs7::SignedData { @@ -122,7 +122,7 @@ fn sign_and_serialize<'p>( let mut digest_algs = vec![]; let mut certs = py_certs .iter() - .map(|p| p.raw.borrow_value_public()) + .map(|p| p.raw.borrow_dependent()) .collect::>(); for (cert, py_private_key, py_hash_alg) in &py_signers { let (authenticated_attrs, signature) = if options @@ -199,13 +199,13 @@ fn sign_and_serialize<'p>( if !digest_algs.contains(&digest_alg) { digest_algs.push(digest_alg.clone()); } - certs.push(cert.raw.borrow_value_public()); + certs.push(cert.raw.borrow_dependent()); signer_infos.push(pkcs7::SignerInfo { version: 1, issuer_and_serial_number: pkcs7::IssuerAndSerialNumber { - issuer: cert.raw.borrow_value_public().tbs_cert.issuer.clone(), - serial_number: cert.raw.borrow_value_public().tbs_cert.serial, + issuer: cert.raw.borrow_dependent().tbs_cert.issuer.clone(), + serial_number: cert.raw.borrow_dependent().tbs_cert.serial, }, digest_algorithm: digest_alg, authenticated_attributes: authenticated_attrs, diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 9204d730ba03..448a4982f781 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -8,6 +8,7 @@ use crate::asn1::{ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{extensions, sct, sign}; use crate::{exceptions, x509}; +use cryptography_x509::certificate::Certificate as RawCertificate; use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; use cryptography_x509::extensions::Extension; use cryptography_x509::extensions::{ @@ -21,31 +22,14 @@ use pyo3::{IntoPy, ToPyObject}; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[ouroboros::self_referencing] -pub(crate) struct OwnedCertificate { - data: pyo3::Py, - - #[borrows(data)] - #[covariant] - value: cryptography_x509::certificate::Certificate<'this>, -} +self_cell::self_cell!( + pub(crate) struct OwnedCertificate { + owner: pyo3::Py, -impl OwnedCertificate { - // Re-expose ::new with `pub(crate)` visibility. - pub(crate) fn new_public( - data: pyo3::Py, - value_ref_builder: impl for<'this> FnOnce( - &'this pyo3::Py, - ) - -> cryptography_x509::certificate::Certificate<'this>, - ) -> OwnedCertificate { - OwnedCertificate::new(data, value_ref_builder) + #[covariant] + dependent: RawCertificate, } - - pub(crate) fn borrow_value_public(&self) -> &cryptography_x509::certificate::Certificate<'_> { - self.borrow_value() - } -} +); #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Certificate { @@ -57,7 +41,7 @@ pub(crate) struct Certificate { impl Certificate { fn __hash__(&self) -> u64 { let mut hasher = DefaultHasher::new(); - self.raw.borrow_value().hash(&mut hasher); + self.raw.borrow_dependent().hash(&mut hasher); hasher.finish() } @@ -67,8 +51,12 @@ impl Certificate { op: pyo3::basic::CompareOp, ) -> pyo3::PyResult { match op { - pyo3::basic::CompareOp::Eq => Ok(self.raw.borrow_value() == other.raw.borrow_value()), - pyo3::basic::CompareOp::Ne => Ok(self.raw.borrow_value() != other.raw.borrow_value()), + pyo3::basic::CompareOp::Eq => { + Ok(self.raw.borrow_dependent() == other.raw.borrow_dependent()) + } + pyo3::basic::CompareOp::Ne => { + Ok(self.raw.borrow_dependent() != other.raw.borrow_dependent()) + } _ => Err(pyo3::exceptions::PyTypeError::new_err( "Certificates cannot be ordered", )), @@ -89,7 +77,7 @@ impl Certificate { // This makes an unnecessary copy. It'd be nice to get rid of it. let serialized = pyo3::types::PyBytes::new( py, - &asn1::write_single(&self.raw.borrow_value().tbs_cert.spki)?, + &asn1::write_single(&self.raw.borrow_dependent().tbs_cert.spki)?, ); Ok(py .import(pyo3::intern!( @@ -111,7 +99,7 @@ impl Certificate { .call1((algorithm,))?; // This makes an unnecessary copy. It'd be nice to get rid of it. let serialized = - pyo3::types::PyBytes::new(py, &asn1::write_single(&self.raw.borrow_value())?); + pyo3::types::PyBytes::new(py, &asn1::write_single(&self.raw.borrow_dependent())?); hasher.call_method1(pyo3::intern!(py, "update"), (serialized,))?; Ok(hasher.call_method0(pyo3::intern!(py, "finalize"))?) } @@ -121,7 +109,7 @@ impl Certificate { py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = asn1::write_single(self.raw.borrow_value())?; + let result = asn1::write_single(self.raw.borrow_dependent())?; encode_der_data(py, "CERTIFICATE".to_string(), result, encoding) } @@ -131,21 +119,21 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - let bytes = self.raw.borrow_value().tbs_cert.serial.as_bytes(); + let bytes = self.raw.borrow_dependent().tbs_cert.serial.as_bytes(); warn_if_negative_serial(py, bytes)?; Ok(big_byte_slice_to_py_int(py, bytes)?) } #[getter] fn version<'p>(&self, py: pyo3::Python<'p>) -> Result<&'p pyo3::PyAny, CryptographyError> { - let version = &self.raw.borrow_value().tbs_cert.version; + let version = &self.raw.borrow_dependent().tbs_cert.version; cert_version(py, *version) } #[getter] fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok( - x509::parse_name(py, &self.raw.borrow_value().tbs_cert.issuer) + x509::parse_name(py, &self.raw.borrow_dependent().tbs_cert.issuer) .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?, ) } @@ -153,7 +141,7 @@ impl Certificate { #[getter] fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok( - x509::parse_name(py, &self.raw.borrow_value().tbs_cert.subject) + x509::parse_name(py, &self.raw.borrow_dependent().tbs_cert.subject) .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?, ) } @@ -163,7 +151,7 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = asn1::write_single(&self.raw.borrow_value().tbs_cert)?; + let result = asn1::write_single(&self.raw.borrow_dependent().tbs_cert)?; Ok(pyo3::types::PyBytes::new(py, &result)) } @@ -172,7 +160,7 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let val = self.raw.borrow_value(); + let val = self.raw.borrow_dependent(); let mut tbs_precert = val.tbs_cert.clone(); // Remove the SCT list extension match val.tbs_cert.extensions() { @@ -219,14 +207,14 @@ impl Certificate { #[getter] fn signature<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes { - pyo3::types::PyBytes::new(py, self.raw.borrow_value().signature.as_bytes()) + pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] fn not_valid_before<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { let dt = &self .raw - .borrow_value() + .borrow_dependent() .tbs_cert .validity .not_before @@ -238,7 +226,7 @@ impl Certificate { fn not_valid_after<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { let dt = &self .raw - .borrow_value() + .borrow_dependent() .tbs_cert .validity .not_after @@ -251,12 +239,12 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - sign::identify_signature_hash_algorithm(py, &self.raw.borrow_value().signature_alg) + sign::identify_signature_hash_algorithm(py, &self.raw.borrow_dependent().signature_alg) } #[getter] fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - oid_to_py_oid(py, self.raw.borrow_value().signature_alg.oid()) + oid_to_py_oid(py, self.raw.borrow_dependent().signature_alg.oid()) } #[getter] @@ -264,7 +252,10 @@ impl Certificate { &'p self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::PyAny> { - sign::identify_signature_algorithm_parameters(py, &self.raw.borrow_value().signature_alg) + sign::identify_signature_algorithm_parameters( + py, + &self.raw.borrow_dependent().signature_alg, + ) } #[getter] @@ -273,7 +264,7 @@ impl Certificate { x509::parse_and_cache_extensions( py, &mut self.cached_extensions, - &self.raw.borrow_value().tbs_cert.raw_extensions, + &self.raw.borrow_dependent().tbs_cert.raw_extensions, |oid, ext_data| match *oid { oid::PRECERT_POISON_OID => { asn1::parse_single::<()>(ext_data)?; @@ -305,12 +296,16 @@ impl Certificate { py: pyo3::Python<'_>, issuer: pyo3::PyRef<'_, Certificate>, ) -> CryptographyResult<()> { - if self.raw.borrow_value().tbs_cert.signature_alg != self.raw.borrow_value().signature_alg { + if self.raw.borrow_dependent().tbs_cert.signature_alg + != self.raw.borrow_dependent().signature_alg + { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "Inner and outer signature algorithms do not match. This is an invalid certificate." ))); }; - if self.raw.borrow_value().tbs_cert.issuer != issuer.raw.borrow_value().tbs_cert.subject { + if self.raw.borrow_dependent().tbs_cert.issuer + != issuer.raw.borrow_dependent().tbs_cert.subject + { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Issuer certificate subject does not match certificate issuer.", @@ -320,9 +315,9 @@ impl Certificate { sign::verify_signature_with_signature_algorithm( py, issuer.public_key(py)?, - &self.raw.borrow_value().signature_alg, - self.raw.borrow_value().signature.as_bytes(), - &asn1::write_single(&self.raw.borrow_value().tbs_cert)?, + &self.raw.borrow_dependent().signature_alg, + self.raw.borrow_dependent().signature.as_bytes(), + &asn1::write_single(&self.raw.borrow_dependent().tbs_cert)?, ) } } @@ -387,14 +382,17 @@ fn load_der_x509_certificate( ) -> CryptographyResult { let raw = OwnedCertificate::try_new(data, |data| asn1::parse_single(data.as_bytes(py)))?; // Parse cert version immediately so we can raise error on parse if it is invalid. - cert_version(py, raw.borrow_value().tbs_cert.version)?; + cert_version(py, raw.borrow_dependent().tbs_cert.version)?; // determine if the serial is negative and raise a warning if it is. We want to drop support // for this sort of invalid encoding eventually. - warn_if_negative_serial(py, raw.borrow_value().tbs_cert.serial.as_bytes())?; + warn_if_negative_serial(py, raw.borrow_dependent().tbs_cert.serial.as_bytes())?; // determine if the signature algorithm has incorrect parameters and raise a warning if it // does. this is a bug in JDK11 and we want to drop support for it eventually. - warn_if_invalid_ecdsa_params(py, raw.borrow_value().signature_alg.params.clone())?; - warn_if_invalid_ecdsa_params(py, raw.borrow_value().tbs_cert.signature_alg.params.clone())?; + warn_if_invalid_ecdsa_params(py, raw.borrow_dependent().signature_alg.params.clone())?; + warn_if_invalid_ecdsa_params( + py, + raw.borrow_dependent().tbs_cert.signature_alg.params.clone(), + )?; Ok(Certificate { raw, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 1380d6eb86b5..b4b421d3f9bb 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -8,7 +8,14 @@ use crate::asn1::{ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, x509}; -use cryptography_x509::{common, crl, name, oid}; +use cryptography_x509::{ + common, + crl::{ + self, CertificateRevocationList as RawCertificateRevocationList, + RevokedCertificate as RawRevokedCertificate, + }, + name, oid, +}; use pyo3::{IntoPy, ToPyObject}; use std::sync::Arc; @@ -21,7 +28,7 @@ fn load_der_x509_crl( asn1::parse_single(data.as_bytes(py)) })?; - let version = owned.borrow_value().tbs_cert_list.version.unwrap_or(1); + let version = owned.borrow_dependent().tbs_cert_list.version.unwrap_or(1); if version != 1 { return Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( @@ -54,13 +61,13 @@ fn load_pem_x509_crl( ) } -#[ouroboros::self_referencing] -struct OwnedCertificateRevocationList { - data: pyo3::Py, - #[borrows(data)] - #[covariant] - value: crl::CertificateRevocationList<'this>, -} +self_cell::self_cell!( + struct OwnedCertificateRevocationList { + owner: pyo3::Py, + #[covariant] + dependent: RawCertificateRevocationList, + } +); #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateRevocationList { @@ -72,7 +79,7 @@ struct CertificateRevocationList { impl CertificateRevocationList { fn public_bytes_der(&self) -> CryptographyResult> { - Ok(asn1::write_single(self.owned.borrow_value())?) + Ok(asn1::write_single(&self.owned.borrow_dependent())?) } fn revoked_cert(&self, py: pyo3::Python<'_>, idx: usize) -> RevokedCertificate { @@ -84,7 +91,7 @@ impl CertificateRevocationList { fn len(&self) -> usize { self.owned - .borrow_value() + .borrow_dependent() .tbs_cert_list .revoked_certificates .as_ref() @@ -101,10 +108,10 @@ impl CertificateRevocationList { ) -> pyo3::PyResult { match op { pyo3::basic::CompareOp::Eq => { - Ok(self.owned.borrow_value() == other.owned.borrow_value()) + Ok(self.owned.borrow_dependent() == other.owned.borrow_dependent()) } pyo3::basic::CompareOp::Ne => { - Ok(self.owned.borrow_value() != other.owned.borrow_value()) + Ok(self.owned.borrow_dependent() != other.owned.borrow_dependent()) } _ => Err(pyo3::exceptions::PyTypeError::new_err( "CRLs cannot be ordered", @@ -120,7 +127,7 @@ impl CertificateRevocationList { CRLIterator { contents: OwnedCRLIteratorData::try_new(Arc::clone(&self.owned), |v| { Ok::<_, ()>( - v.borrow_value() + v.borrow_dependent() .tbs_cert_list .revoked_certificates .as_ref() @@ -184,7 +191,7 @@ impl CertificateRevocationList { #[getter] fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - oid_to_py_oid(py, self.owned.borrow_value().signature_algorithm.oid()) + oid_to_py_oid(py, self.owned.borrow_dependent().signature_algorithm.oid()) } #[getter] @@ -201,14 +208,14 @@ impl CertificateRevocationList { Ok(v) => Ok(v), Err(_) => Err(exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", - self.owned.borrow_value().signature_algorithm.oid(), + self.owned.borrow_dependent().signature_algorithm.oid() ))), } } #[getter] fn signature(&self) -> &[u8] { - self.owned.borrow_value().signature_value.as_bytes() + self.owned.borrow_dependent().signature_value.as_bytes() } #[getter] @@ -216,7 +223,7 @@ impl CertificateRevocationList { &self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let b = asn1::write_single(&self.owned.borrow_value().tbs_cert_list)?; + let b = asn1::write_single(&self.owned.borrow_dependent().tbs_cert_list)?; Ok(pyo3::types::PyBytes::new(py, &b)) } @@ -225,7 +232,7 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = asn1::write_single(self.owned.borrow_value())?; + let result = asn1::write_single(&self.owned.borrow_dependent())?; encode_der_data(py, "X509 CRL".to_string(), result, encoding) } @@ -234,13 +241,13 @@ impl CertificateRevocationList { fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok(x509::parse_name( py, - &self.owned.borrow_value().tbs_cert_list.issuer, + &self.owned.borrow_dependent().tbs_cert_list.issuer, )?) } #[getter] fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - match &self.owned.borrow_value().tbs_cert_list.next_update { + match &self.owned.borrow_dependent().tbs_cert_list.next_update { Some(t) => x509::datetime_to_py(py, t.as_datetime()), None => Ok(py.None().into_ref(py)), } @@ -251,7 +258,7 @@ impl CertificateRevocationList { x509::datetime_to_py( py, self.owned - .borrow_value() + .borrow_dependent() .tbs_cert_list .this_update .as_datetime(), @@ -260,7 +267,7 @@ impl CertificateRevocationList { #[getter] fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let tbs_cert_list = &self.owned.borrow_value().tbs_cert_list; + let tbs_cert_list = &self.owned.borrow_dependent().tbs_cert_list; let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( @@ -356,7 +363,7 @@ impl CertificateRevocationList { ) -> pyo3::PyResult> { let serial_bytes = py_uint_to_big_endian_bytes(py, serial)?; let owned = OwnedRevokedCertificate::try_new(Arc::clone(&self.owned), |v| { - let certs = match &v.borrow_value().tbs_cert_list.revoked_certificates { + let certs = match &v.borrow_dependent().tbs_cert_list.revoked_certificates { Some(certs) => certs.unwrap_read().clone(), None => return Err(()), }; @@ -383,8 +390,8 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, public_key: &'p pyo3::PyAny, ) -> CryptographyResult { - if slf.owned.borrow_value().tbs_cert_list.signature - != slf.owned.borrow_value().signature_algorithm + if slf.owned.borrow_dependent().tbs_cert_list.signature + != slf.owned.borrow_dependent().signature_algorithm { return Ok(false); }; @@ -396,21 +403,23 @@ impl CertificateRevocationList { Ok(sign::verify_signature_with_signature_algorithm( py, public_key, - &slf.owned.borrow_value().signature_algorithm, - slf.owned.borrow_value().signature_value.as_bytes(), - &asn1::write_single(&slf.owned.borrow_value().tbs_cert_list)?, + &slf.owned.borrow_dependent().signature_algorithm, + slf.owned.borrow_dependent().signature_value.as_bytes(), + &asn1::write_single(&slf.owned.borrow_dependent().tbs_cert_list)?, ) .is_ok()) } } -#[ouroboros::self_referencing] -struct OwnedCRLIteratorData { - data: Arc, - #[borrows(data)] - #[covariant] - value: Option>>, -} +type RawCRLIterator<'a> = Option>>; +self_cell::self_cell!( + struct OwnedCRLIteratorData { + owner: Arc, + + #[covariant] + dependent: RawCRLIterator, + } +); #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct CRLIterator { @@ -426,15 +435,18 @@ fn try_map_arc_data_mut_crl_iterator( &mut Option>>, ) -> Result, E>, ) -> Result { - OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_data()), |inner_it| { - it.with_value_mut(|value| f(inner_it, unsafe { std::mem::transmute(value) })) + OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_owner()), |inner_it| { + it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) }) } #[pyo3::prelude::pymethods] impl CRLIterator { fn __len__(&self) -> usize { - self.contents.borrow_value().clone().map_or(0, |v| v.len()) + self.contents + .borrow_dependent() + .clone() + .map_or(0, |v| v.len()) } fn __iter__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { @@ -457,13 +469,13 @@ impl CRLIterator { } } -#[ouroboros::self_referencing] -struct OwnedRevokedCertificate { - data: Arc, - #[borrows(data)] - #[covariant] - value: crl::RevokedCertificate<'this>, -} +self_cell::self_cell!( + struct OwnedRevokedCertificate { + owner: Arc, + #[covariant] + dependent: RawRevokedCertificate, + } +); impl Clone for OwnedRevokedCertificate { fn clone(&self) -> OwnedRevokedCertificate { @@ -471,8 +483,8 @@ impl Clone for OwnedRevokedCertificate { // Rust doesn't understand the lifetime relationship it produces. // Open-coded implementation of the API discussed in // https://github.com/joshua-maros/ouroboros/issues/38 - OwnedRevokedCertificate::new(Arc::clone(self.borrow_data()), |_| unsafe { - std::mem::transmute(self.borrow_value().clone()) + OwnedRevokedCertificate::new(Arc::clone(self.borrow_owner()), |_| unsafe { + std::mem::transmute(self.borrow_dependent().clone()) }) } } @@ -487,12 +499,18 @@ struct RevokedCertificate { impl RevokedCertificate { #[getter] fn serial_number<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - big_byte_slice_to_py_int(py, self.owned.borrow_value().user_certificate.as_bytes()) + big_byte_slice_to_py_int( + py, + self.owned.borrow_dependent().user_certificate.as_bytes(), + ) } #[getter] fn revocation_date<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - x509::datetime_to_py(py, self.owned.borrow_value().revocation_date.as_datetime()) + x509::datetime_to_py( + py, + self.owned.borrow_dependent().revocation_date.as_datetime(), + ) } #[getter] @@ -500,7 +518,7 @@ impl RevokedCertificate { x509::parse_and_cache_extensions( py, &mut self.cached_extensions, - &self.owned.borrow_value().raw_crl_entry_extensions, + &self.owned.borrow_dependent().raw_crl_entry_extensions, |oid, ext_data| parse_crl_entry_ext(py, oid.clone(), ext_data), ) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 2e7797f49baa..ebd271848cce 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -13,13 +13,14 @@ use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[ouroboros::self_referencing] -struct OwnedCsr { - data: pyo3::Py, - #[borrows(data)] - #[covariant] - value: Csr<'this>, -} +self_cell::self_cell!( + struct OwnedCsr { + owner: pyo3::Py, + + #[covariant] + dependent: Csr, + } +); #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateSigningRequest { @@ -31,7 +32,7 @@ struct CertificateSigningRequest { impl CertificateSigningRequest { fn __hash__(&self, py: pyo3::Python<'_>) -> u64 { let mut hasher = DefaultHasher::new(); - self.raw.borrow_data().as_bytes(py).hash(&mut hasher); + self.raw.borrow_owner().as_bytes(py).hash(&mut hasher); hasher.finish() } @@ -43,10 +44,10 @@ impl CertificateSigningRequest { ) -> pyo3::PyResult { match op { pyo3::basic::CompareOp::Eq => { - Ok(self.raw.borrow_data().as_bytes(py) == other.raw.borrow_data().as_bytes(py)) + Ok(self.raw.borrow_owner().as_bytes(py) == other.raw.borrow_owner().as_bytes(py)) } pyo3::basic::CompareOp::Ne => { - Ok(self.raw.borrow_data().as_bytes(py) != other.raw.borrow_data().as_bytes(py)) + Ok(self.raw.borrow_owner().as_bytes(py) != other.raw.borrow_owner().as_bytes(py)) } _ => Err(pyo3::exceptions::PyTypeError::new_err( "CSRs cannot be ordered", @@ -58,7 +59,7 @@ impl CertificateSigningRequest { // This makes an unnecessary copy. It'd be nice to get rid of it. let serialized = pyo3::types::PyBytes::new( py, - &asn1::write_single(&self.raw.borrow_value().csr_info.spki)?, + &asn1::write_single(&self.raw.borrow_dependent().csr_info.spki)?, ); Ok(py .import(pyo3::intern!( @@ -73,7 +74,7 @@ impl CertificateSigningRequest { fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok(x509::parse_name( py, - &self.raw.borrow_value().csr_info.subject, + &self.raw.borrow_dependent().csr_info.subject, )?) } @@ -82,13 +83,13 @@ impl CertificateSigningRequest { &self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = asn1::write_single(&self.raw.borrow_value().csr_info)?; + let result = asn1::write_single(&self.raw.borrow_dependent().csr_info)?; Ok(pyo3::types::PyBytes::new(py, &result)) } #[getter] fn signature<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes { - pyo3::types::PyBytes::new(py, self.raw.borrow_value().signature.as_bytes()) + pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] @@ -105,7 +106,7 @@ impl CertificateSigningRequest { Err(_) => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", - self.raw.borrow_value().signature_alg.oid() + self.raw.borrow_dependent().signature_alg.oid() )), )), } @@ -113,7 +114,7 @@ impl CertificateSigningRequest { #[getter] fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - oid_to_py_oid(py, self.raw.borrow_value().signature_alg.oid()) + oid_to_py_oid(py, self.raw.borrow_dependent().signature_alg.oid()) } fn public_bytes<'p>( @@ -121,7 +122,7 @@ impl CertificateSigningRequest { py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = asn1::write_single(self.raw.borrow_value())?; + let result = asn1::write_single(self.raw.borrow_dependent())?; encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) } @@ -143,7 +144,7 @@ impl CertificateSigningRequest { let rust_oid = py_oid_to_oid(oid)?; for attribute in self .raw - .borrow_value() + .borrow_dependent() .csr_info .attributes .unwrap_read() @@ -181,7 +182,7 @@ impl CertificateSigningRequest { let pyattrs = pyo3::types::PyList::empty(py); for attribute in self .raw - .borrow_value() + .borrow_dependent() .csr_info .attributes .unwrap_read() @@ -213,7 +214,7 @@ impl CertificateSigningRequest { fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { let raw_exts = self .raw - .borrow_value() + .borrow_dependent() .csr_info .get_extension_attribute() .map_err(|_| { @@ -239,9 +240,9 @@ impl CertificateSigningRequest { Ok(sign::verify_signature_with_signature_algorithm( py, public_key, - &slf.raw.borrow_value().signature_alg, - slf.raw.borrow_value().signature.as_bytes(), - &asn1::write_single(&slf.raw.borrow_value().csr_info)?, + &slf.raw.borrow_dependent().signature_alg, + slf.raw.borrow_dependent().signature.as_bytes(), + &asn1::write_single(&slf.raw.borrow_dependent().csr_info)?, ) .is_ok()) } @@ -272,7 +273,7 @@ fn load_der_x509_csr( ) -> CryptographyResult { let raw = OwnedCsr::try_new(data, |data| asn1::parse_single(data.as_bytes(py)))?; - let version = raw.borrow_value().csr_info.version; + let version = raw.borrow_dependent().csr_info.version; if version != 0 { return Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 05ea096078bb..ff832477ed6f 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -70,14 +70,14 @@ pub(crate) fn certid_new<'p>( issuer: &'p Certificate, hash_algorithm: &'p pyo3::PyAny, ) -> CryptographyResult> { - let issuer_der = asn1::write_single(&cert.raw.borrow_value_public().tbs_cert.issuer)?; + let issuer_der = asn1::write_single(&cert.raw.borrow_dependent().tbs_cert.issuer)?; let issuer_name_hash = hash_data(py, hash_algorithm, &issuer_der)?; let issuer_key_hash = hash_data( py, hash_algorithm, issuer .raw - .borrow_value_public() + .borrow_dependent() .tbs_cert .spki .subject_public_key @@ -91,7 +91,7 @@ pub(crate) fn certid_new<'p>( .clone(), issuer_name_hash, issuer_key_hash, - serial_number: cert.raw.borrow_value_public().tbs_cert.serial, + serial_number: cert.raw.borrow_dependent().tbs_cert.serial, }) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 1571524edfeb..10471857b69f 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -6,16 +6,20 @@ use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{extensions, ocsp}; use crate::{exceptions, x509}; -use cryptography_x509::{common, ocsp_req, oid}; +use cryptography_x509::{ + common, + ocsp_req::{self, OCSPRequest as RawOCSPRequest}, + oid, +}; use pyo3::IntoPy; -#[ouroboros::self_referencing] -struct OwnedOCSPRequest { - data: pyo3::Py, - #[borrows(data)] - #[covariant] - value: ocsp_req::OCSPRequest<'this>, -} +self_cell::self_cell!( + struct OwnedOCSPRequest { + owner: pyo3::Py, + #[covariant] + dependent: RawOCSPRequest, + } +); #[pyo3::prelude::pyfunction] fn load_der_ocsp_request( @@ -25,7 +29,7 @@ fn load_der_ocsp_request( let raw = OwnedOCSPRequest::try_new(data, |data| asn1::parse_single(data.as_bytes(py)))?; if raw - .borrow_value() + .borrow_dependent() .tbs_request .request_list .unwrap_read() @@ -55,7 +59,7 @@ struct OCSPRequest { impl OCSPRequest { fn cert_id(&self) -> ocsp_req::CertID<'_> { self.raw - .borrow_value() + .borrow_dependent() .tbs_request .request_list .unwrap_read() @@ -108,7 +112,7 @@ impl OCSPRequest { #[getter] fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let tbs_request = &self.raw.borrow_value().tbs_request; + let tbs_request = &self.raw.borrow_dependent().tbs_request; let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( @@ -167,7 +171,7 @@ impl OCSPRequest { ) .into()); } - let result = asn1::write_single(self.raw.borrow_value())?; + let result = asn1::write_single(self.raw.borrow_dependent())?; Ok(pyo3::types::PyBytes::new(py, &result)) } } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 721e0313a613..1c929018d92c 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -7,7 +7,11 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, crl, extensions, ocsp, py_to_datetime, sct}; use crate::{exceptions, x509}; use cryptography_x509::ocsp_resp::SingleResponse; -use cryptography_x509::{common, ocsp_resp, oid}; +use cryptography_x509::{ + common, + ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, + oid, +}; use pyo3::IntoPy; use std::sync::Arc; @@ -20,7 +24,7 @@ fn load_der_ocsp_response( ) -> Result { let raw = OwnedOCSPResponse::try_new(data, |data| asn1::parse_single(data.as_bytes(py)))?; - let response = raw.borrow_value(); + let response = raw.borrow_dependent(); match response.response_status.value() { SUCCESSFUL_RESPONSE => match response.response_bytes { Some(ref bytes) => { @@ -58,13 +62,13 @@ fn load_der_ocsp_response( }) } -#[ouroboros::self_referencing] -struct OwnedOCSPResponse { - data: pyo3::Py, - #[borrows(data)] - #[covariant] - value: ocsp_resp::OCSPResponse<'this>, -} +self_cell::self_cell!( + struct OwnedOCSPResponse { + owner: pyo3::Py, + #[covariant] + dependent: RawOCSPResponse, + } +); #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponse { @@ -76,7 +80,7 @@ struct OCSPResponse { impl OCSPResponse { fn requires_successful_response(&self) -> pyo3::PyResult<&ocsp_resp::BasicOCSPResponse<'_>> { - match self.raw.borrow_value().response_bytes.as_ref() { + match self.raw.borrow_dependent().response_bytes.as_ref() { Some(b) => Ok(b.response.get()), None => Err(pyo3::exceptions::PyValueError::new_err( "OCSP response status is not successful so the property has no value", @@ -101,7 +105,7 @@ impl OCSPResponse { Ok(OCSPResponseIterator { contents: OwnedOCSPResponseIteratorData::try_new(Arc::clone(&self.raw), |v| { Ok::<_, ()>( - v.borrow_value() + v.borrow_dependent() .response_bytes .as_ref() .unwrap() @@ -119,7 +123,7 @@ impl OCSPResponse { #[getter] fn response_status<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let status = self.raw.borrow_value().response_status.value(); + let status = self.raw.borrow_dependent().response_status.value(); let attr = if status == SUCCESSFUL_RESPONSE { "SUCCESSFUL" } else if status == MALFORMED_REQUEST_RESPOSNE { @@ -319,7 +323,7 @@ impl OCSPResponse { let response_data = &self .raw - .borrow_value() + .borrow_dependent() .response_bytes .as_ref() .unwrap() @@ -357,7 +361,7 @@ impl OCSPResponse { self.requires_successful_response()?; let single_resp = single_response( self.raw - .borrow_value() + .borrow_dependent() .response_bytes .as_ref() .unwrap() @@ -403,7 +407,7 @@ impl OCSPResponse { ) .into()); } - let result = asn1::write_single(self.raw.borrow_value())?; + let result = asn1::write_single(self.raw.borrow_dependent())?; Ok(pyo3::types::PyBytes::new(py, &result)) } } @@ -418,11 +422,9 @@ fn map_arc_data_ocsp_response( &ocsp_resp::OCSPResponse<'this>, ) -> cryptography_x509::certificate::Certificate<'this>, ) -> certificate::OwnedCertificate { - certificate::OwnedCertificate::new_public(it.borrow_data().clone_ref(py), |inner_it| { - it.with(|value| { - f(inner_it.as_bytes(py), unsafe { - std::mem::transmute(value.value) - }) + certificate::OwnedCertificate::new(it.borrow_owner().clone_ref(py), |inner_it| { + it.with_dependent(|_, value| { + f(inner_it.as_bytes(py), unsafe { std::mem::transmute(value) }) }) }) } @@ -433,8 +435,8 @@ fn try_map_arc_data_mut_ocsp_response_iterator( &mut asn1::SequenceOf<'this, ocsp_resp::SingleResponse<'this>>, ) -> Result, E>, ) -> Result { - OwnedSingleResponse::try_new(Arc::clone(it.borrow_data()), |inner_it| { - it.with_value_mut(|value| f(inner_it, unsafe { std::mem::transmute(value) })) + OwnedSingleResponse::try_new(Arc::clone(it.borrow_owner()), |inner_it| { + it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) }) } @@ -648,7 +650,7 @@ fn create_ocsp_response( sha1, borrowed_cert .raw - .borrow_value_public() + .borrow_dependent() .tbs_cert .spki .subject_public_key @@ -658,7 +660,7 @@ fn create_ocsp_response( ocsp_resp::ResponderId::ByName( borrowed_cert .raw - .borrow_value_public() + .borrow_dependent() .tbs_cert .subject .clone(), @@ -710,7 +712,7 @@ fn create_ocsp_response( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( py_certs .iter() - .map(|c| c.raw.borrow_value_public().clone()) + .map(|c| c.raw.borrow_dependent().clone()) .collect(), )) }); @@ -744,13 +746,15 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< Ok(()) } -#[ouroboros::self_referencing] -struct OwnedOCSPResponseIteratorData { - data: Arc, - #[borrows(data)] - #[covariant] - value: asn1::SequenceOf<'this, SingleResponse<'this>>, -} +type RawOCSPResponseIterator<'a> = asn1::SequenceOf<'a, SingleResponse<'a>>; + +self_cell::self_cell!( + struct OwnedOCSPResponseIteratorData { + owner: Arc, + #[covariant] + dependent: RawOCSPResponseIterator, + } +); #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponseIterator { @@ -776,13 +780,13 @@ impl OCSPResponseIterator { } } -#[ouroboros::self_referencing] -struct OwnedSingleResponse { - data: Arc, - #[borrows(data)] - #[covariant] - value: ocsp_resp::SingleResponse<'this>, -} +self_cell::self_cell!( + struct OwnedSingleResponse { + owner: Arc, + #[covariant] + dependent: RawSingleResponse, + } +); #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPSingleResponse { @@ -791,7 +795,7 @@ struct OCSPSingleResponse { impl OCSPSingleResponse { fn single_response(&self) -> &SingleResponse<'_> { - self.raw.borrow_value() + self.raw.borrow_dependent() } } From b9dc2aaa79a119e02b7b3d6fc4b0d7fe02df3b41 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jun 2023 12:39:20 -0700 Subject: [PATCH 0047/1014] Bump argcomplete from 3.1.0 to 3.1.1 (#9059) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.1.0...v3.1.1) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 00d6bba234f8..5b0b0baa81ff 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.13 # via sphinx -argcomplete==3.1.0 +argcomplete==3.1.1 # via nox babel==2.12.1 # via sphinx From a00f17efc0be9e9cc5ad3fb0bace0e04f0f6123b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 12 Jun 2023 18:42:52 -0400 Subject: [PATCH 0048/1014] x509/common: make SPKI algorithm public (#9061) No functional changes; this will be needed for path validation. Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/common.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index a882d985e9cb..4a5d0ebe8bdf 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -111,7 +111,7 @@ pub enum AlgorithmParameters<'a> { #[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Clone)] pub struct SubjectPublicKeyInfo<'a> { - _algorithm: AlgorithmIdentifier<'a>, + pub algorithm: AlgorithmIdentifier<'a>, pub subject_public_key: asn1::BitString<'a>, } From 0f5071e25153cfde8b7208696722278b425cc74a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 12 Jun 2023 21:11:20 -0400 Subject: [PATCH 0049/1014] Test against Debian Trixie (#9062) --- .github/workflows/ci.yml | 1 + docs/installation.rst | 4 ++-- docs/spelling_wordlist.txt | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 259a5645f641..615bb9b761eb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -153,6 +153,7 @@ jobs: - {IMAGE: "buster", NOXSESSION: "tests-nocoverage", RUNNER: "ubuntu-latest"} - {IMAGE: "bullseye", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "bookworm", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} + - {IMAGE: "trixie", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "sid", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-focal", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-jammy", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} diff --git a/docs/installation.rst b/docs/installation.rst index 7c3253707978..38756ef418ee 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -23,8 +23,8 @@ operating systems. * ARM64 macOS 13 Ventura * x86-64 Ubuntu 20.04, 22.04, rolling * ARM64 Ubuntu 22.04 -* x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x) - and Sid (unstable) +* x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), + Trixie (13.x), and Sid (unstable) * x86-64 Alpine (latest) * ARM64 Alpine (latest) * 32-bit and 64-bit Python on 64-bit Windows Server 2022 diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 62a62fb96e34..485f452db014 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -124,6 +124,7 @@ Thawte timestamp timestamps toolchain +Trixie tunable Ubuntu unencrypted From 22625af5373f81dc916daeb754b15160d480ee6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Jun 2023 13:10:35 +0000 Subject: [PATCH 0050/1014] Bump self_cell from 1.0.0 to 1.0.1 in /src/rust (#9066) Bumps [self_cell](https://github.com/Voultapher/self_cell) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/Voultapher/self_cell/releases) - [Commits](https://github.com/Voultapher/self_cell/compare/v1.0.0...v1.0.1) --- updated-dependencies: - dependency-name: self_cell dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 39ad8af6b0bc..ce678513dc86 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -319,9 +319,9 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" [[package]] name = "self_cell" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a3926e239738d36060909ffe6f511502f92149a45a1fade7fe031cb2d33e88b" +checksum = "4c309e515543e67811222dbc9e3dd7e1056279b782e1dacffe4242b718734fb6" [[package]] name = "smallvec" From 1fd1bcef62e2a67d9cceded1102e8c0e36d31ece Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Jun 2023 13:14:44 +0000 Subject: [PATCH 0051/1014] Bump dessant/lock-threads from 4.0.0 to 4.0.1 (#9067) Bumps [dessant/lock-threads](https://github.com/dessant/lock-threads) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/dessant/lock-threads/releases) - [Changelog](https://github.com/dessant/lock-threads/blob/main/CHANGELOG.md) - [Commits](https://github.com/dessant/lock-threads/compare/c1b35aecc5cdb1a34539d14196df55838bb2f836...be8aa5be94131386884a6da4189effda9b14aa21) --- updated-dependencies: - dependency-name: dessant/lock-threads dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 951b70546066..20b334000abb 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -12,7 +12,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836 + - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 with: github-token: ${{ secrets.GITHUB_TOKEN }} issue-inactive-days: 90 From 9910436783192d61a118207b6496aa548465f0ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Jun 2023 13:22:16 +0000 Subject: [PATCH 0052/1014] Bump filelock from 3.12.1 to 3.12.2 (#9069) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.12.1 to 3.12.2. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/py-filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.12.1...3.12.2) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5b0b0baa81ff..68860f1e421e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ exceptiongroup==1.1.1 # via pytest execnet==1.9.0 # via pytest-xdist -filelock==3.12.1 +filelock==3.12.2 # via virtualenv idna==3.4 # via requests From ba775bebbd3bbf98ca010b6a9f140fa0a36e9cd1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Jun 2023 13:34:09 +0000 Subject: [PATCH 0053/1014] Bump rich from 13.4.1 to 13.4.2 (#9068) Bumps [rich](https://github.com/Textualize/rich) from 13.4.1 to 13.4.2. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.4.1...v13.4.2) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 68860f1e421e..dcc8422416b0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.4.1 +rich==13.4.2 # via twine ruff==0.0.272 # via cryptography (pyproject.toml) From b508f528c098b0fc969afad023abc625b4f95033 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Jun 2023 13:47:14 +0000 Subject: [PATCH 0054/1014] Bump markdown-it-py from 2.2.0 to 3.0.0 (#9029) Bumps [markdown-it-py](https://github.com/executablebooks/markdown-it-py) from 2.2.0 to 3.0.0. - [Release notes](https://github.com/executablebooks/markdown-it-py/releases) - [Changelog](https://github.com/executablebooks/markdown-it-py/blob/master/CHANGELOG.md) - [Commits](https://github.com/executablebooks/markdown-it-py/compare/v2.2.0...v3.0.0) --- updated-dependencies: - dependency-name: markdown-it-py dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index dcc8422416b0..97aab53280b5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -60,7 +60,7 @@ jinja2==3.1.2 # via sphinx keyring==23.13.1 # via twine -markdown-it-py==2.2.0 +markdown-it-py==3.0.0 # via rich markupsafe==2.1.3 # via jinja2 From fe6a1f2a3aa658e73ff8de514a3ca5d8afae290c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 21:33:00 +0000 Subject: [PATCH 0055/1014] Bump asn1_derive from 0.15.2 to 0.15.3 in /src/rust (#9074) Bumps [asn1_derive](https://github.com/alex/rust-asn1) from 0.15.2 to 0.15.3. - [Commits](https://github.com/alex/rust-asn1/compare/0.15.2...0.15.3) --- updated-dependencies: - dependency-name: asn1_derive dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ce678513dc86..8cfe5a59a94b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -13,9 +13,9 @@ dependencies = [ [[package]] name = "asn1_derive" -version = "0.15.2" +version = "0.15.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a045c3ccad89f244a86bd1e6cf1a7bf645296e7692698b056399b6efd4639407" +checksum = "fb0fc188bc971ced7223151060762f88849ad228b0f2df0d5e3f61893cdf29c1" dependencies = [ "proc-macro2", "quote", From 07f97d970614f9dd420cadd2000cd07528e769f2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 21:33:14 +0000 Subject: [PATCH 0056/1014] Bump asn1 from 0.15.2 to 0.15.3 in /src/rust (#9075) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.15.2 to 0.15.3. - [Commits](https://github.com/alex/rust-asn1/compare/0.15.2...0.15.3) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 8cfe5a59a94b..95f0bb863b70 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,9 +4,9 @@ version = 3 [[package]] name = "asn1" -version = "0.15.2" +version = "0.15.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28c19b9324de5b815b6487e0f8098312791b09de0dbf3d5c2db1fe2d95bab973" +checksum = "634568f903dea9a0ba8225469fde6af27e0e34f2c4d66227b086a3375b69a87a" dependencies = [ "asn1_derive", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 0e82d86c8b10..36960b6303d0 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.56.0" [dependencies] once_cell = "1" pyo3 = { version = "0.19", features = ["abi3-py37"] } -asn1 = { version = "0.15.2", default-features = false } +asn1 = { version = "0.15.3", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 017d51dd44a3..7d5aeca8bdf2 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.56.0" [dependencies] -asn1 = { version = "0.15.2", default-features = false } +asn1 = { version = "0.15.3", default-features = false } From 81901f0eef6b8bf68f38c806b6951f785fa2201c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 21:33:43 +0000 Subject: [PATCH 0057/1014] Bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 (#9072) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/284f54f989303d2699d373481a0cfa13ad5a6666...153407881ec5c347639a548ade7d8ad1d6740e38) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 671d04d9fc36..504a71720860 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" From 857181a0e41d81a9b6aa8b1eec8bac292e221386 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 14 Jun 2023 19:19:57 -0400 Subject: [PATCH 0058/1014] x509: Eq and Hash derives (#9076) Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/certificate.rs | 6 +++--- src/rust/cryptography-x509/src/common.rs | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509/src/certificate.rs b/src/rust/cryptography-x509/src/certificate.rs index 2a5616e93ef9..502ab5413372 100644 --- a/src/rust/cryptography-x509/src/certificate.rs +++ b/src/rust/cryptography-x509/src/certificate.rs @@ -7,14 +7,14 @@ use crate::extensions; use crate::extensions::Extensions; use crate::name; -#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Clone)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Eq, Clone)] pub struct Certificate<'a> { pub tbs_cert: TbsCertificate<'a>, pub signature_alg: common::AlgorithmIdentifier<'a>, pub signature: asn1::BitString<'a>, } -#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Clone)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Eq, Clone)] pub struct TbsCertificate<'a> { #[explicit(0)] #[default(0)] @@ -41,7 +41,7 @@ impl<'a> TbsCertificate<'a> { } } -#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Clone)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Eq, Clone)] pub struct Validity { pub not_before: common::Time, pub not_after: common::Time, diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 4a5d0ebe8bdf..5b073da9f3c2 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -109,7 +109,7 @@ pub enum AlgorithmParameters<'a> { Other(asn1::ObjectIdentifier, Option>), } -#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Clone)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Eq, Clone)] pub struct SubjectPublicKeyInfo<'a> { pub algorithm: AlgorithmIdentifier<'a>, pub subject_public_key: asn1::BitString<'a>, @@ -157,7 +157,7 @@ impl<'a> asn1::Asn1Writable for RawTlv<'a> { } } -#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash, Clone)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone)] pub enum Time { UtcTime(asn1::UtcTime), GeneralizedTime(asn1::GeneralizedTime), @@ -172,7 +172,7 @@ impl Time { } } -#[derive(Hash, PartialEq, Clone)] +#[derive(Hash, PartialEq, Eq, Clone)] pub enum Asn1ReadableOrWritable<'a, T, U> { Read(T, PhantomData<&'a ()>), Write(U, PhantomData<&'a ()>), From 0f51559ee2230130099c34d348b80fa5d2c8f00a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Jun 2023 18:49:35 +0000 Subject: [PATCH 0059/1014] Bump asn1_derive from 0.15.3 to 0.15.4 in /src/rust (#9079) Bumps [asn1_derive](https://github.com/alex/rust-asn1) from 0.15.3 to 0.15.4. - [Commits](https://github.com/alex/rust-asn1/compare/0.15.3...0.15.4) --- updated-dependencies: - dependency-name: asn1_derive dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 95f0bb863b70..c8b7af14a54d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -13,9 +13,9 @@ dependencies = [ [[package]] name = "asn1_derive" -version = "0.15.3" +version = "0.15.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb0fc188bc971ced7223151060762f88849ad228b0f2df0d5e3f61893cdf29c1" +checksum = "fc6da21a2122ddd982cab7a7a73b961d12398e96c2faae5cd4d62593a5e7342f" dependencies = [ "proc-macro2", "quote", From 0fc7e791d2340582d414df5d14c1a3bf206e4757 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Jun 2023 19:03:09 +0000 Subject: [PATCH 0060/1014] Bump asn1 from 0.15.3 to 0.15.4 in /src/rust (#9080) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.15.3 to 0.15.4. - [Commits](https://github.com/alex/rust-asn1/compare/0.15.3...0.15.4) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c8b7af14a54d..3a15dc19e0ac 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,9 +4,9 @@ version = 3 [[package]] name = "asn1" -version = "0.15.3" +version = "0.15.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "634568f903dea9a0ba8225469fde6af27e0e34f2c4d66227b086a3375b69a87a" +checksum = "de594fb2adce376d7955c41e273e1ba22b0476b8763c383362b99c3d78fee593" dependencies = [ "asn1_derive", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 36960b6303d0..77a78ee856f5 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.56.0" [dependencies] once_cell = "1" pyo3 = { version = "0.19", features = ["abi3-py37"] } -asn1 = { version = "0.15.3", default-features = false } +asn1 = { version = "0.15.4", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 7d5aeca8bdf2..166682c4285e 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.56.0" [dependencies] -asn1 = { version = "0.15.3", default-features = false } +asn1 = { version = "0.15.4", default-features = false } From a623021e0f5390dc91e4ad5004a49fa07136ddfc Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 17 Jun 2023 08:24:33 -0400 Subject: [PATCH 0061/1014] extensions: add `Extensions::iter` (#9081) * extensions: add `Extensions::iter` This will make it easier to do criticality checks across the whole extensions sequence. Signed-off-by: William Woodruff * extensions: add an `Extensions::iter` test Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/extensions.rs | 31 ++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 51c283af352c..2191bc1da16c 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -56,6 +56,15 @@ impl<'a> Extensions<'a> { pub fn as_raw(&self) -> &Option> { &self.0 } + + /// Returns an iterator over the underlying extensions. + pub fn iter(&self) -> impl Iterator { + self.as_raw() + .clone() + .map(|raw| raw.unwrap_read().clone()) + .into_iter() + .flatten() + } } #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone)] @@ -252,4 +261,26 @@ mod tests { .get_extension(&AUTHORITY_KEY_IDENTIFIER_OID) .is_none()); } + + #[test] + fn test_extensions_iter() { + let extension_value = BasicConstraints { + ca: true, + path_length: Some(3), + }; + let extension = Extension { + extn_id: BASIC_CONSTRAINTS_OID, + critical: true, + extn_value: &asn1::write_single(&extension_value).unwrap(), + }; + let extensions = SequenceOfWriter::new(vec![extension]); + + let der = asn1::write_single(&extensions).unwrap(); + + let extensions: Extensions = + Extensions::from_raw_extensions(Some(&asn1::parse_single(&der).unwrap())).unwrap(); + + let extension_list: Vec<_> = extensions.iter().collect(); + assert_eq!(extension_list.len(), 1); + } } From b0e31ed67446b94ae507f9f9b0b9aa6767b6b7c0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Jun 2023 08:56:40 -0400 Subject: [PATCH 0062/1014] Only check DH key validity when loading a private key. (#9071) Fixes #9063 --- src/rust/src/backend/dh.rs | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 7f523c09e594..d5993ff5a056 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -102,16 +102,7 @@ fn dh_parameters_from_numbers( .transpose()?; let g = utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "g"))?)?; - let dh = openssl::dh::Dh::from_pqg(p, q, g)?; - if !dh.check_key()? { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "DH private numbers did not pass safety checks.", - ), - )); - } - - Ok(dh) + Ok(openssl::dh::Dh::from_pqg(p, q, g)?) } #[pyo3::prelude::pyfunction] @@ -127,7 +118,16 @@ fn from_private_numbers( let pub_key = utils::py_int_to_bn(py, public_numbers.getattr(pyo3::intern!(py, "y"))?)?; let priv_key = utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "x"))?)?; - let pkey = openssl::pkey::PKey::from_dh(dh.set_key(pub_key, priv_key)?)?; + let dh = dh.set_key(pub_key, priv_key)?; + if !dh.check_key()? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "DH private numbers did not pass safety checks.", + ), + )); + } + + let pkey = openssl::pkey::PKey::from_dh(dh)?; Ok(DHPrivateKey { pkey }) } From ed5ea40ed28e86d924c10ecb49fc647ef0a0dcfd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Jun 2023 09:26:03 -0400 Subject: [PATCH 0063/1014] Added PyPy 3.10 to CI (#8933) --- .github/workflows/ci.yml | 2 +- .github/workflows/wheel-builder.yml | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 615bb9b761eb..502b5051e400 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1"}} - {VERSION: "pypy-3.8", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - - {VERSION: "pypy-3.10-nightly", NOXSESSION: "tests-nocoverage"} + - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1u"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.9"}} - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1"}} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 05f64b548981..96329a642b54 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -60,6 +60,7 @@ jobs: - { VERSION: "cp37-cp37m", ABI_VERSION: 'cp37' } - { VERSION: "pp38-pypy38_pp73" } - { VERSION: "pp39-pypy39_pp73" } + - { VERSION: "pp310-pypy310_pp73" } MANYLINUX: - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"} @@ -74,19 +75,27 @@ jobs: MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp310-pypy310_pp73" } + MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp38-pypy38_pp73" } MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - PYTHON: { VERSION: "pp310-pypy310_pp73" } + MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} # We also don't build pypy wheels for anything except the latest manylinux - PYTHON: { VERSION: "pp38-pypy38_pp73" } MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp310-pypy310_pp73" } + MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp38-pypy38_pp73" } MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - PYTHON: { VERSION: "pp310-pypy310_pp73" } + MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" steps: - name: Ridiculous alpine workaround for actions support on arm64 @@ -175,6 +184,11 @@ jobs: DEPLOYMENT_TARGET: '10.12' _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' ARCHFLAGS: '-arch x86_64' + - VERSION: 'pypy-3.10' + BIN_PATH: 'pypy3' + DEPLOYMENT_TARGET: '10.12' + _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' + ARCHFLAGS: '-arch x86_64' name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - uses: actions/download-artifact@v3.0.2 @@ -253,12 +267,15 @@ jobs: - {VERSION: "3.11", "ABI_VERSION": "cp37"} - {VERSION: "pypy-3.8"} - {VERSION: "pypy-3.9"} + - {VERSION: "pypy-3.10"} exclude: # We need to exclude the below configuration because there is no 32-bit pypy3 - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} PYTHON: {VERSION: "pypy-3.8"} - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} PYTHON: {VERSION: "pypy-3.9"} + - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} + PYTHON: {VERSION: "pypy-3.10"} name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - uses: actions/download-artifact@v3.0.2 From 2455c6c4bd525eaea7c244e6e96368654978254a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Jun 2023 09:36:49 -0700 Subject: [PATCH 0064/1014] Use Extensions::iter (#9085) --- src/rust/src/x509/certificate.rs | 18 ++++++------------ src/rust/src/x509/common.rs | 32 +++++++++++++++----------------- tests/x509/test_x509.py | 2 +- 3 files changed, 22 insertions(+), 30 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 448a4982f781..bb5405c021b3 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -165,18 +165,12 @@ impl Certificate { // Remove the SCT list extension match val.tbs_cert.extensions() { Ok(extensions) => { - let readable_extensions = match extensions.as_raw() { - Some(raw_exts) => raw_exts.unwrap_read().clone(), - None => { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "Could not find any extensions in TBS certificate", - ), - )) - } - }; - let ext_count = readable_extensions.len(); - let filtered_extensions: Vec> = readable_extensions + let ext_count = extensions + .as_raw() + .as_ref() + .map_or(0, |raw| raw.unwrap_read().len()); + let filtered_extensions: Vec> = extensions + .iter() .filter(|x| x.extn_id != oid::PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_OID) .collect(); if filtered_extensions.len() == ext_count { diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index f79c3e62057b..d0c24c686b9e 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -406,23 +406,21 @@ pub(crate) fn parse_and_cache_extensions< let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let exts = pyo3::types::PyList::empty(py); - if let Some(extensions) = extensions.as_raw() { - for raw_ext in extensions.unwrap_read().clone() { - let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; - - let extn_value = match parse_ext(&raw_ext.extn_id, raw_ext.extn_value)? { - Some(e) => e, - None => x509_module.call_method1( - pyo3::intern!(py, "UnrecognizedExtension"), - (oid_obj, raw_ext.extn_value), - )?, - }; - let ext_obj = x509_module.call_method1( - pyo3::intern!(py, "Extension"), - (oid_obj, raw_ext.critical, extn_value), - )?; - exts.append(ext_obj)?; - } + for raw_ext in extensions.iter() { + let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; + + let extn_value = match parse_ext(&raw_ext.extn_id, raw_ext.extn_value)? { + Some(e) => e, + None => x509_module.call_method1( + pyo3::intern!(py, "UnrecognizedExtension"), + (oid_obj, raw_ext.extn_value), + )?, + }; + let ext_obj = x509_module.call_method1( + pyo3::intern!(py, "Extension"), + (oid_obj, raw_ext.critical, extn_value), + )?; + exts.append(ext_obj)?; } let extensions = x509_module .call_method1(pyo3::intern!(py, "Extensions"), (exts,))? diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 0bac1c271cfb..e9841eead9fc 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -1054,7 +1054,7 @@ def test_tbs_precertificate_bytes_no_extensions_raises(self, backend): with pytest.raises( ValueError, - match="Could not find any extensions in TBS certificate", + match="Could not find pre-certificate SCT list extension", ): cert.tbs_precertificate_bytes From 4b296ea3c3ad8e88d248d26540232a99d5d759c5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Jun 2023 09:39:26 -0700 Subject: [PATCH 0065/1014] Remove a bunch of pointless indirections (#9084) --- .../hazmat/backends/openssl/backend.py | 76 ------------------- .../hazmat/primitives/asymmetric/dh.py | 22 +----- .../hazmat/primitives/asymmetric/dsa.py | 31 +++----- .../hazmat/primitives/serialization/base.py | 9 +-- tests/hazmat/primitives/test_dh.py | 2 +- 5 files changed, 19 insertions(+), 121 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 598499a145c8..44cc77b3dd6f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -29,7 +29,6 @@ from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import ( dh, - dsa, ec, ed448, ed25519, @@ -686,43 +685,6 @@ def rsa_encryption_supported(self, padding: AsymmetricPadding) -> bool: else: return self.rsa_padding_supported(padding) - def generate_dsa_parameters(self, key_size: int) -> dsa.DSAParameters: - if key_size not in (1024, 2048, 3072, 4096): - raise ValueError( - "Key size must be 1024, 2048, 3072, or 4096 bits." - ) - - return rust_openssl.dsa.generate_parameters(key_size) - - def generate_dsa_private_key( - self, parameters: dsa.DSAParameters - ) -> dsa.DSAPrivateKey: - return parameters.generate_private_key() - - def generate_dsa_private_key_and_parameters( - self, key_size: int - ) -> dsa.DSAPrivateKey: - parameters = self.generate_dsa_parameters(key_size) - return self.generate_dsa_private_key(parameters) - - def load_dsa_private_numbers( - self, numbers: dsa.DSAPrivateNumbers - ) -> dsa.DSAPrivateKey: - dsa._check_dsa_private_numbers(numbers) - return rust_openssl.dsa.from_private_numbers(numbers) - - def load_dsa_public_numbers( - self, numbers: dsa.DSAPublicNumbers - ) -> dsa.DSAPublicKey: - dsa._check_dsa_parameters(numbers.parameter_numbers) - return rust_openssl.dsa.from_public_numbers(numbers) - - def load_dsa_parameter_numbers( - self, numbers: dsa.DSAParameterNumbers - ) -> dsa.DSAParameters: - dsa._check_dsa_parameters(numbers) - return rust_openssl.dsa.from_parameter_numbers(numbers) - def dsa_supported(self) -> bool: return ( not self._lib.CRYPTOGRAPHY_IS_BORINGSSL and not self._fips_enabled @@ -796,9 +758,6 @@ def load_pem_public_key(self, data: bytes) -> PublicKeyTypes: else: self._handle_key_loading_error() - def load_pem_parameters(self, data: bytes) -> dh.DHParameters: - return rust_openssl.dh.from_pem_parameters(data) - def load_der_private_key( self, data: bytes, @@ -862,9 +821,6 @@ def load_der_public_key(self, data: bytes) -> PublicKeyTypes: else: self._handle_key_loading_error() - def load_der_parameters(self, data: bytes) -> dh.DHParameters: - return rust_openssl.dh.from_der_parameters(data) - def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: data = cert.public_bytes(serialization.Encoding.DER) mem_bio = self._bytes_to_bio(data) @@ -1455,38 +1411,6 @@ def _public_key_bytes( def dh_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL - def generate_dh_parameters( - self, generator: int, key_size: int - ) -> dh.DHParameters: - return rust_openssl.dh.generate_parameters(generator, key_size) - - def generate_dh_private_key( - self, parameters: dh.DHParameters - ) -> dh.DHPrivateKey: - return parameters.generate_private_key() - - def generate_dh_private_key_and_parameters( - self, generator: int, key_size: int - ) -> dh.DHPrivateKey: - return self.generate_dh_private_key( - self.generate_dh_parameters(generator, key_size) - ) - - def load_dh_private_numbers( - self, numbers: dh.DHPrivateNumbers - ) -> dh.DHPrivateKey: - return rust_openssl.dh.from_private_numbers(numbers) - - def load_dh_public_numbers( - self, numbers: dh.DHPublicNumbers - ) -> dh.DHPublicKey: - return rust_openssl.dh.from_public_numbers(numbers) - - def load_dh_parameter_numbers( - self, numbers: dh.DHParameterNumbers - ) -> dh.DHParameters: - return rust_openssl.dh.from_parameter_numbers(numbers) - def dh_parameters_supported( self, p: int, g: int, q: typing.Optional[int] = None ) -> bool: diff --git a/src/cryptography/hazmat/primitives/asymmetric/dh.py b/src/cryptography/hazmat/primitives/asymmetric/dh.py index 751bcc402e94..488a7caf0506 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dh.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dh.py @@ -14,9 +14,7 @@ def generate_parameters( generator: int, key_size: int, backend: typing.Any = None ) -> DHParameters: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.generate_dh_parameters(generator, key_size) + return rust_openssl.dh.generate_parameters(generator, key_size) class DHParameterNumbers: @@ -48,11 +46,7 @@ def __eq__(self, other: object) -> bool: ) def parameters(self, backend: typing.Any = None) -> DHParameters: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_dh_parameter_numbers(self) + return rust_openssl.dh.from_parameter_numbers(self) @property def p(self) -> int: @@ -90,11 +84,7 @@ def __eq__(self, other: object) -> bool: ) def public_key(self, backend: typing.Any = None) -> DHPublicKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_dh_public_numbers(self) + return rust_openssl.dh.from_public_numbers(self) @property def y(self) -> int: @@ -128,11 +118,7 @@ def __eq__(self, other: object) -> bool: ) def private_key(self, backend: typing.Any = None) -> DHPrivateKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_dh_private_numbers(self) + return rust_openssl.dh.from_private_numbers(self) @property def public_numbers(self) -> DHPublicNumbers: diff --git a/src/cryptography/hazmat/primitives/asymmetric/dsa.py b/src/cryptography/hazmat/primitives/asymmetric/dsa.py index a8c52de4fb49..0651d34ddc2e 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dsa.py @@ -162,11 +162,8 @@ def g(self) -> int: return self._g def parameters(self, backend: typing.Any = None) -> DSAParameters: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_dsa_parameter_numbers(self) + _check_dsa_parameters(self) + return rust_openssl.dsa.from_parameter_numbers(self) def __eq__(self, other: object) -> bool: if not isinstance(other, DSAParameterNumbers): @@ -203,11 +200,8 @@ def parameter_numbers(self) -> DSAParameterNumbers: return self._parameter_numbers def public_key(self, backend: typing.Any = None) -> DSAPublicKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_dsa_public_numbers(self) + _check_dsa_parameters(self.parameter_numbers) + return rust_openssl.dsa.from_public_numbers(self) def __eq__(self, other: object) -> bool: if not isinstance(other, DSAPublicNumbers): @@ -246,11 +240,8 @@ def public_numbers(self) -> DSAPublicNumbers: return self._public_numbers def private_key(self, backend: typing.Any = None) -> DSAPrivateKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_dsa_private_numbers(self) + _check_dsa_private_numbers(self) + return rust_openssl.dsa.from_private_numbers(self) def __eq__(self, other: object) -> bool: if not isinstance(other, DSAPrivateNumbers): @@ -264,17 +255,17 @@ def __eq__(self, other: object) -> bool: def generate_parameters( key_size: int, backend: typing.Any = None ) -> DSAParameters: - from cryptography.hazmat.backends.openssl.backend import backend as ossl + if key_size not in (1024, 2048, 3072, 4096): + raise ValueError("Key size must be 1024, 2048, 3072, or 4096 bits.") - return ossl.generate_dsa_parameters(key_size) + return rust_openssl.dsa.generate_parameters(key_size) def generate_private_key( key_size: int, backend: typing.Any = None ) -> DSAPrivateKey: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.generate_dsa_private_key_and_parameters(key_size) + parameters = generate_parameters(key_size) + return parameters.generate_private_key() def _check_dsa_parameters(parameters: DSAParameterNumbers) -> None: diff --git a/src/cryptography/hazmat/primitives/serialization/base.py b/src/cryptography/hazmat/primitives/serialization/base.py index 18a96ccfd5cd..606f6356e187 100644 --- a/src/cryptography/hazmat/primitives/serialization/base.py +++ b/src/cryptography/hazmat/primitives/serialization/base.py @@ -6,6 +6,7 @@ import typing +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.asymmetric import dh from cryptography.hazmat.primitives.asymmetric.types import ( PrivateKeyTypes, @@ -38,9 +39,7 @@ def load_pem_public_key( def load_pem_parameters( data: bytes, backend: typing.Any = None ) -> dh.DHParameters: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_pem_parameters(data) + return rust_openssl.dh.from_pem_parameters(data) def load_der_private_key( @@ -68,6 +67,4 @@ def load_der_public_key( def load_der_parameters( data: bytes, backend: typing.Any = None ) -> dh.DHParameters: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_der_parameters(data) + return rust_openssl.dh.from_der_parameters(data) diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 098d6e142b24..db3dcc30d809 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -224,7 +224,7 @@ def test_convert_to_numbers(self, backend, with_q): g = int(vector["g"], 16) q: typing.Optional[int] = int(vector["q"], 16) else: - parameters = backend.generate_dh_private_key_and_parameters(2, 512) + parameters = dh.generate_parameters(2, 512).generate_private_key() private = parameters.private_numbers() From add40e42fcb2a547d58ee06b6221646f94e6594d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Jun 2023 18:41:54 -0700 Subject: [PATCH 0066/1014] Remove unused indirections (#9086) --- .../hazmat/backends/openssl/backend.py | 56 +------------------ .../hazmat/primitives/asymmetric/ed25519.py | 6 +- .../hazmat/primitives/asymmetric/ed448.py | 7 ++- .../hazmat/primitives/asymmetric/x25519.py | 6 +- .../hazmat/primitives/asymmetric/x448.py | 7 ++- 5 files changed, 16 insertions(+), 66 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 44cc77b3dd6f..b4f9e9df4e17 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -27,18 +27,8 @@ from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding -from cryptography.hazmat.primitives.asymmetric import ( - dh, - ec, - ed448, - ed25519, - rsa, - x448, - x25519, -) -from cryptography.hazmat.primitives.asymmetric import ( - utils as asym_utils, -) +from cryptography.hazmat.primitives.asymmetric import dh, ec, rsa +from cryptography.hazmat.primitives.asymmetric import utils as asym_utils from cryptography.hazmat.primitives.asymmetric.padding import ( MGF1, OAEP, @@ -1426,31 +1416,11 @@ def dh_parameters_supported( def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 - def x25519_load_public_bytes(self, data: bytes) -> x25519.X25519PublicKey: - return rust_openssl.x25519.from_public_bytes(data) - - def x25519_load_private_bytes( - self, data: bytes - ) -> x25519.X25519PrivateKey: - return rust_openssl.x25519.from_private_bytes(data) - - def x25519_generate_key(self) -> x25519.X25519PrivateKey: - return rust_openssl.x25519.generate_key() - def x25519_supported(self) -> bool: if self._fips_enabled: return False return not self._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 - def x448_load_public_bytes(self, data: bytes) -> x448.X448PublicKey: - return rust_openssl.x448.from_public_bytes(data) - - def x448_load_private_bytes(self, data: bytes) -> x448.X448PrivateKey: - return rust_openssl.x448.from_private_bytes(data) - - def x448_generate_key(self) -> x448.X448PrivateKey: - return rust_openssl.x448.generate_key() - def x448_supported(self) -> bool: if self._fips_enabled: return False @@ -1464,19 +1434,6 @@ def ed25519_supported(self) -> bool: return False return self._lib.CRYPTOGRAPHY_HAS_WORKING_ED25519 - def ed25519_load_public_bytes( - self, data: bytes - ) -> ed25519.Ed25519PublicKey: - return rust_openssl.ed25519.from_public_bytes(data) - - def ed25519_load_private_bytes( - self, data: bytes - ) -> ed25519.Ed25519PrivateKey: - return rust_openssl.ed25519.from_private_bytes(data) - - def ed25519_generate_key(self) -> ed25519.Ed25519PrivateKey: - return rust_openssl.ed25519.generate_key() - def ed448_supported(self) -> bool: if self._fips_enabled: return False @@ -1485,15 +1442,6 @@ def ed448_supported(self) -> bool: and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL ) - def ed448_load_public_bytes(self, data: bytes) -> ed448.Ed448PublicKey: - return rust_openssl.ed448.from_public_bytes(data) - - def ed448_load_private_bytes(self, data: bytes) -> ed448.Ed448PrivateKey: - return rust_openssl.ed448.from_private_bytes(data) - - def ed448_generate_key(self) -> ed448.Ed448PrivateKey: - return rust_openssl.ed448.generate_key() - def aead_cipher_supported(self, cipher) -> bool: return aead._aead_cipher_supported(self, cipher) diff --git a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py index f26e54d24ec5..c06c2c86aac6 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py @@ -22,7 +22,7 @@ def from_public_bytes(cls, data: bytes) -> Ed25519PublicKey: _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) - return backend.ed25519_load_public_bytes(data) + return rust_openssl.ed25519.from_public_bytes(data) @abc.abstractmethod def public_bytes( @@ -69,7 +69,7 @@ def generate(cls) -> Ed25519PrivateKey: _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) - return backend.ed25519_generate_key() + return rust_openssl.ed25519.generate_key() @classmethod def from_private_bytes(cls, data: bytes) -> Ed25519PrivateKey: @@ -81,7 +81,7 @@ def from_private_bytes(cls, data: bytes) -> Ed25519PrivateKey: _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) - return backend.ed25519_load_private_bytes(data) + return rust_openssl.ed25519.from_private_bytes(data) @abc.abstractmethod def public_key(self) -> Ed25519PublicKey: diff --git a/src/cryptography/hazmat/primitives/asymmetric/ed448.py b/src/cryptography/hazmat/primitives/asymmetric/ed448.py index a9a34b251b01..78c82c4a3c45 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ed448.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ed448.py @@ -22,7 +22,7 @@ def from_public_bytes(cls, data: bytes) -> Ed448PublicKey: _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) - return backend.ed448_load_public_bytes(data) + return rust_openssl.ed448.from_public_bytes(data) @abc.abstractmethod def public_bytes( @@ -68,7 +68,8 @@ def generate(cls) -> Ed448PrivateKey: "ed448 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) - return backend.ed448_generate_key() + + return rust_openssl.ed448.generate_key() @classmethod def from_private_bytes(cls, data: bytes) -> Ed448PrivateKey: @@ -80,7 +81,7 @@ def from_private_bytes(cls, data: bytes) -> Ed448PrivateKey: _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) - return backend.ed448_load_private_bytes(data) + return rust_openssl.ed448.from_private_bytes(data) @abc.abstractmethod def public_key(self) -> Ed448PublicKey: diff --git a/src/cryptography/hazmat/primitives/asymmetric/x25519.py b/src/cryptography/hazmat/primitives/asymmetric/x25519.py index 699054c9689b..ac5e670c303f 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/x25519.py +++ b/src/cryptography/hazmat/primitives/asymmetric/x25519.py @@ -22,7 +22,7 @@ def from_public_bytes(cls, data: bytes) -> X25519PublicKey: _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) - return backend.x25519_load_public_bytes(data) + return rust_openssl.x25519.from_public_bytes(data) @abc.abstractmethod def public_bytes( @@ -63,7 +63,7 @@ def generate(cls) -> X25519PrivateKey: "X25519 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) - return backend.x25519_generate_key() + return rust_openssl.x25519.generate_key() @classmethod def from_private_bytes(cls, data: bytes) -> X25519PrivateKey: @@ -75,7 +75,7 @@ def from_private_bytes(cls, data: bytes) -> X25519PrivateKey: _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) - return backend.x25519_load_private_bytes(data) + return rust_openssl.x25519.from_private_bytes(data) @abc.abstractmethod def public_key(self) -> X25519PublicKey: diff --git a/src/cryptography/hazmat/primitives/asymmetric/x448.py b/src/cryptography/hazmat/primitives/asymmetric/x448.py index abf7848550b8..86086ab44855 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/x448.py +++ b/src/cryptography/hazmat/primitives/asymmetric/x448.py @@ -22,7 +22,7 @@ def from_public_bytes(cls, data: bytes) -> X448PublicKey: _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) - return backend.x448_load_public_bytes(data) + return rust_openssl.x448.from_public_bytes(data) @abc.abstractmethod def public_bytes( @@ -62,7 +62,8 @@ def generate(cls) -> X448PrivateKey: "X448 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) - return backend.x448_generate_key() + + return rust_openssl.x448.generate_key() @classmethod def from_private_bytes(cls, data: bytes) -> X448PrivateKey: @@ -74,7 +75,7 @@ def from_private_bytes(cls, data: bytes) -> X448PrivateKey: _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) - return backend.x448_load_private_bytes(data) + return rust_openssl.x448.from_private_bytes(data) @abc.abstractmethod def public_key(self) -> X448PublicKey: From 1eac213a967ef5dc3268eddd1dc81fb5ef64dfcb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jun 2023 15:26:45 +0200 Subject: [PATCH 0067/1014] Bump importlib-metadata from 6.6.0 to 6.7.0 (#9087) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 6.6.0 to 6.7.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/CHANGES.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v6.6.0...v6.7.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 97aab53280b5..1da79ad1da68 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -48,7 +48,7 @@ idna==3.4 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==6.6.0 +importlib-metadata==6.7.0 # via # keyring # twine From 818c50d0a2fcd23ad505e6cdddb47c3232162b7e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jun 2023 08:26:51 -0500 Subject: [PATCH 0068/1014] Bump pluggy from 1.0.0 to 1.1.0 (#9090) Bumps [pluggy](https://github.com/pytest-dev/pluggy) from 1.0.0 to 1.1.0. - [Changelog](https://github.com/pytest-dev/pluggy/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pluggy/compare/1.0.0...1.1.0) --- updated-dependencies: - dependency-name: pluggy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1da79ad1da68..c9e82c7c3480 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -93,7 +93,7 @@ platformdirs==3.5.3 # via # black # virtualenv -pluggy==1.0.0 +pluggy==1.1.0 # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) From 91a1423767931783cb29e223b716c1a797ae0b24 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jun 2023 15:27:16 +0200 Subject: [PATCH 0069/1014] Bump platformdirs from 3.5.3 to 3.6.0 (#9088) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.5.3 to 3.6.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.5.3...3.6.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c9e82c7c3480..3762943142a7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.1 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.5.3 +platformdirs==3.6.0 # via # black # virtualenv From dc3301a577b5f0e8d5ed7c9c9926346c1003f411 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jun 2023 13:48:32 +0000 Subject: [PATCH 0070/1014] Bump virtualenv from 20.23.0 to 20.23.1 (#9089) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.23.0 to 20.23.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.23.0...20.23.1) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3762943142a7..aa36a247a0a7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.3 # via # requests # twine -virtualenv==20.23.0 +virtualenv==20.23.1 # via nox webencodings==0.5.1 # via bleach From efc50c75926ad5141e0a5e87c09f6c5d97d0ccad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 13:17:57 +0000 Subject: [PATCH 0071/1014] Bump keyring from 23.13.1 to 24.0.0 (#9092) Bumps [keyring](https://github.com/jaraco/keyring) from 23.13.1 to 24.0.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/CHANGES.rst) - [Commits](https://github.com/jaraco/keyring/compare/v23.13.1...v24.0.0) --- updated-dependencies: - dependency-name: keyring dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index aa36a247a0a7..866e2e0a96e6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -58,7 +58,7 @@ jaraco-classes==3.2.3 # via keyring jinja2==3.1.2 # via sphinx -keyring==23.13.1 +keyring==24.0.0 # via twine markdown-it-py==3.0.0 # via rich From 48863e5bf3ee3068058d6d1f5b9ac914192315a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 13:20:03 +0000 Subject: [PATCH 0072/1014] Bump dtolnay/rust-toolchain (#9091) Bumps [dtolnay/rust-toolchain](https://github.com/dtolnay/rust-toolchain) from 52e69531e6f69a396bc9d1226284493a5db969ff to 1f5cdb56c8779e3efa22473ce181ff83143b172c. - [Release notes](https://github.com/dtolnay/rust-toolchain/releases) - [Commits](https://github.com/dtolnay/rust-toolchain/compare/52e69531e6f69a396bc9d1226284493a5db969ff...1f5cdb56c8779e3efa22473ce181ff83143b172c) --- updated-dependencies: - dependency-name: dtolnay/rust-toolchain dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 502b5051e400..aa5bb462db35 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -70,7 +70,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} - name: Setup rust - uses: dtolnay/rust-toolchain@52e69531e6f69a396bc9d1226284493a5db969ff + uses: dtolnay/rust-toolchain@1f5cdb56c8779e3efa22473ce181ff83143b172c with: toolchain: ${{ matrix.PYTHON.RUST }} components: rustfmt,clippy diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 96329a642b54..a949c5cac548 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -216,7 +216,7 @@ jobs: name: openssl-macos-universal2 path: "../openssl-macos-universal2/" github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: dtolnay/rust-toolchain@52e69531e6f69a396bc9d1226284493a5db969ff + - uses: dtolnay/rust-toolchain@1f5cdb56c8779e3efa22473ce181ff83143b172c with: toolchain: stable # Add the arm64 target in addition to the native arch (x86_64) @@ -287,7 +287,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} - - uses: dtolnay/rust-toolchain@52e69531e6f69a396bc9d1226284493a5db969ff + - uses: dtolnay/rust-toolchain@1f5cdb56c8779e3efa22473ce181ff83143b172c with: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} From b86c358fa5ab9dd6e386436ee2370670b5c1eb49 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 08:49:26 -0500 Subject: [PATCH 0073/1014] Added a timeout to the all-green job (#9094) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aa5bb462db35..e98409962487 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -401,6 +401,7 @@ jobs: runs-on: ubuntu-latest needs: [linux, distros, macos, windows, linux-downstream] if: ${{ always() }} + timeout-minutes: 3 steps: - uses: actions/checkout@v3.5.3 timeout-minutes: 3 From acabd1addeff4e8e24fc2b84906e798d9d42d3d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 13:52:06 +0000 Subject: [PATCH 0074/1014] Bump readme-renderer from 37.3 to 40.0 (#9093) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 37.3 to 40.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/37.3...40.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 866e2e0a96e6..7b8a4e741290 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -125,7 +125,7 @@ pytest-randomly==3.12.0 # via cryptography (pyproject.toml) pytest-xdist==3.3.1 # via cryptography (pyproject.toml) -readme-renderer==37.3 +readme-renderer==40.0 # via twine requests==2.31.0 # via From 97e37c675aea5018d61a2783975008590a557367 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 21:57:30 +0000 Subject: [PATCH 0075/1014] Bump openssl-sys from 0.9.88 to 0.9.90 in /src/rust (#9100) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.88 to 0.9.90. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.88...openssl-sys-v0.9.90) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3a15dc19e0ac..c12799048f9d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -176,9 +176,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.88" +version = "0.9.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2ce0f250f34a308dcfdbb351f511359857d4ed2134ba715a4eadd46e1ffd617" +checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 77a78ee856f5..e5af5eba67e2 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -16,7 +16,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = "1.1" openssl = "0.10.54" -openssl-sys = "0.9.88" +openssl-sys = "0.9.90" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 24e53991b47b..547d692b850e 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.56.0" [dependencies] pyo3 = { version = "0.19", features = ["abi3-py37"] } -openssl-sys = "0.9.88" +openssl-sys = "0.9.90" [build-dependencies] cc = "1.0.72" From ed0445787fdbfde9f456e9322f53479528f132e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 22:04:10 +0000 Subject: [PATCH 0076/1014] Bump target-lexicon from 0.12.7 to 0.12.8 in /src/rust (#9096) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.7 to 0.12.8. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.7...v0.12.8) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c12799048f9d..9d13bad81dfc 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -353,9 +353,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.7" +version = "0.12.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd1ba337640d60c3e96bc6f0638a939b9c9a7f2c316a1598c279828b3d1dc8c5" +checksum = "1b1c7f239eb94671427157bd93b3694320f3668d4e1eff08c7285366fd777fac" [[package]] name = "unicode-ident" From 539d17b09a047ee6889fda37fa4cd43be4360963 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 22:40:47 +0000 Subject: [PATCH 0077/1014] Bump ruff from 0.0.272 to 0.0.273 (#9099) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.272 to 0.0.273. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.272...v0.0.273) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7b8a4e741290..2172996880fa 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.2 # via twine -ruff==0.0.272 +ruff==0.0.273 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 4a12cc55b0e0062879eeeedfd79b2fe8d8a0165f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Jun 2023 22:41:58 +0000 Subject: [PATCH 0078/1014] Bump mypy from 1.3.0 to 1.4.0 (#9098) Bumps [mypy](https://github.com/python/mypy) from 1.3.0 to 1.4.0. - [Commits](https://github.com/python/mypy/compare/v1.3.0...v1.4.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2172996880fa..9b9bb824e2ae 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==9.1.0 # via jaraco-classes -mypy==1.3.0 +mypy==1.4.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From c52e192ed8504020e482a8d17d936df14cac25f2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Jun 2023 23:22:44 -0500 Subject: [PATCH 0079/1014] Update link (#9102) --- docs/hazmat/primitives/asymmetric/dsa.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hazmat/primitives/asymmetric/dsa.rst b/docs/hazmat/primitives/asymmetric/dsa.rst index 5df80149bb9b..bcd4c993d20a 100644 --- a/docs/hazmat/primitives/asymmetric/dsa.rst +++ b/docs/hazmat/primitives/asymmetric/dsa.rst @@ -409,4 +409,4 @@ Key interfaces .. _`public-key`: https://en.wikipedia.org/wiki/Public-key_cryptography .. _`FIPS 186-4`: https://csrc.nist.gov/publications/detail/fips/186/4/final .. _`at least 2048`: https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf -.. _`ongoing protestations`: https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-dsa-is-past-its-prime/ +.. _`ongoing protestations`: https://words.filippo.io/dispatches/dsa/ From aa8dbd81f0e4b11fb0028fe29c476e721e496483 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 21 Jun 2023 14:10:55 +0200 Subject: [PATCH 0080/1014] cryptography-cffi: substitute include path from target sysroot in cross builds (#9105) Existing code gets include path on the target device (e.g. where the code will run). For the cross build environments such as yocto, INCLUDEPY contains the correct value. Fixes #8867. Co-authored-by: Alexander Kanavin --- src/rust/cryptography-cffi/build.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 07590ad2e593..bd39fba9e33b 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -49,7 +49,7 @@ fn main() { println!("cargo:rustc-cfg=python_implementation=\"{}\"", python_impl); let python_include = run_python_script( &python, - "import sysconfig; print(sysconfig.get_path('include'), end='')", + "import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'), end='')", ) .unwrap(); let openssl_include = From 47105c6b7c4c72115919cc63767103c00043a50a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 21 Jun 2023 07:52:52 -0500 Subject: [PATCH 0081/1014] Don't build dh code on BoringSSL (#9103) It doesn't support DH via EVP --- src/rust/src/backend/dh.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index d5993ff5a056..9612106c5262 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -105,6 +105,7 @@ fn dh_parameters_from_numbers( Ok(openssl::dh::Dh::from_pqg(p, q, g)?) } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] #[pyo3::prelude::pyfunction] fn from_private_numbers( py: pyo3::Python<'_>, @@ -131,6 +132,7 @@ fn from_private_numbers( Ok(DHPrivateKey { pkey }) } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] #[pyo3::prelude::pyfunction] fn from_public_numbers( py: pyo3::Python<'_>, @@ -226,6 +228,7 @@ impl DHPrivateKey { )?) } + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn public_key(&self) -> CryptographyResult { let orig_dh = self.pkey.dh().unwrap(); let dh = clone_dh(&orig_dh)?; @@ -353,6 +356,7 @@ impl DHPublicKey { #[pyo3::prelude::pymethods] impl DHParameters { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn generate_private_key(&self) -> CryptographyResult { let dh = clone_dh(&self.dh)?.generate_key()?; Ok(DHPrivateKey { @@ -424,7 +428,9 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_parameter_numbers, m)?)?; From 5a94e0bac224b6b74e044fe50420e2a1468a9249 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Jun 2023 13:11:57 +0000 Subject: [PATCH 0082/1014] Bump openssl from 0.10.54 to 0.10.55 in /src/rust (#9101) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.54 to 0.10.55. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.54...openssl-v0.10.55) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9d13bad81dfc..04fef310dc58 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -150,9 +150,9 @@ checksum = "9670a07f94779e00908f3e686eab508878ebb390ba6e604d3a284c00e8d0487b" [[package]] name = "openssl" -version = "0.10.54" +version = "0.10.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69b3f656a17a6cbc115b5c7a40c616947d213ba182135b014d6051b73ab6f019" +checksum = "345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e5af5eba67e2..7fc45add24b6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = "1.1" -openssl = "0.10.54" +openssl = "0.10.55" openssl-sys = "0.9.90" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index c85f406ae616..cc25950ea847 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.56.0" [dependencies] -openssl = "0.10.54" +openssl = "0.10.55" ffi = { package = "openssl-sys", version = "0.9.85" } foreign-types = "0.3" foreign-types-shared = "0.1" From 8482b3b8241a1566b7f9a7b5cece99d6241c5a00 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Jun 2023 13:19:37 +0000 Subject: [PATCH 0083/1014] Bump pluggy from 1.1.0 to 1.2.0 (#9107) Bumps [pluggy](https://github.com/pytest-dev/pluggy) from 1.1.0 to 1.2.0. - [Changelog](https://github.com/pytest-dev/pluggy/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pluggy/compare/1.1.0...1.2.0) --- updated-dependencies: - dependency-name: pluggy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9b9bb824e2ae..aeb0292dab9a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -93,7 +93,7 @@ platformdirs==3.6.0 # via # black # virtualenv -pluggy==1.1.0 +pluggy==1.2.0 # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) From 4401b411693401e1a685bf0a1da56a2b775f2ee6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 21 Jun 2023 13:36:24 +0000 Subject: [PATCH 0084/1014] Bump BoringSSL and/or OpenSSL in CI (#9037) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e98409962487..df2ea3dfc78f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,10 +46,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 06, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "4a0393fcf37d7dbd090a5bb2293601a9ec7605da"}} - # Latest commit on the OpenSSL master branch, as of Jun 05, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "80935bf5ad309bf6c03591acf1d48fe1db57b78f"}} + # Latest commit on the BoringSSL master branch, as of Jun 21, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9c30e5389c6878fc95d21e754df935a1d71f333d"}} + # Latest commit on the OpenSSL master branch, as of Jun 21, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7197abddb891933f52ec84dafb41b685d4a1d122"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 4aa15f4f08d98918543a2708e8209151c2110ef4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Jun 2023 13:36:55 +0000 Subject: [PATCH 0085/1014] Bump ruff from 0.0.273 to 0.0.274 (#9108) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.273 to 0.0.274. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.273...v0.0.274) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index aeb0292dab9a..b1a7f29e3376 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.2 # via twine -ruff==0.0.273 +ruff==0.0.274 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 46a63d0ced519eb98538dbdd31b5e6632055329e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Jun 2023 13:44:08 +0000 Subject: [PATCH 0086/1014] Bump platformdirs from 3.6.0 to 3.7.0 (#9106) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.6.0 to 3.7.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.6.0...3.7.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b1a7f29e3376..e8d627d35a4f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.1 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.6.0 +platformdirs==3.7.0 # via # black # virtualenv From 3e7145d2394e55cae897cb750a533d3af6e6815b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Jun 2023 13:13:22 +0000 Subject: [PATCH 0087/1014] Bump keyring from 24.0.0 to 24.0.1 (#9112) Bumps [keyring](https://github.com/jaraco/keyring) from 24.0.0 to 24.0.1. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.0.0...v24.0.1) --- updated-dependencies: - dependency-name: keyring dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e8d627d35a4f..131e84495af2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -58,7 +58,7 @@ jaraco-classes==3.2.3 # via keyring jinja2==3.1.2 # via sphinx -keyring==24.0.0 +keyring==24.0.1 # via twine markdown-it-py==3.0.0 # via rich From 27f8745dc49644b3422b5c6634a5512afb97c3de Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Thu, 22 Jun 2023 15:20:46 -0300 Subject: [PATCH 0088/1014] ci: Update GitHub owned actions to be referenced by SHA. Work automated using StepSecurity (#9113) Signed-off-by: StepSecurity Bot Co-authored-by: StepSecurity Bot --- .github/workflows/auto-close-stale.yml | 2 +- .github/workflows/benchmark.yml | 6 ++-- .../workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 30 +++++++++---------- .github/workflows/linkcheck.yml | 4 +-- .github/workflows/wheel-builder.yml | 22 +++++++------- 6 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/workflows/auto-close-stale.yml b/.github/workflows/auto-close-stale.yml index 46b4d3e2a9cf..3da5e1924ad7 100644 --- a/.github/workflows/auto-close-stale.yml +++ b/.github/workflows/auto-close-stale.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/stale@v8.0.0 + - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: only-labels: waiting-on-reporter days-before-stale: 3 diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 1e5a3271240a..f0a44b9489c7 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -21,12 +21,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: repository: "pyca/cryptography" @@ -35,7 +35,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: "3.11" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 504a71720860..50aceca61a1d 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index df2ea3dfc78f..58988e37e281 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,13 +60,13 @@ jobs: - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON.VERSION }} - name: Setup rust @@ -93,7 +93,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@v3.3.1 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 id: ossl-cache timeout-minutes: 2 with: @@ -178,7 +178,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -229,7 +229,7 @@ jobs: RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -240,7 +240,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 @@ -291,13 +291,13 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -362,7 +362,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -370,7 +370,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON }} - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install @@ -403,7 +403,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 timeout-minutes: 3 with: persist-credentials: false @@ -413,14 +413,14 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: '3.11' - run: pip install -c ci-constraints-requirements.txt coverage[toml] if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@v3.0.2 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: coverage-data - name: Combine coverage and fail if it's <100%. @@ -462,14 +462,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@v3.1.2 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@v3.1.2 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 1ee535180993..a69e123c07b3 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -21,12 +21,12 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index a949c5cac548..3a1834666ee0 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@v3.1.2 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@v3.1.2 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -107,7 +107,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.MANYLINUX.NAME == 'musllinux_1_1_aarch64' - - uses: actions/download-artifact@v3.0.2 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: cryptography-sdist @@ -140,7 +140,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@v3.1.2 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}" path: cryptography-wheelhouse/ @@ -191,7 +191,7 @@ jobs: ARCHFLAGS: '-arch x86_64' name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - - uses: actions/download-artifact@v3.0.2 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: cryptography-sdist @@ -203,7 +203,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -249,7 +249,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@v3.1.2 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -278,12 +278,12 @@ jobs: PYTHON: {VERSION: "pypy-3.10"} name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - - uses: actions/download-artifact@v3.0.2 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@v4.6.1 + uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -324,7 +324,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@v3.1.2 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION}}" path: cryptography-wheelhouse\ From 4ae49a46eceb8a12249086b942cb83f3fd328da9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Jun 2023 00:17:59 +0000 Subject: [PATCH 0089/1014] Bump BoringSSL and/or OpenSSL in CI (#9116) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58988e37e281..612ec21319d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 21, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9c30e5389c6878fc95d21e754df935a1d71f333d"}} + # Latest commit on the BoringSSL master branch, as of Jun 23, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a905bbb52a7bac5099f2cbee008c6f3eae96218c"}} # Latest commit on the OpenSSL master branch, as of Jun 21, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7197abddb891933f52ec84dafb41b685d4a1d122"}} # Builds with various Rust versions. Includes MSRV and next From 42acf4091c91e68cbd31e704f5af8be8ecfebc9b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 22 Jun 2023 23:25:46 -0400 Subject: [PATCH 0090/1014] Enable ruff's own ruleset (#9114) --- pyproject.toml | 2 +- setup.py | 2 +- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- .../hazmat/primitives/serialization/pkcs7.py | 4 ++-- .../hazmat/primitives/serialization/ssh.py | 4 ++-- src/cryptography/utils.py | 2 +- src/cryptography/x509/base.py | 12 ++++++------ src/cryptography/x509/ocsp.py | 4 ++-- tests/hazmat/backends/test_openssl_memleak.py | 6 +----- tests/hazmat/primitives/test_aead.py | 2 +- tests/hazmat/primitives/test_dh.py | 8 +++----- tests/hazmat/primitives/test_dsa.py | 8 +++----- tests/hazmat/primitives/test_pkcs12.py | 4 ++-- tests/hazmat/primitives/test_rsa.py | 8 +++----- tests/hazmat/primitives/test_ssh.py | 4 ++-- tests/hazmat/primitives/test_x963_vectors.py | 4 +++- tests/x509/test_x509.py | 4 +++- 17 files changed, 37 insertions(+), 43 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index c1701cbdbaf5..ceb5009852f5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -138,7 +138,7 @@ exclude_lines = [ # UP006: Minimum Python 3.9 # UP007, UP038: Minimum Python 3.10 ignore = ['N818', 'UP006', 'UP007', 'UP038'] -select = ['E', 'F', 'I', 'N', 'W', 'UP'] +select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF'] line-length = 79 [tool.ruff.isort] diff --git a/setup.py b/setup.py index 4fe0c027c17c..87ca197207cc 100644 --- a/setup.py +++ b/setup.py @@ -58,7 +58,7 @@ ) ], ) -except: # noqa: E722 +except: # Note: This is a bare exception that re-raises so that we don't interfere # with anything the installation machinery might want to do. Because we # print this for any exception this msg can appear (e.g. in verbose logs) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index b4f9e9df4e17..ac741659e671 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -96,7 +96,7 @@ class Backend: # disallowed algorithms are still present in OpenSSL. They just error if # you try to use them. To avoid that we allowlist the algorithms in # FIPS 140-3. This isn't ideal, but FIPS 140-3 is trash so here we are. - _fips_aead = { + _fips_aead: typing.ClassVar[typing.Set[bytes]] = { b"aes-128-ccm", b"aes-192-ccm", b"aes-256-ccm", diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index 9998bcaa1131..e06333a6d651 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -111,7 +111,7 @@ def add_signer( return PKCS7SignatureBuilder( self._data, - self._signers + [(certificate, private_key, hash_algorithm)], + [*self._signers, (certificate, private_key, hash_algorithm)], ) def add_certificate( @@ -121,7 +121,7 @@ def add_certificate( raise TypeError("certificate must be a x509.Certificate") return PKCS7SignatureBuilder( - self._data, self._signers, self._additional_certs + [certificate] + self._data, self._signers, [*self._additional_certs, certificate] ) def sign( diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index 7725c83543e8..c6177cf5630a 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -1356,7 +1356,7 @@ def add_critical_option( _valid_for_all_principals=self._valid_for_all_principals, _valid_before=self._valid_before, _valid_after=self._valid_after, - _critical_options=self._critical_options + [(name, value)], + _critical_options=[*self._critical_options, (name, value)], _extensions=self._extensions, ) @@ -1379,7 +1379,7 @@ def add_extension( _valid_before=self._valid_before, _valid_after=self._valid_after, _critical_options=self._critical_options, - _extensions=self._extensions + [(name, value)], + _extensions=[*self._extensions, (name, value)], ) def sign(self, private_key: SSHCertPrivateKeyTypes) -> SSHCertificate: diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index 719168168440..5facac1aef06 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -85,7 +85,7 @@ def __delattr__(self, attr: str) -> None: delattr(self._module, attr) def __dir__(self) -> typing.Sequence[str]: - return ["_module"] + dir(self._module) + return ["_module", *dir(self._module)] def deprecated( diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 576385e088d8..3d9d7c4228b3 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -664,7 +664,7 @@ def add_extension( return CertificateSigningRequestBuilder( self._subject_name, - self._extensions + [extension], + [*self._extensions, extension], self._attributes, ) @@ -697,7 +697,7 @@ def add_attribute( return CertificateSigningRequestBuilder( self._subject_name, self._extensions, - self._attributes + [(oid, value, tag)], + [*self._attributes, (oid, value, tag)], ) def sign( @@ -916,7 +916,7 @@ def add_extension( self._serial_number, self._not_valid_before, self._not_valid_after, - self._extensions + [extension], + [*self._extensions, extension], ) def sign( @@ -1057,7 +1057,7 @@ def add_extension( self._issuer_name, self._last_update, self._next_update, - self._extensions + [extension], + [*self._extensions, extension], self._revoked_certificates, ) @@ -1075,7 +1075,7 @@ def add_revoked_certificate( self._last_update, self._next_update, self._extensions, - self._revoked_certificates + [revoked_certificate], + [*self._revoked_certificates, revoked_certificate], ) def sign( @@ -1152,7 +1152,7 @@ def add_extension( return RevokedCertificateBuilder( self._serial_number, self._revocation_date, - self._extensions + [extension], + [*self._extensions, extension], ) def build(self, backend: typing.Any = None) -> RevokedCertificate: diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 7054795fcda8..a3546230e2a7 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -478,7 +478,7 @@ def add_extension( _reject_duplicate_extension(extension, self._extensions) return OCSPRequestBuilder( - self._request, self._request_hash, self._extensions + [extension] + self._request, self._request_hash, [*self._extensions, extension] ) def build(self) -> OCSPRequest: @@ -583,7 +583,7 @@ def add_extension( self._response, self._responder_id, self._certs, - self._extensions + [extension], + [*self._extensions, extension], ) def sign( diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py index 05e8f9480356..371a7c990188 100644 --- a/tests/hazmat/backends/test_openssl_memleak.py +++ b/tests/hazmat/backends/test_openssl_memleak.py @@ -172,11 +172,7 @@ def assert_no_memory_leaks(s, argv=[]): env.pop("COV_CORE_DATAFILE", None) env.pop("COV_CORE_SOURCE", None) - argv = [ - sys.executable, - "-c", - f"{s}\n\n{MEMORY_LEAK_SCRIPT}", - ] + argv + argv = [sys.executable, "-c", f"{s}\n\n{MEMORY_LEAK_SCRIPT}", *argv] # Shell out to a fresh Python process because OpenSSL does not allow you to # install new memory hooks after the first malloc/free occurs. proc = subprocess.Popen( diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index c6811a496b24..5ae306254468 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -696,7 +696,7 @@ def test_vectors_invalid(self, backend, subtests): badkey = AESSIV(AESSIV.generate_key(256)) badkey.decrypt(ct, aad) with pytest.raises(InvalidTag): - aessiv.decrypt(ct, aad + [b""]) + aessiv.decrypt(ct, [*aad, b""]) with pytest.raises(InvalidTag): aessiv.decrypt(ct, [b"nonsense"]) with pytest.raises(InvalidTag): diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index db3dcc30d809..4a9afc15a560 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -932,9 +932,7 @@ def test_public_bytes_values( serialization.PublicFormat.SubjectPublicKeyInfo, ), (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1), - ] - + list( - itertools.product( + *itertools.product( [ serialization.Encoding.Raw, serialization.Encoding.X962, @@ -946,8 +944,8 @@ def test_public_bytes_values( serialization.PublicFormat.UncompressedPoint, serialization.PublicFormat.CompressedPoint, ], - ) - ), + ), + ], ) def test_public_bytes_rejects_invalid(self, encoding, fmt, backend): parameters = FFDH3072_P.parameters(backend) diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 00920868fc65..bf50c47c4295 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -988,9 +988,7 @@ def test_public_bytes_pkcs1_unsupported(self, backend): serialization.PublicFormat.SubjectPublicKeyInfo, ), (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1), - ] - + list( - itertools.product( + *itertools.product( [ serialization.Encoding.Raw, serialization.Encoding.X962, @@ -1002,8 +1000,8 @@ def test_public_bytes_pkcs1_unsupported(self, backend): serialization.PublicFormat.UncompressedPoint, serialization.PublicFormat.CompressedPoint, ], - ) - ), + ), + ], ) def test_public_bytes_rejects_invalid(self, encoding, fmt, backend): key = DSA_KEY_2048.private_key(backend).public_key() diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index f44fdd115af3..0ff9f5693ad4 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -796,11 +796,11 @@ def test_certificate_repr(self, backend): cert = _load_cert(backend, os.path.join("x509", "cryptography.io.pem")) assert ( repr(PKCS12Certificate(cert, None)) - == f"" + == f"" ) assert ( repr(PKCS12Certificate(cert, b"a")) - == f"" + == f"" ) def test_key_and_certificates_constructor(self, backend): diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 017e02d424b2..85459a59461a 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -2740,9 +2740,7 @@ def test_public_bytes_invalid_format( serialization.PublicFormat.SubjectPublicKeyInfo, ), (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1), - ] - + list( - itertools.product( + *itertools.product( [ serialization.Encoding.Raw, serialization.Encoding.X962, @@ -2754,8 +2752,8 @@ def test_public_bytes_invalid_format( serialization.PublicFormat.UncompressedPoint, serialization.PublicFormat.CompressedPoint, ], - ) - ), + ), + ], ) def test_public_bytes_rejects_invalid( self, rsa_key_2048: rsa.RSAPrivateKey, encoding, fmt, backend diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index d55e148c7a3d..a0f6db2e7630 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -404,12 +404,12 @@ def make_file( priv_type = pub_type pub = ssh._FragList() - for elem in (pub_type,) + pub_fields: + for elem in (pub_type, *pub_fields): pub.put_sshstr(elem) secret = ssh._FragList([checkval1, checkval2]) for i in range(nkeys): - for elem in (priv_type,) + priv_fields + (comment,): + for elem in (priv_type, *priv_fields, comment): secret.put_sshstr(elem) if pad is None: diff --git a/tests/hazmat/primitives/test_x963_vectors.py b/tests/hazmat/primitives/test_x963_vectors.py index 92f396e2c508..7614c373c9ea 100644 --- a/tests/hazmat/primitives/test_x963_vectors.py +++ b/tests/hazmat/primitives/test_x963_vectors.py @@ -26,7 +26,9 @@ def _skip_hashfn_unsupported(backend, hashfn): class TestX963: - _algorithms_dict: typing.Dict[str, typing.Type[hashes.HashAlgorithm]] = { + _algorithms_dict: typing.ClassVar[ + typing.Dict[str, typing.Type[hashes.HashAlgorithm]] + ] = { "SHA-1": hashes.SHA1, "SHA-224": hashes.SHA224, "SHA-256": hashes.SHA256, diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index e9841eead9fc..188de07ac1a5 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5437,7 +5437,9 @@ def test_bad_time_in_validity(self, backend): class TestNameAttribute: - EXPECTED_TYPES = [ + EXPECTED_TYPES: typing.ClassVar[ + typing.List[typing.Tuple[x509.ObjectIdentifier, _ASN1Type]] + ] = [ (NameOID.COMMON_NAME, _ASN1Type.UTF8String), (NameOID.COUNTRY_NAME, _ASN1Type.PrintableString), (NameOID.LOCALITY_NAME, _ASN1Type.UTF8String), From 31c3f2daf8d3e07f4b458138060276d7e968b2ca Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 22 Jun 2023 23:26:38 -0400 Subject: [PATCH 0091/1014] Attach version comments to all pinned actions (#9115) Excludes dtolnay/rust-toolchain since those are a commit on main --- .github/actions/cache/action.yml | 4 ++-- .github/actions/upload-coverage/action.yml | 2 +- .github/actions/wycheproof/action.yml | 2 +- .github/workflows/boring-open-version-bump.yml | 4 ++-- .github/workflows/ci.yml | 6 +++--- .github/workflows/lock.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 15361a6b166f..3e487eb934da 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -34,7 +34,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: actions/cache@v3.3.1 + - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 id: cache with: path: | @@ -50,4 +50,4 @@ runs: shell: bash if: ${{ steps.cache.outputs.cache-hit }} - name: Run sccache-cache - uses: mozilla-actions/sccache-action@8417cffc2ec64127ad83077aceaa8631f7cdc83e + uses: mozilla-actions/sccache-action@8417cffc2ec64127ad83077aceaa8631f7cdc83e # v0.0.3 diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 8fa9cca4e630..5f2a0add7799 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@v3.1.2 + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: coverage-data path: | diff --git a/.github/actions/wycheproof/action.yml b/.github/actions/wycheproof/action.yml index 52a6a93d0ca2..0c0a9d329a06 100644 --- a/.github/actions/wycheproof/action.yml +++ b/.github/actions/wycheproof/action.yml @@ -5,7 +5,7 @@ runs: using: "composite" steps: - - uses: actions/checkout@v3.5.3 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: repository: "google/wycheproof" path: "wycheproof" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 50aceca61a1d..fccc8a150753 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -51,14 +51,14 @@ jobs: sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml git status if: steps.check-sha-openssl.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 + - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0 id: generate-token with: app_id: ${{ secrets.BORINGBOT_APP_ID }} private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 612ec21319d0..e62ca7cb0c8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -252,7 +252,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/wycheproof - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 + - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -309,7 +309,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 + - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 with: repo: pyca/infra workflow: build-windows-openssl.yml @@ -408,7 +408,7 @@ jobs: with: persist-credentials: false - name: Decide whether the needed jobs succeeded or failed - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe + uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 with: jobs: ${{ toJSON(needs) }} - name: Setup python diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 20b334000abb..b934d29bcbca 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -12,7 +12,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 + - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} issue-inactive-days: 90 diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index eed42830ecc7..96dad5f8a4d6 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -25,7 +25,7 @@ jobs: permissions: id-token: "write" steps: - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 + - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 3a1834666ee0..495b8c77f999 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -207,7 +207,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 + - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -292,7 +292,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 + - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 with: repo: pyca/infra workflow: build-windows-openssl.yml From f38eb4a0e45645e6a43f8dd589f1d3ce1103e83c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Jun 2023 00:36:41 -0400 Subject: [PATCH 0092/1014] Migrate EC support to Rust (#9024) --- .../hazmat/backends/openssl/backend.py | 261 +------- .../hazmat/backends/openssl/ec.py | 328 ---------- .../hazmat/backends/openssl/utils.py | 33 - .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/_rust/openssl/ec.pyi | 27 + .../hazmat/primitives/asymmetric/ec.py | 3 + src/rust/build.rs | 8 + src/rust/src/backend/ec.rs | 574 ++++++++++++++++++ src/rust/src/backend/mod.rs | 2 + src/rust/src/backend/utils.rs | 57 +- tests/hazmat/backends/test_openssl.py | 7 - tests/hazmat/primitives/test_ec.py | 7 +- 12 files changed, 695 insertions(+), 614 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/ec.py create mode 100644 src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi create mode 100644 src/rust/src/backend/ec.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index ac741659e671..b4294224035a 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -8,17 +8,12 @@ import contextlib import itertools import typing -from contextlib import contextmanager from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.backends.openssl.cmac import _CMACContext -from cryptography.hazmat.backends.openssl.ec import ( - _EllipticCurvePrivateKey, - _EllipticCurvePublicKey, -) from cryptography.hazmat.backends.openssl.rsa import ( _RSAPrivateKey, _RSAPublicKey, @@ -542,10 +537,9 @@ def _evp_pkey_to_private_key( int(self._ffi.cast("uintptr_t", evp_pkey)) ) elif key_type == self._lib.EVP_PKEY_EC: - ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey) - self.openssl_assert(ec_cdata != self._ffi.NULL) - ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) + return rust_openssl.ec.private_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)) + ) elif key_type in self._dh_types: return rust_openssl.dh.private_key_from_ptr( int(self._ffi.cast("uintptr_t", evp_pkey)) @@ -603,12 +597,9 @@ def _evp_pkey_to_public_key(self, evp_pkey) -> PublicKeyTypes: int(self._ffi.cast("uintptr_t", evp_pkey)) ) elif key_type == self._lib.EVP_PKEY_EC: - ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey) - if ec_cdata == self._ffi.NULL: - errors = self._consume_errors() - raise ValueError("Unable to load EC key", errors) - ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) + return rust_openssl.ec.public_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)) + ) elif key_type in self._dh_types: return rust_openssl.dh.public_key_from_ptr( int(self._ffi.cast("uintptr_t", evp_pkey)) @@ -944,20 +935,7 @@ def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: ): return False - try: - curve_nid = self._elliptic_curve_to_nid(curve) - except UnsupportedAlgorithm: - curve_nid = self._lib.NID_undef - - group = self._lib.EC_GROUP_new_by_curve_name(curve_nid) - - if group == self._ffi.NULL: - self._consume_errors() - return False - else: - self.openssl_assert(curve_nid != self._lib.NID_undef) - self._lib.EC_GROUP_free(group) - return True + return rust_openssl.ec.curve_supported(curve) def elliptic_curve_signature_algorithm_supported( self, @@ -979,158 +957,27 @@ def generate_elliptic_curve_private_key( """ Generate a new private key on the named curve. """ - - if self.elliptic_curve_supported(curve): - ec_cdata = self._ec_key_new_by_curve(curve) - - res = self._lib.EC_KEY_generate_key(ec_cdata) - self.openssl_assert(res == 1) - - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) - else: - raise UnsupportedAlgorithm( - f"Backend object does not support {curve.name}.", - _Reasons.UNSUPPORTED_ELLIPTIC_CURVE, - ) + return rust_openssl.ec.generate_private_key(curve) def load_elliptic_curve_private_numbers( self, numbers: ec.EllipticCurvePrivateNumbers ) -> ec.EllipticCurvePrivateKey: - public = numbers.public_numbers - - ec_cdata = self._ec_key_new_by_curve(public.curve) - - private_value = self._ffi.gc( - self._int_to_bn(numbers.private_value), self._lib.BN_clear_free - ) - res = self._lib.EC_KEY_set_private_key(ec_cdata, private_value) - if res != 1: - self._consume_errors() - raise ValueError("Invalid EC key.") - - with self._tmp_bn_ctx() as bn_ctx: - self._ec_key_set_public_key_affine_coordinates( - ec_cdata, public.x, public.y, bn_ctx - ) - # derive the expected public point and compare it to the one we - # just set based on the values we were given. If they don't match - # this isn't a valid key pair. - group = self._lib.EC_KEY_get0_group(ec_cdata) - self.openssl_assert(group != self._ffi.NULL) - set_point = backend._lib.EC_KEY_get0_public_key(ec_cdata) - self.openssl_assert(set_point != self._ffi.NULL) - computed_point = self._lib.EC_POINT_new(group) - self.openssl_assert(computed_point != self._ffi.NULL) - computed_point = self._ffi.gc( - computed_point, self._lib.EC_POINT_free - ) - res = self._lib.EC_POINT_mul( - group, - computed_point, - private_value, - self._ffi.NULL, - self._ffi.NULL, - bn_ctx, - ) - self.openssl_assert(res == 1) - if ( - self._lib.EC_POINT_cmp( - group, set_point, computed_point, bn_ctx - ) - != 0 - ): - raise ValueError("Invalid EC key.") - - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) + return rust_openssl.ec.from_private_numbers(numbers) def load_elliptic_curve_public_numbers( self, numbers: ec.EllipticCurvePublicNumbers ) -> ec.EllipticCurvePublicKey: - ec_cdata = self._ec_key_new_by_curve(numbers.curve) - with self._tmp_bn_ctx() as bn_ctx: - self._ec_key_set_public_key_affine_coordinates( - ec_cdata, numbers.x, numbers.y, bn_ctx - ) - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) + return rust_openssl.ec.from_public_numbers(numbers) def load_elliptic_curve_public_bytes( self, curve: ec.EllipticCurve, point_bytes: bytes ) -> ec.EllipticCurvePublicKey: - ec_cdata = self._ec_key_new_by_curve(curve) - group = self._lib.EC_KEY_get0_group(ec_cdata) - self.openssl_assert(group != self._ffi.NULL) - point = self._lib.EC_POINT_new(group) - self.openssl_assert(point != self._ffi.NULL) - point = self._ffi.gc(point, self._lib.EC_POINT_free) - with self._tmp_bn_ctx() as bn_ctx: - res = self._lib.EC_POINT_oct2point( - group, point, point_bytes, len(point_bytes), bn_ctx - ) - if res != 1: - self._consume_errors() - raise ValueError("Invalid public bytes for the given curve") - - res = self._lib.EC_KEY_set_public_key(ec_cdata, point) - self.openssl_assert(res == 1) - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) + return rust_openssl.ec.from_public_bytes(curve, point_bytes) def derive_elliptic_curve_private_key( self, private_value: int, curve: ec.EllipticCurve ) -> ec.EllipticCurvePrivateKey: - ec_cdata = self._ec_key_new_by_curve(curve) - - group = self._lib.EC_KEY_get0_group(ec_cdata) - self.openssl_assert(group != self._ffi.NULL) - - point = self._lib.EC_POINT_new(group) - self.openssl_assert(point != self._ffi.NULL) - point = self._ffi.gc(point, self._lib.EC_POINT_free) - - value = self._int_to_bn(private_value) - value = self._ffi.gc(value, self._lib.BN_clear_free) - - with self._tmp_bn_ctx() as bn_ctx: - res = self._lib.EC_POINT_mul( - group, point, value, self._ffi.NULL, self._ffi.NULL, bn_ctx - ) - self.openssl_assert(res == 1) - - bn_x = self._lib.BN_CTX_get(bn_ctx) - bn_y = self._lib.BN_CTX_get(bn_ctx) - - res = self._lib.EC_POINT_get_affine_coordinates( - group, point, bn_x, bn_y, bn_ctx - ) - if res != 1: - self._consume_errors() - raise ValueError("Unable to derive key from private_value") - - res = self._lib.EC_KEY_set_public_key(ec_cdata, point) - self.openssl_assert(res == 1) - private = self._int_to_bn(private_value) - private = self._ffi.gc(private, self._lib.BN_clear_free) - res = self._lib.EC_KEY_set_private_key(ec_cdata, private) - self.openssl_assert(res == 1) - - evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - - return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) - - def _ec_key_new_by_curve(self, curve: ec.EllipticCurve): - curve_nid = self._elliptic_curve_to_nid(curve) - return self._ec_key_new_by_curve_nid(curve_nid) - - def _ec_key_new_by_curve_nid(self, curve_nid: int): - ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid) - self.openssl_assert(ec_cdata != self._ffi.NULL) - return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) + return rust_openssl.ec.derive_private_key(private_value, curve) def elliptic_curve_exchange_algorithm_supported( self, algorithm: ec.ECDH, curve: ec.EllipticCurve @@ -1139,73 +986,6 @@ def elliptic_curve_exchange_algorithm_supported( algorithm, ec.ECDH ) - def _ec_cdata_to_evp_pkey(self, ec_cdata): - evp_pkey = self._create_evp_pkey_gc() - res = self._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, ec_cdata) - self.openssl_assert(res == 1) - return evp_pkey - - def _elliptic_curve_to_nid(self, curve: ec.EllipticCurve) -> int: - """ - Get the NID for a curve name. - """ - - curve_aliases = {"secp192r1": "prime192v1", "secp256r1": "prime256v1"} - - curve_name = curve_aliases.get(curve.name, curve.name) - - curve_nid = self._lib.OBJ_sn2nid(curve_name.encode()) - if curve_nid == self._lib.NID_undef: - raise UnsupportedAlgorithm( - f"{curve.name} is not a supported elliptic curve", - _Reasons.UNSUPPORTED_ELLIPTIC_CURVE, - ) - return curve_nid - - @contextmanager - def _tmp_bn_ctx(self): - bn_ctx = self._lib.BN_CTX_new() - self.openssl_assert(bn_ctx != self._ffi.NULL) - bn_ctx = self._ffi.gc(bn_ctx, self._lib.BN_CTX_free) - self._lib.BN_CTX_start(bn_ctx) - try: - yield bn_ctx - finally: - self._lib.BN_CTX_end(bn_ctx) - - def _ec_key_set_public_key_affine_coordinates( - self, - ec_cdata, - x: int, - y: int, - bn_ctx, - ) -> None: - """ - Sets the public key point in the EC_KEY context to the affine x and y - values. - """ - - if x < 0 or y < 0: - raise ValueError( - "Invalid EC key. Both x and y must be non-negative." - ) - - x = self._ffi.gc(self._int_to_bn(x), self._lib.BN_free) - y = self._ffi.gc(self._int_to_bn(y), self._lib.BN_free) - group = self._lib.EC_KEY_get0_group(ec_cdata) - self.openssl_assert(group != self._ffi.NULL) - point = self._lib.EC_POINT_new(group) - self.openssl_assert(point != self._ffi.NULL) - point = self._ffi.gc(point, self._lib.EC_POINT_free) - res = self._lib.EC_POINT_set_affine_coordinates( - group, point, x, y, bn_ctx - ) - if res != 1: - self._consume_errors() - raise ValueError("Invalid EC key.") - res = self._lib.EC_KEY_set_public_key(ec_cdata, point) - self.openssl_assert(res == 1) - def _private_key_bytes( self, encoding: serialization.Encoding, @@ -1278,11 +1058,8 @@ def _private_key_bytes( key_type = self._lib.EVP_PKEY_id(evp_pkey) if encoding is serialization.Encoding.PEM: - if key_type == self._lib.EVP_PKEY_RSA: - write_bio = self._lib.PEM_write_bio_RSAPrivateKey - else: - assert key_type == self._lib.EVP_PKEY_EC - write_bio = self._lib.PEM_write_bio_ECPrivateKey + assert key_type == self._lib.EVP_PKEY_RSA + write_bio = self._lib.PEM_write_bio_RSAPrivateKey return self._private_key_bytes_via_bio( write_bio, cdata, password ) @@ -1293,11 +1070,8 @@ def _private_key_bytes( "Encryption is not supported for DER encoded " "traditional OpenSSL keys" ) - if key_type == self._lib.EVP_PKEY_RSA: - write_bio = self._lib.i2d_RSAPrivateKey_bio - else: - assert key_type == self._lib.EVP_PKEY_EC - write_bio = self._lib.i2d_ECPrivateKey_bio + assert key_type == self._lib.EVP_PKEY_RSA + write_bio = self._lib.i2d_RSAPrivateKey_bio return self._bio_func_output(write_bio, cdata) raise ValueError("Unsupported encoding for TraditionalOpenSSL") @@ -1374,8 +1148,7 @@ def _public_key_bytes( if format is serialization.PublicFormat.PKCS1: # Only RSA is supported here. key_type = self._lib.EVP_PKEY_id(evp_pkey) - if key_type != self._lib.EVP_PKEY_RSA: - raise ValueError("PKCS1 format is supported only for RSA keys") + self.openssl_assert(key_type == self._lib.EVP_PKEY_RSA) if encoding is serialization.Encoding.PEM: write_bio = self._lib.PEM_write_bio_RSAPublicKey diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py deleted file mode 100644 index 9821bd193e29..000000000000 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ /dev/null @@ -1,328 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -import typing - -from cryptography.exceptions import ( - InvalidSignature, - UnsupportedAlgorithm, - _Reasons, -) -from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, - _evp_pkey_derive, -) -from cryptography.hazmat.primitives import serialization -from cryptography.hazmat.primitives.asymmetric import ec - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - - -def _check_signature_algorithm( - signature_algorithm: ec.EllipticCurveSignatureAlgorithm, -) -> None: - if not isinstance(signature_algorithm, ec.ECDSA): - raise UnsupportedAlgorithm( - "Unsupported elliptic curve signature algorithm.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, - ) - - -def _ec_key_curve_sn(backend: Backend, ec_key) -> str: - group = backend._lib.EC_KEY_get0_group(ec_key) - backend.openssl_assert(group != backend._ffi.NULL) - - nid = backend._lib.EC_GROUP_get_curve_name(group) - # The following check is to find EC keys with unnamed curves and raise - # an error for now. - if nid == backend._lib.NID_undef: - raise ValueError( - "ECDSA keys with explicit parameters are unsupported at this time" - ) - - # This is like the above check, but it also catches the case where you - # explicitly encoded a curve with the same parameters as a named curve. - # Don't do that. - if ( - not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and backend._lib.EC_GROUP_get_asn1_flag(group) == 0 - ): - raise ValueError( - "ECDSA keys with explicit parameters are unsupported at this time" - ) - - curve_name = backend._lib.OBJ_nid2sn(nid) - backend.openssl_assert(curve_name != backend._ffi.NULL) - - sn = backend._ffi.string(curve_name).decode("ascii") - return sn - - -def _mark_asn1_named_ec_curve(backend: Backend, ec_cdata): - """ - Set the named curve flag on the EC_KEY. This causes OpenSSL to - serialize EC keys along with their curve OID which makes - deserialization easier. - """ - - backend._lib.EC_KEY_set_asn1_flag( - ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE - ) - - -def _check_key_infinity(backend: Backend, ec_cdata) -> None: - point = backend._lib.EC_KEY_get0_public_key(ec_cdata) - backend.openssl_assert(point != backend._ffi.NULL) - group = backend._lib.EC_KEY_get0_group(ec_cdata) - backend.openssl_assert(group != backend._ffi.NULL) - if backend._lib.EC_POINT_is_at_infinity(group, point): - raise ValueError( - "Cannot load an EC public key where the point is at infinity" - ) - - -def _sn_to_elliptic_curve(backend: Backend, sn: str) -> ec.EllipticCurve: - try: - return ec._CURVE_TYPES[sn]() - except KeyError: - raise UnsupportedAlgorithm( - f"{sn} is not a supported elliptic curve", - _Reasons.UNSUPPORTED_ELLIPTIC_CURVE, - ) - - -def _ecdsa_sig_sign( - backend: Backend, private_key: _EllipticCurvePrivateKey, data: bytes -) -> bytes: - max_size = backend._lib.ECDSA_size(private_key._ec_key) - backend.openssl_assert(max_size > 0) - - sigbuf = backend._ffi.new("unsigned char[]", max_size) - siglen_ptr = backend._ffi.new("unsigned int[]", 1) - res = backend._lib.ECDSA_sign( - 0, data, len(data), sigbuf, siglen_ptr, private_key._ec_key - ) - backend.openssl_assert(res == 1) - return backend._ffi.buffer(sigbuf)[: siglen_ptr[0]] - - -def _ecdsa_sig_verify( - backend: Backend, - public_key: _EllipticCurvePublicKey, - signature: bytes, - data: bytes, -) -> None: - res = backend._lib.ECDSA_verify( - 0, data, len(data), signature, len(signature), public_key._ec_key - ) - if res != 1: - backend._consume_errors() - raise InvalidSignature - - -class _EllipticCurvePrivateKey(ec.EllipticCurvePrivateKey): - def __init__(self, backend: Backend, ec_key_cdata, evp_pkey): - self._backend = backend - self._ec_key = ec_key_cdata - self._evp_pkey = evp_pkey - - sn = _ec_key_curve_sn(backend, ec_key_cdata) - self._curve = _sn_to_elliptic_curve(backend, sn) - _mark_asn1_named_ec_curve(backend, ec_key_cdata) - _check_key_infinity(backend, ec_key_cdata) - - @property - def curve(self) -> ec.EllipticCurve: - return self._curve - - @property - def key_size(self) -> int: - return self.curve.key_size - - def exchange( - self, algorithm: ec.ECDH, peer_public_key: ec.EllipticCurvePublicKey - ) -> bytes: - if not ( - self._backend.elliptic_curve_exchange_algorithm_supported( - algorithm, self.curve - ) - ): - raise UnsupportedAlgorithm( - "This backend does not support the ECDH algorithm.", - _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, - ) - - if peer_public_key.curve.name != self.curve.name: - raise ValueError( - "peer_public_key and self are not on the same curve" - ) - - return _evp_pkey_derive(self._backend, self._evp_pkey, peer_public_key) - - def public_key(self) -> ec.EllipticCurvePublicKey: - group = self._backend._lib.EC_KEY_get0_group(self._ec_key) - self._backend.openssl_assert(group != self._backend._ffi.NULL) - - curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group) - public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid) - - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) - - res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point) - self._backend.openssl_assert(res == 1) - - evp_pkey = self._backend._ec_cdata_to_evp_pkey(public_ec_key) - - return _EllipticCurvePublicKey(self._backend, public_ec_key, evp_pkey) - - def private_numbers(self) -> ec.EllipticCurvePrivateNumbers: - bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key) - private_value = self._backend._bn_to_int(bn) - return ec.EllipticCurvePrivateNumbers( - private_value=private_value, - public_numbers=self.public_key().public_numbers(), - ) - - def private_bytes( - self, - encoding: serialization.Encoding, - format: serialization.PrivateFormat, - encryption_algorithm: serialization.KeySerializationEncryption, - ) -> bytes: - return self._backend._private_key_bytes( - encoding, - format, - encryption_algorithm, - self, - self._evp_pkey, - self._ec_key, - ) - - def sign( - self, - data: bytes, - signature_algorithm: ec.EllipticCurveSignatureAlgorithm, - ) -> bytes: - _check_signature_algorithm(signature_algorithm) - data, _ = _calculate_digest_and_algorithm( - data, - signature_algorithm.algorithm, - ) - return _ecdsa_sig_sign(self._backend, self, data) - - -class _EllipticCurvePublicKey(ec.EllipticCurvePublicKey): - def __init__(self, backend: Backend, ec_key_cdata, evp_pkey): - self._backend = backend - self._ec_key = ec_key_cdata - self._evp_pkey = evp_pkey - - sn = _ec_key_curve_sn(backend, ec_key_cdata) - self._curve = _sn_to_elliptic_curve(backend, sn) - _mark_asn1_named_ec_curve(backend, ec_key_cdata) - _check_key_infinity(backend, ec_key_cdata) - - @property - def curve(self) -> ec.EllipticCurve: - return self._curve - - @property - def key_size(self) -> int: - return self.curve.key_size - - def __eq__(self, other: object) -> bool: - if not isinstance(other, _EllipticCurvePublicKey): - return NotImplemented - - return ( - self._backend._lib.EVP_PKEY_cmp(self._evp_pkey, other._evp_pkey) - == 1 - ) - - def public_numbers(self) -> ec.EllipticCurvePublicNumbers: - group = self._backend._lib.EC_KEY_get0_group(self._ec_key) - self._backend.openssl_assert(group != self._backend._ffi.NULL) - - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) - - with self._backend._tmp_bn_ctx() as bn_ctx: - bn_x = self._backend._lib.BN_CTX_get(bn_ctx) - bn_y = self._backend._lib.BN_CTX_get(bn_ctx) - - res = self._backend._lib.EC_POINT_get_affine_coordinates( - group, point, bn_x, bn_y, bn_ctx - ) - self._backend.openssl_assert(res == 1) - - x = self._backend._bn_to_int(bn_x) - y = self._backend._bn_to_int(bn_y) - - return ec.EllipticCurvePublicNumbers(x=x, y=y, curve=self._curve) - - def _encode_point(self, format: serialization.PublicFormat) -> bytes: - if format is serialization.PublicFormat.CompressedPoint: - conversion = self._backend._lib.POINT_CONVERSION_COMPRESSED - else: - assert format is serialization.PublicFormat.UncompressedPoint - conversion = self._backend._lib.POINT_CONVERSION_UNCOMPRESSED - - group = self._backend._lib.EC_KEY_get0_group(self._ec_key) - self._backend.openssl_assert(group != self._backend._ffi.NULL) - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) - with self._backend._tmp_bn_ctx() as bn_ctx: - buflen = self._backend._lib.EC_POINT_point2oct( - group, point, conversion, self._backend._ffi.NULL, 0, bn_ctx - ) - self._backend.openssl_assert(buflen > 0) - buf = self._backend._ffi.new("char[]", buflen) - res = self._backend._lib.EC_POINT_point2oct( - group, point, conversion, buf, buflen, bn_ctx - ) - self._backend.openssl_assert(buflen == res) - - return self._backend._ffi.buffer(buf)[:] - - def public_bytes( - self, - encoding: serialization.Encoding, - format: serialization.PublicFormat, - ) -> bytes: - if ( - encoding is serialization.Encoding.X962 - or format is serialization.PublicFormat.CompressedPoint - or format is serialization.PublicFormat.UncompressedPoint - ): - if encoding is not serialization.Encoding.X962 or format not in ( - serialization.PublicFormat.CompressedPoint, - serialization.PublicFormat.UncompressedPoint, - ): - raise ValueError( - "X962 encoding must be used with CompressedPoint or " - "UncompressedPoint format" - ) - - return self._encode_point(format) - else: - return self._backend._public_key_bytes( - encoding, format, self, self._evp_pkey, None - ) - - def verify( - self, - signature: bytes, - data: bytes, - signature_algorithm: ec.EllipticCurveSignatureAlgorithm, - ) -> None: - _check_signature_algorithm(signature_algorithm) - data, _ = _calculate_digest_and_algorithm( - data, - signature_algorithm.algorithm, - ) - _ecdsa_sig_verify(self._backend, self, signature, data) diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py index 5b404defde33..570b776ef57d 100644 --- a/src/cryptography/hazmat/backends/openssl/utils.py +++ b/src/cryptography/hazmat/backends/openssl/utils.py @@ -9,39 +9,6 @@ from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.utils import Prehashed -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - - -def _evp_pkey_derive(backend: Backend, evp_pkey, peer_public_key) -> bytes: - ctx = backend._lib.EVP_PKEY_CTX_new(evp_pkey, backend._ffi.NULL) - backend.openssl_assert(ctx != backend._ffi.NULL) - ctx = backend._ffi.gc(ctx, backend._lib.EVP_PKEY_CTX_free) - res = backend._lib.EVP_PKEY_derive_init(ctx) - backend.openssl_assert(res == 1) - - if backend._lib.Cryptography_HAS_EVP_PKEY_SET_PEER_EX: - res = backend._lib.EVP_PKEY_derive_set_peer_ex( - ctx, peer_public_key._evp_pkey, 0 - ) - else: - res = backend._lib.EVP_PKEY_derive_set_peer( - ctx, peer_public_key._evp_pkey - ) - backend.openssl_assert(res == 1) - - keylen = backend._ffi.new("size_t *") - res = backend._lib.EVP_PKEY_derive(ctx, backend._ffi.NULL, keylen) - backend.openssl_assert(res == 1) - backend.openssl_assert(keylen[0] > 0) - buf = backend._ffi.new("unsigned char[]", keylen[0]) - res = backend._lib.EVP_PKEY_derive(ctx, buf, keylen) - if res != 1: - errors = backend._consume_errors() - raise ValueError("Error computing shared key.", errors) - - return backend._ffi.buffer(buf, keylen[0])[:] - def _calculate_digest_and_algorithm( data: bytes, diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 82f30d20b0ab..d0e6ccaed238 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -7,6 +7,7 @@ import typing from cryptography.hazmat.bindings._rust.openssl import ( dh, dsa, + ec, ed448, ed25519, hashes, @@ -22,6 +23,7 @@ __all__ = [ "raise_openssl_error", "dh", "dsa", + "ec", "hashes", "hmac", "kdf", diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi new file mode 100644 index 000000000000..f4fdf3856fc3 --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi @@ -0,0 +1,27 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from cryptography.hazmat.primitives.asymmetric import ec + +class ECPrivateKey: ... +class ECPublicKey: ... + +def curve_supported(curve: ec.EllipticCurve) -> bool: ... +def private_key_from_ptr(ptr: int) -> ec.EllipticCurvePrivateKey: ... +def public_key_from_ptr(ptr: int) -> ec.EllipticCurvePublicKey: ... +def generate_private_key( + curve: ec.EllipticCurve, +) -> ec.EllipticCurvePrivateKey: ... +def from_private_numbers( + numbers: ec.EllipticCurvePrivateNumbers, +) -> ec.EllipticCurvePrivateKey: ... +def from_public_numbers( + numbers: ec.EllipticCurvePublicNumbers, +) -> ec.EllipticCurvePublicKey: ... +def from_public_bytes( + curve: ec.EllipticCurve, data: bytes +) -> ec.EllipticCurvePublicKey: ... +def derive_private_key( + private_value: int, curve: ec.EllipticCurve +) -> ec.EllipticCurvePrivateKey: ... diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index ddfaabf4f3e4..3a5eb62573e0 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -9,6 +9,7 @@ from cryptography import utils from cryptography.hazmat._oid import ObjectIdentifier +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import _serialization, hashes from cryptography.hazmat.primitives.asymmetric import utils as asym_utils @@ -121,6 +122,7 @@ def private_bytes( EllipticCurvePrivateKeyWithSerialization = EllipticCurvePrivateKey +EllipticCurvePrivateKey.register(rust_openssl.ec.ECPrivateKey) class EllipticCurvePublicKey(metaclass=abc.ABCMeta): @@ -192,6 +194,7 @@ def __eq__(self, other: object) -> bool: EllipticCurvePublicKeyWithSerialization = EllipticCurvePublicKey +EllipticCurvePublicKey.register(rust_openssl.ec.ECPublicKey) class SECT571R1(EllipticCurve): diff --git a/src/rust/build.rs b/src/rust/build.rs index 574560394d88..49740fccecfb 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -6,6 +6,14 @@ use std::env; #[allow(clippy::unusual_byte_groupings)] fn main() { + if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { + let version = u64::from_str_radix(&version, 16).unwrap(); + + if version >= 0x3_00_00_00_0 { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); + } + } + if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs new file mode 100644 index 000000000000..6549663c3b0f --- /dev/null +++ b/src/rust/src/backend/ec.rs @@ -0,0 +1,574 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::backend::utils; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; +use foreign_types_shared::ForeignTypeRef; +use pyo3::basic::CompareOp; +use pyo3::ToPyObject; + +#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ec")] +struct ECPrivateKey { + pkey: openssl::pkey::PKey, + #[pyo3(get)] + curve: pyo3::Py, +} + +#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ec")] +struct ECPublicKey { + pkey: openssl::pkey::PKey, + #[pyo3(get)] + curve: pyo3::Py, +} + +fn curve_from_py_curve( + py: pyo3::Python<'_>, + py_curve: &pyo3::PyAny, +) -> CryptographyResult { + let curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?.extract()?; + let nid = match curve_name { + "secp192r1" => openssl::nid::Nid::X9_62_PRIME192V1, + "secp224r1" => openssl::nid::Nid::SECP224R1, + "secp256r1" => openssl::nid::Nid::X9_62_PRIME256V1, + "secp384r1" => openssl::nid::Nid::SECP384R1, + "secp521r1" => openssl::nid::Nid::SECP521R1, + + "secp256k1" => openssl::nid::Nid::SECP256K1, + + "sect233r1" => openssl::nid::Nid::SECT233R1, + "sect283r1" => openssl::nid::Nid::SECT283R1, + "sect409r1" => openssl::nid::Nid::SECT409R1, + "sect571r1" => openssl::nid::Nid::SECT571R1, + + "sect163r2" => openssl::nid::Nid::SECT163R2, + + "sect163k1" => openssl::nid::Nid::SECT163K1, + "sect233k1" => openssl::nid::Nid::SECT233K1, + "sect283k1" => openssl::nid::Nid::SECT283K1, + "sect409k1" => openssl::nid::Nid::SECT409K1, + "sect571k1" => openssl::nid::Nid::SECT571K1, + + #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + "brainpoolP256r1" => openssl::nid::Nid::BRAINPOOL_P256R1, + #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + "brainpoolP384r1" => openssl::nid::Nid::BRAINPOOL_P384R1, + #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + "brainpoolP512r1" => openssl::nid::Nid::BRAINPOOL_P512R1, + + _ => { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!("Curve {} is not supported", curve_name), + exceptions::Reasons::UNSUPPORTED_ELLIPTIC_CURVE, + )), + )); + } + }; + + Ok(openssl::ec::EcGroup::from_curve_name(nid)?) +} + +fn py_curve_from_curve<'p>( + py: pyo3::Python<'p>, + curve: &openssl::ec::EcGroupRef, +) -> CryptographyResult<&'p pyo3::PyAny> { + let name = curve + .curve_name() + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err( + "ECDSA keys with explicit parameters are unsupported at this time", + ) + })? + .short_name()?; + + if curve.asn1_flag() == openssl::ec::Asn1Flag::EXPLICIT_CURVE { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "ECDSA keys with explicit parameters are unsupported at this time", + ), + )); + } + + Ok(py + .import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.ec" + ))? + .getattr(pyo3::intern!(py, "_CURVE_TYPES"))? + .extract::<&pyo3::types::PyDict>()? + .get_item(name) + .ok_or_else(|| { + CryptographyError::from(exceptions::UnsupportedAlgorithm::new_err(( + format!("{} is not a supported elliptic curve", name), + exceptions::Reasons::UNSUPPORTED_ELLIPTIC_CURVE, + ))) + })? + .call0()?) +} + +fn check_key_infinity( + ec: &openssl::ec::EcKeyRef, +) -> CryptographyResult<()> { + if ec.public_key().is_infinity(ec.group()) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Cannot load an EC public key where the point is at infinity", + ), + )); + } + Ok(()) +} + +#[pyo3::prelude::pyfunction] +fn curve_supported(py: pyo3::Python<'_>, py_curve: &pyo3::PyAny) -> bool { + curve_from_py_curve(py, py_curve).is_ok() +} + +#[pyo3::prelude::pyfunction] +fn private_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { + let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + let curve = py_curve_from_curve(py, pkey.ec_key().unwrap().group())?; + check_key_infinity(&pkey.ec_key().unwrap())?; + Ok(ECPrivateKey { + pkey: pkey.to_owned(), + curve: curve.into(), + }) +} + +#[pyo3::prelude::pyfunction] +fn public_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { + let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + let ec = pkey.ec_key().map_err(|e| { + pyo3::exceptions::PyValueError::new_err(format!("Unable to load EC key: {}", e)) + })?; + let curve = py_curve_from_curve(py, ec.group())?; + check_key_infinity(&ec)?; + Ok(ECPublicKey { + pkey: pkey.to_owned(), + curve: curve.into(), + }) +} +#[pyo3::prelude::pyfunction] +fn generate_private_key( + py: pyo3::Python<'_>, + py_curve: &pyo3::PyAny, +) -> CryptographyResult { + let curve = curve_from_py_curve(py, py_curve)?; + let key = openssl::ec::EcKey::generate(&curve)?; + + Ok(ECPrivateKey { + pkey: openssl::pkey::PKey::from_ec_key(key)?, + curve: py_curve.into(), + }) +} + +#[pyo3::prelude::pyfunction] +fn derive_private_key( + py: pyo3::Python<'_>, + py_private_value: &pyo3::types::PyLong, + py_curve: &pyo3::PyAny, +) -> CryptographyResult { + let curve = curve_from_py_curve(py, py_curve)?; + let private_value = utils::py_int_to_bn(py, py_private_value)?; + + let mut point = openssl::ec::EcPoint::new(&curve)?; + let bn_ctx = openssl::bn::BigNumContext::new()?; + point.mul_generator(&curve, &private_value, &bn_ctx)?; + let ec = openssl::ec::EcKey::from_private_components(&curve, &private_value, &point) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid EC key"))?; + check_key_infinity(&ec)?; + let pkey = openssl::pkey::PKey::from_ec_key(ec)?; + + Ok(ECPrivateKey { + pkey, + curve: py_curve.into(), + }) +} + +#[pyo3::prelude::pyfunction] +fn from_public_bytes( + py: pyo3::Python<'_>, + py_curve: &pyo3::PyAny, + data: &[u8], +) -> CryptographyResult { + let curve = curve_from_py_curve(py, py_curve)?; + + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + let point = openssl::ec::EcPoint::from_bytes(&curve, data, &mut bn_ctx) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid EC key."))?; + let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?; + let pkey = openssl::pkey::PKey::from_ec_key(ec)?; + + Ok(ECPublicKey { + pkey, + curve: py_curve.into(), + }) +} + +fn public_key_from_numbers( + py: pyo3::Python<'_>, + numbers: &pyo3::PyAny, + curve: &openssl::ec::EcGroupRef, +) -> CryptographyResult> { + let py_x = numbers.getattr(pyo3::intern!(py, "x"))?; + let py_y = numbers.getattr(pyo3::intern!(py, "y"))?; + + let zero = (0).to_object(py); + if py_x.rich_compare(&zero, CompareOp::Lt)?.is_true()? + || py_y.rich_compare(&zero, CompareOp::Lt)?.is_true()? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Invalid EC key. Both x and y must be non-negative.", + ), + )); + } + + let x = utils::py_int_to_bn(py, py_x)?; + let y = utils::py_int_to_bn(py, py_y)?; + + let mut point = openssl::ec::EcPoint::new(curve)?; + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + point + .set_affine_coordinates_gfp(curve, &x, &y, &mut bn_ctx) + .map_err(|_| { + pyo3::exceptions::PyValueError::new_err( + "Invalid EC key. Point is not on the curve specified.", + ) + })?; + + Ok(openssl::ec::EcKey::from_public_key(curve, &point)?) +} + +#[pyo3::prelude::pyfunction] +fn from_private_numbers( + py: pyo3::Python<'_>, + numbers: &pyo3::PyAny, +) -> CryptographyResult { + let public_numbers = numbers.getattr(pyo3::intern!(py, "public_numbers"))?; + let py_curve = public_numbers.getattr(pyo3::intern!(py, "curve"))?; + + let curve = curve_from_py_curve(py, py_curve)?; + let public_key = public_key_from_numbers(py, public_numbers, &curve)?; + let private_value = + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "private_value"))?)?; + + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + let mut expected_pub = openssl::ec::EcPoint::new(&curve)?; + expected_pub.mul_generator(&curve, &private_value, &bn_ctx)?; + if !expected_pub.eq(&curve, public_key.public_key(), &mut bn_ctx)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Invalid EC key."), + )); + } + + let private_key = openssl::ec::EcKey::from_private_components( + &curve, + &private_value, + public_key.public_key(), + ) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid EC key."))?; + + let pkey = openssl::pkey::PKey::from_ec_key(private_key)?; + + Ok(ECPrivateKey { + pkey, + curve: py_curve.into(), + }) +} + +#[pyo3::prelude::pyfunction] +fn from_public_numbers( + py: pyo3::Python<'_>, + numbers: &pyo3::PyAny, +) -> CryptographyResult { + let py_curve = numbers.getattr(pyo3::intern!(py, "curve"))?; + + let curve = curve_from_py_curve(py, py_curve)?; + let public_key = public_key_from_numbers(py, numbers, &curve)?; + + let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; + + Ok(ECPublicKey { + pkey, + curve: py_curve.into(), + }) +} + +#[pyo3::prelude::pymethods] +impl ECPrivateKey { + #[getter] + fn key_size<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + self.curve.as_ref(py).getattr(pyo3::intern!(py, "key_size")) + } + + fn exchange<'p>( + &self, + py: pyo3::Python<'p>, + algorithm: &pyo3::PyAny, + public_key: &ECPublicKey, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ecdh_class: &pyo3::types::PyType = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.ec" + ))? + .getattr(pyo3::intern!(py, "ECDH"))? + .extract()?; + + if !algorithm.is_instance(ecdh_class)? { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "Unsupported EC exchange algorithm", + exceptions::Reasons::UNSUPPORTED_EXCHANGE_ALGORITHM, + )), + )); + } + + let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; + // If `set_peer_ex` is available, we don't valid the key. This is + // because we already validated it sufficiently when we created the + // ECPublicKey object. + #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + deriver + .set_peer_ex(&public_key.pkey, false) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; + + #[cfg(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER))] + deriver + .set_peer(&public_key.pkey) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; + + Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { + let n = deriver.derive(b).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Error computing shared key.") + })?; + assert_eq!(n, b.len()); + Ok(()) + })?) + } + + fn sign<'p>( + &self, + py: pyo3::Python<'p>, + data: &pyo3::types::PyBytes, + algorithm: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ecdsa_class: &pyo3::types::PyType = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.ec" + ))? + .getattr(pyo3::intern!(py, "ECDSA"))? + .extract()?; + + if !algorithm.is_instance(ecdsa_class)? { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "Unsupported elliptic curve signature algorithm", + exceptions::Reasons::UNSUPPORTED_PUBLIC_KEY_ALGORITHM, + )), + )); + } + + let (data, _): (&[u8], &pyo3::PyAny) = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.backends.openssl.utils" + ))? + .call_method1( + pyo3::intern!(py, "_calculate_digest_and_algorithm"), + (data, algorithm.getattr(pyo3::intern!(py, "algorithm"))?), + )? + .extract()?; + + let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; + signer.sign_init()?; + // XXX: single allocation + let mut sig = vec![]; + signer.sign_to_vec(data, &mut sig)?; + Ok(pyo3::types::PyBytes::new(py, &sig)) + } + + fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let orig_ec = self.pkey.ec_key().unwrap(); + let ec = openssl::ec::EcKey::from_public_key(orig_ec.group(), orig_ec.public_key())?; + let pkey = openssl::pkey::PKey::from_ec_key(ec)?; + + Ok(ECPublicKey { + pkey, + curve: self.curve.clone_ref(py), + }) + } + + fn private_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + let ec = self.pkey.ec_key().unwrap(); + + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + let mut x = openssl::bn::BigNum::new()?; + let mut y = openssl::bn::BigNum::new()?; + ec.public_key() + .affine_coordinates(ec.group(), &mut x, &mut y, &mut bn_ctx)?; + let py_x = utils::bn_to_py_int(py, &x)?; + let py_y = utils::bn_to_py_int(py, &y)?; + + let py_private_key = utils::bn_to_py_int(py, ec.private_key())?; + + let ec_mod = py.import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.ec" + ))?; + + let public_numbers = ec_mod.call_method1( + pyo3::intern!(py, "EllipticCurvePublicNumbers"), + (py_x, py_y, self.curve.clone_ref(py)), + )?; + + Ok(ec_mod.call_method1( + pyo3::intern!(py, "EllipticCurvePrivateNumbers"), + (py_private_key, public_numbers), + )?) + } + + fn private_bytes<'p>( + slf: &pyo3::PyCell, + py: pyo3::Python<'p>, + encoding: &pyo3::PyAny, + format: &pyo3::PyAny, + encryption_algorithm: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + utils::pkey_private_bytes( + py, + slf, + &slf.borrow().pkey, + encoding, + format, + encryption_algorithm, + true, + false, + ) + } +} + +#[pyo3::prelude::pymethods] +impl ECPublicKey { + #[getter] + fn key_size<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + self.curve.as_ref(py).getattr(pyo3::intern!(py, "key_size")) + } + + fn verify( + &self, + py: pyo3::Python<'_>, + signature: &[u8], + data: &pyo3::types::PyBytes, + signature_algorithm: &pyo3::PyAny, + ) -> CryptographyResult<()> { + let ecdsa_class: &pyo3::types::PyType = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.ec" + ))? + .getattr(pyo3::intern!(py, "ECDSA"))? + .extract()?; + + if !signature_algorithm.is_instance(ecdsa_class)? { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "Unsupported elliptic curve signature algorithm", + exceptions::Reasons::UNSUPPORTED_PUBLIC_KEY_ALGORITHM, + )), + )); + } + + let (data, _): (&[u8], &pyo3::PyAny) = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.backends.openssl.utils" + ))? + .call_method1( + pyo3::intern!(py, "_calculate_digest_and_algorithm"), + ( + data, + signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + ), + )? + .extract()?; + + let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; + verifier.verify_init()?; + let valid = verifier.verify(data, signature).unwrap_or(false); + // TODO: Empty the error stack. BoringSSL leaves one in the event of + // signature validation failure. Upstream to rust-openssl? + #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] + openssl::error::ErrorStack::get(); + if !valid { + return Err(CryptographyError::from( + exceptions::InvalidSignature::new_err(()), + )); + } + + Ok(()) + } + + fn public_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + let ec = self.pkey.ec_key().unwrap(); + + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + let mut x = openssl::bn::BigNum::new()?; + let mut y = openssl::bn::BigNum::new()?; + ec.public_key() + .affine_coordinates(ec.group(), &mut x, &mut y, &mut bn_ctx)?; + let py_x = utils::bn_to_py_int(py, &x)?; + let py_y = utils::bn_to_py_int(py, &y)?; + + let ec_mod = py.import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.ec" + ))?; + + Ok(ec_mod.call_method1( + pyo3::intern!(py, "EllipticCurvePublicNumbers"), + (py_x, py_y, self.curve.clone_ref(py)), + )?) + } + + fn public_bytes<'p>( + slf: &pyo3::PyCell, + py: pyo3::Python<'p>, + encoding: &pyo3::PyAny, + format: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) + } + + fn __richcmp__( + &self, + other: pyo3::PyRef<'_, ECPublicKey>, + op: pyo3::basic::CompareOp, + ) -> pyo3::PyResult { + match op { + pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), + pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), + _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), + } + } +} +pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let m = pyo3::prelude::PyModule::new(py, "ec")?; + m.add_function(pyo3::wrap_pyfunction!(curve_supported, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(derive_private_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; + + m.add_class::()?; + m.add_class::()?; + + Ok(m) +} diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 765b0ab199f4..b032aaac4404 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -4,6 +4,7 @@ pub(crate) mod dh; pub(crate) mod dsa; +pub(crate) mod ec; #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] pub(crate) mod ed25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] @@ -21,6 +22,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; + module.add_submodule(ec::create_module(module.py())?)?; #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] module.add_submodule(ed25519::create_module(module.py())?)?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index dea36117182b..086f88ab9360 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -67,6 +67,9 @@ pub(crate) fn pkey_private_bytes<'p>( let best_available_encryption_class: &pyo3::types::PyType = serialization_mod .getattr(pyo3::intern!(py, "BestAvailableEncryption"))? .extract()?; + let encryption_builder_class: &pyo3::types::PyType = serialization_mod + .getattr(pyo3::intern!(py, "_KeySerializationEncryption"))? + .extract()?; if !encoding.is_instance(encoding_class)? { return Err(CryptographyError::from( @@ -109,7 +112,12 @@ pub(crate) fn pkey_private_bytes<'p>( let password = if encryption_algorithm.is_instance(no_encryption_class)? { b"" - } else if encryption_algorithm.is_instance(best_available_encryption_class)? { + } else if encryption_algorithm.is_instance(best_available_encryption_class)? + || (encryption_algorithm.is_instance(encryption_builder_class)? + && encryption_algorithm + .getattr(pyo3::intern!(py, "_format"))? + .is(format)) + { encryption_algorithm .getattr(pyo3::intern!(py, "password"))? .extract::<&[u8]>()? @@ -178,6 +186,29 @@ pub(crate) fn pkey_private_bytes<'p>( let der_bytes = dsa.private_key_to_der()?; return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } + } else if let Ok(ec) = pkey.ec_key() { + if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + let pem_bytes = if password.is_empty() { + ec.private_key_to_pem()? + } else { + ec.private_key_to_pem_passphrase( + openssl::symm::Cipher::aes_256_cbc(), + password, + )? + }; + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + if !password.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Encryption is not supported for DER encoded traditional OpenSSL keys", + ), + )); + } + + let der_bytes = ec.private_key_to_der()?; + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + } } } @@ -277,6 +308,30 @@ pub(crate) fn pkey_public_bytes<'p>( )); } + if let Ok(ec) = pkey.ec_key() { + if encoding.is(encoding_class.getattr(pyo3::intern!(py, "X962"))?) { + let point_form = if format + .is(public_format_class.getattr(pyo3::intern!(py, "UncompressedPoint"))?) + { + openssl::ec::PointConversionForm::UNCOMPRESSED + } else if format.is(public_format_class.getattr(pyo3::intern!(py, "CompressedPoint"))?) + { + openssl::ec::PointConversionForm::COMPRESSED + } else { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "X962 encoding must be used with CompressedPoint or UncompressedPoint format" + ) + )); + }; + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + let data = ec + .public_key() + .to_bytes(ec.group(), point_form, &mut bn_ctx)?; + return Ok(pyo3::types::PyBytes::new(py, &data)); + } + } + // OpenSSH + OpenSSH if openssh_allowed && format.is(public_format_class.getattr(pyo3::intern!(py, "OpenSSH"))?) { if encoding.is(encoding_class.getattr(pyo3::intern!(py, "OpenSSH"))?) { diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index c8fa1efa21f5..b0058e8a4bac 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -11,7 +11,6 @@ from cryptography.exceptions import InternalError, _Reasons from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends.openssl.backend import backend -from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.ciphers import Cipher @@ -346,12 +345,6 @@ def test_very_long_pem_serialization_password(self): ) -class TestOpenSSLEllipticCurve: - def test_sn_to_elliptic_curve_not_supported(self): - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_ELLIPTIC_CURVE): - _sn_to_elliptic_curve(backend, "fake") - - class TestRSAPEMSerialization: def test_password_length_limit(self, rsa_key_2048): password = b"x" * 1024 diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 1120fa4be3a0..beb5739b22c0 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -134,7 +134,12 @@ def test_derive_point_at_infinity(backend): _skip_curve_unsupported(backend, curve) # order of the curve q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 - with pytest.raises(ValueError, match="Unable to derive"): + # BoringSSL rejects infinity points before it ever gets to us, so it + # uses a more generic error message. + match = ( + "infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid" + ) + with pytest.raises(ValueError, match=match): ec.derive_private_key(q, ec.SECP256R1()) From 380652e6213c4c2b408b3b5f817c1b5f3dcb211f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Jun 2023 01:40:14 -0400 Subject: [PATCH 0093/1014] Remove many unused EC bindings (#9117) --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/bignum.py | 7 --- src/_cffi_src/openssl/ec.py | 44 ------------------- src/_cffi_src/openssl/ecdsa.py | 24 ---------- src/_cffi_src/openssl/evp.py | 16 ------- src/_cffi_src/openssl/objects.py | 1 - src/_cffi_src/openssl/pem.py | 3 -- src/_cffi_src/openssl/x509.py | 2 - .../hazmat/bindings/openssl/_conditional.py | 9 +--- 9 files changed, 1 insertion(+), 106 deletions(-) delete mode 100644 src/_cffi_src/openssl/ecdsa.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 6c4fd90e143b..361473679ece 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -31,7 +31,6 @@ "dh", "dsa", "ec", - "ecdsa", "engine", "err", "evp", diff --git a/src/_cffi_src/openssl/bignum.py b/src/_cffi_src/openssl/bignum.py index 044403325582..82979d5c7800 100644 --- a/src/_cffi_src/openssl/bignum.py +++ b/src/_cffi_src/openssl/bignum.py @@ -28,13 +28,6 @@ int BN_rand_range(BIGNUM *, const BIGNUM *); -BN_CTX *BN_CTX_new(void); -void BN_CTX_free(BN_CTX *); - -void BN_CTX_start(BN_CTX *); -BIGNUM *BN_CTX_get(BN_CTX *); -void BN_CTX_end(BN_CTX *); - BN_MONT_CTX *BN_MONT_CTX_new(void); int BN_MONT_CTX_set(BN_MONT_CTX *, const BIGNUM *, BN_CTX *); void BN_MONT_CTX_free(BN_MONT_CTX *); diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 0e3604d1d29a..8b9558f8d311 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -10,8 +10,6 @@ """ TYPES = """ -static const int OPENSSL_EC_NAMED_CURVE; - typedef ... EC_KEY; typedef ... EC_GROUP; typedef ... EC_POINT; @@ -19,58 +17,16 @@ int nid; const char *comment; } EC_builtin_curve; -typedef enum { - POINT_CONVERSION_COMPRESSED, - POINT_CONVERSION_UNCOMPRESSED, - ... -} point_conversion_form_t; """ FUNCTIONS = """ -void EC_GROUP_free(EC_GROUP *); - -EC_GROUP *EC_GROUP_new_by_curve_name(int); - -int EC_GROUP_get_curve_name(const EC_GROUP *); - size_t EC_get_builtin_curves(EC_builtin_curve *, size_t); void EC_KEY_free(EC_KEY *); EC_KEY *EC_KEY_new_by_curve_name(int); -const EC_GROUP *EC_KEY_get0_group(const EC_KEY *); -const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *); -int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *); -const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *); -int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *); -void EC_KEY_set_asn1_flag(EC_KEY *, int); -int EC_KEY_generate_key(EC_KEY *); - -EC_POINT *EC_POINT_new(const EC_GROUP *); -void EC_POINT_free(EC_POINT *); -int EC_POINT_cmp(const EC_GROUP *, const EC_POINT *, const EC_POINT *, - BN_CTX *); - -int EC_POINT_set_affine_coordinates(const EC_GROUP *, EC_POINT *, - const BIGNUM *, const BIGNUM *, BN_CTX *); -int EC_POINT_get_affine_coordinates(const EC_GROUP *, const EC_POINT *, - BIGNUM *, BIGNUM *, BN_CTX *); - -size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *, - point_conversion_form_t, - unsigned char *, size_t, BN_CTX *); - -int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *, - const unsigned char *, size_t, BN_CTX *); - -int EC_POINT_is_at_infinity(const EC_GROUP *, const EC_POINT *); - -int EC_POINT_mul(const EC_GROUP *, EC_POINT *, const BIGNUM *, - const EC_POINT *, const BIGNUM *, BN_CTX *); const char *EC_curve_nid2nist(int); - -int EC_GROUP_get_asn1_flag(const EC_GROUP *); """ CUSTOMIZATIONS = """ diff --git a/src/_cffi_src/openssl/ecdsa.py b/src/_cffi_src/openssl/ecdsa.py deleted file mode 100644 index 716b5d03016f..000000000000 --- a/src/_cffi_src/openssl/ecdsa.py +++ /dev/null @@ -1,24 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#include -""" - -TYPES = """ -""" - -FUNCTIONS = """ -int ECDSA_sign(int, const unsigned char *, int, unsigned char *, - unsigned int *, EC_KEY *); -int ECDSA_verify(int, const unsigned char *, int, const unsigned char *, int, - EC_KEY *); -int ECDSA_size(const EC_KEY *); - -""" - -CUSTOMIZATIONS = """ -""" diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index ce54fd9fe931..20607b194df8 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -39,7 +39,6 @@ static const long Cryptography_HAS_300_FIPS; static const long Cryptography_HAS_300_EVP_CIPHER; static const long Cryptography_HAS_EVP_PKEY_DH; -static const long Cryptography_HAS_EVP_PKEY_SET_PEER_EX; """ FUNCTIONS = """ @@ -102,11 +101,6 @@ int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *); -int EVP_PKEY_derive_init(EVP_PKEY_CTX *); -int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *, EVP_PKEY *); -int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *, EVP_PKEY *, int); -int EVP_PKEY_derive(EVP_PKEY_CTX *, unsigned char *, size_t *); - int EVP_PKEY_id(const EVP_PKEY *); EVP_MD_CTX *EVP_MD_CTX_new(void); @@ -116,9 +110,6 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); -EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *); -int EVP_PKEY_set1_EC_KEY(EVP_PKEY *, EC_KEY *); - int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *); @@ -169,13 +160,6 @@ static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1; #endif -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -static const long Cryptography_HAS_EVP_PKEY_SET_PEER_EX = 1; -#else -static const long Cryptography_HAS_EVP_PKEY_SET_PEER_EX = 0; -int (*EVP_PKEY_derive_set_peer_ex)(EVP_PKEY_CTX *, EVP_PKEY *, int) = NULL; -#endif - /* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519 conditional to remove it. OpenSSL 1.1.0 didn't have this define, but 1.1.1 will when it is released. We can remove this in the distant diff --git a/src/_cffi_src/openssl/objects.py b/src/_cffi_src/openssl/objects.py index 5f9bdb3361d0..cf79cfa208ae 100644 --- a/src/_cffi_src/openssl/objects.py +++ b/src/_cffi_src/openssl/objects.py @@ -15,7 +15,6 @@ const char *OBJ_nid2ln(int); const char *OBJ_nid2sn(int); int OBJ_obj2nid(const ASN1_OBJECT *); -int OBJ_sn2nid(const char *); int OBJ_txt2nid(const char *); """ diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py index 1488e0968840..93c5a9955ba0 100644 --- a/src/_cffi_src/openssl/pem.py +++ b/src/_cffi_src/openssl/pem.py @@ -55,9 +55,6 @@ EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *); int PEM_write_bio_PUBKEY(BIO *, EVP_PKEY *); -int PEM_write_bio_ECPrivateKey(BIO *, EC_KEY *, const EVP_CIPHER *, - unsigned char *, int, pem_password_cb *, - void *); """ CUSTOMIZATIONS = """ diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index bb0d65e09858..f071be3d231a 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -190,8 +190,6 @@ int X509_CRL_set1_lastUpdate(X509_CRL *, const ASN1_TIME *); int X509_CRL_set1_nextUpdate(X509_CRL *, const ASN1_TIME *); -int i2d_ECPrivateKey_bio(BIO *, EC_KEY *); - const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *); const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *); """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 5e8ecd04182c..ef95760c3b4e 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -258,10 +258,6 @@ def cryptography_has_get_extms_support() -> typing.List[str]: return ["SSL_get_extms_support"] -def cryptography_has_evp_pkey_set_peer_ex() -> typing.List[str]: - return ["EVP_PKEY_derive_set_peer_ex"] - - def cryptography_has_evp_aead() -> typing.List[str]: return [ "EVP_aead_chacha20_poly1305", @@ -322,8 +318,5 @@ def cryptography_has_evp_aead() -> typing.List[str]: cryptography_has_ssl_op_ignore_unexpected_eof ), "Cryptography_HAS_GET_EXTMS_SUPPORT": cryptography_has_get_extms_support, - "Cryptography_HAS_EVP_PKEY_SET_PEER_EX": ( - cryptography_has_evp_pkey_set_peer_ex - ), - "Cryptography_HAS_EVP_AEAD": (cryptography_has_evp_aead), + "Cryptography_HAS_EVP_AEAD": cryptography_has_evp_aead, } From 8ebd0b38d68d6fecc01d84adbba539f390f01e96 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 23 Jun 2023 13:05:02 +0200 Subject: [PATCH 0094/1014] remove more BN bindings (#9118) --- src/_cffi_src/openssl/bignum.py | 23 +++---------------- .../hazmat/bindings/openssl/_conditional.py | 6 ++--- 2 files changed, 5 insertions(+), 24 deletions(-) diff --git a/src/_cffi_src/openssl/bignum.py b/src/_cffi_src/openssl/bignum.py index 82979d5c7800..d1682ba8aaf1 100644 --- a/src/_cffi_src/openssl/bignum.py +++ b/src/_cffi_src/openssl/bignum.py @@ -9,29 +9,20 @@ """ TYPES = """ -static const long Cryptography_HAS_BN_FLAGS; +static const long Cryptography_HAS_PRIME_CHECKS; typedef ... BN_CTX; -typedef ... BN_MONT_CTX; typedef ... BIGNUM; typedef int... BN_ULONG; """ FUNCTIONS = """ -#define BN_FLG_CONSTTIME ... - -void BN_set_flags(BIGNUM *, int); - BIGNUM *BN_new(void); void BN_free(BIGNUM *); void BN_clear_free(BIGNUM *); int BN_rand_range(BIGNUM *, const BIGNUM *); -BN_MONT_CTX *BN_MONT_CTX_new(void); -int BN_MONT_CTX_set(BN_MONT_CTX *, const BIGNUM *, BN_CTX *); -void BN_MONT_CTX_free(BN_MONT_CTX *); - int BN_set_word(BIGNUM *, BN_ULONG); char *BN_bn2hex(const BIGNUM *); @@ -44,11 +35,6 @@ int BN_is_negative(const BIGNUM *); int BN_is_odd(const BIGNUM *); -int BN_mod_exp_mont(BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *, - BN_CTX *, BN_MONT_CTX *); -int BN_mod_exp_mont_consttime(BIGNUM *, const BIGNUM *, const BIGNUM *, - const BIGNUM *, BN_CTX *, BN_MONT_CTX *); -BIGNUM *BN_mod_inverse(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int BN_num_bytes(const BIGNUM *); @@ -61,12 +47,9 @@ CUSTOMIZATIONS = """ #if CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_BN_FLAGS = 0; - -static const int BN_FLG_CONSTTIME = 0; -void (*BN_set_flags)(BIGNUM *, int) = NULL; +static const long Cryptography_HAS_PRIME_CHECKS = 0; int (*BN_prime_checks_for_size)(int) = NULL; #else -static const long Cryptography_HAS_BN_FLAGS = 1; +static const long Cryptography_HAS_PRIME_CHECKS = 1; #endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index ef95760c3b4e..58e6cceae4fe 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -222,10 +222,8 @@ def cryptography_has_pkcs7_funcs() -> typing.List[str]: ] -def cryptography_has_bn_flags() -> typing.List[str]: +def cryptography_has_prime_checks() -> typing.List[str]: return [ - "BN_FLG_CONSTTIME", - "BN_set_flags", "BN_prime_checks_for_size", ] @@ -307,7 +305,7 @@ def cryptography_has_evp_aead() -> typing.List[str]: "Cryptography_HAS_300_FIPS": cryptography_has_300_fips, "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, - "Cryptography_HAS_BN_FLAGS": cryptography_has_bn_flags, + "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, "Cryptography_HAS_EVP_PKEY_DH": cryptography_has_evp_pkey_dh, "Cryptography_HAS_300_EVP_CIPHER": cryptography_has_300_evp_cipher, "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( From cd9137adbdaee3d2134dcc5943ef252fa55c3d8b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Jun 2023 08:18:30 -0400 Subject: [PATCH 0095/1014] Removed unused conditional bindings (#9121) --- src/_cffi_src/openssl/evp.py | 40 ------------------- .../hazmat/bindings/openssl/_conditional.py | 26 ------------ 2 files changed, 66 deletions(-) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 20607b194df8..4eada83bf9fd 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -34,11 +34,8 @@ static const int Cryptography_HAS_SCRYPT; static const int Cryptography_HAS_EVP_PKEY_DHX; -static const long Cryptography_HAS_RAW_KEY; -static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF; static const long Cryptography_HAS_300_FIPS; static const long Cryptography_HAS_300_EVP_CIPHER; -static const long Cryptography_HAS_EVP_PKEY_DH; """ FUNCTIONS = """ @@ -57,7 +54,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); -int EVP_DigestFinalXOF(EVP_MD_CTX *, unsigned char *, size_t); const EVP_MD *EVP_get_digestbyname(const char *); EVP_PKEY *EVP_PKEY_new(void); @@ -97,7 +93,6 @@ int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *); int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *); -int EVP_PKEY_set1_DH(EVP_PKEY *, DH *); int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *); @@ -114,13 +109,6 @@ int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *); -EVP_PKEY *EVP_PKEY_new_raw_private_key(int, ENGINE *, const unsigned char *, - size_t); -EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *, - size_t); -int EVP_PKEY_get_raw_private_key(const EVP_PKEY *, unsigned char *, size_t *); -int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *); - int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *); int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ @@ -139,27 +127,6 @@ static const long Cryptography_HAS_SCRYPT = 1; #endif -#if CRYPTOGRAPHY_IS_LIBRESSL -static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0; -int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL; -#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 -static const long Cryptography_HAS_RAW_KEY = 0; -EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *, - size_t) = NULL; -EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *, - size_t) = NULL; -int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *, - size_t *) = NULL; -int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *, - size_t *) = NULL; -#else -static const long Cryptography_HAS_RAW_KEY = 1; -#endif -#else -static const long Cryptography_HAS_RAW_KEY = 1; -static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1; -#endif - /* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519 conditional to remove it. OpenSSL 1.1.0 didn't have this define, but 1.1.1 will when it is released. We can remove this in the distant @@ -205,11 +172,4 @@ const char *) = NULL; void (*EVP_CIPHER_free)(EVP_CIPHER *) = NULL; #endif - -#if CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_EVP_PKEY_DH = 0; -int (*EVP_PKEY_set1_DH)(EVP_PKEY *, DH *) = NULL; -#else -static const long Cryptography_HAS_EVP_PKEY_DH = 1; -#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 58e6cceae4fe..3b8b6556b9c6 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -69,12 +69,6 @@ def cryptography_has_poly1305() -> typing.List[str]: ] -def cryptography_has_evp_digestfinal_xof() -> typing.List[str]: - return [ - "EVP_DigestFinalXOF", - ] - - def cryptography_has_fips() -> typing.List[str]: return [ "FIPS_mode_set", @@ -130,15 +124,6 @@ def cryptography_has_tlsv13_functions() -> typing.List[str]: ] -def cryptography_has_raw_key() -> typing.List[str]: - return [ - "EVP_PKEY_new_raw_private_key", - "EVP_PKEY_new_raw_public_key", - "EVP_PKEY_get_raw_private_key", - "EVP_PKEY_get_raw_public_key", - ] - - def cryptography_has_engine() -> typing.List[str]: return [ "ENGINE_by_id", @@ -228,12 +213,6 @@ def cryptography_has_prime_checks() -> typing.List[str]: ] -def cryptography_has_evp_pkey_dh() -> typing.List[str]: - return [ - "EVP_PKEY_set1_DH", - ] - - def cryptography_has_300_evp_cipher() -> typing.List[str]: return ["EVP_CIPHER_fetch", "EVP_CIPHER_free"] @@ -290,10 +269,6 @@ def cryptography_has_evp_aead() -> typing.List[str]: "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13, "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext, "Cryptography_HAS_TLSv1_3_FUNCTIONS": cryptography_has_tlsv13_functions, - "Cryptography_HAS_RAW_KEY": cryptography_has_raw_key, - "Cryptography_HAS_EVP_DIGESTFINAL_XOF": ( - cryptography_has_evp_digestfinal_xof - ), "Cryptography_HAS_ENGINE": cryptography_has_engine, "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, "Cryptography_HAS_SRTP": cryptography_has_srtp, @@ -306,7 +281,6 @@ def cryptography_has_evp_aead() -> typing.List[str]: "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, - "Cryptography_HAS_EVP_PKEY_DH": cryptography_has_evp_pkey_dh, "Cryptography_HAS_300_EVP_CIPHER": cryptography_has_300_evp_cipher, "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( cryptography_has_unexpected_eof_while_reading From 9b4472513d7f68c49d1a5ebcf66f0699adb74a09 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Jun 2023 14:21:41 +0000 Subject: [PATCH 0096/1014] Bump keyring from 24.0.1 to 24.1.0 (#9124) Bumps [keyring](https://github.com/jaraco/keyring) from 24.0.1 to 24.1.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.0.1...v24.1.0) --- updated-dependencies: - dependency-name: keyring dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 131e84495af2..837a0f31dcf8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -58,7 +58,7 @@ jaraco-classes==3.2.3 # via keyring jinja2==3.1.2 # via sphinx -keyring==24.0.1 +keyring==24.1.0 # via twine markdown-it-py==3.0.0 # via rich From da7bd1d5ffe932dba5145e1324c5473fde7c8886 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Jun 2023 14:21:56 +0000 Subject: [PATCH 0097/1014] Bump pytest from 7.3.2 to 7.4.0 (#9125) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.3.2 to 7.4.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.3.2...7.4.0) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 837a0f31dcf8..921c2388cbb6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -110,7 +110,7 @@ pygments==2.15.1 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.3.2 +pytest==7.4.0 # via # cryptography (pyproject.toml) # pytest-benchmark From 66515932c59c6d100a1d56c1640179ddbf65fb71 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Jun 2023 14:29:53 +0000 Subject: [PATCH 0098/1014] Bump ruff from 0.0.274 to 0.0.275 (#9127) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.274 to 0.0.275. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.274...v0.0.275) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 921c2388cbb6..2be8c84bd361 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.2 # via twine -ruff==0.0.274 +ruff==0.0.275 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 2efee2873cced3f6b60e69c5514e70972626e539 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Jun 2023 14:37:31 +0000 Subject: [PATCH 0099/1014] Bump platformdirs from 3.7.0 to 3.8.0 (#9123) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.7.0 to 3.8.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.7.0...3.8.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2be8c84bd361..2a222b051169 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.1 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.7.0 +platformdirs==3.8.0 # via # black # virtualenv From 4806828ebf9a34c8a1ec669cd8e1b1db0dc68297 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 24 Jun 2023 00:25:12 +0000 Subject: [PATCH 0100/1014] Bump BoringSSL and/or OpenSSL in CI (#9130) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e62ca7cb0c8e..dcb0d74fb8a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,10 +46,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 23, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a905bbb52a7bac5099f2cbee008c6f3eae96218c"}} - # Latest commit on the OpenSSL master branch, as of Jun 21, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7197abddb891933f52ec84dafb41b685d4a1d122"}} + # Latest commit on the BoringSSL master branch, as of Jun 24, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "824f0e9113916d0258ce515079492f43d3ed67c3"}} + # Latest commit on the OpenSSL master branch, as of Jun 24, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a9e6100bc98439ca787aa1fce541550ad1ff3e84"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 562b2d973123ac385e1f2638a9db1841884ccbf2 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Sat, 24 Jun 2023 20:17:32 +0200 Subject: [PATCH 0101/1014] Revert "cryptography-cffi: substitute include path from target sysroot in cross builds (#9105)" (#9131) The original code was right all along: it uses the official API for obtaining header locations, and it is on the build environment to ensure python supplies that in cross-build scenarios (another option is to apply a custom patch, however any such patch is not eligible for upstream submission due to its specificity). Further info: https://github.com/pyca/cryptography/pull/9129 Co-authored-by: Alexander Kanavin --- src/rust/cryptography-cffi/build.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index bd39fba9e33b..07590ad2e593 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -49,7 +49,7 @@ fn main() { println!("cargo:rustc-cfg=python_implementation=\"{}\"", python_impl); let python_include = run_python_script( &python, - "import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'), end='')", + "import sysconfig; print(sysconfig.get_path('include'), end='')", ) .unwrap(); let openssl_include = From 313dd9d33fe368ab5ea2b6bb8d1a54b7161aa4cf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Jun 2023 13:23:38 -0400 Subject: [PATCH 0102/1014] Added another potential future MSRV (#9126) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dcb0d74fb8a3..e798e8a7539a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,6 +54,7 @@ jobs: # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 # 1.64 - maturin + # 1.65 - Generic associated types (GATs) - {VERSION: "3.11", NOXSESSION: "tests-nocoverage", RUST: "1.56.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.60.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "beta"} From 93a6a3528e5c6c580fdb73ba6ac9fc5918bb99df Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Jun 2023 13:24:39 -0400 Subject: [PATCH 0103/1014] Stop caching cargo and pip dirs (#9128) They're of very limited value (I think), and they're some of the most unreliable parts of our infra. --- .github/actions/cache/action.yml | 30 ------------------------------ .github/workflows/ci.yml | 10 ++++++++++ 2 files changed, 10 insertions(+), 30 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 3e487eb934da..53941b1628d7 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -19,35 +19,5 @@ runs: using: "composite" steps: - - name: Get pip cache dir - id: pip-cache - run: | - # Determine the path to our Python. It's in venv for our containers - # but just standard $PATH for setup-python pythons. - if [[ -f "/venv/bin/python" ]]; then - echo "dir=$(/venv/bin/python -m pip cache dir)" >> $GITHUB_OUTPUT - elif which python >/dev/null; then - echo "dir=$(python -m pip cache dir)" >> $GITHUB_OUTPUT - fi - shell: bash - - name: Normalize key - id: normalized-key - run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT - shell: bash - - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 - id: cache - with: - path: | - ${{ steps.pip-cache.outputs.dir }} - ~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - ${{ inputs.additional-paths }} - key: cargo-pip-${{ runner.os }}-${{ runner.arch }}-${{ steps.normalized-key.outputs.key }}-7 - - name: Size of cache items - run: | - du -sh ~/.cargo/registry/index/ - du -sh ~/.cargo/registry/cache/ - shell: bash - if: ${{ steps.cache.outputs.cache-hit }} - name: Run sccache-cache uses: mozilla-actions/sccache-action@8417cffc2ec64127ad83077aceaa8631f7cdc83e # v0.0.3 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e798e8a7539a..d93c86ca8cbd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -70,6 +70,8 @@ jobs: uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON.VERSION }} + cache: pip + cache-dependency-path: ci-constraints-requirements.txt - name: Setup rust uses: dtolnay/rust-toolchain@1f5cdb56c8779e3efa22473ce181ff83143b172c with: @@ -245,6 +247,8 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 + cache: pip + cache-dependency-path: ci-constraints-requirements.txt - run: rustup component add llvm-tools-preview - run: python -m pip install -c ci-constraints-requirements.txt 'nox' @@ -302,6 +306,8 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} + cache: pip + cache-dependency-path: ci-constraints-requirements.txt - run: rustup component add llvm-tools-preview - name: Cache rust and pip uses: ./.github/actions/cache @@ -374,6 +380,8 @@ jobs: uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: ${{ matrix.PYTHON }} + cache: pip + cache-dependency-path: ci-constraints-requirements.txt - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install - run: pip install . env: @@ -417,6 +425,8 @@ jobs: uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: '3.11' + cache: pip + cache-dependency-path: ci-constraints-requirements.txt - run: pip install -c ci-constraints-requirements.txt coverage[toml] if: ${{ always() }} - name: Download coverage data From 2f9cd402d3293f6efe0f3ac06f17c6c14edbed86 Mon Sep 17 00:00:00 2001 From: James Hilliard Date: Sun, 25 Jun 2023 17:39:19 -0600 Subject: [PATCH 0104/1014] Fix include directory when cross compiling (#9129) --- src/rust/cryptography-cffi/build.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 07590ad2e593..384af1ddb114 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -47,9 +47,14 @@ fn main() { ) .unwrap(); println!("cargo:rustc-cfg=python_implementation=\"{}\"", python_impl); - let python_include = run_python_script( + let python_includes = run_python_script( &python, - "import sysconfig; print(sysconfig.get_path('include'), end='')", + "import os; \ + import setuptools.dist; \ + import setuptools.command.build_ext; \ + b = setuptools.command.build_ext.build_ext(setuptools.dist.Distribution()); \ + b.finalize_options(); \ + print(os.pathsep.join(b.include_dirs), end='')", ) .unwrap(); let openssl_include = @@ -59,12 +64,15 @@ fn main() { let mut build = cc::Build::new(); build .file(openssl_c) - .include(python_include) .include(openssl_include) .flag_if_supported("-Wconversion") .flag_if_supported("-Wno-error=sign-conversion") .flag_if_supported("-Wno-unused-parameter"); + for python_include in env::split_paths(&python_includes) { + build.include(python_include); + } + // Enable abi3 mode if we're not using PyPy. if python_impl != "PyPy" { // cp37 (Python 3.7 to help our grep when we some day drop 3.7 support) From 66b68ba191f905b1991192195da752b017b2d340 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 25 Jun 2023 20:21:36 -0400 Subject: [PATCH 0105/1014] Bump BoringSSL and/or OpenSSL in CI (#9134) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d93c86ca8cbd..dd5d546ceed3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -48,8 +48,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jun 24, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "824f0e9113916d0258ce515079492f43d3ed67c3"}} - # Latest commit on the OpenSSL master branch, as of Jun 24, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a9e6100bc98439ca787aa1fce541550ad1ff3e84"}} + # Latest commit on the OpenSSL master branch, as of Jun 26, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "43596b306b1fe06da3b1a99e07c0cf235898010d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From c2c1590668099071e376809cdd09c415053abeb9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jun 2023 03:32:57 +0000 Subject: [PATCH 0106/1014] Bump dtolnay/rust-toolchain (#9136) Bumps [dtolnay/rust-toolchain](https://github.com/dtolnay/rust-toolchain) from 1f5cdb56c8779e3efa22473ce181ff83143b172c to 0e66bd3e6b38ec0ad5312288c83e47c143e6b09e. - [Release notes](https://github.com/dtolnay/rust-toolchain/releases) - [Commits](https://github.com/dtolnay/rust-toolchain/compare/1f5cdb56c8779e3efa22473ce181ff83143b172c...0e66bd3e6b38ec0ad5312288c83e47c143e6b09e) --- updated-dependencies: - dependency-name: dtolnay/rust-toolchain dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dd5d546ceed3..ec83ac5de764 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -73,7 +73,7 @@ jobs: cache: pip cache-dependency-path: ci-constraints-requirements.txt - name: Setup rust - uses: dtolnay/rust-toolchain@1f5cdb56c8779e3efa22473ce181ff83143b172c + uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e with: toolchain: ${{ matrix.PYTHON.RUST }} components: rustfmt,clippy diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 495b8c77f999..39481f1da1f1 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -216,7 +216,7 @@ jobs: name: openssl-macos-universal2 path: "../openssl-macos-universal2/" github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: dtolnay/rust-toolchain@1f5cdb56c8779e3efa22473ce181ff83143b172c + - uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e with: toolchain: stable # Add the arm64 target in addition to the native arch (x86_64) @@ -287,7 +287,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} - - uses: dtolnay/rust-toolchain@1f5cdb56c8779e3efa22473ce181ff83143b172c + - uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e with: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} From 8bc9eff9b96e36a30ab76fbd61c359a1398ac832 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jun 2023 03:36:19 +0000 Subject: [PATCH 0107/1014] Bump keyring from 24.1.0 to 24.2.0 (#9137) Bumps [keyring](https://github.com/jaraco/keyring) from 24.1.0 to 24.2.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.1.0...v24.2.0) --- updated-dependencies: - dependency-name: keyring dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2a222b051169..77e98ff606e0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -58,7 +58,7 @@ jaraco-classes==3.2.3 # via keyring jinja2==3.1.2 # via sphinx -keyring==24.1.0 +keyring==24.2.0 # via twine markdown-it-py==3.0.0 # via rich From c4e7e5f6a75e1c55c0d5aaf808f6ae5521e40cca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jun 2023 03:40:34 +0000 Subject: [PATCH 0108/1014] Bump mypy from 1.4.0 to 1.4.1 (#9138) Bumps [mypy](https://github.com/python/mypy) from 1.4.0 to 1.4.1. - [Commits](https://github.com/python/mypy/compare/v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 77e98ff606e0..3d05e0a63106 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==9.1.0 # via jaraco-classes -mypy==1.4.0 +mypy==1.4.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From dd587c9f1552e25d6ab66c54774c6ff6b9c0bfb1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jun 2023 04:32:57 +0000 Subject: [PATCH 0109/1014] Bump libc from 0.2.146 to 0.2.147 in /src/rust (#9140) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.146 to 0.2.147. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.146...0.2.147) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 04fef310dc58..5f89597e66bf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -119,9 +119,9 @@ checksum = "bfa799dd5ed20a7e349f3b4639aa80d74549c81716d9ec4f994c9b5815598306" [[package]] name = "libc" -version = "0.2.146" +version = "0.2.147" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f92be4933c13fd498862a9e02a3055f8a8d9c039ce33db97306fd5a6caa7f29b" +checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" [[package]] name = "lock_api" From d729efe3eb2c2df764fdeff0f11fc881ffc87ba9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Jun 2023 00:33:12 -0400 Subject: [PATCH 0110/1014] Update comment to be more precise (#9135) --- src/rust/src/backend/ec.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 6549663c3b0f..59351b721a49 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -386,7 +386,10 @@ impl ECPrivateKey { let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; - // XXX: single allocation + // TODO: This does an extra allocation and copy. This can't easily use + // `PyBytes::new_with` because the exact length of the signature isn't + // easily known a priori (if `r` or `s` has a leading 0, the signature + // will be a byte or two shorter than the maximum possible length). let mut sig = vec![]; signer.sign_to_vec(data, &mut sig)?; Ok(pyo3::types::PyBytes::new(py, &sig)) From 140022ca4ddaa136b1a5c5bab7fe14749c09adf4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jun 2023 06:33:38 +0200 Subject: [PATCH 0111/1014] Bump proc-macro2 from 1.0.60 to 1.0.63 in /src/rust (#9139) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.60 to 1.0.63. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.60...1.0.63) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5f89597e66bf..5052b5a81361 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -226,9 +226,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.60" +version = "1.0.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dec2b086b7a862cf4de201096214fa870344cf922b2b30c167badb3af3195406" +checksum = "7b368fba921b0dce7e60f5e04ec15e565b3303972b42bcfde1d0713b881959eb" dependencies = [ "unicode-ident", ] From 05f5219917990575b8ee826e6701aeb7a955dc4d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Jun 2023 10:23:39 -0400 Subject: [PATCH 0112/1014] Remove explicit enablement of sparse registry from wheel builder (#9141) Its on by default in rust starting with 1.70. Note: I'm not removing it from ci.yml until our MSRV is 1.70, as there are older builders. However, wheel-builder.yml always builds with the latest rustc, so it can safely be removed. --- .github/workflows/wheel-builder.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 39481f1da1f1..eeaf5cc4221a 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -19,9 +19,6 @@ on: - pyproject.toml - vectors/pyproject.toml -env: - CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse - jobs: sdist: runs-on: ubuntu-latest From 35219339d937b35435813d0995b5573a1d665cf2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 26 Jun 2023 20:37:30 -0400 Subject: [PATCH 0113/1014] Bump BoringSSL and/or OpenSSL in CI (#9142) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ec83ac5de764..f2a3b7fb85f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,10 +46,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 24, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "824f0e9113916d0258ce515079492f43d3ed67c3"}} - # Latest commit on the OpenSSL master branch, as of Jun 26, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "43596b306b1fe06da3b1a99e07c0cf235898010d"}} + # Latest commit on the BoringSSL master branch, as of Jun 27, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6f13380d27835e70ec7caf807da7a1f239b10da6"}} + # Latest commit on the OpenSSL master branch, as of Jun 27, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "810f7dc1c7cc5441097b398f753e33652848a4cc"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 16ee22f6b8452db44cf9d2209474e8b3fbdaa56b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 27 Jun 2023 16:22:54 -0400 Subject: [PATCH 0114/1014] Try using the rust cache action (#9145) * Try using the rust cache action * Trigger CI to test cache --- .github/actions/cache/action.yml | 18 ++++++------------ .github/workflows/ci.yml | 2 -- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 53941b1628d7..8eebf7ab82b7 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -1,23 +1,17 @@ -name: Cache rust and pip -description: Caches rust and pip data to speed builds +name: Cache +description: Caches build data to speed builds inputs: - additional-paths: - description: 'Additional paths to add to the cache' - required: false - default: '' key: description: 'extra cache key components' required: false default: '' -outputs: - cache-hit: - description: 'Was the cache hit?' - value: ${{ steps.cache.outputs.cache-hit }} runs: using: "composite" steps: - - name: Run sccache-cache - uses: mozilla-actions/sccache-action@8417cffc2ec64127ad83077aceaa8631f7cdc83e # v0.0.3 + - uses: Swatinem/rust-cache@2656b87321093db1cb55fbd73183d195214fdfd1 # v2.5.0 + with: + key: ${{ inputs.key }} + workspaces: "./src/rust/ -> target" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f2a3b7fb85f8..0d6d3da51ec6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,8 +18,6 @@ concurrency: env: CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse - SCCACHE_GHA_ENABLED: "true" - RUSTC_WRAPPER: "sccache" CARGO_INCREMENTAL: 0 jobs: From 1eb823a0585caea4c33bc53356214e64a144c381 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 27 Jun 2023 16:31:34 -0400 Subject: [PATCH 0115/1014] Stop explicitly enabling RSA blinding (#9143) It is on by default in OpenSSL, going back at least as far 1.1.1d, and probably much farther. --- .../hazmat/backends/openssl/rsa.py | 25 ------------ tests/hazmat/primitives/test_rsa.py | 39 ------------------- 2 files changed, 64 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index ef27d4ead570..b9c96a78faa1 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -4,7 +4,6 @@ from __future__ import annotations -import threading import typing from cryptography.exceptions import ( @@ -400,9 +399,6 @@ def __init__( self._backend = backend self._rsa_cdata = rsa_cdata self._evp_pkey = evp_pkey - # Used for lazy blinding - self._blinded = False - self._blinding_lock = threading.Lock() n = self._backend._ffi.new("BIGNUM **") self._backend._lib.RSA_get0_key( @@ -414,31 +410,11 @@ def __init__( self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) self._key_size = self._backend._lib.BN_num_bits(n[0]) - def _enable_blinding(self) -> None: - # If you call blind on an already blinded RSA key OpenSSL will turn - # it off and back on, which is a performance hit we want to avoid. - if not self._blinded: - with self._blinding_lock: - self._non_threadsafe_enable_blinding() - - def _non_threadsafe_enable_blinding(self) -> None: - # This is only a separate function to allow for testing to cover both - # branches. It should never be invoked except through _enable_blinding. - # Check if it's not True again in case another thread raced past the - # first non-locked check. - if not self._blinded: - res = self._backend._lib.RSA_blinding_on( - self._rsa_cdata, self._backend._ffi.NULL - ) - self._backend.openssl_assert(res == 1) - self._blinded = True - @property def key_size(self) -> int: return self._key_size def decrypt(self, ciphertext: bytes, padding: AsymmetricPadding) -> bytes: - self._enable_blinding() key_size_bytes = (self.key_size + 7) // 8 if key_size_bytes != len(ciphertext): raise ValueError("Ciphertext length must be equal to key size.") @@ -508,7 +484,6 @@ def sign( padding: AsymmetricPadding, algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], ) -> bytes: - self._enable_blinding() data, algorithm = _calculate_digest_and_algorithm(data, algorithm) return _rsa_sig_sign(self._backend, padding, algorithm, self, data) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 85459a59461a..753feca37923 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -451,45 +451,6 @@ def test_oaep_wrong_label(self, rsa_key_2048, enclabel, declabel, backend): ), ) - @pytest.mark.supported( - only_if=lambda backend: backend.rsa_encryption_supported( - padding.PKCS1v15() - ), - skip_message="Does not support PKCS1v1.5.", - ) - def test_lazy_blinding(self, backend): - # We don't want to reuse the rsa_key_2048 fixture here because lazy - # blinding mutates the object to add the blinding factor on - # the first call to decrypt/sign. Since we reuse rsa_key_2048 in - # many tests we can't properly test blinding, which will (likely) - # already be set on the fixture. - private_key = RSA_KEY_2048.private_key( - unsafe_skip_rsa_key_validation=True - ) - public_key = private_key.public_key() - msg = b"encrypt me!" - ct = public_key.encrypt( - msg, - padding.PKCS1v15(), - ) - assert private_key._blinded is False # type: ignore[attr-defined] - pt = private_key.decrypt( - ct, - padding.PKCS1v15(), - ) - assert private_key._blinded is True # type: ignore[attr-defined] - # Call a second time to cover the branch where blinding - # has already occurred and we don't want to do it again. - pt2 = private_key.decrypt( - ct, - padding.PKCS1v15(), - ) - assert pt == pt2 - assert private_key._blinded is True - # Private method call to cover the racy branch within the lock - private_key._non_threadsafe_enable_blinding() - assert private_key._blinded is True - class TestRSASignature: @pytest.mark.supported( From 204b6a937e3a8624949bddd3f1466f81964c7530 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 28 Jun 2023 00:17:36 +0000 Subject: [PATCH 0116/1014] Bump BoringSSL and/or OpenSSL in CI (#9147) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0d6d3da51ec6..b432072538d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 27, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6f13380d27835e70ec7caf807da7a1f239b10da6"}} - # Latest commit on the OpenSSL master branch, as of Jun 27, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "810f7dc1c7cc5441097b398f753e33652848a4cc"}} + # Latest commit on the BoringSSL master branch, as of Jun 28, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "28e4a1b838b2ffbf9e2151ae5fcfffe5ab0ffac0"}} + # Latest commit on the OpenSSL master branch, as of Jun 28, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9f0cc5d09a89731f1cd9b111f12aa3ac9667b6a0"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 420d94586991bf614d7620efb6f192105f2a23ce Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 28 Jun 2023 00:05:13 -0400 Subject: [PATCH 0117/1014] fixed linkcheck build (#9148) --- .github/workflows/linkcheck.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index a69e123c07b3..56731d755c76 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -9,9 +9,6 @@ permissions: contents: read env: - CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse - SCCACHE_GHA_ENABLED: "true" - RUSTC_WRAPPER: "sccache" CARGO_INCREMENTAL: 0 jobs: @@ -43,4 +40,4 @@ jobs: env: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - name: linkcheck - run: nox --no-install -s docs-linkcheck -- --color=yes \ No newline at end of file + run: nox --no-install -s docs-linkcheck -- --color=yes From 4f05a71fa36dff78ef040ff1b467eab890bf9cda Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Jun 2023 23:30:58 +0000 Subject: [PATCH 0118/1014] Bump windows-targets from 0.48.0 to 0.48.1 in /src/rust (#9149) Bumps [windows-targets](https://github.com/microsoft/windows-rs) from 0.48.0 to 0.48.1. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/compare/0.48.0...windows-targets-0.48.1) --- updated-dependencies: - dependency-name: windows-targets dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5052b5a81361..7dfc38848a81 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" [[package]] name = "windows-targets" -version = "0.48.0" +version = "0.48.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5" +checksum = "05d4b17490f70499f20b9e791dcf6a299785ce8af4d709018206dc5b4953e95f" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", From 8d729cf986a3ce29b91f954679c65a37186b21e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Jun 2023 23:32:28 +0000 Subject: [PATCH 0119/1014] Bump typing-extensions from 4.6.3 to 4.7.0 (#9150) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.6.3 to 4.7.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.6.3...4.7.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3d05e0a63106..e1a668041610 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -179,7 +179,7 @@ tomli==2.0.1 # pytest twine==4.0.2 # via cryptography (pyproject.toml) -typing-extensions==4.6.3 +typing-extensions==4.7.0 # via mypy urllib3==2.0.3 # via From 3ddf7dadc609205a5f787174edc6980f0ac5bec4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 29 Jun 2023 00:18:07 +0000 Subject: [PATCH 0120/1014] Bump BoringSSL and/or OpenSSL in CI (#9151) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b432072538d2..a6179afacaf3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jun 28, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "28e4a1b838b2ffbf9e2151ae5fcfffe5ab0ffac0"}} - # Latest commit on the OpenSSL master branch, as of Jun 28, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9f0cc5d09a89731f1cd9b111f12aa3ac9667b6a0"}} + # Latest commit on the OpenSSL master branch, as of Jun 29, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "58cd83f83cb0fb4c0eaf97aef1c65996c0936a7d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 470c9929d3003cf9e6fc65ff92c30da9da712515 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Jun 2023 12:54:16 +0000 Subject: [PATCH 0121/1014] Bump quote from 1.0.28 to 1.0.29 in /src/rust (#9153) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.28 to 1.0.29. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.28...1.0.29) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7dfc38848a81..b7b574c726e2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.28" +version = "1.0.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b9ab9c7eadfd8df19006f1cf1a4aed13540ed5cbc047010ece5826e10825488" +checksum = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105" dependencies = [ "proc-macro2", ] From 0fe6a4120d30e1d312ad20a704e09e4aceffa91d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 29 Jun 2023 09:58:14 -0400 Subject: [PATCH 0122/1014] Test unsupported PSS MGF with a key of valid size (#9154) --- tests/hazmat/primitives/test_rsa.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 753feca37923..3cb3b17efb22 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -708,9 +708,9 @@ def test_padding_incorrect_type( skip_message="Does not support PSS.", ) def test_unsupported_pss_mgf( - self, rsa_key_512: rsa.RSAPrivateKey, backend + self, rsa_key_2048: rsa.RSAPrivateKey, backend ): - private_key = rsa_key_512 + private_key = rsa_key_2048 with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): private_key.sign( b"msg", From 543d09cc6020afa6b23a25aecd44569cd2a64ba2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 29 Jun 2023 15:23:26 -0400 Subject: [PATCH 0123/1014] Use valid RSA key size in test of MGF1 with MD5 (#9155) * Use valid RSA key size in test of MGF1 with MD5 * Update test_openssl.py --- tests/hazmat/backends/test_openssl.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index b0058e8a4bac..68f3d1a5fb24 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -24,7 +24,7 @@ DummyHashAlgorithm, DummyMode, ) -from ...hazmat.primitives.test_rsa import rsa_key_512, rsa_key_2048 +from ...hazmat.primitives.test_rsa import rsa_key_2048 from ...utils import ( load_vectors_from_file, raises_unsupported_algorithm, @@ -32,7 +32,7 @@ # Make ruff happy since we're importing fixtures that pytest patches in as # func args -__all__ = ["rsa_key_512", "rsa_key_2048"] +__all__ = ["rsa_key_2048"] def skip_if_libre_ssl(openssl_version): @@ -270,10 +270,10 @@ def test_rsa_padding_unsupported_mgf(self): is False ) - def test_unsupported_mgf1_hash_algorithm_md5_decrypt(self, rsa_key_512): + def test_unsupported_mgf1_hash_algorithm_md5_decrypt(self, rsa_key_2048): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): - rsa_key_512.decrypt( - b"0" * 64, + rsa_key_2048.decrypt( + b"0" * 256, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.MD5()), algorithm=hashes.MD5(), From 8ed8e54b9097326b8ef93be87f171fabf20605a5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 29 Jun 2023 20:33:03 -0400 Subject: [PATCH 0124/1014] Bump BoringSSL and/or OpenSSL in CI (#9157) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6179afacaf3..8faa3580808a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 28, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "28e4a1b838b2ffbf9e2151ae5fcfffe5ab0ffac0"}} - # Latest commit on the OpenSSL master branch, as of Jun 29, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "58cd83f83cb0fb4c0eaf97aef1c65996c0936a7d"}} + # Latest commit on the BoringSSL master branch, as of Jun 30, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9c0f22cdfbb696bcba8cbf02ae5737df15aae704"}} + # Latest commit on the OpenSSL master branch, as of Jun 30, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "55d3a6be6ba3af9781631e74833ea1dcbd4008e6"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 09a499d93d0dfd45988c7ab426975fcfe7cacbc4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 30 Jun 2023 08:33:46 -0400 Subject: [PATCH 0125/1014] Normalize keys in cache (#9158) Commas cause it to not cache --- .github/actions/cache/action.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 8eebf7ab82b7..5303aa80a625 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -11,7 +11,11 @@ runs: using: "composite" steps: + - name: Normalize key + id: normalized-key + run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT + shell: bash - uses: Swatinem/rust-cache@2656b87321093db1cb55fbd73183d195214fdfd1 # v2.5.0 with: - key: ${{ inputs.key }} + key: ${{ steps.normalized-key.outputs.key }} workspaces: "./src/rust/ -> target" From f71704fd555ae36ce1e81a3919996d4ff3420ca1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 1 Jul 2023 00:19:37 +0000 Subject: [PATCH 0126/1014] Bump BoringSSL and/or OpenSSL in CI (#9159) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8faa3580808a..e6a743656e08 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jun 30, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9c0f22cdfbb696bcba8cbf02ae5737df15aae704"}} - # Latest commit on the OpenSSL master branch, as of Jun 30, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "55d3a6be6ba3af9781631e74833ea1dcbd4008e6"}} + # Latest commit on the BoringSSL master branch, as of Jul 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5eab868eaa5f7a975d50579182e26902441342be"}} + # Latest commit on the OpenSSL master branch, as of Jul 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "500e479db1beae5fa5691d40b866329d2fdc62e7"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 6f54e3a8b4d2ec3ed962bc483eb890598f2272cb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Jul 2023 02:38:08 -0400 Subject: [PATCH 0127/1014] When hashing in Rust, just use the Rust API (#9160) --- src/rust/src/backend/hashes.rs | 16 +++++++++++----- src/rust/src/x509/certificate.rs | 17 +++++++---------- src/rust/src/x509/crl.rs | 14 ++++++-------- src/rust/src/x509/ocsp.rs | 10 ++++------ 4 files changed, 28 insertions(+), 29 deletions(-) diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index d9157d6e8a18..8da7fa53a365 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -8,7 +8,7 @@ use crate::exceptions; use std::borrow::Cow; #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.hashes")] -struct Hash { +pub(crate) struct Hash { #[pyo3(get)] algorithm: pyo3::Py, ctx: Option, @@ -72,11 +72,18 @@ pub(crate) fn message_digest_from_algorithm( } } +impl Hash { + pub(crate) fn update_bytes(&mut self, data: &[u8]) -> CryptographyResult<()> { + self.get_mut_ctx()?.update(data)?; + Ok(()) + } +} + #[pyo3::pymethods] impl Hash { #[new] #[pyo3(signature = (algorithm, backend=None))] - fn new( + pub(crate) fn new( py: pyo3::Python<'_>, algorithm: &pyo3::PyAny, backend: Option<&pyo3::PyAny>, @@ -93,11 +100,10 @@ impl Hash { } fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { - self.get_mut_ctx()?.update(data.as_bytes())?; - Ok(()) + self.update_bytes(data.as_bytes()) } - fn finalize<'p>( + pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index bb5405c021b3..a4e62255d05e 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -5,6 +5,7 @@ use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, }; +use crate::backend::hashes; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{extensions, sct, sign}; use crate::{exceptions, x509}; @@ -91,17 +92,13 @@ impl Certificate { fn fingerprint<'p>( &self, py: pyo3::Python<'p>, - algorithm: pyo3::PyObject, + algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::PyAny> { - let hasher = py - .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? - .getattr(pyo3::intern!(py, "Hash"))? - .call1((algorithm,))?; - // This makes an unnecessary copy. It'd be nice to get rid of it. - let serialized = - pyo3::types::PyBytes::new(py, &asn1::write_single(&self.raw.borrow_dependent())?); - hasher.call_method1(pyo3::intern!(py, "update"), (serialized,))?; - Ok(hasher.call_method0(pyo3::intern!(py, "finalize"))?) + let serialized = asn1::write_single(&self.raw.borrow_dependent())?; + + let mut h = hashes::Hash::new(py, algorithm, None)?; + h.update_bytes(&serialized)?; + Ok(h.finalize(py)?) } fn public_bytes<'p>( diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index b4b421d3f9bb..51495411490c 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -5,6 +5,7 @@ use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, }; +use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, x509}; @@ -177,16 +178,13 @@ impl CertificateRevocationList { fn fingerprint<'p>( &self, py: pyo3::Python<'p>, - algorithm: pyo3::PyObject, + algorithm: &pyo3::PyAny, ) -> pyo3::PyResult<&'p pyo3::PyAny> { - let hashes_mod = py.import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))?; - let h = hashes_mod - .getattr(pyo3::intern!(py, "Hash"))? - .call1((algorithm,))?; - let data = self.public_bytes_der()?; - h.call_method1(pyo3::intern!(py, "update"), (data.as_slice(),))?; - h.call_method0(pyo3::intern!(py, "finalize")) + + let mut h = Hash::new(py, algorithm, None)?; + h.update_bytes(&data)?; + Ok(h.finalize(py)?) } #[getter] diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index ff832477ed6f..81163964b677 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::backend::hashes::Hash; use crate::error::CryptographyResult; use crate::x509; use crate::x509::certificate::Certificate; @@ -118,10 +119,7 @@ pub(crate) fn hash_data<'p>( py_hash_alg: &'p pyo3::PyAny, data: &[u8], ) -> pyo3::PyResult<&'p [u8]> { - let hash = py - .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? - .getattr(pyo3::intern!(py, "Hash"))? - .call1((py_hash_alg,))?; - hash.call_method1(pyo3::intern!(py, "update"), (data,))?; - hash.call_method0(pyo3::intern!(py, "finalize"))?.extract() + let mut h = Hash::new(py, py_hash_alg, None)?; + h.update_bytes(data)?; + Ok(h.finalize(py)?.as_bytes()) } From aaca24827c8118db57f72d4c71934e6f7c4a8977 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Jul 2023 09:21:37 -0400 Subject: [PATCH 0128/1014] Simplify code for getting an extension (#9161) --- src/rust/cryptography-x509/src/extensions.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 2191bc1da16c..41c36e3b77f0 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -47,9 +47,7 @@ impl<'a> Extensions<'a> { /// Retrieves the extension identified by the given OID, /// or None if the extension is not present (or no extensions are present). pub fn get_extension(&self, oid: &asn1::ObjectIdentifier) -> Option { - self.0 - .as_ref() - .and_then(|exts| exts.unwrap_read().clone().find(|ext| &ext.extn_id == oid)) + self.iter().find(|ext| &ext.extn_id == oid) } /// Returns a reference to the underlying extensions. From 1ad21a58e6f186149738009938f518b20b2677a5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Jul 2023 09:22:18 -0400 Subject: [PATCH 0129/1014] Avoid rebuilding everything just to run rust tests (#9162) --- noxfile.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 86a6a68b61a8..717c06726aa0 100644 --- a/noxfile.py +++ b/noxfile.py @@ -177,7 +177,10 @@ def rust(session: nox.Session) -> None: } ) - install(session, ".") + # Just install the dependencies needed for the Rust build.rs + # TODO: Ideally there'd be a pip flag to install just our dependencies, + # but not install us. + install(session, "cffi") with session.chdir("src/rust/"): session.run("cargo", "fmt", "--all", "--", "--check", external=True) From c3a313acc2887572750a961d3ac90cf95bf1720d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 1 Jul 2023 20:21:08 -0400 Subject: [PATCH 0130/1014] Bump BoringSSL and/or OpenSSL in CI (#9164) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e6a743656e08..1c7677448aa9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 01, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5eab868eaa5f7a975d50579182e26902441342be"}} - # Latest commit on the OpenSSL master branch, as of Jul 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "500e479db1beae5fa5691d40b866329d2fdc62e7"}} + # Latest commit on the OpenSSL master branch, as of Jul 02, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6be83ac172aac93b49ae0b847fd5ac9de6ab3ff5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 724ad1fb8f8293637b632fa92a1908ed0ab15543 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 2 Jul 2023 20:24:19 -0400 Subject: [PATCH 0131/1014] Bump BoringSSL and/or OpenSSL in CI (#9166) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1c7677448aa9..37e0ff4bca1f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 01, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5eab868eaa5f7a975d50579182e26902441342be"}} - # Latest commit on the OpenSSL master branch, as of Jul 02, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6be83ac172aac93b49ae0b847fd5ac9de6ab3ff5"}} + # Latest commit on the OpenSSL master branch, as of Jul 03, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42926ca7f237126331a46cad159e6d31e2eafcc8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From dc3efd4acdb3899f15e671cfeb479efe358925d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 12:37:43 +0000 Subject: [PATCH 0132/1014] Bump typing-extensions from 4.7.0 to 4.7.1 (#9167) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.7.0 to 4.7.1. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.7.0...4.7.1) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e1a668041610..bec3bd93eb27 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -179,7 +179,7 @@ tomli==2.0.1 # pytest twine==4.0.2 # via cryptography (pyproject.toml) -typing-extensions==4.7.0 +typing-extensions==4.7.1 # via mypy urllib3==2.0.3 # via From facb6dfdbf27171a416e42b7c0c5453841a81e65 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 12:43:03 +0000 Subject: [PATCH 0133/1014] Bump exceptiongroup from 1.1.1 to 1.1.2 (#9168) Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.1.1 to 1.1.2. - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.1.1...1.1.2) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bec3bd93eb27..77f98ee10842 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -38,7 +38,7 @@ docutils==0.18.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.1.1 +exceptiongroup==1.1.2 # via pytest execnet==1.9.0 # via pytest-xdist From 4987b5f23e311e1b96fef98aaecdb75144b5bf44 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 15:55:02 +0000 Subject: [PATCH 0134/1014] Bump pyo3 from 0.19.0 to 0.19.1 in /src/rust (#9169) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.19.0 to 0.19.1. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.19.1/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.19.0...v0.19.1) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b7b574c726e2..3bf86983b57a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -235,9 +235,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.19.0" +version = "0.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cffef52f74ec3b1a1baf295d9b8fcc3070327aefc39a6d00656b13c1d0b8885c" +checksum = "ffb88ae05f306b4bfcde40ac4a51dc0b05936a9207a4b75b798c7729c4258a59" dependencies = [ "cfg-if", "indoc", @@ -252,9 +252,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.19.0" +version = "0.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "713eccf888fb05f1a96eb78c0dbc51907fee42b3377272dc902eb38985f418d5" +checksum = "554db24f0b3c180a9c0b1268f91287ab3f17c162e15b54caaae5a6b3773396b0" dependencies = [ "once_cell", "target-lexicon", @@ -262,9 +262,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.19.0" +version = "0.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b2ecbdcfb01cbbf56e179ce969a048fd7305a66d4cdf3303e0da09d69afe4c3" +checksum = "922ede8759e8600ad4da3195ae41259654b9c55da4f7eec84a0ccc7d067a70a4" dependencies = [ "libc", "pyo3-build-config", @@ -272,9 +272,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.19.0" +version = "0.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b78fdc0899f2ea781c463679b20cb08af9247febc8d052de941951024cd8aea0" +checksum = "8a5caec6a1dd355964a841fcbeeb1b89fe4146c87295573f94228911af3cc5a2" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -284,9 +284,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.19.0" +version = "0.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60da7b84f1227c3e2fe7593505de274dcf4c8928b4e0a1c23d551a14e4e80a0f" +checksum = "e0b78ccbb160db1556cdb6fd96c50334c5d4ec44dc5e0a968d0a1208fa0efa8b" dependencies = [ "proc-macro2", "quote", From 290a58a46c50ee3621c1270fb9df96eef90ec7d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 15:55:18 +0000 Subject: [PATCH 0135/1014] Bump pyo3-build-config from 0.19.0 to 0.19.1 in /src/rust (#9170) Bumps [pyo3-build-config](https://github.com/pyo3/pyo3) from 0.19.0 to 0.19.1. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.19.1/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.19.0...v0.19.1) --- updated-dependencies: - dependency-name: pyo3-build-config dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> From 34c2f024141e40232bf1de238bd6a4b8480cefa7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jul 2023 14:02:09 -0400 Subject: [PATCH 0136/1014] Trim some more unused bindings (#9165) --- src/_cffi_src/openssl/dh.py | 2 -- src/_cffi_src/openssl/evp.py | 13 ++----------- src/_cffi_src/openssl/nid.py | 6 ------ src/_cffi_src/openssl/rsa.py | 1 - .../hazmat/bindings/openssl/_conditional.py | 11 ----------- 5 files changed, 2 insertions(+), 31 deletions(-) diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py index b4a42e7f6058..a3bf23335dc1 100644 --- a/src/_cffi_src/openssl/dh.py +++ b/src/_cffi_src/openssl/dh.py @@ -10,8 +10,6 @@ TYPES = """ typedef ... DH; - -const long DH_NOT_SUITABLE_GENERATOR; """ FUNCTIONS = """ diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 4eada83bf9fd..35e2110c38b6 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -26,7 +26,6 @@ static const int EVP_PKEY_ED25519; static const int EVP_PKEY_X448; static const int EVP_PKEY_ED448; -static const int EVP_PKEY_POLY1305; static const int EVP_MAX_MD_SIZE; static const int EVP_CTRL_AEAD_SET_IVLEN; static const int EVP_CTRL_AEAD_GET_TAG; @@ -109,7 +108,6 @@ int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *); -int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *); int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ @@ -145,19 +143,13 @@ /* This is tied to ED25519 support so we reuse the Cryptography_HAS_ED25519 conditional to remove it. */ #ifndef EVP_PKEY_ED25519 -#define EVP_PKEY_ED25519 NID_ED25519 +#define EVP_PKEY_ED25519 0 #endif /* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448 conditional to remove it. */ #ifndef EVP_PKEY_ED448 -#define EVP_PKEY_ED448 NID_ED448 -#endif - -/* This is tied to poly1305 support so we reuse the Cryptography_HAS_POLY1305 - conditional to remove it. */ -#ifndef EVP_PKEY_POLY1305 -#define EVP_PKEY_POLY1305 NID_poly1305 +#define EVP_PKEY_ED448 0 #endif #if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER @@ -166,7 +158,6 @@ #else static const long Cryptography_HAS_300_FIPS = 0; static const long Cryptography_HAS_300_EVP_CIPHER = 0; -int (*EVP_default_properties_is_fips_enabled)(OSSL_LIB_CTX *) = NULL; int (*EVP_default_properties_enable_fips)(OSSL_LIB_CTX *, int) = NULL; EVP_CIPHER * (*EVP_CIPHER_fetch)(OSSL_LIB_CTX *, const char *, const char *) = NULL; diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index 7f6cb62303af..b35a70464ae6 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -16,9 +16,6 @@ static const int NID_undef; static const int NID_aes_256_cbc; static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -static const int NID_ED25519; -static const int NID_ED448; -static const int NID_poly1305; static const int NID_subject_alt_name; static const int NID_crl_reason; @@ -32,19 +29,16 @@ CUSTOMIZATIONS = """ #ifndef NID_ED25519 static const long Cryptography_HAS_ED25519 = 0; -static const int NID_ED25519 = 0; #else static const long Cryptography_HAS_ED25519 = 1; #endif #ifndef NID_ED448 static const long Cryptography_HAS_ED448 = 0; -static const int NID_ED448 = 0; #else static const long Cryptography_HAS_ED448 = 1; #endif #ifndef NID_poly1305 static const long Cryptography_HAS_POLY1305 = 0; -static const int NID_poly1305 = 0; #else static const long Cryptography_HAS_POLY1305 = 1; #endif diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py index eea6e396e3fb..9ae7365b1ec7 100644 --- a/src/_cffi_src/openssl/rsa.py +++ b/src/_cffi_src/openssl/rsa.py @@ -26,7 +26,6 @@ int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *); int RSA_check_key(const RSA *); RSA *RSAPublicKey_dup(RSA *); -int RSA_blinding_on(RSA *, BN_CTX *); int RSA_print(BIO *, const RSA *, int); int RSA_set0_key(RSA *, BIGNUM *, BIGNUM *, BIGNUM *); diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 3b8b6556b9c6..2ca0d91c8d24 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -51,24 +51,15 @@ def cryptography_has_x509_store_ctx_get_issuer() -> typing.List[str]: def cryptography_has_ed448() -> typing.List[str]: return [ "EVP_PKEY_ED448", - "NID_ED448", ] def cryptography_has_ed25519() -> typing.List[str]: return [ - "NID_ED25519", "EVP_PKEY_ED25519", ] -def cryptography_has_poly1305() -> typing.List[str]: - return [ - "NID_poly1305", - "EVP_PKEY_POLY1305", - ] - - def cryptography_has_fips() -> typing.List[str]: return [ "FIPS_mode_set", @@ -181,7 +172,6 @@ def cryptography_has_dtls_get_data_mtu() -> typing.List[str]: def cryptography_has_300_fips() -> typing.List[str]: return [ - "EVP_default_properties_is_fips_enabled", "EVP_default_properties_enable_fips", ] @@ -262,7 +252,6 @@ def cryptography_has_evp_aead() -> typing.List[str]: ), "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_ED25519": cryptography_has_ed25519, - "Cryptography_HAS_POLY1305": cryptography_has_poly1305, "Cryptography_HAS_FIPS": cryptography_has_fips, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, From 654dccb8e9d26f4b95e19831f976fc53bef98544 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jul 2023 14:06:00 -0400 Subject: [PATCH 0137/1014] remove X509_V_FLAG_NOTIFY_POLICY (#9163) Recently removed from pyOpenSSL https://github.com/pyca/pyopenssl/pull/1213 closes #8769 --- src/_cffi_src/openssl/x509_vfy.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index f1ea8ee6af82..d32b0d7abc29 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py @@ -103,7 +103,6 @@ static const long X509_V_FLAG_POLICY_CHECK; static const long X509_V_FLAG_EXPLICIT_POLICY; static const long X509_V_FLAG_INHIBIT_MAP; -static const long X509_V_FLAG_NOTIFY_POLICY; static const long X509_V_FLAG_CHECK_SS_SIGNATURE; static const long X509_V_FLAG_PARTIAL_CHAIN; From 525147cb48b768afb8825b4702a9c8e9d95915c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 20:11:04 +0000 Subject: [PATCH 0138/1014] Bump unicode-ident from 1.0.9 to 1.0.10 in /src/rust (#9171) Bumps [unicode-ident](https://github.com/dtolnay/unicode-ident) from 1.0.9 to 1.0.10. - [Release notes](https://github.com/dtolnay/unicode-ident/releases) - [Commits](https://github.com/dtolnay/unicode-ident/compare/1.0.9...1.0.10) --- updated-dependencies: - dependency-name: unicode-ident dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3bf86983b57a..c903528aaa5c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "1b1c7f239eb94671427157bd93b3694320f3668d4e1eff08c7285366fd777fac" [[package]] name = "unicode-ident" -version = "1.0.9" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b15811caf2415fb889178633e7724bad2509101cde276048e013b9def5e51fa0" +checksum = "22049a19f4a68748a168c0fc439f9516686aa045927ff767eca0a85101fb6e73" [[package]] name = "unindent" From 45161f3b30c07e930658bef442d92910e999b3e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 20:12:36 +0000 Subject: [PATCH 0139/1014] Bump Swatinem/rust-cache from 2.5.0 to 2.5.1 in /.github/actions/cache (#9172) Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.5.0 to 2.5.1. - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/2656b87321093db1cb55fbd73183d195214fdfd1...dd05243424bd5c0e585e4b55eb2d7615cdd32f1f) --- updated-dependencies: - dependency-name: Swatinem/rust-cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/cache/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 5303aa80a625..1102852be84a 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@2656b87321093db1cb55fbd73183d195214fdfd1 # v2.5.0 + - uses: Swatinem/rust-cache@dd05243424bd5c0e585e4b55eb2d7615cdd32f1f # v2.5.1 with: key: ${{ steps.normalized-key.outputs.key }} workspaces: "./src/rust/ -> target" From 44e049cc2d2f208d206b27447448a5c3bea95ebd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 20:19:47 +0000 Subject: [PATCH 0140/1014] Bump ruff from 0.0.275 to 0.0.276 (#9173) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.275 to 0.0.276. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.275...v0.0.276) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 77f98ee10842..4cab633c2302 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.2 # via twine -ruff==0.0.275 +ruff==0.0.276 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From e9f735794341dfacc6aab6070fba6c281c3e4bb6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 4 Jul 2023 00:17:40 +0000 Subject: [PATCH 0141/1014] Bump BoringSSL and/or OpenSSL in CI (#9174) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 37e0ff4bca1f..1a417d8604f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5eab868eaa5f7a975d50579182e26902441342be"}} - # Latest commit on the OpenSSL master branch, as of Jul 03, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42926ca7f237126331a46cad159e6d31e2eafcc8"}} + # Latest commit on the BoringSSL master branch, as of Jul 04, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "63f4b806d6085c1a75e40da7d2de972e781ef588"}} + # Latest commit on the OpenSSL master branch, as of Jul 04, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c3c8369f3b42ce4b816606bb9bbad00c664a416"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 4cf714717a207e55384e6162cf3c610df41c31ee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Jul 2023 23:40:47 +0000 Subject: [PATCH 0142/1014] Bump ruff from 0.0.276 to 0.0.277 (#9179) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.276 to 0.0.277. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.276...v0.0.277) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4cab633c2302..dd2ec9df4e9b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.2 # via twine -ruff==0.0.276 +ruff==0.0.277 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 60d82af135baf369873e64b201d620725995aee8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 5 Jul 2023 00:19:11 +0000 Subject: [PATCH 0143/1014] Bump BoringSSL and/or OpenSSL in CI (#9180) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a417d8604f0..274771fca344 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 04, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "63f4b806d6085c1a75e40da7d2de972e781ef588"}} - # Latest commit on the OpenSSL master branch, as of Jul 04, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c3c8369f3b42ce4b816606bb9bbad00c664a416"}} + # Latest commit on the OpenSSL master branch, as of Jul 05, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "db2f98c4ebb17a60307f70c330834beffb8f1253"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 596e8fbb480f5278dbbccc221fb18bb8b03b802c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 4 Jul 2023 23:12:58 -0400 Subject: [PATCH 0144/1014] Alter tests to not rely on len() of a bytes subclass (#9178) * Alter tests to not rely on len() of a bytes subclass * Trigger RTD * Trigger RTD --- tests/hazmat/primitives/test_aead.py | 56 ++++++++++++++++++++-------- 1 file changed, 41 insertions(+), 15 deletions(-) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 5ae306254468..79d077065a68 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -4,7 +4,9 @@ import binascii +import mmap import os +import sys import pytest @@ -26,11 +28,6 @@ from .utils import _load_all_params -class FakeData(bytes): - def __len__(self): - return 2**31 - - def _aead_supported(cls): try: cls(b"0" * 32) @@ -39,6 +36,10 @@ def _aead_supported(cls): return False +def large_mmap(): + return mmap.mmap(-1, 2**32, prot=mmap.PROT_READ) + + @pytest.mark.skipif( _aead_supported(ChaCha20Poly1305), reason="Requires OpenSSL without ChaCha20Poly1305 support", @@ -53,16 +54,21 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): reason="Does not support ChaCha20Poly1305", ) class TestChaCha20Poly1305: + @pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" + ) def test_data_too_large(self): key = ChaCha20Poly1305.generate_key() chacha = ChaCha20Poly1305(key) nonce = b"0" * 12 + large_data = large_mmap() + with pytest.raises(OverflowError): - chacha.encrypt(nonce, FakeData(), b"") + chacha.encrypt(nonce, large_data, b"") with pytest.raises(OverflowError): - chacha.encrypt(nonce, b"", FakeData()) + chacha.encrypt(nonce, b"", large_data) def test_generate_key(self): key = ChaCha20Poly1305.generate_key() @@ -189,16 +195,21 @@ def test_buffer_protocol(self, backend): reason="Does not support AESCCM", ) class TestAESCCM: + @pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" + ) def test_data_too_large(self): key = AESCCM.generate_key(128) aesccm = AESCCM(key) nonce = b"0" * 12 + large_data = large_mmap() + with pytest.raises(OverflowError): - aesccm.encrypt(nonce, FakeData(), b"") + aesccm.encrypt(nonce, large_data, b"") with pytest.raises(OverflowError): - aesccm.encrypt(nonce, b"", FakeData()) + aesccm.encrypt(nonce, b"", large_data) def test_default_tag_length(self, backend): key = AESCCM.generate_key(128) @@ -362,16 +373,21 @@ def _load_gcm_vectors(): class TestAESGCM: + @pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" + ) def test_data_too_large(self): key = AESGCM.generate_key(128) aesgcm = AESGCM(key) nonce = b"0" * 12 + large_data = large_mmap() + with pytest.raises(OverflowError): - aesgcm.encrypt(nonce, FakeData(), b"") + aesgcm.encrypt(nonce, large_data, b"") with pytest.raises(OverflowError): - aesgcm.encrypt(nonce, b"", FakeData()) + aesgcm.encrypt(nonce, b"", large_data) def test_vectors(self, backend, subtests): vectors = _load_gcm_vectors() @@ -496,16 +512,21 @@ def test_aesocb3_unsupported_on_older_openssl(backend): reason="Does not support AESOCB3", ) class TestAESOCB3: + @pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" + ) def test_data_too_large(self): key = AESOCB3.generate_key(128) aesocb3 = AESOCB3(key) nonce = b"0" * 12 + large_data = large_mmap() + with pytest.raises(OverflowError): - aesocb3.encrypt(nonce, FakeData(), b"") + aesocb3.encrypt(nonce, large_data, b"") with pytest.raises(OverflowError): - aesocb3.encrypt(nonce, b"", FakeData()) + aesocb3.encrypt(nonce, b"", large_data) def test_vectors(self, backend, subtests): vectors = [] @@ -629,15 +650,20 @@ def test_buffer_protocol(self, backend): reason="Does not support AESSIV", ) class TestAESSIV: + @pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" + ) def test_data_too_large(self): key = AESSIV.generate_key(256) aessiv = AESSIV(key) + large_data = large_mmap() + with pytest.raises(OverflowError): - aessiv.encrypt(FakeData(), None) + aessiv.encrypt(large_data, None) with pytest.raises(OverflowError): - aessiv.encrypt(b"irrelevant", [FakeData()]) + aessiv.encrypt(b"irrelevant", [large_data]) def test_no_empty_encryption(self): key = AESSIV.generate_key(256) From f0a6899767c0b3deb13a6417d5b360ff32e93278 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 6 Jul 2023 00:17:26 +0000 Subject: [PATCH 0145/1014] Bump BoringSSL and/or OpenSSL in CI (#9183) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 274771fca344..88c68fc795f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 04, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "63f4b806d6085c1a75e40da7d2de972e781ef588"}} + # Latest commit on the BoringSSL master branch, as of Jul 06, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "72540c1049732f30bb84e6e5a43f0dd55191cd63"}} # Latest commit on the OpenSSL master branch, as of Jul 05, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "db2f98c4ebb17a60307f70c330834beffb8f1253"}} # Builds with various Rust versions. Includes MSRV and next From 3fd136607f06c08a9664d33888f044eb80581091 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 6 Jul 2023 03:18:28 +0000 Subject: [PATCH 0146/1014] Bump smallvec from 1.10.0 to 1.11.0 in /src/rust (#9184) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.10.0 to 1.11.0. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.10.0...v1.11.0) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c903528aaa5c..bc985672ffca 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "4c309e515543e67811222dbc9e3dd7e1056279b782e1dacffe4242b718734fb6" [[package]] name = "smallvec" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0" +checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9" [[package]] name = "syn" From 4e3120c0e50851930aa21c1786da305cfc9c283e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 7 Jul 2023 00:17:57 +0000 Subject: [PATCH 0147/1014] Bump BoringSSL and/or OpenSSL in CI (#9187) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 88c68fc795f8..014191d4cf89 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 06, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "72540c1049732f30bb84e6e5a43f0dd55191cd63"}} - # Latest commit on the OpenSSL master branch, as of Jul 05, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "db2f98c4ebb17a60307f70c330834beffb8f1253"}} + # Latest commit on the BoringSSL master branch, as of Jul 07, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "80dcb67d4481fb1194b9669917e35580c32dc388"}} + # Latest commit on the OpenSSL master branch, as of Jul 07, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "61cc84d9f9d8ad3f918d5bd908096d39b72c3969"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 6787a771e0477d19f03490aa020ab59bbe76ddec Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 6 Jul 2023 21:09:09 -0400 Subject: [PATCH 0148/1014] Added missing testcase for AESGCM (#9188) --- tests/hazmat/primitives/test_aead.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 79d077065a68..0ea84d0d4070 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -389,6 +389,12 @@ def test_data_too_large(self): with pytest.raises(OverflowError): aesgcm.encrypt(nonce, b"", large_data) + def test_decrypt_data_too_short(self): + key = AESGCM.generate_key(128) + aesgcm = AESGCM(key) + with pytest.raises(InvalidTag): + aesgcm.decrypt(b"0" * 12, b"0", None) + def test_vectors(self, backend, subtests): vectors = _load_gcm_vectors() for vector in vectors: From 7d3a27343a071b2452516eb84585f40b360c4f87 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 7 Jul 2023 13:09:20 +0000 Subject: [PATCH 0149/1014] Bump execnet from 1.9.0 to 2.0.0 (#9189) Bumps [execnet](https://github.com/pytest-dev/execnet) from 1.9.0 to 2.0.0. - [Changelog](https://github.com/pytest-dev/execnet/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/execnet/compare/v1.9.0...v2.0.0) --- updated-dependencies: - dependency-name: execnet dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index dd2ec9df4e9b..f1245da0e842 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ docutils==0.18.1 # sphinx-rtd-theme exceptiongroup==1.1.2 # via pytest -execnet==1.9.0 +execnet==2.0.0 # via pytest-xdist filelock==3.12.2 # via virtualenv From 2d3354331b88217dd2ffece8a4c16ceb7173d6d4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 7 Jul 2023 13:13:28 +0000 Subject: [PATCH 0150/1014] Bump platformdirs from 3.8.0 to 3.8.1 (#9190) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.8.0 to 3.8.1. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.8.0...3.8.1) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f1245da0e842..ea08fd86b45a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.1 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.8.0 +platformdirs==3.8.1 # via # black # virtualenv From f4b7707af56ec0706af56337d1845d277b795a04 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 7 Jul 2023 17:59:23 +0200 Subject: [PATCH 0151/1014] Fixes for ChaCha20 documentation (#9192) * Restore missing section from ChaCha20 docs This change fixes the indentation of a note inside the ChaCha20 section of the docs, which caused the note to not render in the resulting HTML. * Fix ChaCha20 docs to specify non RFC-compliance Currently, cryptography uses OpenSSL's ChaCha20 implementation, which is based on the original algorithm designed by Daniel J. Bernstein rather than the later standardized version (RFC 7539). Since the documentation does not reflect this (it describes the RFC version of the algorithm, rather than the original version we use), this change fixes that. * Remove random counter from ChaCha20 example docs This changes the ChaCha20 example in the documentation to use a normal user-defined variable for the counter part of the nonce, rather than a randomized counter. --- .../primitives/symmetric-encryption.rst | 39 +++++++++++-------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 2bf7a88cb0a4..e89b8acb0abb 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -140,38 +140,44 @@ Algorithms :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` does this for you. - ChaCha20 is a stream cipher used in several IETF protocols. It is - standardized in :rfc:`7539`. + ChaCha20 is a stream cipher used in several IETF protocols. While it is + standardized in :rfc:`7539`, **this implementation is not RFC-compliant**. + This implementation uses a ``64`` :term:`bits` counter and a ``64`` + :term:`bits` nonce as defined in the `original version`_ of the algorithm, + rather than the ``32/96`` counter/nonce split defined in :rfc:`7539`. :param key: The secret key. This must be kept secret. ``256`` :term:`bits` (32 bytes) in length. :type key: :term:`bytes-like` :param nonce: Should be unique, a :term:`nonce`. It is - critical to never reuse a ``nonce`` with a given key. Any reuse of a + critical to never reuse a ``nonce`` with a given key. Any reuse of a nonce with the same key compromises the security of every message encrypted with that key. The nonce does not need to be kept secret and may be included with the ciphertext. This must be ``128`` - :term:`bits` in length. The 128-bit value is a concatenation of 4-byte - little-endian counter and the 12-byte nonce (as described in - :rfc:`7539`). + :term:`bits` in length. The 128-bit value is a concatenation of the + 8-byte little-endian counter and the 8-byte nonce. :type nonce: :term:`bytes-like` - .. note:: + .. note:: + + In the `original version`_ of the algorithm the nonce is defined as a + 64-bit value that is later concatenated with a block counter (encoded + as a 64-bit little-endian). If you have a separate nonce and block + counter you will need to concatenate it yourself before passing it. + For example, if you have an initial block counter of 2 and a 64-bit + nonce the concatenated nonce would be + ``struct.pack(">> import struct, os >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes - >>> nonce = os.urandom(16) - >>> algorithm = algorithms.ChaCha20(key, nonce) + >>> nonce = os.urandom(8) + >>> counter = 0 + >>> full_nonce = struct.pack(">> algorithm = algorithms.ChaCha20(key, full_nonce) >>> cipher = Cipher(algorithm, mode=None) >>> encryptor = cipher.encryptor() >>> ct = encryptor.update(b"a secret message") @@ -845,6 +851,7 @@ Exceptions .. _`Communications Security Establishment`: https://www.cse-cst.gc.ca .. _`encrypt`: https://ssd.eff.org/en/module/what-should-i-know-about-encryption .. _`CRYPTREC`: https://www.cryptrec.go.jp/english/ +.. _`original version`: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant .. _`significant patterns in the output`: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB) .. _`International Data Encryption Algorithm`: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm .. _`OpenPGP`: https://www.openpgp.org/ From b5709f7d18d2e2ac883f4223777edeee9cc22b85 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 7 Jul 2023 11:32:58 -0500 Subject: [PATCH 0152/1014] update linkcheck (#9193) --- .github/workflows/linkcheck.yml | 6 ++++-- docs/conf.py | 3 +++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 56731d755c76..eb2376378ef8 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -1,6 +1,9 @@ name: linkcheck on: - pull_request: {} + pull_request: + paths: + - docs/conf.py + - .github/workflows/linkcheck.yml push: branches: - main @@ -13,7 +16,6 @@ env: jobs: docs-linkcheck: - if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'pull_request' && contains(github.event.pull_request.title, 'linkcheck')) runs-on: ubuntu-latest name: "linkcheck" timeout-minutes: 10 diff --git a/docs/conf.py b/docs/conf.py index 4cbbde37b7ce..1ee7eabf1208 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -202,6 +202,9 @@ r"https://www.oscca.gov.cn", # Cloudflare returns 403s for all non-browser requests r"https://speakerdeck.com", + # GitHub changed how they do page renders so anchor detection + # no longer works in source view + r"https://github.com/.*/blob/.*#L\d+", ] autosectionlabel_prefix_document = True From 69d8c3a5b1d3ca9fcc9cdf7902cc22d04fbf9e6c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 8 Jul 2023 00:17:28 +0000 Subject: [PATCH 0153/1014] Bump BoringSSL and/or OpenSSL in CI (#9195) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 014191d4cf89..e74f784a231f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 07, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "80dcb67d4481fb1194b9669917e35580c32dc388"}} - # Latest commit on the OpenSSL master branch, as of Jul 07, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "61cc84d9f9d8ad3f918d5bd908096d39b72c3969"}} + # Latest commit on the OpenSSL master branch, as of Jul 08, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0345cac6d29da328739e8b06b02260b63d4a91e9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From db946be8e99f51085d66109ec4291c125822d2b1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 9 Jul 2023 22:48:19 +0000 Subject: [PATCH 0154/1014] Bump proc-macro2 from 1.0.63 to 1.0.64 in /src/rust (#9197) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.63 to 1.0.64. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.63...1.0.64) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bc985672ffca..68fed89ef9ec 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -226,9 +226,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.63" +version = "1.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b368fba921b0dce7e60f5e04ec15e565b3303972b42bcfde1d0713b881959eb" +checksum = "78803b62cbf1f46fde80d7c0e803111524b9877184cfe7c3033659490ac7a7da" dependencies = [ "unicode-ident", ] From cebc40acd39212a7843223b15eaf46b3ec8d8952 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 9 Jul 2023 22:48:39 +0000 Subject: [PATCH 0155/1014] Bump jaraco-classes from 3.2.3 to 3.3.0 (#9198) Bumps [jaraco-classes](https://github.com/jaraco/jaraco.classes) from 3.2.3 to 3.3.0. - [Release notes](https://github.com/jaraco/jaraco.classes/releases) - [Changelog](https://github.com/jaraco/jaraco.classes/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.classes/compare/v3.2.3...v3.3.0) --- updated-dependencies: - dependency-name: jaraco-classes dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ea08fd86b45a..b60a39e70c35 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -54,7 +54,7 @@ importlib-metadata==6.7.0 # twine iniconfig==2.0.0 # via pytest -jaraco-classes==3.2.3 +jaraco-classes==3.3.0 # via keyring jinja2==3.1.2 # via sphinx From 1da41bcafa29292c99b932b28a5f1644d24db5de Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 9 Jul 2023 22:56:36 +0000 Subject: [PATCH 0156/1014] Bump charset-normalizer from 3.1.0 to 3.2.0 (#9201) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.1.0...3.2.0) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b60a39e70c35..dc89705d6778 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -21,7 +21,7 @@ build==0.10.0 # cryptography (pyproject.toml) certifi==2023.5.7 # via requests -charset-normalizer==3.1.0 +charset-normalizer==3.2.0 # via requests check-sdist==0.1.2 # via cryptography (pyproject.toml) From 4390020a6f4fba7464c3769c28535cf6456337b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 9 Jul 2023 22:56:51 +0000 Subject: [PATCH 0157/1014] Bump execnet from 2.0.0 to 2.0.2 (#9202) Bumps [execnet](https://github.com/pytest-dev/execnet) from 2.0.0 to 2.0.2. - [Changelog](https://github.com/pytest-dev/execnet/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/execnet/compare/v2.0.0...v2.0.2) --- updated-dependencies: - dependency-name: execnet dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index dc89705d6778..7b1fd9a52bda 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ docutils==0.18.1 # sphinx-rtd-theme exceptiongroup==1.1.2 # via pytest -execnet==2.0.0 +execnet==2.0.2 # via pytest-xdist filelock==3.12.2 # via virtualenv From d0dda5d53789273772b26bb03e234480a0ba1d15 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 00:18:03 +0000 Subject: [PATCH 0158/1014] Bump BoringSSL and/or OpenSSL in CI (#9205) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e74f784a231f..789ac9da1dee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 07, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "80dcb67d4481fb1194b9669917e35580c32dc388"}} - # Latest commit on the OpenSSL master branch, as of Jul 08, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0345cac6d29da328739e8b06b02260b63d4a91e9"}} + # Latest commit on the OpenSSL master branch, as of Jul 10, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "780b2527476a60f4a2bb791c2d4b1b72f6f0b423"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From dbeaa8b6cefcf4c45efd00882b5c34533f04bf83 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 9 Jul 2023 21:57:27 -0400 Subject: [PATCH 0159/1014] Added python_version conditions to two CI pins (#9203) See: - https://github.com/pyca/cryptography/pull/9200 - https://github.com/pyca/cryptography/pull/9199 --- ci-constraints-requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7b1fd9a52bda..3f83c5847879 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -48,7 +48,7 @@ idna==3.4 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==6.7.0 +importlib-metadata==6.7.0; python_version >= "3.8" # via # keyring # twine @@ -189,7 +189,7 @@ virtualenv==20.23.1 # via nox webencodings==0.5.1 # via bleach -zipp==3.15.0 +zipp==3.15.0; python_version >= "3.8" # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: From 6e2da68baa9f8ec6bbd996fddd98e1d0507bd811 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 02:08:35 +0000 Subject: [PATCH 0160/1014] Bump zipp from 3.15.0 to 3.16.0 (#9199) Bumps [zipp](https://github.com/jaraco/zipp) from 3.15.0 to 3.16.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.15.0...v3.16.0) --- updated-dependencies: - dependency-name: zipp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3f83c5847879..28433f23b7b6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -189,7 +189,7 @@ virtualenv==20.23.1 # via nox webencodings==0.5.1 # via bleach -zipp==3.15.0; python_version >= "3.8" +zipp==3.16.0; python_version >= "3.8" # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: From 44b7b9a0ba9dd1c5d8b511eb6264ea911f1cb0af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 02:25:37 +0000 Subject: [PATCH 0161/1014] Bump importlib-metadata from 6.7.0 to 6.8.0 (#9200) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 6.7.0 to 6.8.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v6.7.0...v6.8.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 28433f23b7b6..6b3f6e6f3d4b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -48,7 +48,7 @@ idna==3.4 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==6.7.0; python_version >= "3.8" +importlib-metadata==6.8.0; python_version >= "3.8" # via # keyring # twine From 50932e2f154ae7ded7c9bd25186bae9b51d8377c Mon Sep 17 00:00:00 2001 From: Magnus Watn Date: Mon, 10 Jul 2023 13:05:11 +0200 Subject: [PATCH 0162/1014] Add organizationIdentifier Name OID (2.5.4.97) (#9206) --- docs/x509/reference.rst | 6 ++++++ src/cryptography/hazmat/_oid.py | 1 + 2 files changed, 7 insertions(+) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index e14c8ffc1093..87ebe62f2669 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -3076,6 +3076,12 @@ instances. The following common OIDs are available as constants. Corresponds to the dotted string ``"2.5.4.9"``. + .. attribute:: ORGANIZATION_IDENTIFIER + + .. versionadded:: 42.0.0 + + Corresponds to the dotted string ``"2.5.4.97"``. + .. attribute:: ORGANIZATION_NAME Corresponds to the dotted string ``"2.5.4.10"``. diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py index 01d4b3406062..0af19e0ce222 100644 --- a/src/cryptography/hazmat/_oid.py +++ b/src/cryptography/hazmat/_oid.py @@ -60,6 +60,7 @@ class NameOID: LOCALITY_NAME = ObjectIdentifier("2.5.4.7") STATE_OR_PROVINCE_NAME = ObjectIdentifier("2.5.4.8") STREET_ADDRESS = ObjectIdentifier("2.5.4.9") + ORGANIZATION_IDENTIFIER = ObjectIdentifier("2.5.4.97") ORGANIZATION_NAME = ObjectIdentifier("2.5.4.10") ORGANIZATIONAL_UNIT_NAME = ObjectIdentifier("2.5.4.11") SERIAL_NUMBER = ObjectIdentifier("2.5.4.5") From 1ca7adc97b76a9dfbd3d850628b613eb93b78fc3 Mon Sep 17 00:00:00 2001 From: jeanluc <2163936+lkubb@users.noreply.github.com> Date: Mon, 10 Jul 2023 16:50:49 +0000 Subject: [PATCH 0163/1014] Fix encoding of SSH certs with critical options (#9208) * Add tests for issue #9207 * Fix encoding of SSH certs with critical options * Test unexpected additional values for crit opts/exts --- docs/development/test-vectors.rst | 4 + .../hazmat/primitives/serialization/ssh.py | 18 +++- tests/hazmat/primitives/test_ssh.py | 86 ++++++++++++------- ...p256-ed25519-non-singular-crit-opt-val.pub | 1 + .../p256-ed25519-non-singular-ext-val.pub | 1 + 5 files changed, 76 insertions(+), 34 deletions(-) create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 3e54c40ae43d..cfab7edcca69 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -866,6 +866,10 @@ Custom OpenSSH Certificate Test Vectors critical option. * ``p256-p256-non-lexical-crit-opts.pub`` - A certificate with critical options in non-lexical order. +* ``p256-ed25519-non-singular-crit-opt-val.pub`` - A certificate with + a critical option that contains more than one value. +* ``p256-ed25519-non-singular-ext-val.pub`` - A certificate with + an extension that contains more than one value. * ``dsa-p256.pub`` - A certificate with a DSA public key signed by a P256 CA. * ``p256-dsa.pub`` - A certificate with a P256 public key signed by a DSA diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index c6177cf5630a..bcc5582bbed0 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -1063,6 +1063,10 @@ def _parse_exts_opts(exts_opts: memoryview) -> typing.Dict[bytes, bytes]: if last_name is not None and bname < last_name: raise ValueError("Fields not lexically sorted") value, exts_opts = _get_sshstr(exts_opts) + if len(value) > 0: + value, extra = _get_sshstr(value) + if len(extra) > 0: + raise ValueError("Unexpected extra data after value") result[bname] = bytes(value) last_name = bname return result @@ -1450,12 +1454,22 @@ def sign(self, private_key: SSHCertPrivateKeyTypes) -> SSHCertificate: fcrit = _FragList() for name, value in self._critical_options: fcrit.put_sshstr(name) - fcrit.put_sshstr(value) + if len(value) > 0: + foptval = _FragList() + foptval.put_sshstr(value) + fcrit.put_sshstr(foptval.tobytes()) + else: + fcrit.put_sshstr(value) f.put_sshstr(fcrit.tobytes()) fext = _FragList() for name, value in self._extensions: fext.put_sshstr(name) - fext.put_sshstr(value) + if len(value) > 0: + fextval = _FragList() + fextval.put_sshstr(value) + fext.put_sshstr(fextval.tobytes()) + else: + fext.put_sshstr(value) f.put_sshstr(fext.tobytes()) f.put_sshstr(b"") # RESERVED FIELD # encode CA public key diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index a0f6db2e7630..6369ba67639e 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -1131,26 +1131,28 @@ def test_loads_ssh_cert(self, backend): # secp256r1 public key, ed25519 signing key cert = load_ssh_public_identity( b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbm" - b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgtdU+dl9vD4xPi8afxERYo" - b"s0c0d9/3m7XGY6fGeSkqn0AAAAIbmlzdHAyNTYAAABBBAsuVFNNj/mMyFm2xB99" - b"G4xiaUJE1lZNjcp+S2tXYW5KorcHpusSlSqOkUPZ2l0644dgiNPDKR/R+BtYENC" - b"8aq8AAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm" - b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAAAAAAIIAA" - b"AAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9y" - b"d2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGV" - b"ybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3" - b"NoLWVkMjU1MTkAAAAg3P0eyGf2crKGwSlnChbLzTVOFKwQELE1Ve+EZ6rXF18AA" - b"ABTAAAAC3NzaC1lZDI1NTE5AAAAQKoij8BsPj/XLb45+wHmRWKNqXeZYXyDIj8J" - b"IE6dIymjEqq0TP6ntu5t59hTmWlDO85GnMXAVGBjFbeikBMfAQc= reaperhulk" - b"@despoina.local" + b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLfsFv9Gbc6LZSiJFWdYQl" + b"IMNI50GExXW0fBpgGVf+Y4AAAAIbmlzdHAyNTYAAABBBIzVyRgVLR4F38bIOLBN" + b"8CNm8Nf+eBHCVkKDKb9WDyLLD61CEmzjK/ORwFuSE4N60eIGbFidBf0D0xh7G6o" + b"TNxsAAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm" + b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAWAAAAA1mb" + b"3JjZS1jb21tYW5kAAAALAAAAChlY2hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh" + b"YWFhYWFhYWFhYWFhAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAACCAAAAFXBlcm1" + b"pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbm" + b"cAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wd" + b"HkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1" + b"NTE5AAAAICH6csEOmGbOfT2B/S/FJg3uyPsaPSZUZk2SVYlfs0KLAAAAUwAAAAt" + b"zc2gtZWQyNTUxOQAAAEDz2u7X5/TFbN7Ms7DP4yArhz1oWWYKkdAk7FGFkHfjtY" + b"/YfNQ8Oky3dCZRi7PnSzScEEjos7723dhF8/y99WwH reaperhulk@despoina." + b"local" ) assert isinstance(cert, SSHCertificate) cert.verify_cert_signature() signature_key = cert.signature_key() assert isinstance(signature_key, ed25519.Ed25519PublicKey) assert cert.nonce == ( - b"\xb5\xd5>v_o\x0f\x8cO\x8b\xc6\x9f\xc4DX\xa2\xcd\x1c\xd1\xdf" - b"\x7f\xden\xd7\x19\x8e\x9f\x19\xe4\xa4\xaa}" + b'-\xfb\x05\xbf\xd1\x9bs\xa2\xd9J"EY\xd6\x10\x94\x83\r#\x9d' + b"\x06\x13\x15\xd6\xd1\xf0i\x80e_\xf9\x8e" ) public_key = cert.public_key() assert isinstance(public_key, ec.EllipticCurvePublicKey) @@ -1161,7 +1163,10 @@ def test_loads_ssh_cert(self, backend): assert cert.valid_principals == [b"cryptouser", b"testuser"] assert cert.valid_before == 1988015552 assert cert.valid_after == 1672655460 - assert cert.critical_options == {} + assert cert.critical_options == { + b"force-command": b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + b"verify-required": b"", + } assert cert.extensions == { b"permit-X11-forwarding": b"", b"permit-agent-forwarding": b"", @@ -1283,6 +1288,8 @@ def test_invalid_cert_type(self): "p256-p256-non-lexical-extensions.pub", "p256-p256-duplicate-crit-opts.pub", "p256-p256-non-lexical-crit-opts.pub", + "p256-ed25519-non-singular-crit-opt-val.pub", + "p256-ed25519-non-singular-ext-val.pub", ], ) def test_invalid_encodings(self, filename): @@ -1709,6 +1716,11 @@ def test_sign_and_byte_compare_rsa(self, monkeypatch): .valid_after(1672531200) .valid_before(1672617600) .type(SSHCertificateType.USER) + .add_extension(b"permit-pty", b"") + .add_critical_option( + b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + ) + .add_critical_option(b"verify-required", b"") ) cert = builder.sign(private_key) sig_key = cert.signature_key() @@ -1723,19 +1735,21 @@ def test_sign_and_byte_compare_rsa(self, monkeypatch): b"4kyHpbLEIVloBjzetoqXK6u8Hjz/APuagONypNDCySDR6M7jM85HDcLoFFrbBb8" b"pruHSTxQejMeEmJxYf8b7rNl58/IWPB1ymbNlvHL/4oSOlnrtHkjcxRWzpQ7U3g" b"T9BThGyhCiI7EMyEHMgP3r7kTzEUwT6IavWDAAAAAAAAAAAAAAABAAAAAAAAAAA" - b"AAAAAY7DNAAAAAABjsh6AAAAAAAAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAw" - b"EAAQAAAQEAwXr8fndHTKpaqDA2FYo/+/e1IWhRuiIw5dar/MHGz+9Z6SPqEzC8W" - b"TtzgCq2CKbkozBlI6MRa6WqOWYUUXThO2xJ6beAYuRJ1y77EP1J6R+gi5bQUeeC" - b"6fWrxbWm95hIJ6245z2gDyKy79zbduq0btrZjtZWYnQ/3GwOM2pdDNuqfcKeU2N" - b"eJMh6WyxCFZaAY83raKlyurvB48/wD7moDjcqTQwskg0ejO4zPORw3C6BRa2wW/" - b"Ka7h0k8UHozHhJicWH/G+6zZefPyFjwdcpmzZbxy/+KEjpZ67R5I3MUVs6UO1N4" - b"E/QU4RsoQoiOxDMhBzID96+5E8xFME+iGr1gwAAARQAAAAMcnNhLXNoYTItNTEy" - b"AAABAKCRnfhn6MZs3jRgIDICUpUyWrDCbpStEbdzhmoxF8w2m8klR7owRH/rxOf" - b"nWhKMGnXnoERS+az3Zh9ckiQPujkuEToORKpzu6CEWlzHSzyK1o2X548KkW76HJ" - b"gqzwMas94HY7UOJUgKSFUI0S3jAgqXAKSa1DxvJBu5/n57aUqPq+BmAtoI8uNBo" - b"x4F1pNEop38+oD7rUt8bZ8K0VcrubJZz806K8UNiK0mOahaEIkvZXBfzPGvSNRj" - b"0OjDl1dLUZaP8C1o5lVRomEm7pLcgE9i+ZDq5iz+mvQrSBStlpQ5hPGuUOrZ/oY" - b"ZLZ1G30R5tWj212MHoNZjxFxM8+f2OT4=" + b"AAAAAY7DNAAAAAABjsh6AAAAAWAAAAA1mb3JjZS1jb21tYW5kAAAALAAAAChlY2" + b"hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhAAAAD3Zlcmlme" + b"S1yZXF1aXJlZAAAAAAAAAASAAAACnBlcm1pdC1wdHkAAAAAAAAAAAAAARcAAAAH" + b"c3NoLXJzYQAAAAMBAAEAAAEBAMF6/H53R0yqWqgwNhWKP/v3tSFoUboiMOXWq/z" + b"Bxs/vWekj6hMwvFk7c4Aqtgim5KMwZSOjEWulqjlmFFF04TtsSem3gGLkSdcu+x" + b"D9SekfoIuW0FHngun1q8W1pveYSCetuOc9oA8isu/c23bqtG7a2Y7WVmJ0P9xsD" + b"jNqXQzbqn3CnlNjXiTIelssQhWWgGPN62ipcrq7wePP8A+5qA43Kk0MLJINHozu" + b"MzzkcNwugUWtsFvymu4dJPFB6Mx4SYnFh/xvus2Xnz8hY8HXKZs2W8cv/ihI6We" + b"u0eSNzFFbOlDtTeBP0FOEbKEKIjsQzIQcyA/evuRPMRTBPohq9YMAAAEUAAAADH" + b"JzYS1zaGEyLTUxMgAAAQCYbbNzhflDqZAxyBpdLIX0nLAdnTeFNBudMqgo3KGND" + b"WlU9N17hqBEmcvIOrtNi+JKuKZW89zZrbORHvdjv6NjGSKzJD/XA25YrX1KgMEO" + b"wt5pzMZX+100drwrjQo+vZqeIN3FJNmT3wssge73v+JsxQrdIAz7YM2OZrFr5HM" + b"qZEZ5tMvAf/s5YEMDttEU4zMtmjubQyDM5KyYnZdoDT4sKi2rB8gfaigc4IdI/K" + b"8oXL/3Y7rHuOtejl3lUK4v6DxeRl4aqGYWmhUJc++Rh0cbDgC2S6Cq7gAfG2tND" + b"zbwL217Q93R08bJn1hDWuiTiaHGauSy2gPUI+cnkvlEocHM" ) @pytest.mark.supported( @@ -1761,6 +1775,11 @@ def test_sign_and_byte_compare_ed25519(self, monkeypatch, backend): .valid_after(1672531200) .valid_before(1672617600) .type(SSHCertificateType.USER) + .add_extension(b"permit-pty", b"") + .add_critical_option( + b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + ) + .add_critical_option(b"verify-required", b"") ) cert = builder.sign(private_key) sig_key = cert.signature_key() @@ -1770,8 +1789,11 @@ def test_sign_and_byte_compare_ed25519(self, monkeypatch, backend): b"ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdj" b"AxQG9wZW5zc2guY29tAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" b"AAAAAAAINdamAGCsQq31Uv+08lkBzoO4XLz2qYjJa8CGmj3B1EaAAAAAAAAAAAA" - b"AAABAAAAAAAAAAAAAAAAY7DNAAAAAABjsh6AAAAAAAAAAAAAAAAAAAAAMwAAAAt" - b"zc2gtZWQyNTUxOQAAACDXWpgBgrEKt9VL/tPJZAc6DuFy89qmIyWvAhpo9wdRGg" - b"AAAFMAAAALc3NoLWVkMjU1MTkAAABAAlF6Lxabxs+8fkOr7KjKYei9konIG13cQ" - b"gJ2tWf3yFcg3OuV5s/AkRmKdwHlQfTUrhRdOmDnGxeLEB0mvkVFCw==" + b"AAABAAAAAAAAAAAAAAAAY7DNAAAAAABjsh6AAAAAWAAAAA1mb3JjZS1jb21tYW5" + b"kAAAALAAAAChlY2hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYW" + b"FhAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAAASAAAACnBlcm1pdC1wdHkAAAAAA" + b"AAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAg11qYAYKxCrfVS/7TyWQHOg7hcvPa" + b"piMlrwIaaPcHURoAAABTAAAAC3NzaC1lZDI1NTE5AAAAQL2aUjeD60C2FrbgHcN" + b"t8yRa8IRbxvOyA9TZYDGG1dRE3DiR0fuudU20v6vqfTd1gx0S5QyEdECXLl9ZI3" + b"AwZgc=" ) diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub new file mode 100644 index 000000000000..5510bd5f0f35 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIbmlzdHAyNTYAAABBBCZWRs4GYIHGJpyXuqvfFGWN49dnJRkZJLDkFrHf6mNHhIMI3vtrLfCZwxPSfnCYWK6YofssZ1FYA6TkVJq8Xi8AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAABjsM0AAAAAAGOyHoAAAABtAAAADWZvcmNlLWNvbW1hbmQAAABBAAAAKGVjaG8gYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWEAAAARaW52YWxpZF9taXNjX2RhdGEAAAAPdmVyaWZ5LXJlcXVpcmVkAAAAAAAAABIAAAAKcGVybWl0LXB0eQAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACDdZgztgAFFC7T5PifrUy/kMu0Pnwq1au3vStKHe7FFMAAAAFMAAAALc3NoLWVkMjU1MTkAAABAt/0pBSDBFy1crBPHOBoKFoxRjKd1tKVdOrD3QVgbBfpaHfxi4vrgYe6JfQ54+vu5P+8yrMyACekT8H6hhvxHDw== \ No newline at end of file diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub new file mode 100644 index 000000000000..c44b49fceccd --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub @@ -0,0 +1 @@ +ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIbmlzdHAyNTYAAABBBCZWRs4GYIHGJpyXuqvfFGWN49dnJRkZJLDkFrHf6mNHhIMI3vtrLfCZwxPSfnCYWK6YofssZ1FYA6TkVJq8Xi8AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAABjsM0AAAAAAGOyHoAAAAAXAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAAAvAAAAFGNvbnRhaW5zLWV4dHJhLXZhbHVlAAAAEwAAAAVoZWxsbwAAAAYgd29ybGQAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACDdZgztgAFFC7T5PifrUy/kMu0Pnwq1au3vStKHe7FFMAAAAFMAAAALc3NoLWVkMjU1MTkAAABAY80oIEvooz/k3x9a+yVkjSNRfi4y/q87wVYiT7keTpP4n9JV/Vlc0u7O2QYOHfb4DUkcrvbsksKVsiqoQu5qDg== \ No newline at end of file From 769baf3cd7f378aa7d3162d8ea3fe8569af2b476 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 10 Jul 2023 15:33:22 -0400 Subject: [PATCH 0164/1014] oid: add more extension, EKU OIDs (#9212) Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/oid.rs | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index ac80b9a31365..f77524418860 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +// X.509v3 extensions pub const EXTENSION_REQUEST: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 14); pub const MS_EXTENSION_REQUEST: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 4, 1, 311, 2, 1, 14); @@ -21,6 +22,7 @@ pub const CP_CPS_URI_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, pub const CP_USER_NOTICE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 2, 2); pub const NONCE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 2); pub const OCSP_NO_CHECK_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 5); +pub const SUBJECT_DIRECTORY_ATTRIBUTES_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 9); pub const SUBJECT_KEY_IDENTIFIER_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 14); pub const KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 15); pub const SUBJECT_ALTERNATIVE_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 17); @@ -97,3 +99,14 @@ pub const SHA3_512_OID: asn1::ObjectIdentifier = pub const MGF1_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 1, 8); pub const RSASSA_PSS_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 1, 10); + +// Extended key usages +pub const EKU_SERVER_AUTH_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 3, 1); +pub const EKU_CLIENT_AUTH_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 3, 2); +pub const EKU_CODE_SIGNING_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 3, 3); +pub const EKU_EMAIL_PROTECTION_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 3, 4); +pub const EKU_TIME_STAMPING_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 3, 8); +pub const EKU_OCSP_SIGNING_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 3, 9); +pub const EKU_ANY_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 37, 0); +pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier = + asn1::oid!(1, 3, 6, 1, 4, 1, 11129, 2, 4, 4); From ce9df6387015f36169fec0ccdf4736f3147eacc7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 00:18:48 +0000 Subject: [PATCH 0165/1014] Bump BoringSSL and/or OpenSSL in CI (#9214) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 789ac9da1dee..d2504b0561d4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 07, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "80dcb67d4481fb1194b9669917e35580c32dc388"}} - # Latest commit on the OpenSSL master branch, as of Jul 10, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "780b2527476a60f4a2bb791c2d4b1b72f6f0b423"}} + # Latest commit on the BoringSSL master branch, as of Jul 11, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c807a2371449998cd767826ba06adc3e122e6d4a"}} + # Latest commit on the OpenSSL master branch, as of Jul 11, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ff9728c6d5d23ebaa73cb729c8110c0582e66280"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 290b370b33d0eb7e833201e3ddf65f00ae281fce Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 10 Jul 2023 20:28:23 -0500 Subject: [PATCH 0166/1014] port 41.0.2 changelog to main (#9216) --- CHANGELOG.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 58a1e486d31a..43bc4323a138 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,18 @@ Changelog .. note:: This version is not yet released and is under active development. + +.. _v41-0-2: + +41.0.2 - 2023-07-10 +~~~~~~~~~~~~~~~~~~~ + +* Fixed bugs in creating and parsing SSH certificates where critical options + with values were handled incorrectly. Certificates are now created correctly + and parsing accepts correct values as well as the previously generated + invalid forms with a warning. In the next release, support for parsing these + invalid forms will be removed. + .. _v41-0-1: 41.0.1 - 2023-06-01 From 718a60bcf5af30579767fcb2997d23a3830816c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 10 Jul 2023 23:15:33 -0400 Subject: [PATCH 0167/1014] Refs #9186 -- fix warnings from `utcnow()` in test suite (#9217) There's still a few remaining callers that need to be fixed. --- tests/hazmat/primitives/test_pkcs12.py | 8 +-- tests/x509/test_ocsp.py | 78 +++++++++++++++++++------- tests/x509/test_x509.py | 4 +- tests/x509/test_x509_crlbuilder.py | 6 +- 4 files changed, 71 insertions(+), 25 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 0ff9f5693ad4..79f54e495241 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -4,7 +4,7 @@ import os -from datetime import datetime +from datetime import datetime, timezone import pytest @@ -356,7 +356,7 @@ def test_generate_each_supported_keytype( assert isinstance(key, ktype) cacert, cakey = _load_ca(backend) - now = datetime.utcnow() + now = datetime.now(timezone.utc).replace(tzinfo=None) cert = ( x509.CertificateBuilder() .subject_name(cacert.subject) @@ -600,7 +600,7 @@ def test_key_serialization_encryption( encryption = builder.build(b"password") key = ec.generate_private_key(ec.SECP256R1()) cacert, cakey = _load_ca(backend) - now = datetime.utcnow() + now = datetime.now(timezone.utc).replace(tzinfo=None) cert = ( x509.CertificateBuilder() .subject_name(cacert.subject) @@ -701,7 +701,7 @@ def make_cert(name): x509.NameAttribute(x509.NameOID.COMMON_NAME, name), ] ) - now = datetime.utcnow() + now = datetime.now(timezone.utc).replace(tzinfo=None) cert = ( x509.CertificateBuilder() .subject_name(subject) diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 2c595db324f5..3ebb3576694b 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -355,7 +355,9 @@ def test_add_response_twice(self): def test_invalid_add_response(self): cert, issuer = _cert_and_issuer() - time = datetime.datetime.utcnow() + time = datetime.datetime.now(datetime.timezone.utc).replace( + tzinfo=None + ) reason = x509.ReasonFlags.cessation_of_operation builder = ocsp.OCSPResponseBuilder() with pytest.raises(TypeError): @@ -520,7 +522,11 @@ def test_invalid_extension(self): def test_unsupported_extension(self): root_cert, private_key = _generate_root() cert, issuer = _cert_and_issuer() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -555,7 +561,9 @@ def test_sign_no_responder_id(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() _, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.add_response( @@ -575,7 +583,9 @@ def test_sign_invalid_hash_algorithm(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -597,7 +607,9 @@ def test_sign_good_cert(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -633,7 +645,9 @@ def test_sign_revoked_cert(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) revoked_date = this_update - datetime.timedelta(days=300) @@ -663,7 +677,9 @@ def test_sign_unknown_cert(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -690,7 +706,9 @@ def test_sign_with_appended_certs(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = ( @@ -714,7 +732,9 @@ def test_sign_revoked_no_next_update(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) revoked_date = this_update - datetime.timedelta(days=300) builder = builder.responder_id( @@ -743,7 +763,9 @@ def test_sign_revoked_with_reason(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) revoked_date = this_update - datetime.timedelta(days=300) @@ -773,7 +795,9 @@ def test_sign_responder_id_key_hash(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -801,7 +825,9 @@ def test_invalid_sign_responder_cert_does_not_match_private_key(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -826,7 +852,9 @@ def test_sign_with_extension(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = ( @@ -882,7 +910,9 @@ def test_sign_unknown_private_key(self, backend): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, _ = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -910,7 +940,9 @@ def test_sign_unrecognized_hash_algorithm(self, backend): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -933,7 +965,9 @@ def test_sign_none_hash_not_eddsa(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) builder = builder.responder_id( @@ -1380,7 +1414,9 @@ def test_invalid_algorithm(self, backend): cert, issuer = _cert_and_issuer() private_key = ed25519.Ed25519PrivateKey.generate() root_cert, _ = _generate_root(private_key, None) - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) revoked_date = this_update - datetime.timedelta(days=300) @@ -1408,7 +1444,9 @@ def test_sign_ed25519(self, backend): cert, issuer = _cert_and_issuer() private_key = ed25519.Ed25519PrivateKey.generate() root_cert, _ = _generate_root(private_key, None) - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) revoked_date = this_update - datetime.timedelta(days=300) @@ -1447,7 +1485,9 @@ def test_sign_ed448(self, backend): cert, issuer = _cert_and_issuer() private_key = ed448.Ed448PrivateKey.generate() root_cert, _ = _generate_root(private_key, None) - current_time = datetime.datetime.utcnow().replace(microsecond=0) + current_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) revoked_date = this_update - datetime.timedelta(days=300) diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 188de07ac1a5..a821f7de90ab 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -6075,7 +6075,9 @@ def test_csr_signing_check(self, backend): def test_crl_signing_check(self, backend): private_key = self.load_key(backend) - last_time = datetime.datetime.utcnow().replace(microsecond=0) + last_time = ( + datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + ) next_time = last_time builder = ( x509.CertificateRevocationListBuilder() diff --git a/tests/x509/test_x509_crlbuilder.py b/tests/x509/test_x509_crlbuilder.py index 95c0677bb777..e7ae0a0a475e 100644 --- a/tests/x509/test_x509_crlbuilder.py +++ b/tests/x509/test_x509_crlbuilder.py @@ -402,7 +402,11 @@ def test_add_unsupported_entry_extension( .add_revoked_certificate( x509.RevokedCertificateBuilder() .serial_number(1234) - .revocation_date(datetime.datetime.utcnow()) + .revocation_date( + datetime.datetime.now(datetime.timezone.utc).replace( + tzinfo=None + ) + ) .add_extension(DummyExtension(), critical=False) .build() ) From 46f6c17f61779651fddec82ff715f30b7d1c1743 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 08:05:42 -0500 Subject: [PATCH 0168/1014] Bump pytest-randomly from 3.12.0 to 3.13.0 (#9219) Bumps [pytest-randomly](https://github.com/pytest-dev/pytest-randomly) from 3.12.0 to 3.13.0. - [Changelog](https://github.com/pytest-dev/pytest-randomly/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-randomly/compare/3.12.0...3.13.0) --- updated-dependencies: - dependency-name: pytest-randomly dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6b3f6e6f3d4b..74cbc7f329d0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -121,7 +121,7 @@ pytest-benchmark==4.0.0 # via cryptography (pyproject.toml) pytest-cov==4.1.0 # via cryptography (pyproject.toml) -pytest-randomly==3.12.0 +pytest-randomly==3.13.0 # via cryptography (pyproject.toml) pytest-xdist==3.3.1 # via cryptography (pyproject.toml) From 086f03cd5e48e716ecf804e8e35075f88f42ffc2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 08:06:00 -0500 Subject: [PATCH 0169/1014] Bump black from 23.3.0 to 23.7.0 (#9220) Bumps [black](https://github.com/psf/black) from 23.3.0 to 23.7.0. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](https://github.com/psf/black/compare/23.3.0...23.7.0) --- updated-dependencies: - dependency-name: black dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 74cbc7f329d0..ba67d42cff75 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.1.1 # via nox babel==2.12.1 # via sphinx -black==23.3.0 +black==23.7.0 # via cryptography (pyproject.toml) bleach==6.0.0 # via readme-renderer From 7d6233254270a27acb0118294ba19ddc72254dfb Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Tue, 11 Jul 2023 15:19:45 -0300 Subject: [PATCH 0170/1014] CI: Update build and release dependencies to be referenced by SHA (#9177) * ci: Update GitHub owned actions to be referenced by SHA. Work automated using StepSecurity Signed-off-by: StepSecurity Bot * ci: create hash-pinned requirements files for build and publish processes Signed-off-by: Diogo Teles Sant'Anna * ci: change ci files to install build and publish dependencies using hashes Signed-off-by: Diogo Teles Sant'Anna * ci: fix path to requirements files Signed-off-by: Diogo Teles Sant'Anna * ci: rebuild the requirement.txt files using `--allow-unsafe` The flag is needed to create hash-pinned requirements for pip and setup-tools. Find more information about this at these issues from [pip-tools](https://github.com/jazzband/pip-tools/issues/806) and from [pip](https://github.com/pypa/pip/issues/6459). Signed-off-by: Diogo Teles Sant'Anna * refactor(workflows): move build requirements files to a separated folder Signed-off-by: Diogo Teles Sant'Anna * fix(workflow): requirements download was erasing work from previous steps Using the actions/checkout to download the requirements.txt was erasing some necessary files that came from previous steps. Thus, this commit changes moves the checkout action to the beginnig of the jobs. Signed-off-by: Diogo Teles Sant'Anna * ci: remove reference to inexistent input in pypi-publish.yml * docs(workflows): remove comment related to a line already delated from code Signed-off-by: Diogo Teles Sant'Anna * refactor(workflows): use a workflow-level env var to define path to build requirements file Signed-off-by: Diogo Teles Sant'Anna * fix(workflows): refer to env vars using ${{ }} sintax Signed-off-by: Diogo Teles Sant'Anna * refactor(workflows): move build and publish requirements files Moved from .github/workflows/requirements/ to .github/requirements/ Signed-off-by: Diogo Teles Sant'Anna * docs(workflows): add comments on requirements files explaining their relation Signed-off-by: Diogo Teles Sant'Anna * ci(workflows): update build dependencies to match exactly the ones at pyproject.toml Signed-off-by: Diogo Teles Sant'Anna * ci: remove unnecessary parameter When calling actions/checkout , we were passing the `ref` parameter as `github.ref`, but it will likely be always main, or the vary same value as the default for this parameter. * Update dependabot config to cover build/publish dependencies --------- Signed-off-by: StepSecurity Bot Signed-off-by: Diogo Teles Sant'Anna Co-authored-by: StepSecurity Bot --- .github/dependabot.yml | 6 + .github/requirements/build-requirements.in | 8 + .github/requirements/build-requirements.txt | 100 ++++ .github/requirements/publish-requirements.in | 6 + .github/requirements/publish-requirements.txt | 459 ++++++++++++++++++ .github/workflows/pypi-publish.yml | 14 +- .github/workflows/wheel-builder.yml | 54 ++- pyproject.toml | 1 + 8 files changed, 635 insertions(+), 13 deletions(-) create mode 100644 .github/requirements/build-requirements.in create mode 100644 .github/requirements/build-requirements.txt create mode 100644 .github/requirements/publish-requirements.in create mode 100644 .github/requirements/publish-requirements.txt diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 273a64e735bc..865653e8f1f1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -36,3 +36,9 @@ updates: schedule: interval: daily open-pull-requests-limit: 1024 + + - package-ecosystem: pip + directory: ".github/requirements" + schedule: + interval: daily + open-pull-requests-limit: 1024 diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in new file mode 100644 index 000000000000..bdf6916690ca --- /dev/null +++ b/.github/requirements/build-requirements.in @@ -0,0 +1,8 @@ +# Must be kept sync with build-system.requires at pyproject.toml +setuptools>=61.0.0 +wheel +cffi>=1.12; platform_python_implementation != 'PyPy' +setuptools-rust>=0.11.4 + +# WARN: changing the requirements here DOES NOT update the dependencies used for building at the github workflow, as the build process used build-requirements.txt +# To update build-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes build-requirements.in diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt new file mode 100644 index 000000000000..474f31a29b0b --- /dev/null +++ b/.github/requirements/build-requirements.txt @@ -0,0 +1,100 @@ +# +# This file is autogenerated by pip-compile with Python 3.10 +# by the following command: +# +# pip-compile --allow-unsafe --generate-hashes build-requirements.in +# +cffi==1.15.1 ; platform_python_implementation != "PyPy" \ + --hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \ + --hash=sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef \ + --hash=sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104 \ + --hash=sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426 \ + --hash=sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405 \ + --hash=sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375 \ + --hash=sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a \ + --hash=sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e \ + --hash=sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc \ + --hash=sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf \ + --hash=sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185 \ + --hash=sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497 \ + --hash=sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3 \ + --hash=sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35 \ + --hash=sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c \ + --hash=sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83 \ + --hash=sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21 \ + --hash=sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca \ + --hash=sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984 \ + --hash=sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac \ + --hash=sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd \ + --hash=sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee \ + --hash=sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a \ + --hash=sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2 \ + --hash=sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192 \ + --hash=sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7 \ + --hash=sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585 \ + --hash=sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f \ + --hash=sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e \ + --hash=sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27 \ + --hash=sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b \ + --hash=sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e \ + --hash=sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e \ + --hash=sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d \ + --hash=sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c \ + --hash=sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415 \ + --hash=sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82 \ + --hash=sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02 \ + --hash=sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314 \ + --hash=sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325 \ + --hash=sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c \ + --hash=sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3 \ + --hash=sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914 \ + --hash=sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045 \ + --hash=sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d \ + --hash=sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9 \ + --hash=sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5 \ + --hash=sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2 \ + --hash=sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c \ + --hash=sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3 \ + --hash=sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2 \ + --hash=sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8 \ + --hash=sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d \ + --hash=sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d \ + --hash=sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9 \ + --hash=sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162 \ + --hash=sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76 \ + --hash=sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4 \ + --hash=sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e \ + --hash=sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9 \ + --hash=sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6 \ + --hash=sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b \ + --hash=sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01 \ + --hash=sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0 + # via -r build-requirements.in +pycparser==2.21 \ + --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ + --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 + # via cffi +semantic-version==2.10.0 \ + --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ + --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 + # via setuptools-rust +setuptools-rust==1.6.0 \ + --hash=sha256:c86e734deac330597998bfbc08da45187e6b27837e23bd91eadb320732392262 \ + --hash=sha256:e28ae09fb7167c44ab34434eb49279307d611547cb56cb9789955cdb54a1aed9 + # via -r build-requirements.in +typing-extensions==4.7.1 \ + --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ + --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 + # via setuptools-rust +wheel==0.40.0 \ + --hash=sha256:cd1196f3faee2b31968d626e1731c94f99cbdb67cf5a46e4f5656cbee7738873 \ + --hash=sha256:d236b20e7cb522daf2390fa84c55eea81c5c30190f90f29ae2ca1ad8355bf247 + # via -r build-requirements.in + +# The following packages are considered to be unsafe in a requirements file: +setuptools==68.0.0 \ + --hash=sha256:11e52c67415a381d10d6b462ced9cfb97066179f0e871399e006c4ab101fc85f \ + --hash=sha256:baf1fdb41c6da4cd2eae722e135500da913332ab3f2f5c7d33af9b492acb5235 + # via + # -r build-requirements.in + # setuptools-rust diff --git a/.github/requirements/publish-requirements.in b/.github/requirements/publish-requirements.in new file mode 100644 index 000000000000..dd98b8990e7b --- /dev/null +++ b/.github/requirements/publish-requirements.in @@ -0,0 +1,6 @@ +twine +requests +sigstore + +# WARN: changing the requirements here DOES NOT update the dependencies used for publishing at the github workflow, as the process used publish-requirements.txt +# To update publish-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes publish-requirements.in \ No newline at end of file diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt new file mode 100644 index 000000000000..0aea81f52b99 --- /dev/null +++ b/.github/requirements/publish-requirements.txt @@ -0,0 +1,459 @@ +# +# This file is autogenerated by pip-compile with Python 3.10 +# by the following command: +# +# pip-compile --generate-hashes publish-requirements.in +# +appdirs==1.4.4 \ + --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ + --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 + # via sigstore +betterproto==2.0.0b5 \ + --hash=sha256:00a301c70a2db4d3cdd2b261522ae1d34972fb04b655a154d67daaaf4131102e \ + --hash=sha256:d3e6115c7d5136f1d5974e565b7560273f66b43065e74218e472321ee1258f4c + # via sigstore-protobuf-specs +bleach==6.0.0 \ + --hash=sha256:1a1a85c1595e07d8db14c5f09f09e6433502c51c595970edc090551f0db99414 \ + --hash=sha256:33c16e3353dbd13028ab4799a0f89a83f113405c766e9c122df8a06f5b85b3f4 + # via readme-renderer +certifi==2023.5.7 \ + --hash=sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7 \ + --hash=sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716 + # via requests +cffi==1.15.1 \ + --hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \ + --hash=sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef \ + --hash=sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104 \ + --hash=sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426 \ + --hash=sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405 \ + --hash=sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375 \ + --hash=sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a \ + --hash=sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e \ + --hash=sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc \ + --hash=sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf \ + --hash=sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185 \ + --hash=sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497 \ + --hash=sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3 \ + --hash=sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35 \ + --hash=sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c \ + --hash=sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83 \ + --hash=sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21 \ + --hash=sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca \ + --hash=sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984 \ + --hash=sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac \ + --hash=sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd \ + --hash=sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee \ + --hash=sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a \ + --hash=sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2 \ + --hash=sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192 \ + --hash=sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7 \ + --hash=sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585 \ + --hash=sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f \ + --hash=sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e \ + --hash=sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27 \ + --hash=sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b \ + --hash=sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e \ + --hash=sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e \ + --hash=sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d \ + --hash=sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c \ + --hash=sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415 \ + --hash=sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82 \ + --hash=sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02 \ + --hash=sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314 \ + --hash=sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325 \ + --hash=sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c \ + --hash=sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3 \ + --hash=sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914 \ + --hash=sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045 \ + --hash=sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d \ + --hash=sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9 \ + --hash=sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5 \ + --hash=sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2 \ + --hash=sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c \ + --hash=sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3 \ + --hash=sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2 \ + --hash=sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8 \ + --hash=sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d \ + --hash=sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d \ + --hash=sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9 \ + --hash=sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162 \ + --hash=sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76 \ + --hash=sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4 \ + --hash=sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e \ + --hash=sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9 \ + --hash=sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6 \ + --hash=sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b \ + --hash=sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01 \ + --hash=sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0 + # via cryptography +charset-normalizer==3.1.0 \ + --hash=sha256:04afa6387e2b282cf78ff3dbce20f0cc071c12dc8f685bd40960cc68644cfea6 \ + --hash=sha256:04eefcee095f58eaabe6dc3cc2262f3bcd776d2c67005880894f447b3f2cb9c1 \ + --hash=sha256:0be65ccf618c1e7ac9b849c315cc2e8a8751d9cfdaa43027d4f6624bd587ab7e \ + --hash=sha256:0c95f12b74681e9ae127728f7e5409cbbef9cd914d5896ef238cc779b8152373 \ + --hash=sha256:0ca564606d2caafb0abe6d1b5311c2649e8071eb241b2d64e75a0d0065107e62 \ + --hash=sha256:10c93628d7497c81686e8e5e557aafa78f230cd9e77dd0c40032ef90c18f2230 \ + --hash=sha256:11d117e6c63e8f495412d37e7dc2e2fff09c34b2d09dbe2bee3c6229577818be \ + --hash=sha256:11d3bcb7be35e7b1bba2c23beedac81ee893ac9871d0ba79effc7fc01167db6c \ + --hash=sha256:12a2b561af122e3d94cdb97fe6fb2bb2b82cef0cdca131646fdb940a1eda04f0 \ + --hash=sha256:12d1a39aa6b8c6f6248bb54550efcc1c38ce0d8096a146638fd4738e42284448 \ + --hash=sha256:1435ae15108b1cb6fffbcea2af3d468683b7afed0169ad718451f8db5d1aff6f \ + --hash=sha256:1c60b9c202d00052183c9be85e5eaf18a4ada0a47d188a83c8f5c5b23252f649 \ + --hash=sha256:1e8fcdd8f672a1c4fc8d0bd3a2b576b152d2a349782d1eb0f6b8e52e9954731d \ + --hash=sha256:20064ead0717cf9a73a6d1e779b23d149b53daf971169289ed2ed43a71e8d3b0 \ + --hash=sha256:21fa558996782fc226b529fdd2ed7866c2c6ec91cee82735c98a197fae39f706 \ + --hash=sha256:22908891a380d50738e1f978667536f6c6b526a2064156203d418f4856d6e86a \ + --hash=sha256:3160a0fd9754aab7d47f95a6b63ab355388d890163eb03b2d2b87ab0a30cfa59 \ + --hash=sha256:322102cdf1ab682ecc7d9b1c5eed4ec59657a65e1c146a0da342b78f4112db23 \ + --hash=sha256:34e0a2f9c370eb95597aae63bf85eb5e96826d81e3dcf88b8886012906f509b5 \ + --hash=sha256:3573d376454d956553c356df45bb824262c397c6e26ce43e8203c4c540ee0acb \ + --hash=sha256:3747443b6a904001473370d7810aa19c3a180ccd52a7157aacc264a5ac79265e \ + --hash=sha256:38e812a197bf8e71a59fe55b757a84c1f946d0ac114acafaafaf21667a7e169e \ + --hash=sha256:3a06f32c9634a8705f4ca9946d667609f52cf130d5548881401f1eb2c39b1e2c \ + --hash=sha256:3a5fc78f9e3f501a1614a98f7c54d3969f3ad9bba8ba3d9b438c3bc5d047dd28 \ + --hash=sha256:3d9098b479e78c85080c98e1e35ff40b4a31d8953102bb0fd7d1b6f8a2111a3d \ + --hash=sha256:3dc5b6a8ecfdc5748a7e429782598e4f17ef378e3e272eeb1340ea57c9109f41 \ + --hash=sha256:4155b51ae05ed47199dc5b2a4e62abccb274cee6b01da5b895099b61b1982974 \ + --hash=sha256:49919f8400b5e49e961f320c735388ee686a62327e773fa5b3ce6721f7e785ce \ + --hash=sha256:53d0a3fa5f8af98a1e261de6a3943ca631c526635eb5817a87a59d9a57ebf48f \ + --hash=sha256:5f008525e02908b20e04707a4f704cd286d94718f48bb33edddc7d7b584dddc1 \ + --hash=sha256:628c985afb2c7d27a4800bfb609e03985aaecb42f955049957814e0491d4006d \ + --hash=sha256:65ed923f84a6844de5fd29726b888e58c62820e0769b76565480e1fdc3d062f8 \ + --hash=sha256:6734e606355834f13445b6adc38b53c0fd45f1a56a9ba06c2058f86893ae8017 \ + --hash=sha256:6baf0baf0d5d265fa7944feb9f7451cc316bfe30e8df1a61b1bb08577c554f31 \ + --hash=sha256:6f4f4668e1831850ebcc2fd0b1cd11721947b6dc7c00bf1c6bd3c929ae14f2c7 \ + --hash=sha256:6f5c2e7bc8a4bf7c426599765b1bd33217ec84023033672c1e9a8b35eaeaaaf8 \ + --hash=sha256:6f6c7a8a57e9405cad7485f4c9d3172ae486cfef1344b5ddd8e5239582d7355e \ + --hash=sha256:7381c66e0561c5757ffe616af869b916c8b4e42b367ab29fedc98481d1e74e14 \ + --hash=sha256:73dc03a6a7e30b7edc5b01b601e53e7fc924b04e1835e8e407c12c037e81adbd \ + --hash=sha256:74db0052d985cf37fa111828d0dd230776ac99c740e1a758ad99094be4f1803d \ + --hash=sha256:75f2568b4189dda1c567339b48cba4ac7384accb9c2a7ed655cd86b04055c795 \ + --hash=sha256:78cacd03e79d009d95635e7d6ff12c21eb89b894c354bd2b2ed0b4763373693b \ + --hash=sha256:80d1543d58bd3d6c271b66abf454d437a438dff01c3e62fdbcd68f2a11310d4b \ + --hash=sha256:830d2948a5ec37c386d3170c483063798d7879037492540f10a475e3fd6f244b \ + --hash=sha256:891cf9b48776b5c61c700b55a598621fdb7b1e301a550365571e9624f270c203 \ + --hash=sha256:8f25e17ab3039b05f762b0a55ae0b3632b2e073d9c8fc88e89aca31a6198e88f \ + --hash=sha256:9a3267620866c9d17b959a84dd0bd2d45719b817245e49371ead79ed4f710d19 \ + --hash=sha256:a04f86f41a8916fe45ac5024ec477f41f886b3c435da2d4e3d2709b22ab02af1 \ + --hash=sha256:aaf53a6cebad0eae578f062c7d462155eada9c172bd8c4d250b8c1d8eb7f916a \ + --hash=sha256:abc1185d79f47c0a7aaf7e2412a0eb2c03b724581139193d2d82b3ad8cbb00ac \ + --hash=sha256:ac0aa6cd53ab9a31d397f8303f92c42f534693528fafbdb997c82bae6e477ad9 \ + --hash=sha256:ac3775e3311661d4adace3697a52ac0bab17edd166087d493b52d4f4f553f9f0 \ + --hash=sha256:b06f0d3bf045158d2fb8837c5785fe9ff9b8c93358be64461a1089f5da983137 \ + --hash=sha256:b116502087ce8a6b7a5f1814568ccbd0e9f6cfd99948aa59b0e241dc57cf739f \ + --hash=sha256:b82fab78e0b1329e183a65260581de4375f619167478dddab510c6c6fb04d9b6 \ + --hash=sha256:bd7163182133c0c7701b25e604cf1611c0d87712e56e88e7ee5d72deab3e76b5 \ + --hash=sha256:c36bcbc0d5174a80d6cccf43a0ecaca44e81d25be4b7f90f0ed7bcfbb5a00909 \ + --hash=sha256:c3af8e0f07399d3176b179f2e2634c3ce9c1301379a6b8c9c9aeecd481da494f \ + --hash=sha256:c84132a54c750fda57729d1e2599bb598f5fa0344085dbde5003ba429a4798c0 \ + --hash=sha256:cb7b2ab0188829593b9de646545175547a70d9a6e2b63bf2cd87a0a391599324 \ + --hash=sha256:cca4def576f47a09a943666b8f829606bcb17e2bc2d5911a46c8f8da45f56755 \ + --hash=sha256:cf6511efa4801b9b38dc5546d7547d5b5c6ef4b081c60b23e4d941d0eba9cbeb \ + --hash=sha256:d16fd5252f883eb074ca55cb622bc0bee49b979ae4e8639fff6ca3ff44f9f854 \ + --hash=sha256:d2686f91611f9e17f4548dbf050e75b079bbc2a82be565832bc8ea9047b61c8c \ + --hash=sha256:d7fc3fca01da18fbabe4625d64bb612b533533ed10045a2ac3dd194bfa656b60 \ + --hash=sha256:dd5653e67b149503c68c4018bf07e42eeed6b4e956b24c00ccdf93ac79cdff84 \ + --hash=sha256:de5695a6f1d8340b12a5d6d4484290ee74d61e467c39ff03b39e30df62cf83a0 \ + --hash=sha256:e0ac8959c929593fee38da1c2b64ee9778733cdf03c482c9ff1d508b6b593b2b \ + --hash=sha256:e1b25e3ad6c909f398df8921780d6a3d120d8c09466720226fc621605b6f92b1 \ + --hash=sha256:e633940f28c1e913615fd624fcdd72fdba807bf53ea6925d6a588e84e1151531 \ + --hash=sha256:e89df2958e5159b811af9ff0f92614dabf4ff617c03a4c1c6ff53bf1c399e0e1 \ + --hash=sha256:ea9f9c6034ea2d93d9147818f17c2a0860d41b71c38b9ce4d55f21b6f9165a11 \ + --hash=sha256:f645caaf0008bacf349875a974220f1f1da349c5dbe7c4ec93048cdc785a3326 \ + --hash=sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df \ + --hash=sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab + # via requests +cryptography==41.0.1 \ + --hash=sha256:059e348f9a3c1950937e1b5d7ba1f8e968508ab181e75fc32b879452f08356db \ + --hash=sha256:1a5472d40c8f8e91ff7a3d8ac6dfa363d8e3138b961529c996f3e2df0c7a411a \ + --hash=sha256:1a8e6c2de6fbbcc5e14fd27fb24414507cb3333198ea9ab1258d916f00bc3039 \ + --hash=sha256:1fee5aacc7367487b4e22484d3c7e547992ed726d14864ee33c0176ae43b0d7c \ + --hash=sha256:5d092fdfedaec4cbbffbf98cddc915ba145313a6fdaab83c6e67f4e6c218e6f3 \ + --hash=sha256:5f0ff6e18d13a3de56f609dd1fd11470918f770c6bd5d00d632076c727d35485 \ + --hash=sha256:7bfc55a5eae8b86a287747053140ba221afc65eb06207bedf6e019b8934b477c \ + --hash=sha256:7fa01527046ca5facdf973eef2535a27fec4cb651e4daec4d043ef63f6ecd4ca \ + --hash=sha256:8dde71c4169ec5ccc1087bb7521d54251c016f126f922ab2dfe6649170a3b8c5 \ + --hash=sha256:8f4ab7021127a9b4323537300a2acfb450124b2def3756f64dc3a3d2160ee4b5 \ + --hash=sha256:948224d76c4b6457349d47c0c98657557f429b4e93057cf5a2f71d603e2fc3a3 \ + --hash=sha256:9a6c7a3c87d595608a39980ebaa04d5a37f94024c9f24eb7d10262b92f739ddb \ + --hash=sha256:b46e37db3cc267b4dea1f56da7346c9727e1209aa98487179ee8ebed09d21e43 \ + --hash=sha256:b4ceb5324b998ce2003bc17d519080b4ec8d5b7b70794cbd2836101406a9be31 \ + --hash=sha256:cb33ccf15e89f7ed89b235cff9d49e2e62c6c981a6061c9c8bb47ed7951190bc \ + --hash=sha256:d198820aba55660b4d74f7b5fd1f17db3aa5eb3e6893b0a41b75e84e4f9e0e4b \ + --hash=sha256:d34579085401d3f49762d2f7d6634d6b6c2ae1242202e860f4d26b046e3a1006 \ + --hash=sha256:eb8163f5e549a22888c18b0d53d6bb62a20510060a22fd5a995ec8a05268df8a \ + --hash=sha256:f73bff05db2a3e5974a6fd248af2566134d8981fd7ab012e5dd4ddb1d9a70699 + # via + # pyopenssl + # sigstore +docutils==0.20.1 \ + --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ + --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b + # via readme-renderer +grpclib==0.4.5 \ + --hash=sha256:bf83ed55aca59497e168761d9555056efc54a8f865316c3b39becd007e9f9a73 + # via betterproto +h2==4.1.0 \ + --hash=sha256:03a46bcf682256c95b5fd9e9a99c1323584c3eec6440d379b9903d709476bc6d \ + --hash=sha256:a83aca08fbe7aacb79fec788c9c0bac936343560ed9ec18b82a13a12c28d2abb + # via grpclib +hpack==4.0.0 \ + --hash=sha256:84a076fad3dc9a9f8063ccb8041ef100867b1878b25ef0ee63847a5d53818a6c \ + --hash=sha256:fc41de0c63e687ebffde81187a948221294896f6bdc0ae2312708df339430095 + # via h2 +hyperframe==6.0.1 \ + --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ + --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 + # via h2 +id==1.0.0 \ + --hash=sha256:8822ba0454bb8660c4fff439eadbf06236cc354dcabd7ae00d907143d92215f5 \ + --hash=sha256:d4b3e75ce0d5f38c9e467826436babe8b9bc5f78e22bae716a22a6a0add570ea + # via sigstore +idna==3.4 \ + --hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \ + --hash=sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2 + # via requests +importlib-metadata==6.7.0 \ + --hash=sha256:1aaf550d4f73e5d6783e7acb77aec43d49da8017410afae93822cc9cca98c4d4 \ + --hash=sha256:cb52082e659e97afc5dac71e79de97d8681de3aa07ff18578330904a9d18e5b5 + # via + # keyring + # twine +importlib-resources==5.12.0 \ + --hash=sha256:4be82589bf5c1d7999aedf2a45159d10cb3ca4f19b2271f8792bc8e6da7b22f6 \ + --hash=sha256:7b1deeebbf351c7578e09bf2f63fa2ce8b5ffec296e0d349139d43cca061a81a + # via sigstore +jaraco-classes==3.2.3 \ + --hash=sha256:2353de3288bc6b82120752201c6b1c1a14b058267fa424ed5ce5984e3b922158 \ + --hash=sha256:89559fa5c1d3c34eff6f631ad80bb21f378dbcbb35dd161fd2c6b93f5be2f98a + # via keyring +keyring==24.2.0 \ + --hash=sha256:4901caaf597bfd3bbd78c9a0c7c4c29fcd8310dab2cffefe749e916b6527acd6 \ + --hash=sha256:ca0746a19ec421219f4d713f848fa297a661a8a8c1504867e55bfb5e09091509 + # via twine +markdown-it-py==3.0.0 \ + --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ + --hash=sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb + # via rich +mdurl==0.1.2 \ + --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ + --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba + # via markdown-it-py +more-itertools==9.1.0 \ + --hash=sha256:cabaa341ad0389ea83c17a94566a53ae4c9d07349861ecb14dc6d0345cf9ac5d \ + --hash=sha256:d2bc7f02446e86a68911e58ded76d6561eea00cddfb2a91e7019bbb586c799f3 + # via jaraco-classes +multidict==6.0.4 \ + --hash=sha256:01a3a55bd90018c9c080fbb0b9f4891db37d148a0a18722b42f94694f8b6d4c9 \ + --hash=sha256:0b1a97283e0c85772d613878028fec909f003993e1007eafa715b24b377cb9b8 \ + --hash=sha256:0dfad7a5a1e39c53ed00d2dd0c2e36aed4650936dc18fd9a1826a5ae1cad6f03 \ + --hash=sha256:11bdf3f5e1518b24530b8241529d2050014c884cf18b6fc69c0c2b30ca248710 \ + --hash=sha256:1502e24330eb681bdaa3eb70d6358e818e8e8f908a22a1851dfd4e15bc2f8161 \ + --hash=sha256:16ab77bbeb596e14212e7bab8429f24c1579234a3a462105cda4a66904998664 \ + --hash=sha256:16d232d4e5396c2efbbf4f6d4df89bfa905eb0d4dc5b3549d872ab898451f569 \ + --hash=sha256:21a12c4eb6ddc9952c415f24eef97e3e55ba3af61f67c7bc388dcdec1404a067 \ + --hash=sha256:27c523fbfbdfd19c6867af7346332b62b586eed663887392cff78d614f9ec313 \ + --hash=sha256:281af09f488903fde97923c7744bb001a9b23b039a909460d0f14edc7bf59706 \ + --hash=sha256:33029f5734336aa0d4c0384525da0387ef89148dc7191aae00ca5fb23d7aafc2 \ + --hash=sha256:3601a3cece3819534b11d4efc1eb76047488fddd0c85a3948099d5da4d504636 \ + --hash=sha256:3666906492efb76453c0e7b97f2cf459b0682e7402c0489a95484965dbc1da49 \ + --hash=sha256:36c63aaa167f6c6b04ef2c85704e93af16c11d20de1d133e39de6a0e84582a93 \ + --hash=sha256:39ff62e7d0f26c248b15e364517a72932a611a9b75f35b45be078d81bdb86603 \ + --hash=sha256:43644e38f42e3af682690876cff722d301ac585c5b9e1eacc013b7a3f7b696a0 \ + --hash=sha256:4372381634485bec7e46718edc71528024fcdc6f835baefe517b34a33c731d60 \ + --hash=sha256:458f37be2d9e4c95e2d8866a851663cbc76e865b78395090786f6cd9b3bbf4f4 \ + --hash=sha256:45e1ecb0379bfaab5eef059f50115b54571acfbe422a14f668fc8c27ba410e7e \ + --hash=sha256:4b9d9e4e2b37daddb5c23ea33a3417901fa7c7b3dee2d855f63ee67a0b21e5b1 \ + --hash=sha256:4ceef517eca3e03c1cceb22030a3e39cb399ac86bff4e426d4fc6ae49052cc60 \ + --hash=sha256:4d1a3d7ef5e96b1c9e92f973e43aa5e5b96c659c9bc3124acbbd81b0b9c8a951 \ + --hash=sha256:4dcbb0906e38440fa3e325df2359ac6cb043df8e58c965bb45f4e406ecb162cc \ + --hash=sha256:509eac6cf09c794aa27bcacfd4d62c885cce62bef7b2c3e8b2e49d365b5003fe \ + --hash=sha256:52509b5be062d9eafc8170e53026fbc54cf3b32759a23d07fd935fb04fc22d95 \ + --hash=sha256:52f2dffc8acaba9a2f27174c41c9e57f60b907bb9f096b36b1a1f3be71c6284d \ + --hash=sha256:574b7eae1ab267e5f8285f0fe881f17efe4b98c39a40858247720935b893bba8 \ + --hash=sha256:5979b5632c3e3534e42ca6ff856bb24b2e3071b37861c2c727ce220d80eee9ed \ + --hash=sha256:59d43b61c59d82f2effb39a93c48b845efe23a3852d201ed2d24ba830d0b4cf2 \ + --hash=sha256:5a4dcf02b908c3b8b17a45fb0f15b695bf117a67b76b7ad18b73cf8e92608775 \ + --hash=sha256:5cad9430ab3e2e4fa4a2ef4450f548768400a2ac635841bc2a56a2052cdbeb87 \ + --hash=sha256:5fc1b16f586f049820c5c5b17bb4ee7583092fa0d1c4e28b5239181ff9532e0c \ + --hash=sha256:62501642008a8b9871ddfccbf83e4222cf8ac0d5aeedf73da36153ef2ec222d2 \ + --hash=sha256:64bdf1086b6043bf519869678f5f2757f473dee970d7abf6da91ec00acb9cb98 \ + --hash=sha256:64da238a09d6039e3bd39bb3aee9c21a5e34f28bfa5aa22518581f910ff94af3 \ + --hash=sha256:666daae833559deb2d609afa4490b85830ab0dfca811a98b70a205621a6109fe \ + --hash=sha256:67040058f37a2a51ed8ea8f6b0e6ee5bd78ca67f169ce6122f3e2ec80dfe9b78 \ + --hash=sha256:6748717bb10339c4760c1e63da040f5f29f5ed6e59d76daee30305894069a660 \ + --hash=sha256:6b181d8c23da913d4ff585afd1155a0e1194c0b50c54fcfe286f70cdaf2b7176 \ + --hash=sha256:6ed5f161328b7df384d71b07317f4d8656434e34591f20552c7bcef27b0ab88e \ + --hash=sha256:7582a1d1030e15422262de9f58711774e02fa80df0d1578995c76214f6954988 \ + --hash=sha256:7d18748f2d30f94f498e852c67d61261c643b349b9d2a581131725595c45ec6c \ + --hash=sha256:7d6ae9d593ef8641544d6263c7fa6408cc90370c8cb2bbb65f8d43e5b0351d9c \ + --hash=sha256:81a4f0b34bd92df3da93315c6a59034df95866014ac08535fc819f043bfd51f0 \ + --hash=sha256:8316a77808c501004802f9beebde51c9f857054a0c871bd6da8280e718444449 \ + --hash=sha256:853888594621e6604c978ce2a0444a1e6e70c8d253ab65ba11657659dcc9100f \ + --hash=sha256:99b76c052e9f1bc0721f7541e5e8c05db3941eb9ebe7b8553c625ef88d6eefde \ + --hash=sha256:a2e4369eb3d47d2034032a26c7a80fcb21a2cb22e1173d761a162f11e562caa5 \ + --hash=sha256:ab55edc2e84460694295f401215f4a58597f8f7c9466faec545093045476327d \ + --hash=sha256:af048912e045a2dc732847d33821a9d84ba553f5c5f028adbd364dd4765092ac \ + --hash=sha256:b1a2eeedcead3a41694130495593a559a668f382eee0727352b9a41e1c45759a \ + --hash=sha256:b1e8b901e607795ec06c9e42530788c45ac21ef3aaa11dbd0c69de543bfb79a9 \ + --hash=sha256:b41156839806aecb3641f3208c0dafd3ac7775b9c4c422d82ee2a45c34ba81ca \ + --hash=sha256:b692f419760c0e65d060959df05f2a531945af31fda0c8a3b3195d4efd06de11 \ + --hash=sha256:bc779e9e6f7fda81b3f9aa58e3a6091d49ad528b11ed19f6621408806204ad35 \ + --hash=sha256:bf6774e60d67a9efe02b3616fee22441d86fab4c6d335f9d2051d19d90a40063 \ + --hash=sha256:c048099e4c9e9d615545e2001d3d8a4380bd403e1a0578734e0d31703d1b0c0b \ + --hash=sha256:c5cb09abb18c1ea940fb99360ea0396f34d46566f157122c92dfa069d3e0e982 \ + --hash=sha256:cc8e1d0c705233c5dd0c5e6460fbad7827d5d36f310a0fadfd45cc3029762258 \ + --hash=sha256:d5e3fc56f88cc98ef8139255cf8cd63eb2c586531e43310ff859d6bb3a6b51f1 \ + --hash=sha256:d6aa0418fcc838522256761b3415822626f866758ee0bc6632c9486b179d0b52 \ + --hash=sha256:d6c254ba6e45d8e72739281ebc46ea5eb5f101234f3ce171f0e9f5cc86991480 \ + --hash=sha256:d6d635d5209b82a3492508cf5b365f3446afb65ae7ebd755e70e18f287b0adf7 \ + --hash=sha256:dcfe792765fab89c365123c81046ad4103fcabbc4f56d1c1997e6715e8015461 \ + --hash=sha256:ddd3915998d93fbcd2566ddf9cf62cdb35c9e093075f862935573d265cf8f65d \ + --hash=sha256:ddff9c4e225a63a5afab9dd15590432c22e8057e1a9a13d28ed128ecf047bbdc \ + --hash=sha256:e41b7e2b59679edfa309e8db64fdf22399eec4b0b24694e1b2104fb789207779 \ + --hash=sha256:e69924bfcdda39b722ef4d9aa762b2dd38e4632b3641b1d9a57ca9cd18f2f83a \ + --hash=sha256:ea20853c6dbbb53ed34cb4d080382169b6f4554d394015f1bef35e881bf83547 \ + --hash=sha256:ee2a1ece51b9b9e7752e742cfb661d2a29e7bcdba2d27e66e28a99f1890e4fa0 \ + --hash=sha256:eeb6dcc05e911516ae3d1f207d4b0520d07f54484c49dfc294d6e7d63b734171 \ + --hash=sha256:f70b98cd94886b49d91170ef23ec5c0e8ebb6f242d734ed7ed677b24d50c82cf \ + --hash=sha256:fc35cb4676846ef752816d5be2193a1e8367b4c1397b74a565a9d0389c433a1d \ + --hash=sha256:ff959bee35038c4624250473988b24f846cbeb2c6639de3602c073f10410ceba + # via grpclib +pkginfo==1.9.6 \ + --hash=sha256:4b7a555a6d5a22169fcc9cf7bfd78d296b0361adad412a346c1226849af5e546 \ + --hash=sha256:8fd5896e8718a4372f0ea9cc9d96f6417c9b986e23a4d116dda26b62cc29d046 + # via twine +pycparser==2.21 \ + --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ + --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 + # via cffi +pydantic==1.10.10 \ + --hash=sha256:20a3b30fd255eeeb63caa9483502ba96b7795ce5bf895c6a179b3d909d9f53a6 \ + --hash=sha256:2b71bd504d1573b0b722ae536e8ffb796bedeef978979d076bf206e77dcc55a5 \ + --hash=sha256:3403a090db45d4027d2344859d86eb797484dfda0706cf87af79ace6a35274ef \ + --hash=sha256:37ebddef68370e6f26243acc94de56d291e01227a67b2ace26ea3543cf53dd5f \ + --hash=sha256:3b8d5bd97886f9eb59260594207c9f57dce14a6f869c6ceea90188715d29921a \ + --hash=sha256:409b810f387610cc7405ab2fa6f62bdf7ea485311845a242ebc0bd0496e7e5ac \ + --hash=sha256:4870f13a4fafd5bc3e93cff3169222534fad867918b188e83ee0496452978437 \ + --hash=sha256:566a04ba755e8f701b074ffb134ddb4d429f75d5dced3fbd829a527aafe74c71 \ + --hash=sha256:67b3714b97ff84b2689654851c2426389bcabfac9080617bcf4306c69db606f6 \ + --hash=sha256:6dab5219659f95e357d98d70577b361383057fb4414cfdb587014a5f5c595f7b \ + --hash=sha256:748d10ab6089c5d196e1c8be9de48274f71457b01e59736f7a09c9dc34f51887 \ + --hash=sha256:762aa598f79b4cac2f275d13336b2dd8662febee2a9c450a49a2ab3bec4b385f \ + --hash=sha256:7a26841be620309a9697f5b1ffc47dce74909e350c5315ccdac7a853484d468a \ + --hash=sha256:7a7db03339893feef2092ff7b1afc9497beed15ebd4af84c3042a74abce02d48 \ + --hash=sha256:7aa75d1bd9cc275cf9782f50f60cddaf74cbaae19b6ada2a28e737edac420312 \ + --hash=sha256:86936c383f7c38fd26d35107eb669c85d8f46dfceae873264d9bab46fe1c7dde \ + --hash=sha256:88546dc10a40b5b52cae87d64666787aeb2878f9a9b37825aedc2f362e7ae1da \ + --hash=sha256:8c40964596809eb616d94f9c7944511f620a1103d63d5510440ed2908fc410af \ + --hash=sha256:990027e77cda6072a566e433b6962ca3b96b4f3ae8bd54748e9d62a58284d9d7 \ + --hash=sha256:9965e49c6905840e526e5429b09e4c154355b6ecc0a2f05492eda2928190311d \ + --hash=sha256:9f62a727f5c590c78c2d12fda302d1895141b767c6488fe623098f8792255fe5 \ + --hash=sha256:a2d5be50ac4a0976817144c7d653e34df2f9436d15555189f5b6f61161d64183 \ + --hash=sha256:a5939ec826f7faec434e2d406ff5e4eaf1716eb1f247d68cd3d0b3612f7b4c8a \ + --hash=sha256:aac218feb4af73db8417ca7518fb3bade4534fcca6e3fb00f84966811dd94450 \ + --hash=sha256:adad1ee4ab9888f12dac2529276704e719efcf472e38df7813f5284db699b4ec \ + --hash=sha256:b69f9138dec566962ec65623c9d57bee44412d2fc71065a5f3ebb3820bdeee96 \ + --hash=sha256:c41bbaae89e32fc582448e71974de738c055aef5ab474fb25692981a08df808a \ + --hash=sha256:c62376890b819bebe3c717a9ac841a532988372b7e600e76f75c9f7c128219d5 \ + --hash=sha256:ce937a2a2c020bcad1c9fde02892392a1123de6dda906ddba62bfe8f3e5989a2 \ + --hash=sha256:db4c7f7e60ca6f7d6c1785070f3e5771fcb9b2d88546e334d2f2c3934d949028 \ + --hash=sha256:e0014e29637125f4997c174dd6167407162d7af0da73414a9340461ea8573252 \ + --hash=sha256:e088e3865a2270ecbc369924cd7d9fbc565667d9158e7f304e4097ebb9cf98dd \ + --hash=sha256:ea9eebc2ebcba3717e77cdeee3f6203ffc0e78db5f7482c68b1293e8cc156e5e \ + --hash=sha256:edfdf0a5abc5c9bf2052ebaec20e67abd52e92d257e4f2d30e02c354ed3e6030 \ + --hash=sha256:f3d4ee957a727ccb5a36f1b0a6dbd9fad5dedd2a41eada99a8df55c12896e18d \ + --hash=sha256:f79db3652ed743309f116ba863dae0c974a41b688242482638b892246b7db21d + # via + # id + # sigstore +pygments==2.15.1 \ + --hash=sha256:8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c \ + --hash=sha256:db2db3deb4b4179f399a09054b023b6a586b76499d36965813c71aa8ed7b5fd1 + # via + # readme-renderer + # rich +pyjwt==2.7.0 \ + --hash=sha256:ba2b425b15ad5ef12f200dc67dd56af4e26de2331f965c5439994dad075876e1 \ + --hash=sha256:bd6ca4a3c4285c1a2d4349e5a035fdf8fb94e04ccd0fcbe6ba289dae9cc3e074 + # via sigstore +pyopenssl==23.2.0 \ + --hash=sha256:24f0dc5227396b3e831f4c7f602b950a5e9833d292c8e4a2e06b709292806ae2 \ + --hash=sha256:276f931f55a452e7dea69c7173e984eb2a4407ce413c918aa34b55f82f9b8bac + # via sigstore +python-dateutil==2.8.2 \ + --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ + --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 + # via betterproto +readme-renderer==40.0 \ + --hash=sha256:9f77b519d96d03d7d7dce44977ba543090a14397c4f60de5b6eb5b8048110aa4 \ + --hash=sha256:e18feb2a1e7706f2865b81ebb460056d93fb29d69daa10b223c00faa7bd9a00a + # via twine +requests==2.31.0 \ + --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \ + --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1 + # via + # -r publish-requirements.in + # id + # requests-toolbelt + # sigstore + # tuf + # twine +requests-toolbelt==1.0.0 \ + --hash=sha256:7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6 \ + --hash=sha256:cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06 + # via twine +rfc3986==2.0.0 \ + --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ + --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c + # via twine +rich==13.4.2 \ + --hash=sha256:8f87bc7ee54675732fa66a05ebfe489e27264caeeff3728c945d25971b6485ec \ + --hash=sha256:d653d6bccede5844304c605d5aac802c7cf9621efd700b46c7ec2b51ea914898 + # via twine +securesystemslib==0.28.0 \ + --hash=sha256:9e6b9abe36a511d4f52c759069db8f6f650362ba82d6efc7bc7466a458b3f499 \ + --hash=sha256:a27e519247576f2a77b97fb03267d8eeb88eba715d12da64109e845616f919c6 + # via + # sigstore + # tuf +sigstore==1.1.2 \ + --hash=sha256:1252c34b6bf0f5c0680dffe36e1961bd23da9dd77838fc8ece35bcf87a3bf6df \ + --hash=sha256:1f5d74006073a4bc1572290fb133418c25ff76c5a02fcb567c3feb238d425ab3 + # via -r publish-requirements.in +sigstore-protobuf-specs==0.1.0 \ + --hash=sha256:0e7766add04b5bd145181936e6fedbb2609d7e959f2740051cbca12572b277a2 \ + --hash=sha256:622b2d231613a28ed3e6660acd87818675b4e83486f49a0f0c198ac5475fcb81 + # via sigstore +six==1.16.0 \ + --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ + --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 + # via + # bleach + # python-dateutil +tuf==2.1.0 \ + --hash=sha256:ab22d1143d4d8aa20c94d243de27eedc8cd517e251ddaf4a88c10952358a13ea \ + --hash=sha256:dbfe18fbdeba6d76144931db88b76e473fa40c431b60d25b455a9adbb07c2397 + # via sigstore +twine==4.0.2 \ + --hash=sha256:929bc3c280033347a00f847236564d1c52a3e61b1ac2516c97c48f3ceab756d8 \ + --hash=sha256:9e102ef5fdd5a20661eb88fad46338806c3bd32cf1db729603fe3697b1bc83c8 + # via -r publish-requirements.in +typing-extensions==4.7.1 \ + --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ + --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 + # via pydantic +urllib3==2.0.3 \ + --hash=sha256:48e7fafa40319d358848e1bc6809b208340fafe2096f1725d05d67443d0483d1 \ + --hash=sha256:bee28b5e56addb8226c96f7f13ac28cb4c301dd5ea8a6ca179c0b9835e032825 + # via + # requests + # twine +webencodings==0.5.1 \ + --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \ + --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923 + # via bleach +zipp==3.15.0 \ + --hash=sha256:112929ad649da941c23de50f356a2b5570c954b65150642bccdd66bf194d224b \ + --hash=sha256:48904fc76a60e542af151aded95726c1a5c34ed43ab4134b597665c86d7ad556 + # via importlib-metadata diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 96dad5f8a4d6..9f941fa8903a 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -15,6 +15,9 @@ on: workflows: ["Wheel Builder"] types: [completed] +env: + PUBLISH_REQUIREMENTS_PATH: .github/requirements/publish-requirements.txt + jobs: publish: runs-on: ubuntu-latest @@ -25,11 +28,20 @@ jobs: permissions: id-token: "write" steps: + - name: Get publish-requirements.txt from repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + sparse-checkout: | + ${{ env.PUBLISH_REQUIREMENTS_PATH }} + sparse-checkout-cone-mode: false + persist-credentials: false + - name: Install Python dependencies + run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} + - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} - - run: pip install twine requests sigstore - run: | echo "OIDC_AUDIENCE=pypi" >> $GITHUB_ENV diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index eeaf5cc4221a..94a541bb646f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -19,6 +19,9 @@ on: - pyproject.toml - vectors/pyproject.toml +env: + BUILD_REQUIREMENTS_PATH: .github/requirements/build-requirements.txt + jobs: sdist: runs-on: ubuntu-latest @@ -104,13 +107,22 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.MANYLINUX.NAME == 'musllinux_1_1_aarch64' - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - name: Get build-requirements.txt from repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: - name: cryptography-sdist - + # The tag to build or the tag received by the tag event + ref: ${{ github.event.inputs.version || github.ref }} + persist-credentials: false + sparse-checkout: | + ${{ env.BUILD_REQUIREMENTS_PATH }} + sparse-checkout-cone-mode: false - run: /opt/python/${{ matrix.PYTHON.VERSION }}/bin/python -m venv .venv - name: Install Python dependencies - run: .venv/bin/pip install -U pip wheel cffi setuptools-rust + run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} + + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: cryptography-sdist - run: mkdir tmpwheelhouse - name: Build the wheel run: | @@ -188,10 +200,15 @@ jobs: ARCHFLAGS: '-arch x86_64' name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - name: Get build-requirements.txt from repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: - name: cryptography-sdist - + # The tag to build or the tag received by the tag event + ref: ${{ github.event.inputs.version || github.ref }} + persist-credentials: false + sparse-checkout: | + ${{ env.BUILD_REQUIREMENTS_PATH }} + sparse-checkout-cone-mode: false - name: Setup python run: | curl "$PYTHON_DOWNLOAD_URL" -o python.pkg @@ -218,9 +235,13 @@ jobs: toolchain: stable # Add the arm64 target in addition to the native arch (x86_64) target: aarch64-apple-darwin - - run: ${{ matrix.PYTHON.BIN_PATH }} -m venv venv - - run: venv/bin/pip install -U pip wheel cffi setuptools-rust + - name: Install Python dependencies + run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} + + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: cryptography-sdist - run: mkdir wheelhouse - name: Build the wheel run: | @@ -275,6 +296,16 @@ jobs: PYTHON: {VERSION: "pypy-3.10"} name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: + - name: Get build-requirements.txt from repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + # The tag to build or the tag received by the tag event + ref: ${{ github.event.inputs.version || github.ref }} + persist-credentials: false + sparse-checkout: | + ${{ env.BUILD_REQUIREMENTS_PATH }} + sparse-checkout-cone-mode: false + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: cryptography-sdist @@ -303,9 +334,8 @@ jobs: echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV echo "OPENSSL_STATIC=1" >> $GITHUB_ENV shell: bash - - - run: python -m pip install -U pip wheel - - run: python -m pip install cffi setuptools-rust + - name: Install Python dependencies + run: python -m pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - run: mkdir wheelhouse - run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then diff --git a/pyproject.toml b/pyproject.toml index ceb5009852f5..560f022c8387 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,4 +1,5 @@ [build-system] +# These requirements must be kept sync with the requirements on ./github/requirements/build-requirements files requires = [ # First version of setuptools to support pyproject.toml configuration "setuptools>=61.0.0", From 55d5e2cd9ccb9c8b58140dd237bb4bb502cbb7ea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 11 Jul 2023 14:20:09 -0400 Subject: [PATCH 0171/1014] Try using macos-13 in CI (#9218) --- .github/workflows/ci.yml | 2 +- .github/workflows/wheel-builder.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d2504b0561d4..2152f51de9c1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -219,7 +219,7 @@ jobs: fail-fast: false matrix: RUNNER: - - {OS: 'macos-12', ARCH: 'x86_64'} + - {OS: 'macos-13', ARCH: 'x86_64'} - {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 94a541bb646f..6bfd388e2587 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -156,7 +156,7 @@ jobs: macos: needs: [sdist] - runs-on: macos-12 + runs-on: macos-13 strategy: fail-fast: false matrix: From ac406026e82d57ebe8d0da06a66feb17a1c14695 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 18:34:39 +0000 Subject: [PATCH 0172/1014] Bump target-lexicon from 0.12.8 to 0.12.9 in /src/rust (#9223) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.8 to 0.12.9. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.8...v0.12.9) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 68fed89ef9ec..0e8f518e259c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -353,9 +353,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.8" +version = "0.12.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b1c7f239eb94671427157bd93b3694320f3668d4e1eff08c7285366fd777fac" +checksum = "df8e77cb757a61f51b947ec4a7e3646efd825b73561db1c232a8ccb639e611a0" [[package]] name = "unicode-ident" From 058e21b64473508e7e751a1def6b70a989069132 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 11 Jul 2023 18:25:44 -0400 Subject: [PATCH 0173/1014] x509: more extension APIs (#9213) * certificate, extensions: avoid clones Signed-off-by: William Woodruff * extensions: SAN, EKU aliases Signed-off-by: William Woodruff * extensions: KeyUsage Signed-off-by: William Woodruff * extensions: add `Extension::value` Signed-off-by: William Woodruff * extensions: cleanup Signed-off-by: William Woodruff * extensions: fix test Signed-off-by: William Woodruff * extensions: `Extensions::value` test Signed-off-by: William Woodruff * extensions: KeyUsage test Signed-off-by: William Woodruff * extensions: remove derives Unneeded. Signed-off-by: William Woodruff * certificate, extensions: remove excess lifetimes Clones are cheap here. Signed-off-by: William Woodruff * extensions: zeroed -> is_zeroed Signed-off-by: William Woodruff * rust: rewrite to use Extension::value Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/certificate.rs | 4 +- src/rust/cryptography-x509/src/extensions.rs | 128 +++++++++++++++--- src/rust/src/x509/certificate.rs | 111 +++++++-------- src/rust/src/x509/common.rs | 4 +- src/rust/src/x509/crl.rs | 36 +++-- src/rust/src/x509/csr.rs | 9 +- src/rust/src/x509/ocsp_req.rs | 10 +- src/rust/src/x509/ocsp_resp.rs | 12 +- 8 files changed, 196 insertions(+), 118 deletions(-) diff --git a/src/rust/cryptography-x509/src/certificate.rs b/src/rust/cryptography-x509/src/certificate.rs index 502ab5413372..06fc3a3ba4df 100644 --- a/src/rust/cryptography-x509/src/certificate.rs +++ b/src/rust/cryptography-x509/src/certificate.rs @@ -35,8 +35,8 @@ pub struct TbsCertificate<'a> { pub raw_extensions: Option>, } -impl<'a> TbsCertificate<'a> { - pub fn extensions(&'a self) -> Result, asn1::ObjectIdentifier> { +impl TbsCertificate<'_> { + pub fn extensions(&self) -> Result, asn1::ObjectIdentifier> { Extensions::from_raw_extensions(self.raw_extensions.as_ref()) } } diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 41c36e3b77f0..187250c349a0 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -51,14 +51,13 @@ impl<'a> Extensions<'a> { } /// Returns a reference to the underlying extensions. - pub fn as_raw(&self) -> &Option> { - &self.0 + pub fn as_raw(&self) -> Option<&RawExtensions<'_>> { + self.0.as_ref() } /// Returns an iterator over the underlying extensions. pub fn iter(&self) -> impl Iterator { self.as_raw() - .clone() .map(|raw| raw.unwrap_read().clone()) .into_iter() .flatten() @@ -73,6 +72,12 @@ pub struct Extension<'a> { pub extn_value: &'a [u8], } +impl<'a> Extension<'a> { + pub fn value>(&'a self) -> asn1::ParseResult { + asn1::parse_single(self.extn_value) + } +} + #[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct PolicyConstraints { #[implicit(0)] @@ -228,31 +233,85 @@ pub struct BasicConstraints { pub path_length: Option, } +pub type SubjectAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>; +pub type IssuerAlternativeName<'a> = asn1::SequenceOf<'a, name::GeneralName<'a>>; +pub type ExtendedKeyUsage<'a> = asn1::SequenceOf<'a, asn1::ObjectIdentifier>; + +pub struct KeyUsage<'a>(asn1::BitString<'a>); + +impl<'a> asn1::SimpleAsn1Readable<'a> for KeyUsage<'a> { + const TAG: asn1::Tag = asn1::BitString::TAG; + + fn parse_data(data: &'a [u8]) -> asn1::ParseResult { + asn1::BitString::parse_data(data).map(Self) + } +} + +impl KeyUsage<'_> { + pub fn is_zeroed(&self) -> bool { + self.0.as_bytes().iter().all(|&b| b == 0) + } + + pub fn digital_signature(&self) -> bool { + self.0.has_bit_set(0) + } + + pub fn content_comitment(&self) -> bool { + self.0.has_bit_set(1) + } + + pub fn key_encipherment(&self) -> bool { + self.0.has_bit_set(2) + } + + pub fn data_encipherment(&self) -> bool { + self.0.has_bit_set(3) + } + + pub fn key_agreement(&self) -> bool { + self.0.has_bit_set(4) + } + + pub fn key_cert_sign(&self) -> bool { + self.0.has_bit_set(5) + } + + pub fn crl_sign(&self) -> bool { + self.0.has_bit_set(6) + } + + pub fn encipher_only(&self) -> bool { + self.0.has_bit_set(7) + } + + pub fn decipher_only(&self) -> bool { + self.0.has_bit_set(8) + } +} + #[cfg(test)] mod tests { - use asn1::SequenceOfWriter; - use crate::oid::{AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID}; - use super::{BasicConstraints, Extension, Extensions}; + use super::{BasicConstraints, Extension, Extensions, KeyUsage}; #[test] fn test_get_extension() { - let extension_value = BasicConstraints { + let bc = BasicConstraints { ca: true, path_length: Some(3), }; let extension = Extension { extn_id: BASIC_CONSTRAINTS_OID, critical: true, - extn_value: &asn1::write_single(&extension_value).unwrap(), + extn_value: &asn1::write_single(&bc).unwrap(), }; - let extensions = SequenceOfWriter::new(vec![extension]); + let extensions = asn1::SequenceOfWriter::new(vec![extension]); let der = asn1::write_single(&extensions).unwrap(); + let raw = asn1::parse_single(&der).unwrap(); - let extensions: Extensions = - Extensions::from_raw_extensions(Some(&asn1::parse_single(&der).unwrap())).unwrap(); + let extensions: Extensions = Extensions::from_raw_extensions(Some(&raw)).unwrap(); assert!(&extensions.get_extension(&BASIC_CONSTRAINTS_OID).is_some()); assert!(&extensions @@ -262,23 +321,60 @@ mod tests { #[test] fn test_extensions_iter() { - let extension_value = BasicConstraints { + let bc = BasicConstraints { ca: true, path_length: Some(3), }; let extension = Extension { extn_id: BASIC_CONSTRAINTS_OID, critical: true, - extn_value: &asn1::write_single(&extension_value).unwrap(), + extn_value: &asn1::write_single(&bc).unwrap(), }; - let extensions = SequenceOfWriter::new(vec![extension]); + let extensions = asn1::SequenceOfWriter::new(vec![extension]); let der = asn1::write_single(&extensions).unwrap(); + let parsed = asn1::parse_single(&der).unwrap(); - let extensions: Extensions = - Extensions::from_raw_extensions(Some(&asn1::parse_single(&der).unwrap())).unwrap(); + let extensions: Extensions = Extensions::from_raw_extensions(Some(&parsed)).unwrap(); let extension_list: Vec<_> = extensions.iter().collect(); assert_eq!(extension_list.len(), 1); } + + #[test] + fn test_extension_value() { + let bc = BasicConstraints { + ca: true, + path_length: Some(3), + }; + let extension = Extension { + extn_id: BASIC_CONSTRAINTS_OID, + critical: true, + extn_value: &asn1::write_single(&bc).unwrap(), + }; + + let extracted: BasicConstraints = extension.value().unwrap(); + assert_eq!(bc.ca, extracted.ca); + assert_eq!(bc.path_length, extracted.path_length); + } + + #[test] + fn test_keyusage() { + // let ku: KeyUsage = asn1::parse_single(data) + let ku_bits = [0b1111_1111u8, 0b1000_0000u8]; + let ku_bitstring = asn1::BitString::new(&ku_bits, 7).unwrap(); + let asn1 = asn1::write_single(&ku_bitstring).unwrap(); + + let ku: KeyUsage = asn1::parse_single(&asn1).unwrap(); + assert!(!ku.is_zeroed()); + assert!(ku.digital_signature()); + assert!(ku.content_comitment()); + assert!(ku.key_encipherment()); + assert!(ku.data_encipherment()); + assert!(ku.key_agreement()); + assert!(ku.key_cert_sign()); + assert!(ku.crl_sign()); + assert!(ku.encipher_only()); + assert!(ku.decipher_only()); + } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index a4e62255d05e..2b9e9d69e9ba 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -11,14 +11,14 @@ use crate::x509::{extensions, sct, sign}; use crate::{exceptions, x509}; use cryptography_x509::certificate::Certificate as RawCertificate; use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; -use cryptography_x509::extensions::Extension; use cryptography_x509::extensions::{ AuthorityKeyIdentifier, BasicConstraints, DisplayText, DistributionPoint, - DistributionPointName, MSCertificateTemplate, NameConstraints, PolicyConstraints, - PolicyInformation, PolicyQualifierInfo, Qualifier, RawExtensions, SequenceOfAccessDescriptions, - SequenceOfSubtrees, UserNotice, + DistributionPointName, IssuerAlternativeName, KeyUsage, MSCertificateTemplate, NameConstraints, + PolicyConstraints, PolicyInformation, PolicyQualifierInfo, Qualifier, RawExtensions, + SequenceOfAccessDescriptions, SequenceOfSubtrees, UserNotice, }; -use cryptography_x509::{common, name, oid}; +use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; +use cryptography_x509::{common, oid}; use pyo3::{IntoPy, ToPyObject}; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -256,9 +256,9 @@ impl Certificate { py, &mut self.cached_extensions, &self.raw.borrow_dependent().tbs_cert.raw_extensions, - |oid, ext_data| match *oid { + |ext| match ext.extn_id { oid::PRECERT_POISON_OID => { - asn1::parse_single::<()>(ext_data)?; + ext.value::<()>()?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "PrecertPoison"))? @@ -266,7 +266,7 @@ impl Certificate { )) } oid::PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_OID => { - let contents = asn1::parse_single::<&[u8]>(ext_data)?; + let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::PreCertificate)?; Ok(Some( x509_module @@ -277,7 +277,7 @@ impl Certificate { .call1((scts,))?, )) } - _ => parse_cert_ext(py, oid.clone(), ext_data), + _ => parse_cert_ext(py, ext), }, ) } @@ -525,8 +525,11 @@ fn parse_policy_qualifiers<'a>( Ok(py_pq.to_object(py)) } -fn parse_cp(py: pyo3::Python<'_>, ext_data: &[u8]) -> Result { - let cp = asn1::parse_single::>>(ext_data)?; +fn parse_cp( + py: pyo3::Python<'_>, + ext: &Extension<'_>, +) -> Result { + let cp = ext.value::>>()?; let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let certificate_policies = pyo3::types::PyList::empty(py); for policyinfo in cp { @@ -594,9 +597,9 @@ fn parse_distribution_point( pub(crate) fn parse_distribution_points( py: pyo3::Python<'_>, - data: &[u8], + ext: &Extension<'_>, ) -> Result { - let dps = asn1::parse_single::>>(data)?; + let dps = ext.value::>>()?; let py_dps = pyo3::types::PyList::empty(py); for dp in dps { let py_dp = parse_distribution_point(py, dp)?; @@ -650,10 +653,10 @@ pub(crate) fn encode_distribution_point_reasons( pub(crate) fn parse_authority_key_identifier<'p>( py: pyo3::Python<'p>, - ext_data: &[u8], + ext: &Extension<'_>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; - let aki = asn1::parse_single::>(ext_data)?; + let aki = ext.value::>()?; let serial = match aki.authority_cert_serial_number { Some(biguint) => big_byte_slice_to_py_int(py, biguint.as_bytes())?.to_object(py), None => py.None(), @@ -669,11 +672,11 @@ pub(crate) fn parse_authority_key_identifier<'p>( pub(crate) fn parse_access_descriptions( py: pyo3::Python<'_>, - ext_data: &[u8], + ext: &Extension<'_>, ) -> Result { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let ads = pyo3::types::PyList::empty(py); - let parsed = asn1::parse_single::>(ext_data)?; + let parsed = ext.value::>()?; for access in parsed.unwrap_read().clone() { let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; @@ -688,14 +691,12 @@ pub(crate) fn parse_access_descriptions( pub fn parse_cert_ext<'p>( py: pyo3::Python<'p>, - oid: asn1::ObjectIdentifier, - ext_data: &[u8], + ext: &Extension<'_>, ) -> CryptographyResult> { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; - match oid { + match ext.extn_id { oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gn_seq = - asn1::parse_single::>>(ext_data)?; + let gn_seq = ext.value::>()?; let sans = x509::parse_general_names(py, &gn_seq)?; Ok(Some( x509_module @@ -704,8 +705,7 @@ pub fn parse_cert_ext<'p>( )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { - let gn_seq = - asn1::parse_single::>>(ext_data)?; + let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( x509_module @@ -719,7 +719,7 @@ pub fn parse_cert_ext<'p>( .getattr(pyo3::intern!(py, "_TLS_FEATURE_TYPE_TO_ENUM"))?; let features = pyo3::types::PyList::empty(py); - for feature in asn1::parse_single::>(ext_data)? { + for feature in ext.value::>()? { let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; } @@ -730,7 +730,7 @@ pub fn parse_cert_ext<'p>( )) } oid::SUBJECT_KEY_IDENTIFIER_OID => { - let identifier = asn1::parse_single::<&[u8]>(ext_data)?; + let identifier = ext.value::<&[u8]>()?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "SubjectKeyIdentifier"))? @@ -739,8 +739,7 @@ pub fn parse_cert_ext<'p>( } oid::EXTENDED_KEY_USAGE_OID => { let ekus = pyo3::types::PyList::empty(py); - for oid in asn1::parse_single::>(ext_data)? - { + for oid in ext.value::>()? { let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; } @@ -751,32 +750,24 @@ pub fn parse_cert_ext<'p>( )) } oid::KEY_USAGE_OID => { - let kus = asn1::parse_single::>(ext_data)?; - let digital_signature = kus.has_bit_set(0); - let content_comitment = kus.has_bit_set(1); - let key_encipherment = kus.has_bit_set(2); - let data_encipherment = kus.has_bit_set(3); - let key_agreement = kus.has_bit_set(4); - let key_cert_sign = kus.has_bit_set(5); - let crl_sign = kus.has_bit_set(6); - let encipher_only = kus.has_bit_set(7); - let decipher_only = kus.has_bit_set(8); + let kus = ext.value::>()?; + Ok(Some( x509_module.getattr(pyo3::intern!(py, "KeyUsage"))?.call1(( - digital_signature, - content_comitment, - key_encipherment, - data_encipherment, - key_agreement, - key_cert_sign, - crl_sign, - encipher_only, - decipher_only, + kus.digital_signature(), + kus.content_comitment(), + kus.key_encipherment(), + kus.data_encipherment(), + kus.key_agreement(), + kus.key_cert_sign(), + kus.crl_sign(), + kus.encipher_only(), + kus.decipher_only(), ))?, )) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { - let ads = parse_access_descriptions(py, ext_data)?; + let ads = parse_access_descriptions(py, ext)?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "AuthorityInformationAccess"))? @@ -784,7 +775,7 @@ pub fn parse_cert_ext<'p>( )) } oid::SUBJECT_INFORMATION_ACCESS_OID => { - let ads = parse_access_descriptions(py, ext_data)?; + let ads = parse_access_descriptions(py, ext)?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "SubjectInformationAccess"))? @@ -792,14 +783,14 @@ pub fn parse_cert_ext<'p>( )) } oid::CERTIFICATE_POLICIES_OID => { - let cp = parse_cp(py, ext_data)?; + let cp = parse_cp(py, ext)?; Ok(Some(x509_module.call_method1( pyo3::intern!(py, "CertificatePolicies"), (cp,), )?)) } oid::POLICY_CONSTRAINTS_OID => { - let pc = asn1::parse_single::(ext_data)?; + let pc = ext.value::()?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "PolicyConstraints"))? @@ -807,7 +798,7 @@ pub fn parse_cert_ext<'p>( )) } oid::OCSP_NO_CHECK_OID => { - asn1::parse_single::<()>(ext_data)?; + ext.value::<()>()?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "OCSPNoCheck"))? @@ -815,7 +806,7 @@ pub fn parse_cert_ext<'p>( )) } oid::INHIBIT_ANY_POLICY_OID => { - let bignum = asn1::parse_single::>(ext_data)?; + let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; Ok(Some( x509_module @@ -824,18 +815,16 @@ pub fn parse_cert_ext<'p>( )) } oid::BASIC_CONSTRAINTS_OID => { - let bc = asn1::parse_single::(ext_data)?; + let bc = ext.value::()?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "BasicConstraints"))? .call1((bc.ca, bc.path_length))?, )) } - oid::AUTHORITY_KEY_IDENTIFIER_OID => { - Ok(Some(parse_authority_key_identifier(py, ext_data)?)) - } + oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some(parse_authority_key_identifier(py, ext)?)), oid::CRL_DISTRIBUTION_POINTS_OID => { - let dp = parse_distribution_points(py, ext_data)?; + let dp = parse_distribution_points(py, ext)?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "CRLDistributionPoints"))? @@ -843,7 +832,7 @@ pub fn parse_cert_ext<'p>( )) } oid::FRESHEST_CRL_OID => { - let dp = parse_distribution_points(py, ext_data)?; + let dp = parse_distribution_points(py, ext)?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "FreshestCRL"))? @@ -851,7 +840,7 @@ pub fn parse_cert_ext<'p>( )) } oid::NAME_CONSTRAINTS_OID => { - let nc = asn1::parse_single::>(ext_data)?; + let nc = ext.value::>()?; let permitted_subtrees = match nc.permitted_subtrees { Some(data) => parse_general_subtrees(py, data)?, None => py.None(), @@ -867,7 +856,7 @@ pub fn parse_cert_ext<'p>( )) } oid::MS_CERTIFICATE_TEMPLATE => { - let ms_cert_tpl = asn1::parse_single::(ext_data)?; + let ms_cert_tpl = ext.value::()?; let py_oid = oid_to_py_oid(py, &ms_cert_tpl.template_id)?; Ok(Some( x509_module diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index d0c24c686b9e..c367632810ac 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -382,7 +382,7 @@ fn ipv6_netmask(num: u128) -> Result { pub(crate) fn parse_and_cache_extensions< 'p, - F: Fn(&asn1::ObjectIdentifier, &[u8]) -> Result, CryptographyError>, + F: Fn(&Extension<'_>) -> Result, CryptographyError>, >( py: pyo3::Python<'p>, cached_extensions: &mut Option, @@ -409,7 +409,7 @@ pub(crate) fn parse_and_cache_extensions< for raw_ext in extensions.iter() { let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; - let extn_value = match parse_ext(&raw_ext.extn_id, raw_ext.extn_value)? { + let extn_value = match parse_ext(&raw_ext)? { Some(e) => e, None => x509_module.call_method1( pyo3::intern!(py, "UnrecognizedExtension"), diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 51495411490c..fbb7b4668bb1 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -9,6 +9,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, x509}; +use cryptography_x509::extensions::{Extension, IssuerAlternativeName}; use cryptography_x509::{ common, crl::{ @@ -272,9 +273,9 @@ impl CertificateRevocationList { py, &mut self.cached_extensions, &tbs_cert_list.raw_crl_extensions, - |oid, ext_data| match *oid { + |ext| match ext.extn_id { oid::CRL_NUMBER_OID => { - let bignum = asn1::parse_single::>(ext_data)?; + let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; Ok(Some( x509_module @@ -283,7 +284,7 @@ impl CertificateRevocationList { )) } oid::DELTA_CRL_INDICATOR_OID => { - let bignum = asn1::parse_single::>(ext_data)?; + let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; Ok(Some( x509_module @@ -292,9 +293,7 @@ impl CertificateRevocationList { )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { - let gn_seq = asn1::parse_single::>>( - ext_data, - )?; + let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( x509_module @@ -303,18 +302,18 @@ impl CertificateRevocationList { )) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { - let ads = certificate::parse_access_descriptions(py, ext_data)?; + let ads = certificate::parse_access_descriptions(py, ext)?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "AuthorityInformationAccess"))? .call1((ads,))?, )) } - oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some( - certificate::parse_authority_key_identifier(py, ext_data)?, - )), + oid::AUTHORITY_KEY_IDENTIFIER_OID => { + Ok(Some(certificate::parse_authority_key_identifier(py, ext)?)) + } oid::ISSUING_DISTRIBUTION_POINT_OID => { - let idp = asn1::parse_single::>(ext_data)?; + let idp = ext.value::>()?; let (full_name, relative_name) = match idp.distribution_point { Some(data) => certificate::parse_distribution_point_name(py, data)?, None => (py.None(), py.None()), @@ -342,7 +341,7 @@ impl CertificateRevocationList { )) } oid::FRESHEST_CRL_OID => { - let dp = certificate::parse_distribution_points(py, ext_data)?; + let dp = certificate::parse_distribution_points(py, ext)?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "FreshestCRL"))? @@ -517,7 +516,7 @@ impl RevokedCertificate { py, &mut self.cached_extensions, &self.owned.borrow_dependent().raw_crl_entry_extensions, - |oid, ext_data| parse_crl_entry_ext(py, oid.clone(), ext_data), + |ext| parse_crl_entry_ext(py, ext), ) } } @@ -554,13 +553,12 @@ pub(crate) fn parse_crl_reason_flags<'p>( pub fn parse_crl_entry_ext<'p>( py: pyo3::Python<'p>, - oid: asn1::ObjectIdentifier, - data: &[u8], + ext: &Extension<'_>, ) -> CryptographyResult> { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; - match oid { + match ext.extn_id { oid::CRL_REASON_OID => { - let flags = parse_crl_reason_flags(py, &asn1::parse_single::(data)?)?; + let flags = parse_crl_reason_flags(py, &ext.value::()?)?; Ok(Some( x509_module .getattr(pyo3::intern!(py, "CRLReason"))? @@ -568,7 +566,7 @@ pub fn parse_crl_entry_ext<'p>( )) } oid::CERTIFICATE_ISSUER_OID => { - let gn_seq = asn1::parse_single::>>(data)?; + let gn_seq = ext.value::>>()?; let gns = x509::parse_general_names(py, &gn_seq)?; Ok(Some( x509_module @@ -577,7 +575,7 @@ pub fn parse_crl_entry_ext<'p>( )) } oid::INVALIDITY_DATE_OID => { - let time = asn1::parse_single::(data)?; + let time = ext.value::()?; let py_dt = x509::datetime_to_py(py, time.as_datetime())?; Ok(Some( x509_module diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index ebd271848cce..0df274c3e693 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -223,12 +223,9 @@ impl CertificateSigningRequest { ) })?; - x509::parse_and_cache_extensions( - py, - &mut self.cached_extensions, - &raw_exts, - |oid, ext_data| certificate::parse_cert_ext(py, oid.clone(), ext_data), - ) + x509::parse_and_cache_extensions(py, &mut self.cached_extensions, &raw_exts, |ext| { + certificate::parse_cert_ext(py, ext) + }) } #[getter] diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 10471857b69f..b77aacc215fa 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -119,8 +119,8 @@ impl OCSPRequest { py, &mut self.cached_extensions, &tbs_request.raw_request_extensions, - |oid, value| { - match *oid { + |ext| { + match ext.extn_id { oid::NONCE_OID => { // This is a disaster. RFC 2560 says that the contents of the nonce is // just the raw extension value. This is nonsense, since they're always @@ -128,15 +128,13 @@ impl OCSPRequest { // nonce is an OCTET STRING, and so you should unwrap the TLV to get // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. - let nonce = asn1::parse_single::<&[u8]>(value).unwrap_or(value); + let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); Ok(Some( x509_module.call_method1(pyo3::intern!(py, "OCSPNonce"), (nonce,))?, )) } oid::ACCEPTABLE_RESPONSES_OID => { - let oids = asn1::parse_single::< - asn1::SequenceOf<'_, asn1::ObjectIdentifier>, - >(value)?; + let oids = ext.value::>()?; let py_oids = pyo3::types::PyList::empty(py); for oid in oids { py_oids.append(oid_to_py_oid(py, &oid)?)?; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 1c929018d92c..abb32d526392 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -336,8 +336,8 @@ impl OCSPResponse { py, &mut self.cached_extensions, &response_data.raw_response_extensions, - |oid, ext_data| { - match oid { + |ext| { + match &ext.extn_id { &oid::NONCE_OID => { // This is a disaster. RFC 2560 says that the contents of the nonce is // just the raw extension value. This is nonsense, since they're always @@ -345,7 +345,7 @@ impl OCSPResponse { // nonce is an OCTET STRING, and so you should unwrap the TLV to get // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. - let nonce = asn1::parse_single::<&[u8]>(ext_data).unwrap_or(ext_data); + let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); Ok(Some( x509_module.call_method1(pyo3::intern!(py, "OCSPNonce"), (nonce,))?, )) @@ -374,9 +374,9 @@ impl OCSPResponse { py, &mut self.cached_single_extensions, &single_resp.raw_single_extensions, - |oid, ext_data| match oid { + |ext| match &ext.extn_id { &oid::SIGNED_CERTIFICATE_TIMESTAMPS_OID => { - let contents = asn1::parse_single::<&[u8]>(ext_data)?; + let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::Certificate)?; Ok(Some( x509_module @@ -384,7 +384,7 @@ impl OCSPResponse { .call1((scts,))?, )) } - _ => crl::parse_crl_entry_ext(py, oid.clone(), ext_data), + _ => crl::parse_crl_entry_ext(py, ext), }, ) } From 2e65d562c63eceb02e393819960dc574c8babe79 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 12 Jul 2023 00:21:47 +0000 Subject: [PATCH 0174/1014] Bump BoringSSL and/or OpenSSL in CI (#9224) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2152f51de9c1..9af6a42ebad6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 11, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c807a2371449998cd767826ba06adc3e122e6d4a"}} - # Latest commit on the OpenSSL master branch, as of Jul 11, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ff9728c6d5d23ebaa73cb729c8110c0582e66280"}} + # Latest commit on the BoringSSL master branch, as of Jul 12, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "690dcdf5c9792f7ab4ca6e3e009a6e0da9ebe933"}} + # Latest commit on the OpenSSL master branch, as of Jul 12, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0a3733babbbb4e297ccfbc3ece29e95cafca5f2d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From c997baff10ffb7635b855e9caaf435f3fce0bdf1 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 11 Jul 2023 20:22:09 -0400 Subject: [PATCH 0175/1014] extensions: explicit lifetimes (#9225) This fixes some lifetime mismatches that the compiler can't figure out. Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/extensions.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 187250c349a0..cf48fdbf6087 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -46,17 +46,17 @@ impl<'a> Extensions<'a> { /// Retrieves the extension identified by the given OID, /// or None if the extension is not present (or no extensions are present). - pub fn get_extension(&self, oid: &asn1::ObjectIdentifier) -> Option { + pub fn get_extension(&self, oid: &asn1::ObjectIdentifier) -> Option> { self.iter().find(|ext| &ext.extn_id == oid) } /// Returns a reference to the underlying extensions. - pub fn as_raw(&self) -> Option<&RawExtensions<'_>> { + pub fn as_raw(&self) -> Option<&RawExtensions<'a>> { self.0.as_ref() } /// Returns an iterator over the underlying extensions. - pub fn iter(&self) -> impl Iterator { + pub fn iter(&self) -> impl Iterator> { self.as_raw() .map(|raw| raw.unwrap_read().clone()) .into_iter() From 7aa4518a04a62567ce2c3e480c1083e63d0e9857 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 13 Jul 2023 00:19:11 +0000 Subject: [PATCH 0176/1014] Bump BoringSSL and/or OpenSSL in CI (#9226) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9af6a42ebad6..f6bbceff1ac0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 12, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "690dcdf5c9792f7ab4ca6e3e009a6e0da9ebe933"}} - # Latest commit on the OpenSSL master branch, as of Jul 12, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0a3733babbbb4e297ccfbc3ece29e95cafca5f2d"}} + # Latest commit on the BoringSSL master branch, as of Jul 13, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b98ce18c5b3f0c28bd64b27b6494f176404da4e4"}} + # Latest commit on the OpenSSL master branch, as of Jul 13, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "66f61ece724a54253da36f70274bc320faf9f4e2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From e949b2e15c65262a38b3e3d410c469bf1e4e6c0e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 12 Jul 2023 22:40:26 -0400 Subject: [PATCH 0177/1014] Prepare for new ruff release (#9227) --- .../development/custom-vectors/arc4/generate_arc4.py | 4 +--- .../custom-vectors/cast5/generate_cast5.py | 4 +--- src/cryptography/hazmat/backends/openssl/backend.py | 4 +--- src/cryptography/hazmat/backends/openssl/rsa.py | 4 +--- src/cryptography/x509/extensions.py | 12 +++--------- src/cryptography/x509/general_name.py | 4 +--- tests/hazmat/primitives/test_ec.py | 8 ++------ tests/hazmat/primitives/test_pkcs12.py | 4 +--- tests/hazmat/primitives/test_x963_vectors.py | 4 +--- 9 files changed, 12 insertions(+), 36 deletions(-) diff --git a/docs/development/custom-vectors/arc4/generate_arc4.py b/docs/development/custom-vectors/arc4/generate_arc4.py index 2ca919b40858..208d18585ac6 100644 --- a/docs/development/custom-vectors/arc4/generate_arc4.py +++ b/docs/development/custom-vectors/arc4/generate_arc4.py @@ -69,9 +69,7 @@ def _build_vectors(): for offset in _RFC6229_OFFSETS: if offset % 16 != 0: raise ValueError( - "Offset {} is not evenly divisible by 16".format( - offset - ) + f"Offset {offset} is not evenly divisible by 16" ) while current_offset < offset: encryptor.update(plaintext) diff --git a/docs/development/custom-vectors/cast5/generate_cast5.py b/docs/development/custom-vectors/cast5/generate_cast5.py index 27fb4634e295..38d68c0b6df7 100644 --- a/docs/development/custom-vectors/cast5/generate_cast5.py +++ b/docs/development/custom-vectors/cast5/generate_cast5.py @@ -31,9 +31,7 @@ def build_vectors(mode, filename): if line.startswith("KEY"): if count != 0: output.append( - "CIPHERTEXT = {}".format( - encrypt(mode, key, iv, plaintext) - ) + f"CIPHERTEXT = {encrypt(mode, key, iv, plaintext)}" ) output.append(f"\nCOUNT = {count}") count += 1 diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index b4294224035a..3319e8f3a18f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -242,9 +242,7 @@ def cipher_supported(self, cipher: CipherAlgorithm, mode: Mode) -> bool: def register_cipher_adapter(self, cipher_cls, mode_cls, adapter) -> None: if (cipher_cls, mode_cls) in self._cipher_registry: raise ValueError( - "Duplicate registration for: {} {}.".format( - cipher_cls, mode_cls - ) + f"Duplicate registration for: {cipher_cls} {mode_cls}." ) self._cipher_registry[cipher_cls, mode_cls] = adapter diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index b9c96a78faa1..3a99fbfa80cf 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -242,9 +242,7 @@ def _rsa_sig_setup( if res <= 0: backend._consume_errors() raise UnsupportedAlgorithm( - "{} is not supported for the RSA signature operation.".format( - padding.name - ), + f"{padding.name} is not supported for the RSA signature operation", _Reasons.UNSUPPORTED_PADDING, ) if isinstance(padding, PSS): diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index ac99592f55a7..f3cd53059849 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -104,9 +104,7 @@ def public_bytes(self) -> bytes: Serializes the extension type to DER. """ raise NotImplementedError( - "public_bytes is not implemented for extension type {!r}".format( - self - ) + f"public_bytes is not implemented for extension type {self!r}" ) @@ -1795,9 +1793,7 @@ def __init__(self, invalidity_date: datetime.datetime) -> None: self._invalidity_date = invalidity_date def __repr__(self) -> str: - return "".format( - self._invalidity_date - ) + return f"" def __eq__(self, other: object) -> bool: if not isinstance(other, InvalidityDate): @@ -1841,9 +1837,7 @@ def __init__( ) def __repr__(self) -> str: - return "".format( - list(self) - ) + return f"" def __hash__(self) -> int: return hash(tuple(self._signed_certificate_timestamps)) diff --git a/src/cryptography/x509/general_name.py b/src/cryptography/x509/general_name.py index 79271afbf91e..672f28759cb0 100644 --- a/src/cryptography/x509/general_name.py +++ b/src/cryptography/x509/general_name.py @@ -269,9 +269,7 @@ def value(self) -> bytes: return self._value def __repr__(self) -> str: - return "".format( - self.type_id, self.value - ) + return f"" def __eq__(self, other: object) -> bool: if not isinstance(other, OtherName): diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index beb5739b22c0..1da36b86abf8 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -55,9 +55,7 @@ def _skip_ecdsa_vector(backend, curve_type, hash_type): def _skip_curve_unsupported(backend, curve): if not backend.elliptic_curve_supported(curve): pytest.skip( - "Curve {} is not supported by this backend {}".format( - curve.name, backend - ) + f"Curve {curve.name} is not supported by this backend {backend}" ) @@ -66,9 +64,7 @@ def _skip_exchange_algorithm_unsupported(backend, algorithm, curve): algorithm, curve ): pytest.skip( - "Exchange with {} curve is not supported by {}".format( - curve.name, backend - ) + f"Exchange with {curve.name} curve is not supported by {backend}" ) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 79f54e495241..0cd3111bc2b7 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -40,9 +40,7 @@ def _skip_curve_unsupported(backend, curve): if not backend.elliptic_curve_supported(curve): pytest.skip( - "Curve {} is not supported by this backend {}".format( - curve.name, backend - ) + f"Curve {curve.name} is not supported by this backend {backend}" ) diff --git a/tests/hazmat/primitives/test_x963_vectors.py b/tests/hazmat/primitives/test_x963_vectors.py index 7614c373c9ea..fcb3d8b02b56 100644 --- a/tests/hazmat/primitives/test_x963_vectors.py +++ b/tests/hazmat/primitives/test_x963_vectors.py @@ -19,9 +19,7 @@ def _skip_hashfn_unsupported(backend, hashfn): if not backend.hash_supported(hashfn): pytest.skip( - "Hash {} is not supported by this backend {}".format( - hashfn.name, backend - ) + f"Hash {hashfn.name} is not supported by this backend {backend}" ) From 023cd95ed20619bf4daf6c7c73b6ffe6efd0cd30 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jul 2023 06:29:08 -0700 Subject: [PATCH 0178/1014] Bump ruff from 0.0.277 to 0.0.278 (#9229) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.277 to 0.0.278. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.277...v0.0.278) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ba67d42cff75..edbecf93be29 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.2 # via twine -ruff==0.0.277 +ruff==0.0.278 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From a0c21832e4490b6d00364bc266cd165879d466b4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jul 2023 06:29:24 -0700 Subject: [PATCH 0179/1014] Bump zipp from 3.16.0 to 3.16.1 (#9228) Bumps [zipp](https://github.com/jaraco/zipp) from 3.16.0 to 3.16.1. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.16.0...v3.16.1) --- updated-dependencies: - dependency-name: zipp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index edbecf93be29..9fdf767f2e23 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -189,7 +189,7 @@ virtualenv==20.23.1 # via nox webencodings==0.5.1 # via bleach -zipp==3.16.0; python_version >= "3.8" +zipp==3.16.1; python_version >= "3.8" # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: From 6857d2e1460670ae857f4a6d28c811ba6e735a2e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 14 Jul 2023 00:19:12 +0000 Subject: [PATCH 0180/1014] Bump BoringSSL and/or OpenSSL in CI (#9230) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f6bbceff1ac0..c7112731668e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 13, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b98ce18c5b3f0c28bd64b27b6494f176404da4e4"}} - # Latest commit on the OpenSSL master branch, as of Jul 13, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "66f61ece724a54253da36f70274bc320faf9f4e2"}} + # Latest commit on the BoringSSL master branch, as of Jul 14, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "26ecb2a275ca7444d10899b8a3fe76d84831fca4"}} + # Latest commit on the OpenSSL master branch, as of Jul 14, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7a3d32ae4602eb4d09c6d998b2b1ba4b81ec1f54"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 23cea5894051b717c2225effbc12aed6628ca21f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 13 Jul 2023 20:45:22 -0400 Subject: [PATCH 0181/1014] Try enabling coverage on aarch64 musl (#9231) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c7112731668e..2635479f8400 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -165,7 +165,7 @@ jobs: - {IMAGE: "centos-stream9-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - {IMAGE: "ubuntu-jammy:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - - {IMAGE: "alpine:aarch64", NOXSESSION: "tests-nocoverage", RUNNER: [self-hosted, Linux, ARM64]} + - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} timeout-minutes: 15 env: RUSTUP_HOME: /root/.rustup From dd2175859c2299fd0b0f5266c17bf807bbef7bbd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 13 Jul 2023 22:55:05 -0400 Subject: [PATCH 0182/1014] Add CHANGELOG entry (#9232) --- CHANGELOG.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 43bc4323a138..4690c6d4a460 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,8 @@ Changelog .. note:: This version is not yet released and is under active development. +* Parsing SSH certificates no longer permits malformed critical options with + values, as documented in the 41.0.2 release notes. .. _v41-0-2: From 04c4ea58b46aae7b19f3bd28aea674ee7e21da15 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Jul 2023 12:37:22 +0000 Subject: [PATCH 0183/1014] Bump actions/setup-python from 4.6.1 to 4.7.0 (#9233) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.1 to 4.7.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/bd6b4b6205c4dbad673328db7b31b7fab9e241c0...61a6322f88396a6271a6ee3565807d608ecaddd1) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index f0a44b9489c7..e943b6b00cb8 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -35,7 +35,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2635479f8400..748837c11089 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -65,7 +65,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -241,7 +241,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 @@ -300,7 +300,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -375,7 +375,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -420,7 +420,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: '3.11' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index eb2376378ef8..2d959ccd9e87 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 6bfd388e2587..c134d3cf2efb 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -217,7 +217,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -311,7 +311,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 39561b97f714d573763e8aaf3c680e3d7aa665b2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 14 Jul 2023 20:19:56 -0400 Subject: [PATCH 0184/1014] Bump BoringSSL and/or OpenSSL in CI (#9237) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 748837c11089..0a091960d6ea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 14, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "26ecb2a275ca7444d10899b8a3fe76d84831fca4"}} - # Latest commit on the OpenSSL master branch, as of Jul 14, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7a3d32ae4602eb4d09c6d998b2b1ba4b81ec1f54"}} + # Latest commit on the BoringSSL master branch, as of Jul 15, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4f8755f8e66b77ca2230f376bc5d5d54b28544e"}} + # Latest commit on the OpenSSL master branch, as of Jul 15, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1e398bec538978b9957e69bf9e12b3c626290bea"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 42c7d70e00f2391e2fe7fd81f92b454c0adf9e09 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 14 Jul 2023 21:07:03 -0400 Subject: [PATCH 0185/1014] Run wheel-builder on changes to requirements it uses (#9239) * Run wheel-builder on changes to requirements it uses * Update wheel-builder.yml --- .github/workflows/wheel-builder.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index c134d3cf2efb..3747eb106d0f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -15,6 +15,7 @@ on: pull_request: paths: - .github/workflows/wheel-builder.yml + - .github/requirements/** - setup.py - pyproject.toml - vectors/pyproject.toml From 0bcdb12556894f8d897dc451757d68fd98417662 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jul 2023 12:31:54 +0000 Subject: [PATCH 0186/1014] Bump virtualenv from 20.23.1 to 20.24.0 (#9240) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.23.1 to 20.24.0. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.23.1...20.24.0) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9fdf767f2e23..0b72fb04e941 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.3 # via # requests # twine -virtualenv==20.23.1 +virtualenv==20.24.0 # via nox webencodings==0.5.1 # via bleach From 6ab8211b0604159f16b9efb1e7ec65d43960438a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jul 2023 12:35:04 +0000 Subject: [PATCH 0187/1014] Bump unicode-ident from 1.0.10 to 1.0.11 in /src/rust (#9241) Bumps [unicode-ident](https://github.com/dtolnay/unicode-ident) from 1.0.10 to 1.0.11. - [Release notes](https://github.com/dtolnay/unicode-ident/releases) - [Commits](https://github.com/dtolnay/unicode-ident/compare/1.0.10...1.0.11) --- updated-dependencies: - dependency-name: unicode-ident dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0e8f518e259c..f62a3deb7f76 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "df8e77cb757a61f51b947ec4a7e3646efd825b73561db1c232a8ccb639e611a0" [[package]] name = "unicode-ident" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22049a19f4a68748a168c0fc439f9516686aa045927ff767eca0a85101fb6e73" +checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c" [[package]] name = "unindent" From 6eba985bfbfef83330b8ecde3f04c2838e6ca590 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jul 2023 12:37:32 +0000 Subject: [PATCH 0188/1014] Bump zipp from 3.16.1 to 3.16.2 (#9242) Bumps [zipp](https://github.com/jaraco/zipp) from 3.16.1 to 3.16.2. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.16.1...v3.16.2) --- updated-dependencies: - dependency-name: zipp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0b72fb04e941..26dc478a4f98 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -189,7 +189,7 @@ virtualenv==20.24.0 # via nox webencodings==0.5.1 # via bleach -zipp==3.16.1; python_version >= "3.8" +zipp==3.16.2; python_version >= "3.8" # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: From 60f586cd85fa436f5fd63848e55312196c7bdde1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jul 2023 21:48:00 +0000 Subject: [PATCH 0189/1014] Bump quote from 1.0.29 to 1.0.30 in /src/rust (#9243) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.29 to 1.0.30. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.29...1.0.30) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f62a3deb7f76..ce0db0b2864f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.29" +version = "1.0.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105" +checksum = "5907a1b7c277254a8b15170f6e7c97cfa60ee7872a3217663bb81151e48184bb" dependencies = [ "proc-macro2", ] From 7b03e4cb0a2e5ef7eed6f8a1fef61200555fc9cb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jul 2023 21:49:03 +0000 Subject: [PATCH 0190/1014] Bump proc-macro2 from 1.0.64 to 1.0.65 in /src/rust (#9244) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.64 to 1.0.65. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.64...1.0.65) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ce0db0b2864f..3ce77f97fc1e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -226,9 +226,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.64" +version = "1.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78803b62cbf1f46fde80d7c0e803111524b9877184cfe7c3033659490ac7a7da" +checksum = "92de25114670a878b1261c79c9f8f729fb97e95bac93f6312f583c60dd6a1dfe" dependencies = [ "unicode-ident", ] From d8b266bc1c2c5fdab56a6cd9ef52601a19087822 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 15 Jul 2023 21:54:40 +0000 Subject: [PATCH 0191/1014] Bump platformdirs from 3.8.1 to 3.9.0 (#9245) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.8.1 to 3.9.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.8.1...3.9.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 26dc478a4f98..b2cee83ed08c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.1 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.8.1 +platformdirs==3.9.0 # via # black # virtualenv From b7aa59fd18d13b1e52f4bbfde05cdfabe9f5e6a0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 15 Jul 2023 23:11:23 -0400 Subject: [PATCH 0192/1014] Bump publish requirements (#9246) --- .github/dependabot.yml | 2 +- .github/requirements/publish-requirements.txt | 294 +++++++++--------- 2 files changed, 150 insertions(+), 146 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 865653e8f1f1..4d5d2dace0c2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -38,7 +38,7 @@ updates: open-pull-requests-limit: 1024 - package-ecosystem: pip - directory: ".github/requirements" + directory: "/.github/requirements/" schedule: interval: daily open-pull-requests-limit: 1024 diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 0aea81f52b99..f7f2e141b5b7 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -86,103 +86,107 @@ cffi==1.15.1 \ --hash=sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01 \ --hash=sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0 # via cryptography -charset-normalizer==3.1.0 \ - --hash=sha256:04afa6387e2b282cf78ff3dbce20f0cc071c12dc8f685bd40960cc68644cfea6 \ - --hash=sha256:04eefcee095f58eaabe6dc3cc2262f3bcd776d2c67005880894f447b3f2cb9c1 \ - --hash=sha256:0be65ccf618c1e7ac9b849c315cc2e8a8751d9cfdaa43027d4f6624bd587ab7e \ - --hash=sha256:0c95f12b74681e9ae127728f7e5409cbbef9cd914d5896ef238cc779b8152373 \ - --hash=sha256:0ca564606d2caafb0abe6d1b5311c2649e8071eb241b2d64e75a0d0065107e62 \ - --hash=sha256:10c93628d7497c81686e8e5e557aafa78f230cd9e77dd0c40032ef90c18f2230 \ - --hash=sha256:11d117e6c63e8f495412d37e7dc2e2fff09c34b2d09dbe2bee3c6229577818be \ - --hash=sha256:11d3bcb7be35e7b1bba2c23beedac81ee893ac9871d0ba79effc7fc01167db6c \ - --hash=sha256:12a2b561af122e3d94cdb97fe6fb2bb2b82cef0cdca131646fdb940a1eda04f0 \ - --hash=sha256:12d1a39aa6b8c6f6248bb54550efcc1c38ce0d8096a146638fd4738e42284448 \ - --hash=sha256:1435ae15108b1cb6fffbcea2af3d468683b7afed0169ad718451f8db5d1aff6f \ - --hash=sha256:1c60b9c202d00052183c9be85e5eaf18a4ada0a47d188a83c8f5c5b23252f649 \ - --hash=sha256:1e8fcdd8f672a1c4fc8d0bd3a2b576b152d2a349782d1eb0f6b8e52e9954731d \ - --hash=sha256:20064ead0717cf9a73a6d1e779b23d149b53daf971169289ed2ed43a71e8d3b0 \ - --hash=sha256:21fa558996782fc226b529fdd2ed7866c2c6ec91cee82735c98a197fae39f706 \ - --hash=sha256:22908891a380d50738e1f978667536f6c6b526a2064156203d418f4856d6e86a \ - --hash=sha256:3160a0fd9754aab7d47f95a6b63ab355388d890163eb03b2d2b87ab0a30cfa59 \ - --hash=sha256:322102cdf1ab682ecc7d9b1c5eed4ec59657a65e1c146a0da342b78f4112db23 \ - --hash=sha256:34e0a2f9c370eb95597aae63bf85eb5e96826d81e3dcf88b8886012906f509b5 \ - --hash=sha256:3573d376454d956553c356df45bb824262c397c6e26ce43e8203c4c540ee0acb \ - --hash=sha256:3747443b6a904001473370d7810aa19c3a180ccd52a7157aacc264a5ac79265e \ - --hash=sha256:38e812a197bf8e71a59fe55b757a84c1f946d0ac114acafaafaf21667a7e169e \ - --hash=sha256:3a06f32c9634a8705f4ca9946d667609f52cf130d5548881401f1eb2c39b1e2c \ - --hash=sha256:3a5fc78f9e3f501a1614a98f7c54d3969f3ad9bba8ba3d9b438c3bc5d047dd28 \ - --hash=sha256:3d9098b479e78c85080c98e1e35ff40b4a31d8953102bb0fd7d1b6f8a2111a3d \ - --hash=sha256:3dc5b6a8ecfdc5748a7e429782598e4f17ef378e3e272eeb1340ea57c9109f41 \ - --hash=sha256:4155b51ae05ed47199dc5b2a4e62abccb274cee6b01da5b895099b61b1982974 \ - --hash=sha256:49919f8400b5e49e961f320c735388ee686a62327e773fa5b3ce6721f7e785ce \ - --hash=sha256:53d0a3fa5f8af98a1e261de6a3943ca631c526635eb5817a87a59d9a57ebf48f \ - --hash=sha256:5f008525e02908b20e04707a4f704cd286d94718f48bb33edddc7d7b584dddc1 \ - --hash=sha256:628c985afb2c7d27a4800bfb609e03985aaecb42f955049957814e0491d4006d \ - --hash=sha256:65ed923f84a6844de5fd29726b888e58c62820e0769b76565480e1fdc3d062f8 \ - --hash=sha256:6734e606355834f13445b6adc38b53c0fd45f1a56a9ba06c2058f86893ae8017 \ - --hash=sha256:6baf0baf0d5d265fa7944feb9f7451cc316bfe30e8df1a61b1bb08577c554f31 \ - --hash=sha256:6f4f4668e1831850ebcc2fd0b1cd11721947b6dc7c00bf1c6bd3c929ae14f2c7 \ - --hash=sha256:6f5c2e7bc8a4bf7c426599765b1bd33217ec84023033672c1e9a8b35eaeaaaf8 \ - --hash=sha256:6f6c7a8a57e9405cad7485f4c9d3172ae486cfef1344b5ddd8e5239582d7355e \ - --hash=sha256:7381c66e0561c5757ffe616af869b916c8b4e42b367ab29fedc98481d1e74e14 \ - --hash=sha256:73dc03a6a7e30b7edc5b01b601e53e7fc924b04e1835e8e407c12c037e81adbd \ - --hash=sha256:74db0052d985cf37fa111828d0dd230776ac99c740e1a758ad99094be4f1803d \ - --hash=sha256:75f2568b4189dda1c567339b48cba4ac7384accb9c2a7ed655cd86b04055c795 \ - --hash=sha256:78cacd03e79d009d95635e7d6ff12c21eb89b894c354bd2b2ed0b4763373693b \ - --hash=sha256:80d1543d58bd3d6c271b66abf454d437a438dff01c3e62fdbcd68f2a11310d4b \ - --hash=sha256:830d2948a5ec37c386d3170c483063798d7879037492540f10a475e3fd6f244b \ - --hash=sha256:891cf9b48776b5c61c700b55a598621fdb7b1e301a550365571e9624f270c203 \ - --hash=sha256:8f25e17ab3039b05f762b0a55ae0b3632b2e073d9c8fc88e89aca31a6198e88f \ - --hash=sha256:9a3267620866c9d17b959a84dd0bd2d45719b817245e49371ead79ed4f710d19 \ - --hash=sha256:a04f86f41a8916fe45ac5024ec477f41f886b3c435da2d4e3d2709b22ab02af1 \ - --hash=sha256:aaf53a6cebad0eae578f062c7d462155eada9c172bd8c4d250b8c1d8eb7f916a \ - --hash=sha256:abc1185d79f47c0a7aaf7e2412a0eb2c03b724581139193d2d82b3ad8cbb00ac \ - --hash=sha256:ac0aa6cd53ab9a31d397f8303f92c42f534693528fafbdb997c82bae6e477ad9 \ - --hash=sha256:ac3775e3311661d4adace3697a52ac0bab17edd166087d493b52d4f4f553f9f0 \ - --hash=sha256:b06f0d3bf045158d2fb8837c5785fe9ff9b8c93358be64461a1089f5da983137 \ - --hash=sha256:b116502087ce8a6b7a5f1814568ccbd0e9f6cfd99948aa59b0e241dc57cf739f \ - --hash=sha256:b82fab78e0b1329e183a65260581de4375f619167478dddab510c6c6fb04d9b6 \ - --hash=sha256:bd7163182133c0c7701b25e604cf1611c0d87712e56e88e7ee5d72deab3e76b5 \ - --hash=sha256:c36bcbc0d5174a80d6cccf43a0ecaca44e81d25be4b7f90f0ed7bcfbb5a00909 \ - --hash=sha256:c3af8e0f07399d3176b179f2e2634c3ce9c1301379a6b8c9c9aeecd481da494f \ - --hash=sha256:c84132a54c750fda57729d1e2599bb598f5fa0344085dbde5003ba429a4798c0 \ - --hash=sha256:cb7b2ab0188829593b9de646545175547a70d9a6e2b63bf2cd87a0a391599324 \ - --hash=sha256:cca4def576f47a09a943666b8f829606bcb17e2bc2d5911a46c8f8da45f56755 \ - --hash=sha256:cf6511efa4801b9b38dc5546d7547d5b5c6ef4b081c60b23e4d941d0eba9cbeb \ - --hash=sha256:d16fd5252f883eb074ca55cb622bc0bee49b979ae4e8639fff6ca3ff44f9f854 \ - --hash=sha256:d2686f91611f9e17f4548dbf050e75b079bbc2a82be565832bc8ea9047b61c8c \ - --hash=sha256:d7fc3fca01da18fbabe4625d64bb612b533533ed10045a2ac3dd194bfa656b60 \ - --hash=sha256:dd5653e67b149503c68c4018bf07e42eeed6b4e956b24c00ccdf93ac79cdff84 \ - --hash=sha256:de5695a6f1d8340b12a5d6d4484290ee74d61e467c39ff03b39e30df62cf83a0 \ - --hash=sha256:e0ac8959c929593fee38da1c2b64ee9778733cdf03c482c9ff1d508b6b593b2b \ - --hash=sha256:e1b25e3ad6c909f398df8921780d6a3d120d8c09466720226fc621605b6f92b1 \ - --hash=sha256:e633940f28c1e913615fd624fcdd72fdba807bf53ea6925d6a588e84e1151531 \ - --hash=sha256:e89df2958e5159b811af9ff0f92614dabf4ff617c03a4c1c6ff53bf1c399e0e1 \ - --hash=sha256:ea9f9c6034ea2d93d9147818f17c2a0860d41b71c38b9ce4d55f21b6f9165a11 \ - --hash=sha256:f645caaf0008bacf349875a974220f1f1da349c5dbe7c4ec93048cdc785a3326 \ - --hash=sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df \ - --hash=sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab +charset-normalizer==3.2.0 \ + --hash=sha256:04e57ab9fbf9607b77f7d057974694b4f6b142da9ed4a199859d9d4d5c63fe96 \ + --hash=sha256:09393e1b2a9461950b1c9a45d5fd251dc7c6f228acab64da1c9c0165d9c7765c \ + --hash=sha256:0b87549028f680ca955556e3bd57013ab47474c3124dc069faa0b6545b6c9710 \ + --hash=sha256:1000fba1057b92a65daec275aec30586c3de2401ccdcd41f8a5c1e2c87078706 \ + --hash=sha256:1249cbbf3d3b04902ff081ffbb33ce3377fa6e4c7356f759f3cd076cc138d020 \ + --hash=sha256:1920d4ff15ce893210c1f0c0e9d19bfbecb7983c76b33f046c13a8ffbd570252 \ + --hash=sha256:193cbc708ea3aca45e7221ae58f0fd63f933753a9bfb498a3b474878f12caaad \ + --hash=sha256:1a100c6d595a7f316f1b6f01d20815d916e75ff98c27a01ae817439ea7726329 \ + --hash=sha256:1f30b48dd7fa1474554b0b0f3fdfdd4c13b5c737a3c6284d3cdc424ec0ffff3a \ + --hash=sha256:203f0c8871d5a7987be20c72442488a0b8cfd0f43b7973771640fc593f56321f \ + --hash=sha256:246de67b99b6851627d945db38147d1b209a899311b1305dd84916f2b88526c6 \ + --hash=sha256:2dee8e57f052ef5353cf608e0b4c871aee320dd1b87d351c28764fc0ca55f9f4 \ + --hash=sha256:2efb1bd13885392adfda4614c33d3b68dee4921fd0ac1d3988f8cbb7d589e72a \ + --hash=sha256:2f4ac36d8e2b4cc1aa71df3dd84ff8efbe3bfb97ac41242fbcfc053c67434f46 \ + --hash=sha256:3170c9399da12c9dc66366e9d14da8bf7147e1e9d9ea566067bbce7bb74bd9c2 \ + --hash=sha256:3b1613dd5aee995ec6d4c69f00378bbd07614702a315a2cf6c1d21461fe17c23 \ + --hash=sha256:3bb3d25a8e6c0aedd251753a79ae98a093c7e7b471faa3aa9a93a81431987ace \ + --hash=sha256:3bb7fda7260735efe66d5107fb7e6af6a7c04c7fce9b2514e04b7a74b06bf5dd \ + --hash=sha256:41b25eaa7d15909cf3ac4c96088c1f266a9a93ec44f87f1d13d4a0e86c81b982 \ + --hash=sha256:45de3f87179c1823e6d9e32156fb14c1927fcc9aba21433f088fdfb555b77c10 \ + --hash=sha256:46fb8c61d794b78ec7134a715a3e564aafc8f6b5e338417cb19fe9f57a5a9bf2 \ + --hash=sha256:48021783bdf96e3d6de03a6e39a1171ed5bd7e8bb93fc84cc649d11490f87cea \ + --hash=sha256:4957669ef390f0e6719db3613ab3a7631e68424604a7b448f079bee145da6e09 \ + --hash=sha256:5e86d77b090dbddbe78867a0275cb4df08ea195e660f1f7f13435a4649e954e5 \ + --hash=sha256:6339d047dab2780cc6220f46306628e04d9750f02f983ddb37439ca47ced7149 \ + --hash=sha256:681eb3d7e02e3c3655d1b16059fbfb605ac464c834a0c629048a30fad2b27489 \ + --hash=sha256:6c409c0deba34f147f77efaa67b8e4bb83d2f11c8806405f76397ae5b8c0d1c9 \ + --hash=sha256:7095f6fbfaa55defb6b733cfeb14efaae7a29f0b59d8cf213be4e7ca0b857b80 \ + --hash=sha256:70c610f6cbe4b9fce272c407dd9d07e33e6bf7b4aa1b7ffb6f6ded8e634e3592 \ + --hash=sha256:72814c01533f51d68702802d74f77ea026b5ec52793c791e2da806a3844a46c3 \ + --hash=sha256:7a4826ad2bd6b07ca615c74ab91f32f6c96d08f6fcc3902ceeedaec8cdc3bcd6 \ + --hash=sha256:7c70087bfee18a42b4040bb9ec1ca15a08242cf5867c58726530bdf3945672ed \ + --hash=sha256:855eafa5d5a2034b4621c74925d89c5efef61418570e5ef9b37717d9c796419c \ + --hash=sha256:8700f06d0ce6f128de3ccdbc1acaea1ee264d2caa9ca05daaf492fde7c2a7200 \ + --hash=sha256:89f1b185a01fe560bc8ae5f619e924407efca2191b56ce749ec84982fc59a32a \ + --hash=sha256:8b2c760cfc7042b27ebdb4a43a4453bd829a5742503599144d54a032c5dc7e9e \ + --hash=sha256:8c2f5e83493748286002f9369f3e6607c565a6a90425a3a1fef5ae32a36d749d \ + --hash=sha256:8e098148dd37b4ce3baca71fb394c81dc5d9c7728c95df695d2dca218edf40e6 \ + --hash=sha256:94aea8eff76ee6d1cdacb07dd2123a68283cb5569e0250feab1240058f53b623 \ + --hash=sha256:95eb302ff792e12aba9a8b8f8474ab229a83c103d74a750ec0bd1c1eea32e669 \ + --hash=sha256:9bd9b3b31adcb054116447ea22caa61a285d92e94d710aa5ec97992ff5eb7cf3 \ + --hash=sha256:9e608aafdb55eb9f255034709e20d5a83b6d60c054df0802fa9c9883d0a937aa \ + --hash=sha256:a103b3a7069b62f5d4890ae1b8f0597618f628b286b03d4bc9195230b154bfa9 \ + --hash=sha256:a386ebe437176aab38c041de1260cd3ea459c6ce5263594399880bbc398225b2 \ + --hash=sha256:a38856a971c602f98472050165cea2cdc97709240373041b69030be15047691f \ + --hash=sha256:a401b4598e5d3f4a9a811f3daf42ee2291790c7f9d74b18d75d6e21dda98a1a1 \ + --hash=sha256:a7647ebdfb9682b7bb97e2a5e7cb6ae735b1c25008a70b906aecca294ee96cf4 \ + --hash=sha256:aaf63899c94de41fe3cf934601b0f7ccb6b428c6e4eeb80da72c58eab077b19a \ + --hash=sha256:b0dac0ff919ba34d4df1b6131f59ce95b08b9065233446be7e459f95554c0dc8 \ + --hash=sha256:baacc6aee0b2ef6f3d308e197b5d7a81c0e70b06beae1f1fcacffdbd124fe0e3 \ + --hash=sha256:bf420121d4c8dce6b889f0e8e4ec0ca34b7f40186203f06a946fa0276ba54029 \ + --hash=sha256:c04a46716adde8d927adb9457bbe39cf473e1e2c2f5d0a16ceb837e5d841ad4f \ + --hash=sha256:c0b21078a4b56965e2b12f247467b234734491897e99c1d51cee628da9786959 \ + --hash=sha256:c1c76a1743432b4b60ab3358c937a3fe1341c828ae6194108a94c69028247f22 \ + --hash=sha256:c4983bf937209c57240cff65906b18bb35e64ae872da6a0db937d7b4af845dd7 \ + --hash=sha256:c4fb39a81950ec280984b3a44f5bd12819953dc5fa3a7e6fa7a80db5ee853952 \ + --hash=sha256:c57921cda3a80d0f2b8aec7e25c8aa14479ea92b5b51b6876d975d925a2ea346 \ + --hash=sha256:c8063cf17b19661471ecbdb3df1c84f24ad2e389e326ccaf89e3fb2484d8dd7e \ + --hash=sha256:ccd16eb18a849fd8dcb23e23380e2f0a354e8daa0c984b8a732d9cfaba3a776d \ + --hash=sha256:cd6dbe0238f7743d0efe563ab46294f54f9bc8f4b9bcf57c3c666cc5bc9d1299 \ + --hash=sha256:d62e51710986674142526ab9f78663ca2b0726066ae26b78b22e0f5e571238dd \ + --hash=sha256:db901e2ac34c931d73054d9797383d0f8009991e723dab15109740a63e7f902a \ + --hash=sha256:e03b8895a6990c9ab2cdcd0f2fe44088ca1c65ae592b8f795c3294af00a461c3 \ + --hash=sha256:e1c8a2f4c69e08e89632defbfabec2feb8a8d99edc9f89ce33c4b9e36ab63037 \ + --hash=sha256:e4b749b9cc6ee664a3300bb3a273c1ca8068c46be705b6c31cf5d276f8628a94 \ + --hash=sha256:e6a5bf2cba5ae1bb80b154ed68a3cfa2fa00fde979a7f50d6598d3e17d9ac20c \ + --hash=sha256:e857a2232ba53ae940d3456f7533ce6ca98b81917d47adc3c7fd55dad8fab858 \ + --hash=sha256:ee4006268ed33370957f55bf2e6f4d263eaf4dc3cfc473d1d90baff6ed36ce4a \ + --hash=sha256:eef9df1eefada2c09a5e7a40991b9fc6ac6ef20b1372abd48d2794a316dc0449 \ + --hash=sha256:f058f6963fd82eb143c692cecdc89e075fa0828db2e5b291070485390b2f1c9c \ + --hash=sha256:f25c229a6ba38a35ae6e25ca1264621cc25d4d38dca2942a7fce0b67a4efe918 \ + --hash=sha256:f2a1d0fd4242bd8643ce6f98927cf9c04540af6efa92323e9d3124f57727bfc1 \ + --hash=sha256:f7560358a6811e52e9c4d142d497f1a6e10103d3a6881f18d04dbce3729c0e2c \ + --hash=sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac \ + --hash=sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa # via requests -cryptography==41.0.1 \ - --hash=sha256:059e348f9a3c1950937e1b5d7ba1f8e968508ab181e75fc32b879452f08356db \ - --hash=sha256:1a5472d40c8f8e91ff7a3d8ac6dfa363d8e3138b961529c996f3e2df0c7a411a \ - --hash=sha256:1a8e6c2de6fbbcc5e14fd27fb24414507cb3333198ea9ab1258d916f00bc3039 \ - --hash=sha256:1fee5aacc7367487b4e22484d3c7e547992ed726d14864ee33c0176ae43b0d7c \ - --hash=sha256:5d092fdfedaec4cbbffbf98cddc915ba145313a6fdaab83c6e67f4e6c218e6f3 \ - --hash=sha256:5f0ff6e18d13a3de56f609dd1fd11470918f770c6bd5d00d632076c727d35485 \ - --hash=sha256:7bfc55a5eae8b86a287747053140ba221afc65eb06207bedf6e019b8934b477c \ - --hash=sha256:7fa01527046ca5facdf973eef2535a27fec4cb651e4daec4d043ef63f6ecd4ca \ - --hash=sha256:8dde71c4169ec5ccc1087bb7521d54251c016f126f922ab2dfe6649170a3b8c5 \ - --hash=sha256:8f4ab7021127a9b4323537300a2acfb450124b2def3756f64dc3a3d2160ee4b5 \ - --hash=sha256:948224d76c4b6457349d47c0c98657557f429b4e93057cf5a2f71d603e2fc3a3 \ - --hash=sha256:9a6c7a3c87d595608a39980ebaa04d5a37f94024c9f24eb7d10262b92f739ddb \ - --hash=sha256:b46e37db3cc267b4dea1f56da7346c9727e1209aa98487179ee8ebed09d21e43 \ - --hash=sha256:b4ceb5324b998ce2003bc17d519080b4ec8d5b7b70794cbd2836101406a9be31 \ - --hash=sha256:cb33ccf15e89f7ed89b235cff9d49e2e62c6c981a6061c9c8bb47ed7951190bc \ - --hash=sha256:d198820aba55660b4d74f7b5fd1f17db3aa5eb3e6893b0a41b75e84e4f9e0e4b \ - --hash=sha256:d34579085401d3f49762d2f7d6634d6b6c2ae1242202e860f4d26b046e3a1006 \ - --hash=sha256:eb8163f5e549a22888c18b0d53d6bb62a20510060a22fd5a995ec8a05268df8a \ - --hash=sha256:f73bff05db2a3e5974a6fd248af2566134d8981fd7ab012e5dd4ddb1d9a70699 +cryptography==41.0.2 \ + --hash=sha256:01f1d9e537f9a15b037d5d9ee442b8c22e3ae11ce65ea1f3316a41c78756b711 \ + --hash=sha256:079347de771f9282fbfe0e0236c716686950c19dee1b76240ab09ce1624d76d7 \ + --hash=sha256:182be4171f9332b6741ee818ec27daff9fb00349f706629f5cbf417bd50e66fd \ + --hash=sha256:192255f539d7a89f2102d07d7375b1e0a81f7478925b3bc2e0549ebf739dae0e \ + --hash=sha256:2a034bf7d9ca894720f2ec1d8b7b5832d7e363571828037f9e0c4f18c1b58a58 \ + --hash=sha256:342f3767e25876751e14f8459ad85e77e660537ca0a066e10e75df9c9e9099f0 \ + --hash=sha256:439c3cc4c0d42fa999b83ded80a9a1fb54d53c58d6e59234cfe97f241e6c781d \ + --hash=sha256:49c3222bb8f8e800aead2e376cbef687bc9e3cb9b58b29a261210456a7783d83 \ + --hash=sha256:674b669d5daa64206c38e507808aae49904c988fa0a71c935e7006a3e1e83831 \ + --hash=sha256:7a9a3bced53b7f09da251685224d6a260c3cb291768f54954e28f03ef14e3766 \ + --hash=sha256:7af244b012711a26196450d34f483357e42aeddb04128885d95a69bd8b14b69b \ + --hash=sha256:7d230bf856164de164ecb615ccc14c7fc6de6906ddd5b491f3af90d3514c925c \ + --hash=sha256:84609ade00a6ec59a89729e87a503c6e36af98ddcd566d5f3be52e29ba993182 \ + --hash=sha256:9a6673c1828db6270b76b22cc696f40cde9043eb90373da5c2f8f2158957f42f \ + --hash=sha256:9b6d717393dbae53d4e52684ef4f022444fc1cce3c48c38cb74fca29e1f08eaa \ + --hash=sha256:9c3fe6534d59d071ee82081ca3d71eed3210f76ebd0361798c74abc2bcf347d4 \ + --hash=sha256:a719399b99377b218dac6cf547b6ec54e6ef20207b6165126a280b0ce97e0d2a \ + --hash=sha256:b332cba64d99a70c1e0836902720887fb4529ea49ea7f5462cf6640e095e11d2 \ + --hash=sha256:d124682c7a23c9764e54ca9ab5b308b14b18eba02722b8659fb238546de83a76 \ + --hash=sha256:d73f419a56d74fef257955f51b18d046f3506270a5fd2ac5febbfa259d6c0fa5 \ + --hash=sha256:f0dc40e6f7aa37af01aba07277d3d64d5a03dc66d682097541ec4da03cc140ee \ + --hash=sha256:f14ad275364c8b4e525d018f6716537ae7b6d369c094805cae45300847e0894f \ + --hash=sha256:f772610fe364372de33d76edcd313636a25684edb94cee53fd790195f5989d14 # via # pyopenssl # sigstore @@ -213,19 +217,19 @@ idna==3.4 \ --hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \ --hash=sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2 # via requests -importlib-metadata==6.7.0 \ - --hash=sha256:1aaf550d4f73e5d6783e7acb77aec43d49da8017410afae93822cc9cca98c4d4 \ - --hash=sha256:cb52082e659e97afc5dac71e79de97d8681de3aa07ff18578330904a9d18e5b5 +importlib-metadata==6.8.0 \ + --hash=sha256:3ebb78df84a805d7698245025b975d9d67053cd94c79245ba4b3eb694abe68bb \ + --hash=sha256:dbace7892d8c0c4ac1ad096662232f831d4e64f4c4545bd53016a3e9d4654743 # via # keyring # twine -importlib-resources==5.12.0 \ - --hash=sha256:4be82589bf5c1d7999aedf2a45159d10cb3ca4f19b2271f8792bc8e6da7b22f6 \ - --hash=sha256:7b1deeebbf351c7578e09bf2f63fa2ce8b5ffec296e0d349139d43cca061a81a +importlib-resources==5.13.0 \ + --hash=sha256:82d5c6cca930697dbbd86c93333bb2c2e72861d4789a11c2662b933e5ad2b528 \ + --hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2 # via sigstore -jaraco-classes==3.2.3 \ - --hash=sha256:2353de3288bc6b82120752201c6b1c1a14b058267fa424ed5ce5984e3b922158 \ - --hash=sha256:89559fa5c1d3c34eff6f631ad80bb21f378dbcbb35dd161fd2c6b93f5be2f98a +jaraco-classes==3.3.0 \ + --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ + --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 # via keyring keyring==24.2.0 \ --hash=sha256:4901caaf597bfd3bbd78c9a0c7c4c29fcd8310dab2cffefe749e916b6527acd6 \ @@ -327,43 +331,43 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic==1.10.10 \ - --hash=sha256:20a3b30fd255eeeb63caa9483502ba96b7795ce5bf895c6a179b3d909d9f53a6 \ - --hash=sha256:2b71bd504d1573b0b722ae536e8ffb796bedeef978979d076bf206e77dcc55a5 \ - --hash=sha256:3403a090db45d4027d2344859d86eb797484dfda0706cf87af79ace6a35274ef \ - --hash=sha256:37ebddef68370e6f26243acc94de56d291e01227a67b2ace26ea3543cf53dd5f \ - --hash=sha256:3b8d5bd97886f9eb59260594207c9f57dce14a6f869c6ceea90188715d29921a \ - --hash=sha256:409b810f387610cc7405ab2fa6f62bdf7ea485311845a242ebc0bd0496e7e5ac \ - --hash=sha256:4870f13a4fafd5bc3e93cff3169222534fad867918b188e83ee0496452978437 \ - --hash=sha256:566a04ba755e8f701b074ffb134ddb4d429f75d5dced3fbd829a527aafe74c71 \ - --hash=sha256:67b3714b97ff84b2689654851c2426389bcabfac9080617bcf4306c69db606f6 \ - --hash=sha256:6dab5219659f95e357d98d70577b361383057fb4414cfdb587014a5f5c595f7b \ - --hash=sha256:748d10ab6089c5d196e1c8be9de48274f71457b01e59736f7a09c9dc34f51887 \ - --hash=sha256:762aa598f79b4cac2f275d13336b2dd8662febee2a9c450a49a2ab3bec4b385f \ - --hash=sha256:7a26841be620309a9697f5b1ffc47dce74909e350c5315ccdac7a853484d468a \ - --hash=sha256:7a7db03339893feef2092ff7b1afc9497beed15ebd4af84c3042a74abce02d48 \ - --hash=sha256:7aa75d1bd9cc275cf9782f50f60cddaf74cbaae19b6ada2a28e737edac420312 \ - --hash=sha256:86936c383f7c38fd26d35107eb669c85d8f46dfceae873264d9bab46fe1c7dde \ - --hash=sha256:88546dc10a40b5b52cae87d64666787aeb2878f9a9b37825aedc2f362e7ae1da \ - --hash=sha256:8c40964596809eb616d94f9c7944511f620a1103d63d5510440ed2908fc410af \ - --hash=sha256:990027e77cda6072a566e433b6962ca3b96b4f3ae8bd54748e9d62a58284d9d7 \ - --hash=sha256:9965e49c6905840e526e5429b09e4c154355b6ecc0a2f05492eda2928190311d \ - --hash=sha256:9f62a727f5c590c78c2d12fda302d1895141b767c6488fe623098f8792255fe5 \ - --hash=sha256:a2d5be50ac4a0976817144c7d653e34df2f9436d15555189f5b6f61161d64183 \ - --hash=sha256:a5939ec826f7faec434e2d406ff5e4eaf1716eb1f247d68cd3d0b3612f7b4c8a \ - --hash=sha256:aac218feb4af73db8417ca7518fb3bade4534fcca6e3fb00f84966811dd94450 \ - --hash=sha256:adad1ee4ab9888f12dac2529276704e719efcf472e38df7813f5284db699b4ec \ - --hash=sha256:b69f9138dec566962ec65623c9d57bee44412d2fc71065a5f3ebb3820bdeee96 \ - --hash=sha256:c41bbaae89e32fc582448e71974de738c055aef5ab474fb25692981a08df808a \ - --hash=sha256:c62376890b819bebe3c717a9ac841a532988372b7e600e76f75c9f7c128219d5 \ - --hash=sha256:ce937a2a2c020bcad1c9fde02892392a1123de6dda906ddba62bfe8f3e5989a2 \ - --hash=sha256:db4c7f7e60ca6f7d6c1785070f3e5771fcb9b2d88546e334d2f2c3934d949028 \ - --hash=sha256:e0014e29637125f4997c174dd6167407162d7af0da73414a9340461ea8573252 \ - --hash=sha256:e088e3865a2270ecbc369924cd7d9fbc565667d9158e7f304e4097ebb9cf98dd \ - --hash=sha256:ea9eebc2ebcba3717e77cdeee3f6203ffc0e78db5f7482c68b1293e8cc156e5e \ - --hash=sha256:edfdf0a5abc5c9bf2052ebaec20e67abd52e92d257e4f2d30e02c354ed3e6030 \ - --hash=sha256:f3d4ee957a727ccb5a36f1b0a6dbd9fad5dedd2a41eada99a8df55c12896e18d \ - --hash=sha256:f79db3652ed743309f116ba863dae0c974a41b688242482638b892246b7db21d +pydantic==1.10.11 \ + --hash=sha256:008c5e266c8aada206d0627a011504e14268a62091450210eda7c07fabe6963e \ + --hash=sha256:0588788a9a85f3e5e9ebca14211a496409cb3deca5b6971ff37c556d581854e7 \ + --hash=sha256:08a6c32e1c3809fbc49debb96bf833164f3438b3696abf0fbeceb417d123e6eb \ + --hash=sha256:16928fdc9cb273c6af00d9d5045434c39afba5f42325fb990add2c241402d151 \ + --hash=sha256:174899023337b9fc685ac8adaa7b047050616136ccd30e9070627c1aaab53a13 \ + --hash=sha256:192c608ad002a748e4a0bed2ddbcd98f9b56df50a7c24d9a931a8c5dd053bd3d \ + --hash=sha256:1954f8778489a04b245a1e7b8b22a9d3ea8ef49337285693cf6959e4b757535e \ + --hash=sha256:2417de68290434461a266271fc57274a138510dca19982336639484c73a07af6 \ + --hash=sha256:265a60da42f9f27e0b1014eab8acd3e53bd0bad5c5b4884e98a55f8f596b2c19 \ + --hash=sha256:331c031ba1554b974c98679bd0780d89670d6fd6f53f5d70b10bdc9addee1713 \ + --hash=sha256:373c0840f5c2b5b1ccadd9286782852b901055998136287828731868027a724f \ + --hash=sha256:3f34739a89260dfa420aa3cbd069fbcc794b25bbe5c0a214f8fb29e363484b66 \ + --hash=sha256:41e0bb6efe86281623abbeeb0be64eab740c865388ee934cd3e6a358784aca6e \ + --hash=sha256:4400015f15c9b464c9db2d5d951b6a780102cfa5870f2c036d37c23b56f7fc1b \ + --hash=sha256:44e51ba599c3ef227e168424e220cd3e544288c57829520dc90ea9cb190c3248 \ + --hash=sha256:469adf96c8e2c2bbfa655fc7735a2a82f4c543d9fee97bd113a7fb509bf5e622 \ + --hash=sha256:5b02d24f7b2b365fed586ed73582c20f353a4c50e4be9ba2c57ab96f8091ddae \ + --hash=sha256:7522a7666157aa22b812ce14c827574ddccc94f361237ca6ea8bb0d5c38f1629 \ + --hash=sha256:787cf23e5a0cde753f2eabac1b2e73ae3844eb873fd1f5bdbff3048d8dbb7604 \ + --hash=sha256:8268a735a14c308923e8958363e3a3404f6834bb98c11f5ab43251a4e410170c \ + --hash=sha256:8dc77064471780262b6a68fe67e013298d130414d5aaf9b562c33987dbd2cf4f \ + --hash=sha256:a451ccab49971af043ec4e0d207cbc8cbe53dbf148ef9f19599024076fe9c25b \ + --hash=sha256:a6c098d4ab5e2d5b3984d3cb2527e2d6099d3de85630c8934efcfdc348a9760e \ + --hash=sha256:abade85268cc92dff86d6effcd917893130f0ff516f3d637f50dadc22ae93999 \ + --hash=sha256:bc64eab9b19cd794a380179ac0e6752335e9555d214cfcb755820333c0784cb3 \ + --hash=sha256:c3339a46bbe6013ef7bdd2844679bfe500347ac5742cd4019a88312aa58a9847 \ + --hash=sha256:d185819a7a059550ecb85d5134e7d40f2565f3dd94cfd870132c5f91a89cf58c \ + --hash=sha256:d7781f1d13b19700b7949c5a639c764a077cbbdd4322ed505b449d3ca8edcb36 \ + --hash=sha256:e297897eb4bebde985f72a46a7552a7556a3dd11e7f76acda0c1093e3dbcf216 \ + --hash=sha256:e6cbfbd010b14c8a905a7b10f9fe090068d1744d46f9e0c021db28daeb8b6de1 \ + --hash=sha256:e9738b0f2e6c70f44ee0de53f2089d6002b10c33264abee07bdb5c7f03038303 \ + --hash=sha256:e9baf78b31da2dc3d3f346ef18e58ec5f12f5aaa17ac517e2ffd026a92a87588 \ + --hash=sha256:ef55392ec4bb5721f4ded1096241e4b7151ba6d50a50a80a2526c854f42e6a2f \ + --hash=sha256:f66d479cf7eb331372c470614be6511eae96f1f120344c25f3f9bb59fb1b5528 \ + --hash=sha256:fe429898f2c9dd209bd0632a606bddc06f8bce081bbd03d1c775a45886e2c1cb \ + --hash=sha256:ff44c5e89315b15ff1f7fdaf9853770b810936d6b01a7bcecaa227d2f8fe444f # via # id # sigstore @@ -453,7 +457,7 @@ webencodings==0.5.1 \ --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \ --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923 # via bleach -zipp==3.15.0 \ - --hash=sha256:112929ad649da941c23de50f356a2b5570c954b65150642bccdd66bf194d224b \ - --hash=sha256:48904fc76a60e542af151aded95726c1a5c34ed43ab4134b597665c86d7ad556 +zipp==3.16.2 \ + --hash=sha256:679e51dd4403591b2d6838a48de3d283f3d188412a9782faadf845f298736ba0 \ + --hash=sha256:ebc15946aa78bd63458992fc81ec3b6f7b1e92d51c35e6de1c3804e73b799147 # via importlib-metadata From e24e0ed2647e5043d04503d83faf379d22faa209 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Jul 2023 03:22:14 +0000 Subject: [PATCH 0193/1014] Bump platformdirs from 3.9.0 to 3.9.1 (#9247) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.9.0 to 3.9.1. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.9.0...3.9.1) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b2cee83ed08c..d20ac8525ea1 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.1 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.9.0 +platformdirs==3.9.1 # via # black # virtualenv From ebe432ddda02b51ffa5983a9b276d559dfbf1d15 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 16 Jul 2023 11:13:31 -0400 Subject: [PATCH 0194/1014] remove weird parens (#9248) --- src/cryptography/hazmat/_oid.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py index 0af19e0ce222..ff92bb3de13e 100644 --- a/src/cryptography/hazmat/_oid.py +++ b/src/cryptography/hazmat/_oid.py @@ -283,7 +283,7 @@ class AttributeOID: ExtensionOID.EXTENDED_KEY_USAGE: "extendedKeyUsage", ExtensionOID.FRESHEST_CRL: "freshestCRL", ExtensionOID.INHIBIT_ANY_POLICY: "inhibitAnyPolicy", - ExtensionOID.ISSUING_DISTRIBUTION_POINT: ("issuingDistributionPoint"), + ExtensionOID.ISSUING_DISTRIBUTION_POINT: "issuingDistributionPoint", ExtensionOID.AUTHORITY_INFORMATION_ACCESS: "authorityInfoAccess", ExtensionOID.SUBJECT_INFORMATION_ACCESS: "subjectInfoAccess", ExtensionOID.OCSP_NO_CHECK: "OCSPNoCheck", From e5f4ff17b987e4a3debf474723dc65f2adf2954a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 16 Jul 2023 17:35:15 -0700 Subject: [PATCH 0195/1014] Bump BoringSSL and/or OpenSSL in CI (#9249) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a091960d6ea..780b79d3cd48 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 15, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4f8755f8e66b77ca2230f376bc5d5d54b28544e"}} - # Latest commit on the OpenSSL master branch, as of Jul 15, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1e398bec538978b9957e69bf9e12b3c626290bea"}} + # Latest commit on the BoringSSL master branch, as of Jul 17, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "23d6e4cce97a9b66a53fb4286341fd02d2b99e40"}} + # Latest commit on the OpenSSL master branch, as of Jul 17, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3d2f96e2c867fa3e79a453639304b70ba0508076"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 1c650dd731ae6419ceb4441b3c96c048e7c90ddb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:36:32 +0000 Subject: [PATCH 0196/1014] Bump distlib from 0.3.6 to 0.3.7 (#9250) Bumps [distlib](https://github.com/pypa/distlib) from 0.3.6 to 0.3.7. - [Release notes](https://github.com/pypa/distlib/releases) - [Changelog](https://github.com/pypa/distlib/blob/master/CHANGES.rst) - [Commits](https://github.com/pypa/distlib/compare/0.3.6...0.3.7) --- updated-dependencies: - dependency-name: distlib dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d20ac8525ea1..ec8917878cd8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -31,7 +31,7 @@ colorlog==6.7.0 # via nox coverage==7.2.7 # via pytest-cov -distlib==0.3.6 +distlib==0.3.7 # via virtualenv docutils==0.18.1 # via From e25b400dec632efeb275f55c4e94faf00e491e23 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jul 2023 07:55:53 -0500 Subject: [PATCH 0197/1014] Bump quote from 1.0.30 to 1.0.31 in /src/rust (#9252) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.30 to 1.0.31. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.30...1.0.31) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3ce77f97fc1e..c792f38fae82 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -226,9 +226,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.65" +version = "1.0.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92de25114670a878b1261c79c9f8f729fb97e95bac93f6312f583c60dd6a1dfe" +checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9" dependencies = [ "unicode-ident", ] @@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.30" +version = "1.0.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5907a1b7c277254a8b15170f6e7c97cfa60ee7872a3217663bb81151e48184bb" +checksum = "5fe8a65d69dd0808184ebb5f836ab526bb259db23c657efa38711b1072ee47f0" dependencies = [ "proc-macro2", ] From 524c9eb10c1387eb3c2bf6e7f7b01505516b759f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jul 2023 07:56:25 -0500 Subject: [PATCH 0198/1014] Bump proc-macro2 from 1.0.65 to 1.0.66 in /src/rust (#9251) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.65 to 1.0.66. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.65...1.0.66) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> From 0e940bdfa2161e074e120ea97584058e5da2d103 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jul 2023 00:24:32 +0000 Subject: [PATCH 0199/1014] Bump BoringSSL and/or OpenSSL in CI (#9258) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 780b79d3cd48..7866e56a61f1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 17, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "23d6e4cce97a9b66a53fb4286341fd02d2b99e40"}} + # Latest commit on the BoringSSL master branch, as of Jul 18, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cb974884b68b7b2001dfcd8f46c446c0ff8c6336"}} # Latest commit on the OpenSSL master branch, as of Jul 17, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3d2f96e2c867fa3e79a453639304b70ba0508076"}} # Builds with various Rust versions. Includes MSRV and next From 0bb2fe81a1c768c4569c30dd8e50418488daab16 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 18 Jul 2023 08:20:38 -0400 Subject: [PATCH 0200/1014] resolve new clippy warnings (#9261) --- src/rust/src/asn1.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index bf17a5952f29..12827ccca5a3 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -148,7 +148,7 @@ struct TestCertificate { subject_value_tags: Vec, } -fn parse_name_value_tags(rdns: &mut Name<'_>) -> Vec { +fn parse_name_value_tags(rdns: &Name<'_>) -> Vec { let mut tags = vec![]; for rdn in rdns.unwrap_read().clone() { let mut attributes = rdn.collect::>(); @@ -168,13 +168,13 @@ fn time_tag(t: &Time) -> u8 { #[pyo3::prelude::pyfunction] fn test_parse_certificate(data: &[u8]) -> Result { - let mut cert = asn1::parse_single::>(data)?; + let cert = asn1::parse_single::>(data)?; Ok(TestCertificate { not_before_tag: time_tag(&cert.tbs_cert.validity.not_before), not_after_tag: time_tag(&cert.tbs_cert.validity.not_after), - issuer_value_tags: parse_name_value_tags(&mut cert.tbs_cert.issuer), - subject_value_tags: parse_name_value_tags(&mut cert.tbs_cert.subject), + issuer_value_tags: parse_name_value_tags(&cert.tbs_cert.issuer), + subject_value_tags: parse_name_value_tags(&cert.tbs_cert.subject), }) } From 10813b0bedd98849b5d1f45f0201b41b2f811ada Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 18 Jul 2023 08:37:00 -0400 Subject: [PATCH 0201/1014] Finish replacing utcnow (#9260) refs #9186 --- docs/x509/tutorial.rst | 4 ++-- src/rust/src/x509/common.rs | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index f5ca416ceb9f..57693a79d176 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst @@ -134,10 +134,10 @@ Then we generate the certificate itself: ... ).serial_number( ... x509.random_serial_number() ... ).not_valid_before( - ... datetime.datetime.utcnow() + ... datetime.datetime.now(datetime.timezone.utc) ... ).not_valid_after( ... # Our certificate will be valid for 10 days - ... datetime.datetime.utcnow() + datetime.timedelta(days=10) + ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10) ... ).add_extension( ... x509.SubjectAlternativeName([x509.DNSName(u"localhost")]), ... critical=False, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index c367632810ac..e38f9b321730 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -540,11 +540,16 @@ pub(crate) fn py_to_datetime( } pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult { + let datetime_module = py.import(pyo3::intern!(py, "datetime"))?; + let utc = datetime_module + .getattr(pyo3::intern!(py, "timezone"))? + .getattr(pyo3::intern!(py, "utc"))?; + py_to_datetime( py, - py.import(pyo3::intern!(py, "datetime"))? + datetime_module .getattr(pyo3::intern!(py, "datetime"))? - .call_method0(pyo3::intern!(py, "utcnow"))?, + .call_method1(pyo3::intern!(py, "now"), (utc,))?, ) } From d5bd6478575f110a03d8628eafd916229e61b3b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jul 2023 08:53:44 -0500 Subject: [PATCH 0202/1014] Bump scopeguard from 1.1.0 to 1.2.0 in /src/rust (#9262) Bumps [scopeguard](https://github.com/bluss/scopeguard) from 1.1.0 to 1.2.0. - [Commits](https://github.com/bluss/scopeguard/compare/v1.1.0...v1.2.0) --- updated-dependencies: - dependency-name: scopeguard dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c792f38fae82..a1488b90f4fb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -313,9 +313,9 @@ dependencies = [ [[package]] name = "scopeguard" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "self_cell" From 85997bc1395d646ac9be0a9b22941b8d518c3b22 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jul 2023 22:48:27 +0000 Subject: [PATCH 0203/1014] Bump target-lexicon from 0.12.9 to 0.12.10 in /src/rust (#9263) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.9 to 0.12.10. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.9...v0.12.10) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a1488b90f4fb..cf4bce0eb213 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -353,9 +353,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.9" +version = "0.12.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df8e77cb757a61f51b947ec4a7e3646efd825b73561db1c232a8ccb639e611a0" +checksum = "1d2faeef5759ab89935255b1a4cd98e0baf99d1085e37d36599c625dac49ae8e" [[package]] name = "unicode-ident" From e9ad6cb0a7195810b8e937543f8dea1f54c9e5c6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jul 2023 22:53:03 +0000 Subject: [PATCH 0204/1014] Bump click from 8.1.3 to 8.1.6 (#9264) Bumps [click](https://github.com/pallets/click) from 8.1.3 to 8.1.6. - [Release notes](https://github.com/pallets/click/releases) - [Changelog](https://github.com/pallets/click/blob/8.1.6/CHANGES.rst) - [Commits](https://github.com/pallets/click/compare/8.1.3...8.1.6) --- updated-dependencies: - dependency-name: click dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ec8917878cd8..f9c5ca022b22 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ charset-normalizer==3.2.0 # via requests check-sdist==0.1.2 # via cryptography (pyproject.toml) -click==8.1.3 +click==8.1.6 # via black colorlog==6.7.0 # via nox From 0671d4e4c637ab048b76c48acf42f9afb6cb4043 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jul 2023 21:16:10 -0400 Subject: [PATCH 0205/1014] Bump BoringSSL and/or OpenSSL in CI (#9265) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7866e56a61f1..a6472c91a905 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 18, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cb974884b68b7b2001dfcd8f46c446c0ff8c6336"}} - # Latest commit on the OpenSSL master branch, as of Jul 17, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3d2f96e2c867fa3e79a453639304b70ba0508076"}} + # Latest commit on the BoringSSL master branch, as of Jul 19, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "68beac6373aeee787e0919b240c1a8177554cac8"}} + # Latest commit on the OpenSSL master branch, as of Jul 19, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7b2a3a1e9d5246fb0f2935f152d0daec715f79f9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From aea7535ca088fb16dca9786c5dea4e1af1330750 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 20 Jul 2023 00:18:11 +0000 Subject: [PATCH 0206/1014] Bump BoringSSL and/or OpenSSL in CI (#9266) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6472c91a905..26729d197d9c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 19, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "68beac6373aeee787e0919b240c1a8177554cac8"}} - # Latest commit on the OpenSSL master branch, as of Jul 19, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7b2a3a1e9d5246fb0f2935f152d0daec715f79f9"}} + # Latest commit on the BoringSSL master branch, as of Jul 20, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e8dab191c0e2ceba37dcb28d37c50e01a6c2bf3b"}} + # Latest commit on the OpenSSL master branch, as of Jul 20, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5be15438fc0bcb81fdf22dee6c7801ca3089fb74"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From c5c99b2d1cac1bd3a74dae0de1bd4c689665c98b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 20 Jul 2023 22:07:58 +1200 Subject: [PATCH 0207/1014] fix a link from the NIST CSRC migration (#9267) --- docs/hazmat/primitives/key-derivation-functions.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 7c5c643e2218..769ad266ad48 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -1026,7 +1026,7 @@ Interface .. [#nist] See `NIST SP 800-132`_. .. _`NIST SP 800-132`: https://csrc.nist.gov/publications/detail/sp/800-132/final -.. _`NIST SP 800-108`: https://csrc.nist.gov/publications/detail/sp/800-108/final +.. _`NIST SP 800-108`: https://csrc.nist.gov/pubs/sp/800/108/r1/final .. _`NIST SP 800-56Ar2`: https://csrc.nist.gov/publications/detail/sp/800-56a/rev-2/final .. _`ANSI X9.63:2001`: https://webstore.ansi.org .. _`SEC 1 v2.0`: https://www.secg.org/sec1-v2.pdf From 4c84e56d1c1d2ab0d4342e81ddc43e1bc7c681e1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Jul 2023 12:40:28 +0000 Subject: [PATCH 0208/1014] Bump virtualenv from 20.24.0 to 20.24.1 (#9268) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.0 to 20.24.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.0...20.24.1) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f9c5ca022b22..b24022befa4a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.3 # via # requests # twine -virtualenv==20.24.0 +virtualenv==20.24.1 # via nox webencodings==0.5.1 # via bleach From a019e88b2b2e21d5218b6a8c1a5a21245a068511 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Jul 2023 12:52:03 +0000 Subject: [PATCH 0209/1014] Bump urllib3 from 2.0.3 to 2.0.4 (#9269) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.3 to 2.0.4. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.3...2.0.4) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b24022befa4a..918c5bf75dfc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -181,7 +181,7 @@ twine==4.0.2 # via cryptography (pyproject.toml) typing-extensions==4.7.1 # via mypy -urllib3==2.0.3 +urllib3==2.0.4 # via # requests # twine From b2abc35bdaf5115b316369c021cb7599e13ce747 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 21 Jul 2023 08:27:44 +1200 Subject: [PATCH 0210/1014] fix another NIST link (#9270) --- docs/conf.py | 1 - docs/hazmat/primitives/asymmetric/ec.rst | 7 +++---- docs/hazmat/primitives/key-derivation-functions.rst | 4 ++-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index 1ee7eabf1208..6cc82a032997 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -# # Cryptography documentation build configuration file, created by # sphinx-quickstart on Tue Aug 6 19:19:14 2013. # diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 5842e9ca1667..c75e46b7e3a5 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -220,8 +220,8 @@ Elliptic Curve Key Exchange algorithm .. versionadded:: 1.1 - The Elliptic Curve Diffie-Hellman Key Exchange algorithm first standardized - in NIST publication `800-56A`_, and later in `800-56Ar2`_. + The Elliptic Curve Diffie-Hellman Key Exchange algorithm standardized + in NIST publication `800-56A`_. For most applications the ``shared_key`` should be passed to a key derivation function. This allows mixing of additional information into the @@ -911,8 +911,7 @@ Elliptic Curve Object Identifiers .. _`FIPS 186-3`: https://csrc.nist.gov/csrc/media/publications/fips/186/3/archive/2009-06-25/documents/fips_186-3.pdf .. _`FIPS 186-4`: https://csrc.nist.gov/publications/detail/fips/186/4/final -.. _`800-56A`: https://csrc.nist.gov/publications/detail/sp/800-56a/revised/archive/2007-03-14 -.. _`800-56Ar2`: https://csrc.nist.gov/publications/detail/sp/800-56a/rev-2/final +.. _`800-56A`: https://csrc.nist.gov/pubs/sp/800/56/a/r3/final .. _`some concern`: https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters .. _`less than 224 bits`: https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf .. _`elliptic curve diffie-hellman is faster than diffie-hellman`: https://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1100&context=cseconfwork diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 769ad266ad48..f96ae426cbbf 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -247,7 +247,7 @@ ConcatKDF .. versionadded:: 1.0 ConcatKDFHash (Concatenation Key Derivation Function) is defined by the - NIST Special Publication `NIST SP 800-56Ar2`_ document, to be used to + NIST Special Publication `NIST SP 800-56Ar3`_ document, to be used to derive keys for use after a Key Exchange negotiation operation. .. warning:: @@ -1027,7 +1027,7 @@ Interface .. _`NIST SP 800-132`: https://csrc.nist.gov/publications/detail/sp/800-132/final .. _`NIST SP 800-108`: https://csrc.nist.gov/pubs/sp/800/108/r1/final -.. _`NIST SP 800-56Ar2`: https://csrc.nist.gov/publications/detail/sp/800-56a/rev-2/final +.. _`NIST SP 800-56Ar3`: https://csrc.nist.gov/pubs/sp/800/56/a/r3/final .. _`ANSI X9.63:2001`: https://webstore.ansi.org .. _`SEC 1 v2.0`: https://www.secg.org/sec1-v2.pdf .. _`more detailed description`: https://security.stackexchange.com/a/3993/43116 From 1b4bbea0083812d3ba3373b51103542d3e277996 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 21 Jul 2023 09:10:15 +1200 Subject: [PATCH 0211/1014] tolerate (with warning) invalid DSA params encoding in X.509 (#9271) fixes #9253 --- docs/development/test-vectors.rst | 2 ++ src/rust/cryptography-x509/src/common.rs | 8 ++--- src/rust/src/x509/certificate.rs | 17 +++++---- src/rust/src/x509/sign.rs | 36 ++++++++++++------- tests/x509/test_x509.py | 15 ++++++++ .../x509/custom/dsa_null_alg_params.pem | 25 +++++++++++++ 6 files changed, 81 insertions(+), 22 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/dsa_null_alg_params.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index cfab7edcca69..4e9811332c18 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -501,6 +501,8 @@ Custom X.509 Vectors was generated by LibreSSL. * ``ecdsa_null_alg.pem`` - A certificate with an ECDSA signature with ``NULL`` algorithm parameters. This encoding is invalid, but was generated by Java 11. +* ``dsa_null_alg_params.pem`` - A certificate with a DSA signature with ``NULL`` + algorithm parameters. This encoding is invalid, but was generated by Java 20. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 5b073da9f3c2..00e7136eccdd 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -97,13 +97,13 @@ pub enum AlgorithmParameters<'a> { RsaPss(Option>>), #[defined_by(oid::DSA_WITH_SHA224_OID)] - DsaWithSha224, + DsaWithSha224(Option), #[defined_by(oid::DSA_WITH_SHA256_OID)] - DsaWithSha256, + DsaWithSha256(Option), #[defined_by(oid::DSA_WITH_SHA384_OID)] - DsaWithSha384, + DsaWithSha384(Option), #[defined_by(oid::DSA_WITH_SHA512_OID)] - DsaWithSha512, + DsaWithSha512(Option), #[default] Other(asn1::ObjectIdentifier, Option>), diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2b9e9d69e9ba..c085ab683820 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -378,9 +378,10 @@ fn load_der_x509_certificate( // for this sort of invalid encoding eventually. warn_if_negative_serial(py, raw.borrow_dependent().tbs_cert.serial.as_bytes())?; // determine if the signature algorithm has incorrect parameters and raise a warning if it - // does. this is a bug in JDK11 and we want to drop support for it eventually. - warn_if_invalid_ecdsa_params(py, raw.borrow_dependent().signature_alg.params.clone())?; - warn_if_invalid_ecdsa_params( + // does. this is a bug in the JDK and we want to drop support for it eventually. + // ECDSA was fixed in Java 16, DSA in Java 21. + warn_if_invalid_params(py, raw.borrow_dependent().signature_alg.params.clone())?; + warn_if_invalid_params( py, raw.borrow_dependent().tbs_cert.signature_alg.params.clone(), )?; @@ -406,7 +407,7 @@ fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyRes Ok(()) } -fn warn_if_invalid_ecdsa_params( +fn warn_if_invalid_params( py: pyo3::Python<'_>, params: AlgorithmParameters<'_>, ) -> pyo3::PyResult<()> { @@ -414,14 +415,18 @@ fn warn_if_invalid_ecdsa_params( AlgorithmParameters::EcDsaWithSha224(Some(..)) | AlgorithmParameters::EcDsaWithSha256(Some(..)) | AlgorithmParameters::EcDsaWithSha384(Some(..)) - | AlgorithmParameters::EcDsaWithSha512(Some(..)) => { + | AlgorithmParameters::EcDsaWithSha512(Some(..)) + | AlgorithmParameters::DsaWithSha224(Some(..)) + | AlgorithmParameters::DsaWithSha256(Some(..)) + | AlgorithmParameters::DsaWithSha384(Some(..)) + | AlgorithmParameters::DsaWithSha512(Some(..)) => { let cryptography_warning = py .import(pyo3::intern!(py, "cryptography.utils"))? .getattr(pyo3::intern!(py, "DeprecatedIn41"))?; pyo3::PyErr::warn( py, cryptography_warning, - "The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK16+ or the latest JDK11 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 for more details.", + "The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK21+ or the latest JDK11/17 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 and https://github.com/pyca/cryptography/issues/9253 for more details.", 2, )?; } diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 4b03a2d9ab8e..0e3c1bc728b2 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -300,19 +300,19 @@ pub(crate) fn compute_signature_algorithm<'p>( (KeyType::Dsa, HashType::Sha224) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::DsaWithSha224, + params: common::AlgorithmParameters::DsaWithSha224(None), }), (KeyType::Dsa, HashType::Sha256) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::DsaWithSha256, + params: common::AlgorithmParameters::DsaWithSha256(None), }), (KeyType::Dsa, HashType::Sha384) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::DsaWithSha384, + params: common::AlgorithmParameters::DsaWithSha384(None), }), (KeyType::Dsa, HashType::Sha512) => Ok(common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), - params: common::AlgorithmParameters::DsaWithSha512, + params: common::AlgorithmParameters::DsaWithSha512(None), }), ( KeyType::Dsa, @@ -493,10 +493,10 @@ fn identify_key_type_for_algorithm_params( | common::AlgorithmParameters::EcDsaWithSha3_512 => Ok(KeyType::Ec), common::AlgorithmParameters::Ed25519 => Ok(KeyType::Ed25519), common::AlgorithmParameters::Ed448 => Ok(KeyType::Ed448), - common::AlgorithmParameters::DsaWithSha224 - | common::AlgorithmParameters::DsaWithSha256 - | common::AlgorithmParameters::DsaWithSha384 - | common::AlgorithmParameters::DsaWithSha512 => Ok(KeyType::Dsa), + common::AlgorithmParameters::DsaWithSha224(..) + | common::AlgorithmParameters::DsaWithSha256(..) + | common::AlgorithmParameters::DsaWithSha384(..) + | common::AlgorithmParameters::DsaWithSha512(..) => Ok(KeyType::Dsa), _ => Err(pyo3::exceptions::PyValueError::new_err( "Unsupported signature algorithm", )), @@ -704,10 +704,22 @@ mod tests { (&common::AlgorithmParameters::EcDsaWithSha3_512, KeyType::Ec), (&common::AlgorithmParameters::Ed25519, KeyType::Ed25519), (&common::AlgorithmParameters::Ed448, KeyType::Ed448), - (&common::AlgorithmParameters::DsaWithSha224, KeyType::Dsa), - (&common::AlgorithmParameters::DsaWithSha256, KeyType::Dsa), - (&common::AlgorithmParameters::DsaWithSha384, KeyType::Dsa), - (&common::AlgorithmParameters::DsaWithSha512, KeyType::Dsa), + ( + &common::AlgorithmParameters::DsaWithSha224(None), + KeyType::Dsa, + ), + ( + &common::AlgorithmParameters::DsaWithSha256(None), + KeyType::Dsa, + ), + ( + &common::AlgorithmParameters::DsaWithSha384(None), + KeyType::Dsa, + ), + ( + &common::AlgorithmParameters::DsaWithSha512(None), + KeyType::Dsa, + ), ] { assert_eq!( identify_key_type_for_algorithm_params(params).unwrap(), diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index a821f7de90ab..2698c564fc32 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -4982,6 +4982,21 @@ def test_load_dsa_cert(self, backend): "822ff5d234e073b901cf5941f58e1f538e71d40d", 16 ) + def test_load_dsa_cert_null_alg_params(self, backend): + """ + This test verifies that we successfully load certificates with encoded + null parameters in the signature AlgorithmIdentifier. This is invalid, + but all versions of Java less than 21 generate certificates with this + encoding so we need to tolerate it at the moment. + """ + with pytest.warns(utils.DeprecatedIn41): + cert = _load_cert( + os.path.join("x509", "custom", "dsa_null_alg_params.pem"), + x509.load_pem_x509_certificate, + ) + assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) + assert isinstance(cert.public_key(), dsa.DSAPublicKey) + def test_signature(self, backend): cert = _load_cert( os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), diff --git a/vectors/cryptography_vectors/x509/custom/dsa_null_alg_params.pem b/vectors/cryptography_vectors/x509/custom/dsa_null_alg_params.pem new file mode 100644 index 000000000000..724aafac3c7d --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/dsa_null_alg_params.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJDCCA9CgAwIBAgIJANXeXtYKjIwEMA0GCWCGSAFlAwQDAgUAMBIxEDAOBgNV +BAMTB2V4YW1wbGUwHhcNMjMwNzE4MTQ0OTEwWhcNMjMxMDE2MTQ0OTEwWjASMRAw +DgYDVQQDEwdleGFtcGxlMIIDQjCCAjUGByqGSM44BAEwggIoAoIBAQCPeTXZuarp +v6vtiHrPSVG28y7FnjuvNxjo6sSWHz79NgbnQ1GpxBgzObgJ58KuHFObp0dbhdAR +rbi0eYd1SYRpXKwOjxSzNggooi/6JxEKPWKpk0U0CaD+aWxGWPhL3SCBnDcJoBBX +sZWtzQAjPbpUhLYpH51kjviDRIZ3l5zsBLQ0pqwudemYXeI9sCkvwRGMn/qdgYHn +M423krcw17njSVkvaAmYchU5Feo9a4tGU8YzRY+AOzKkwuDycpAlbk4/ijsIOKHE +UOThjBopo33fXqFD3ktm/wSQPtXPFiPhWNSHxgjpfyEc2B3KI8tuOAdl+CLjQr5I +TAV2OTlgHNZnAh0AuvaWpoV499/e5/pnyXfHhe8ysjO65YDAvNVpXQKCAQAWplxY +IEhQcE51AqOXVwQNNNo6NHjBVNTkpcAtJC7gT5bmHkvQkEq9rI837rHgnzGC0jyQ +Q8tkL4gAQWDt+coJsyB2p5wypifyRz6Rh5uixOdEvSCBVEy1W4AsNo0fqD7UielO +D6BojjJCilx4xHjGjQUntxyaOrsLC+EsRGiWOefTznTbEBplqiuH9kxoJts+xy9L +VZmDS7TtsC98kOmkltOlXVNb6/xF1PYZ9j897buHOSXC8iTgdzEpbaiH7B5HSPh+ ++1/et1SEMWsiMt7lU92vAhErDR8C2jCXMiT+J67ai51LKSLZuovjntnhA6Y8UoEL +xoi34u1DFuHvF9veA4IBBQACggEASGXf9G1yAHOU7G/su00m3SricigX9zPfUh89 +sl9lj5Ht6c545WGSkg2vjPbK4KFfDeWTzz2neKoM9xWxJUjGBfURX3+b6BpAj86x ++vQok87c16mpw8Cf3MtAgc0oHOM1I7pGDO/9/ZvKbSMMB0S7Sv5Q99VYWGN2od+m +yVzz/oYNy9IRSFfNaHPOweMP7oQFYNNfoc9jXCXayICoj9IDFDSvvtC71wc8Z7Ey +b2VAUUMwpSQ+3nrurTCfoCkE9MQSC01GICeIK8Es+EUuV8jUfV+XAmBpul8jwsxi ++XcM4arXoru/9V8qaS+qGsz1dCqAp4hcqq3D20OkJvI3JMu316MhMB8wHQYDVR0O +BBYEFMaC7UTR+brmFDATYd5Oss2eshvCMA0GCWCGSAFlAwQDAgUAAz8AMDwCHFqb +CNDLKq90HzhWw88QgwcwlGnu6W5RCeS8PCICHGqdeHyfftezEfGWp3qIpzlUa2oG +GizOpATUqSQ= +-----END CERTIFICATE----- From 58624864f58a441fab8360810a3f2a8dddb96b74 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 21 Jul 2023 09:50:28 +1200 Subject: [PATCH 0212/1014] actually use utc time when creating the naive datetimes in ocsp tests (#9273) --- tests/x509/test_ocsp.py | 60 ++++++++++++++++++++++++++++++----------- 1 file changed, 45 insertions(+), 15 deletions(-) diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 3ebb3576694b..e2a62f0ca53d 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -608,7 +608,9 @@ def test_sign_good_cert(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -646,7 +648,9 @@ def test_sign_revoked_cert(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -678,7 +682,9 @@ def test_sign_unknown_cert(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -707,7 +713,9 @@ def test_sign_with_appended_certs(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -733,7 +741,9 @@ def test_sign_revoked_no_next_update(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) revoked_date = this_update - datetime.timedelta(days=300) @@ -764,7 +774,9 @@ def test_sign_revoked_with_reason(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -796,7 +808,9 @@ def test_sign_responder_id_key_hash(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -826,7 +840,9 @@ def test_invalid_sign_responder_cert_does_not_match_private_key(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -853,7 +869,9 @@ def test_sign_with_extension(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -911,7 +929,9 @@ def test_sign_unknown_private_key(self, backend): cert, issuer = _cert_and_issuer() root_cert, _ = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -941,7 +961,9 @@ def test_sign_unrecognized_hash_algorithm(self, backend): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -966,7 +988,9 @@ def test_sign_none_hash_not_eddsa(self): cert, issuer = _cert_and_issuer() root_cert, private_key = _generate_root() current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -1415,7 +1439,9 @@ def test_invalid_algorithm(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() root_cert, _ = _generate_root(private_key, None) current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -1445,7 +1471,9 @@ def test_sign_ed25519(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() root_cert, _ = _generate_root(private_key, None) current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) @@ -1486,7 +1514,9 @@ def test_sign_ed448(self, backend): private_key = ed448.Ed448PrivateKey.generate() root_cert, _ = _generate_root(private_key, None) current_time = ( - datetime.datetime.now().replace(tzinfo=None).replace(microsecond=0) + datetime.datetime.now(datetime.timezone.utc) + .replace(tzinfo=None) + .replace(microsecond=0) ) this_update = current_time - datetime.timedelta(days=1) next_update = this_update + datetime.timedelta(days=7) From cf41dc71fb7440ccc32099752703927de158990f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 21 Jul 2023 00:17:07 +0000 Subject: [PATCH 0213/1014] Bump BoringSSL and/or OpenSSL in CI (#9274) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 26729d197d9c..24161b6ebb14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 20, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e8dab191c0e2ceba37dcb28d37c50e01a6c2bf3b"}} + # Latest commit on the BoringSSL master branch, as of Jul 21, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e9f816b12b3e68de575d21e2a9b7d76e4e5c58ac"}} # Latest commit on the OpenSSL master branch, as of Jul 20, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5be15438fc0bcb81fdf22dee6c7801ca3089fb74"}} # Builds with various Rust versions. Includes MSRV and next From 6e1066bf1be36979787e468f3c0cb7b644912754 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 22 Jul 2023 00:16:44 +0000 Subject: [PATCH 0214/1014] Bump BoringSSL and/or OpenSSL in CI (#9275) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 24161b6ebb14..05816641174e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 21, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e9f816b12b3e68de575d21e2a9b7d76e4e5c58ac"}} - # Latest commit on the OpenSSL master branch, as of Jul 20, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5be15438fc0bcb81fdf22dee6c7801ca3089fb74"}} + # Latest commit on the OpenSSL master branch, as of Jul 22, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9c8d04dbec03172d6ffe4eaa38ea4b1ac2741f26"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From c95e87769de1a4f8920ee073b837c738fd134696 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Jul 2023 13:59:55 +0000 Subject: [PATCH 0215/1014] Bump certifi from 2023.5.7 to 2023.7.22 (#9278) Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.5.7 to 2023.7.22. - [Commits](https://github.com/certifi/python-certifi/compare/2023.05.07...2023.07.22) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 918c5bf75dfc..0b467bf30ace 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -19,7 +19,7 @@ build==0.10.0 # via # check-sdist # cryptography (pyproject.toml) -certifi==2023.5.7 +certifi==2023.7.22 # via requests charset-normalizer==3.2.0 # via requests From bb970d830eed837bb00ea675f3fe68b733a864af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Jul 2023 10:00:54 -0400 Subject: [PATCH 0216/1014] Bump wheel from 0.40.0 to 0.41.0 in /.github/requirements (#9276) Bumps [wheel](https://github.com/pypa/wheel) from 0.40.0 to 0.41.0. - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](https://github.com/pypa/wheel/compare/0.40.0...0.41.0) --- updated-dependencies: - dependency-name: wheel dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 474f31a29b0b..2c3639b67df3 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -86,9 +86,9 @@ typing-extensions==4.7.1 \ --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 # via setuptools-rust -wheel==0.40.0 \ - --hash=sha256:cd1196f3faee2b31968d626e1731c94f99cbdb67cf5a46e4f5656cbee7738873 \ - --hash=sha256:d236b20e7cb522daf2390fa84c55eea81c5c30190f90f29ae2ca1ad8355bf247 +wheel==0.41.0 \ + --hash=sha256:55a0f0a5a84869bce5ba775abfd9c462e3a6b1b7b7ec69d72c0b83d673a5114d \ + --hash=sha256:7e9be3bbd0078f6147d82ed9ed957e323e7708f57e134743d2edef3a7b7972a9 # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: From 1c2c25ff020da0d46738d58f470ce6bcc686af6d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 22 Jul 2023 13:18:18 -0400 Subject: [PATCH 0217/1014] style fix for latest ruff (#9279) --- tests/x509/test_x509_ext.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index fd7ff957b1dd..7d45d3308a35 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -2670,7 +2670,7 @@ def test_other_name(self, backend): x509.ObjectIdentifier("1.2.3.4"), b"\x16\x0bHello World" ) assert len(ext.value) == 1 - assert list(ext.value)[0] == expected + assert next(iter(ext.value)) == expected othernames = ext.value.get_values_for_type(x509.OtherName) assert othernames == [expected] From cd0afcc327eaa16f01f15e6a69b690378286f1bf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Jul 2023 17:32:35 +0000 Subject: [PATCH 0218/1014] Bump ruff from 0.0.278 to 0.0.280 (#9277) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.278 to 0.0.280. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.278...v0.0.280) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0b467bf30ace..89c233c8e10e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.4.2 # via twine -ruff==0.0.278 +ruff==0.0.280 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From d2df27b93d17ab9d8f933985f4f92ff07ec3393b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 24 Jul 2023 00:18:12 +0000 Subject: [PATCH 0219/1014] Bump BoringSSL and/or OpenSSL in CI (#9280) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05816641174e..9b31885b5159 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 21, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e9f816b12b3e68de575d21e2a9b7d76e4e5c58ac"}} - # Latest commit on the OpenSSL master branch, as of Jul 22, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9c8d04dbec03172d6ffe4eaa38ea4b1ac2741f26"}} + # Latest commit on the OpenSSL master branch, as of Jul 24, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6cac1ce47128f5095b1f0b99f304589db034c305"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 175effa91ed72de63afc6540ad4f29de22e3236b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 06:14:34 +1200 Subject: [PATCH 0220/1014] Bump quote from 1.0.31 to 1.0.32 in /src/rust (#9281) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.31 to 1.0.32. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.31...1.0.32) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index cf4bce0eb213..ab7005b71283 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.31" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fe8a65d69dd0808184ebb5f836ab526bb259db23c657efa38711b1072ee47f0" +checksum = "50f3b39ccfb720540debaa0164757101c08ecb8d326b15358ce76a62c7e85965" dependencies = [ "proc-macro2", ] From fae78322dadf3f8952a4c240a2d24ce75e6d4d39 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 00:18:59 +0000 Subject: [PATCH 0221/1014] Bump BoringSSL and/or OpenSSL in CI (#9284) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9b31885b5159..3449479d2e45 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 21, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e9f816b12b3e68de575d21e2a9b7d76e4e5c58ac"}} - # Latest commit on the OpenSSL master branch, as of Jul 24, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6cac1ce47128f5095b1f0b99f304589db034c305"}} + # Latest commit on the BoringSSL master branch, as of Jul 25, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "20a06474c0b4a16779311bfe98ba69dc2402101d"}} + # Latest commit on the OpenSSL master branch, as of Jul 25, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06a0d40322e96dbba816b35f82226871f635ec5a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 03556dfd8e09e98579b504110503a801dabb1391 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 24 Jul 2023 20:26:11 -0400 Subject: [PATCH 0222/1014] name: devolve `NameReadable` variant (#9282) Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/name.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509/src/name.rs b/src/rust/cryptography-x509/src/name.rs index f53e342cbf33..5c53c76c6844 100644 --- a/src/rust/cryptography-x509/src/name.rs +++ b/src/rust/cryptography-x509/src/name.rs @@ -4,9 +4,11 @@ use crate::common; +pub type NameReadable<'a> = asn1::SequenceOf<'a, asn1::SetOf<'a, common::AttributeTypeValue<'a>>>; + pub type Name<'a> = common::Asn1ReadableOrWritable< 'a, - asn1::SequenceOf<'a, asn1::SetOf<'a, common::AttributeTypeValue<'a>>>, + NameReadable<'a>, asn1::SequenceOfWriter< 'a, asn1::SetOfWriter<'a, common::AttributeTypeValue<'a>, Vec>>, From b8379284e1924c63f2da561c32e3ca7487b000f1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 24 Jul 2023 23:51:01 -0400 Subject: [PATCH 0223/1014] update indirect deps for pip packages (#9285) --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4d5d2dace0c2..45e0817cd3ce 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -35,10 +35,16 @@ updates: directory: "/" schedule: interval: daily + allow: + # Also update indirect dependencies + - dependency-type: all open-pull-requests-limit: 1024 - package-ecosystem: pip directory: "/.github/requirements/" schedule: interval: daily + allow: + # Also update indirect dependencies + - dependency-type: all open-pull-requests-limit: 1024 From 2bcb9590b49143dbb8726b73192b95a44697ea48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 16:26:07 +1200 Subject: [PATCH 0224/1014] Bump virtualenv from 20.24.1 to 20.24.2 (#9287) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.1 to 20.24.2. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.1...20.24.2) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 89c233c8e10e..bdd0a54a93d7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.4 # via # requests # twine -virtualenv==20.24.1 +virtualenv==20.24.2 # via nox webencodings==0.5.1 # via bleach From 600e96009e3b357436148e6095b74d50307b8cea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 16:26:32 +1200 Subject: [PATCH 0225/1014] Bump more-itertools from 9.1.0 to 10.0.0 (#9288) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 9.1.0 to 10.0.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v9.1.0...v10.0.0) --- updated-dependencies: - dependency-name: more-itertools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bdd0a54a93d7..f097902c2dcc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -66,7 +66,7 @@ markupsafe==2.1.3 # via jinja2 mdurl==0.1.2 # via markdown-it-py -more-itertools==9.1.0 +more-itertools==10.0.0 # via jaraco-classes mypy==1.4.1 # via cryptography (pyproject.toml) From fd4cee9436e5ed7b5ff2cc00f147afff7f506a48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 16:27:11 +1200 Subject: [PATCH 0226/1014] Bump certifi from 2023.5.7 to 2023.7.22 in /.github/requirements (#9289) Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.5.7 to 2023.7.22. - [Commits](https://github.com/certifi/python-certifi/compare/2023.05.07...2023.07.22) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f7f2e141b5b7..faee8ea65696 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -16,9 +16,9 @@ bleach==6.0.0 \ --hash=sha256:1a1a85c1595e07d8db14c5f09f09e6433502c51c595970edc090551f0db99414 \ --hash=sha256:33c16e3353dbd13028ab4799a0f89a83f113405c766e9c122df8a06f5b85b3f4 # via readme-renderer -certifi==2023.5.7 \ - --hash=sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7 \ - --hash=sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716 +certifi==2023.7.22 \ + --hash=sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082 \ + --hash=sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9 # via requests cffi==1.15.1 \ --hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \ @@ -189,6 +189,7 @@ cryptography==41.0.2 \ --hash=sha256:f772610fe364372de33d76edcd313636a25684edb94cee53fd790195f5989d14 # via # pyopenssl + # secretstorage # sigstore docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ @@ -223,14 +224,16 @@ importlib-metadata==6.8.0 \ # via # keyring # twine -importlib-resources==5.13.0 \ - --hash=sha256:82d5c6cca930697dbbd86c93333bb2c2e72861d4789a11c2662b933e5ad2b528 \ - --hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2 - # via sigstore jaraco-classes==3.3.0 \ --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 # via keyring +jeepney==0.8.0 \ + --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ + --hash=sha256:c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755 + # via + # keyring + # secretstorage keyring==24.2.0 \ --hash=sha256:4901caaf597bfd3bbd78c9a0c7c4c29fcd8310dab2cffefe749e916b6527acd6 \ --hash=sha256:ca0746a19ec421219f4d713f848fa297a661a8a8c1504867e55bfb5e09091509 @@ -415,6 +418,10 @@ rich==13.4.2 \ --hash=sha256:8f87bc7ee54675732fa66a05ebfe489e27264caeeff3728c945d25971b6485ec \ --hash=sha256:d653d6bccede5844304c605d5aac802c7cf9621efd700b46c7ec2b51ea914898 # via twine +secretstorage==3.3.3 \ + --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ + --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 + # via keyring securesystemslib==0.28.0 \ --hash=sha256:9e6b9abe36a511d4f52c759069db8f6f650362ba82d6efc7bc7466a458b3f499 \ --hash=sha256:a27e519247576f2a77b97fb03267d8eeb88eba715d12da64109e845616f919c6 From 2202792e4452b1253aeb823aac32198a93d32c7c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 16:28:00 +1200 Subject: [PATCH 0227/1014] Bump pyjwt from 2.7.0 to 2.8.0 in /.github/requirements (#9290) Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.7.0 to 2.8.0. - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](https://github.com/jpadilla/pyjwt/compare/2.7.0...2.8.0) --- updated-dependencies: - dependency-name: pyjwt dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index faee8ea65696..a7bc21cb187e 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -380,9 +380,9 @@ pygments==2.15.1 \ # via # readme-renderer # rich -pyjwt==2.7.0 \ - --hash=sha256:ba2b425b15ad5ef12f200dc67dd56af4e26de2331f965c5439994dad075876e1 \ - --hash=sha256:bd6ca4a3c4285c1a2d4349e5a035fdf8fb94e04ccd0fcbe6ba289dae9cc3e074 +pyjwt==2.8.0 \ + --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ + --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 # via sigstore pyopenssl==23.2.0 \ --hash=sha256:24f0dc5227396b3e831f4c7f602b950a5e9833d292c8e4a2e06b709292806ae2 \ From d4abd1b8e05e3851ebe9cee3609ab78bcd4ca774 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 05:08:48 +0000 Subject: [PATCH 0228/1014] Bump more-itertools from 9.1.0 to 10.0.0 in /.github/requirements (#9292) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 9.1.0 to 10.0.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v9.1.0...v10.0.0) --- updated-dependencies: - dependency-name: more-itertools dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a7bc21cb187e..ddacbfdef435 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -246,9 +246,9 @@ mdurl==0.1.2 \ --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -more-itertools==9.1.0 \ - --hash=sha256:cabaa341ad0389ea83c17a94566a53ae4c9d07349861ecb14dc6d0345cf9ac5d \ - --hash=sha256:d2bc7f02446e86a68911e58ded76d6561eea00cddfb2a91e7019bbb586c799f3 +more-itertools==10.0.0 \ + --hash=sha256:928d514ffd22b5b0a8fce326d57f423a55d2ff783b093bab217eda71e732330f \ + --hash=sha256:cd65437d7c4b615ab81c0640c0480bc29a550ea032891977681efd28344d51e1 # via jaraco-classes multidict==6.0.4 \ --hash=sha256:01a3a55bd90018c9c080fbb0b9f4891db37d148a0a18722b42f94694f8b6d4c9 \ From 80215003f5504eb13c4557a9748c9cf3843d6018 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 05:11:26 +0000 Subject: [PATCH 0229/1014] Bump urllib3 from 2.0.3 to 2.0.4 in /.github/requirements (#9291) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.3 to 2.0.4. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.3...2.0.4) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ddacbfdef435..f3b767108e0d 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -454,9 +454,9 @@ typing-extensions==4.7.1 \ --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 # via pydantic -urllib3==2.0.3 \ - --hash=sha256:48e7fafa40319d358848e1bc6809b208340fafe2096f1725d05d67443d0483d1 \ - --hash=sha256:bee28b5e56addb8226c96f7f13ac28cb4c301dd5ea8a6ca179c0b9835e032825 +urllib3==2.0.4 \ + --hash=sha256:8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11 \ + --hash=sha256:de7df1803967d2c2a98e4b11bb7d6bd9210474c46e8a0401514e3a42a75ebde4 # via # requests # twine From dd002ac7f312dbe8d6d05157c2312368f6184c48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 09:24:37 +0000 Subject: [PATCH 0230/1014] Bump pydantic from 1.10.11 to 1.10.12 in /.github/requirements (#9293) Bumps [pydantic](https://github.com/pydantic/pydantic) from 1.10.11 to 1.10.12. - [Release notes](https://github.com/pydantic/pydantic/releases) - [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md) - [Commits](https://github.com/pydantic/pydantic/compare/v1.10.11...v1.10.12) --- updated-dependencies: - dependency-name: pydantic dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f3b767108e0d..18b40725b405 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -334,43 +334,43 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic==1.10.11 \ - --hash=sha256:008c5e266c8aada206d0627a011504e14268a62091450210eda7c07fabe6963e \ - --hash=sha256:0588788a9a85f3e5e9ebca14211a496409cb3deca5b6971ff37c556d581854e7 \ - --hash=sha256:08a6c32e1c3809fbc49debb96bf833164f3438b3696abf0fbeceb417d123e6eb \ - --hash=sha256:16928fdc9cb273c6af00d9d5045434c39afba5f42325fb990add2c241402d151 \ - --hash=sha256:174899023337b9fc685ac8adaa7b047050616136ccd30e9070627c1aaab53a13 \ - --hash=sha256:192c608ad002a748e4a0bed2ddbcd98f9b56df50a7c24d9a931a8c5dd053bd3d \ - --hash=sha256:1954f8778489a04b245a1e7b8b22a9d3ea8ef49337285693cf6959e4b757535e \ - --hash=sha256:2417de68290434461a266271fc57274a138510dca19982336639484c73a07af6 \ - --hash=sha256:265a60da42f9f27e0b1014eab8acd3e53bd0bad5c5b4884e98a55f8f596b2c19 \ - --hash=sha256:331c031ba1554b974c98679bd0780d89670d6fd6f53f5d70b10bdc9addee1713 \ - --hash=sha256:373c0840f5c2b5b1ccadd9286782852b901055998136287828731868027a724f \ - --hash=sha256:3f34739a89260dfa420aa3cbd069fbcc794b25bbe5c0a214f8fb29e363484b66 \ - --hash=sha256:41e0bb6efe86281623abbeeb0be64eab740c865388ee934cd3e6a358784aca6e \ - --hash=sha256:4400015f15c9b464c9db2d5d951b6a780102cfa5870f2c036d37c23b56f7fc1b \ - --hash=sha256:44e51ba599c3ef227e168424e220cd3e544288c57829520dc90ea9cb190c3248 \ - --hash=sha256:469adf96c8e2c2bbfa655fc7735a2a82f4c543d9fee97bd113a7fb509bf5e622 \ - --hash=sha256:5b02d24f7b2b365fed586ed73582c20f353a4c50e4be9ba2c57ab96f8091ddae \ - --hash=sha256:7522a7666157aa22b812ce14c827574ddccc94f361237ca6ea8bb0d5c38f1629 \ - --hash=sha256:787cf23e5a0cde753f2eabac1b2e73ae3844eb873fd1f5bdbff3048d8dbb7604 \ - --hash=sha256:8268a735a14c308923e8958363e3a3404f6834bb98c11f5ab43251a4e410170c \ - --hash=sha256:8dc77064471780262b6a68fe67e013298d130414d5aaf9b562c33987dbd2cf4f \ - --hash=sha256:a451ccab49971af043ec4e0d207cbc8cbe53dbf148ef9f19599024076fe9c25b \ - --hash=sha256:a6c098d4ab5e2d5b3984d3cb2527e2d6099d3de85630c8934efcfdc348a9760e \ - --hash=sha256:abade85268cc92dff86d6effcd917893130f0ff516f3d637f50dadc22ae93999 \ - --hash=sha256:bc64eab9b19cd794a380179ac0e6752335e9555d214cfcb755820333c0784cb3 \ - --hash=sha256:c3339a46bbe6013ef7bdd2844679bfe500347ac5742cd4019a88312aa58a9847 \ - --hash=sha256:d185819a7a059550ecb85d5134e7d40f2565f3dd94cfd870132c5f91a89cf58c \ - --hash=sha256:d7781f1d13b19700b7949c5a639c764a077cbbdd4322ed505b449d3ca8edcb36 \ - --hash=sha256:e297897eb4bebde985f72a46a7552a7556a3dd11e7f76acda0c1093e3dbcf216 \ - --hash=sha256:e6cbfbd010b14c8a905a7b10f9fe090068d1744d46f9e0c021db28daeb8b6de1 \ - --hash=sha256:e9738b0f2e6c70f44ee0de53f2089d6002b10c33264abee07bdb5c7f03038303 \ - --hash=sha256:e9baf78b31da2dc3d3f346ef18e58ec5f12f5aaa17ac517e2ffd026a92a87588 \ - --hash=sha256:ef55392ec4bb5721f4ded1096241e4b7151ba6d50a50a80a2526c854f42e6a2f \ - --hash=sha256:f66d479cf7eb331372c470614be6511eae96f1f120344c25f3f9bb59fb1b5528 \ - --hash=sha256:fe429898f2c9dd209bd0632a606bddc06f8bce081bbd03d1c775a45886e2c1cb \ - --hash=sha256:ff44c5e89315b15ff1f7fdaf9853770b810936d6b01a7bcecaa227d2f8fe444f +pydantic==1.10.12 \ + --hash=sha256:0fe8a415cea8f340e7a9af9c54fc71a649b43e8ca3cc732986116b3cb135d303 \ + --hash=sha256:1289c180abd4bd4555bb927c42ee42abc3aee02b0fb2d1223fb7c6e5bef87dbe \ + --hash=sha256:1eb2085c13bce1612da8537b2d90f549c8cbb05c67e8f22854e201bde5d98a47 \ + --hash=sha256:2031de0967c279df0d8a1c72b4ffc411ecd06bac607a212892757db7462fc494 \ + --hash=sha256:2a7bac939fa326db1ab741c9d7f44c565a1d1e80908b3797f7f81a4f86bc8d33 \ + --hash=sha256:2d5a58feb9a39f481eda4d5ca220aa8b9d4f21a41274760b9bc66bfd72595b86 \ + --hash=sha256:2f9a6fab5f82ada41d56b0602606a5506aab165ca54e52bc4545028382ef1c5d \ + --hash=sha256:2fcfb5296d7877af406ba1547dfde9943b1256d8928732267e2653c26938cd9c \ + --hash=sha256:549a8e3d81df0a85226963611950b12d2d334f214436a19537b2efed61b7639a \ + --hash=sha256:598da88dfa127b666852bef6d0d796573a8cf5009ffd62104094a4fe39599565 \ + --hash=sha256:5d1197e462e0364906cbc19681605cb7c036f2475c899b6f296104ad42b9f5fb \ + --hash=sha256:69328e15cfda2c392da4e713443c7dbffa1505bc9d566e71e55abe14c97ddc62 \ + --hash=sha256:6a9dfa722316f4acf4460afdf5d41d5246a80e249c7ff475c43a3a1e9d75cf62 \ + --hash=sha256:6b30bcb8cbfccfcf02acb8f1a261143fab622831d9c0989707e0e659f77a18e0 \ + --hash=sha256:6c076be61cd0177a8433c0adcb03475baf4ee91edf5a4e550161ad57fc90f523 \ + --hash=sha256:771735dc43cf8383959dc9b90aa281f0b6092321ca98677c5fb6125a6f56d58d \ + --hash=sha256:795e34e6cc065f8f498c89b894a3c6da294a936ee71e644e4bd44de048af1405 \ + --hash=sha256:87afda5539d5140cb8ba9e8b8c8865cb5b1463924d38490d73d3ccfd80896b3f \ + --hash=sha256:8fb2aa3ab3728d950bcc885a2e9eff6c8fc40bc0b7bb434e555c215491bcf48b \ + --hash=sha256:a1fcb59f2f355ec350073af41d927bf83a63b50e640f4dbaa01053a28b7a7718 \ + --hash=sha256:a5e7add47a5b5a40c49b3036d464e3c7802f8ae0d1e66035ea16aa5b7a3923ed \ + --hash=sha256:a73f489aebd0c2121ed974054cb2759af8a9f747de120acd2c3394cf84176ccb \ + --hash=sha256:ab26038b8375581dc832a63c948f261ae0aa21f1d34c1293469f135fa92972a5 \ + --hash=sha256:b0d191db0f92dfcb1dec210ca244fdae5cbe918c6050b342d619c09d31eea0cc \ + --hash=sha256:b749a43aa51e32839c9d71dc67eb1e4221bb04af1033a32e3923d46f9effa942 \ + --hash=sha256:b7ccf02d7eb340b216ec33e53a3a629856afe1c6e0ef91d84a4e6f2fb2ca70fe \ + --hash=sha256:ba5b2e6fe6ca2b7e013398bc7d7b170e21cce322d266ffcd57cca313e54fb246 \ + --hash=sha256:ba5c4a8552bff16c61882db58544116d021d0b31ee7c66958d14cf386a5b5350 \ + --hash=sha256:c79e6a11a07da7374f46970410b41d5e266f7f38f6a17a9c4823db80dadf4303 \ + --hash=sha256:ca48477862372ac3770969b9d75f1bf66131d386dba79506c46d75e6b48c1e09 \ + --hash=sha256:dea7adcc33d5d105896401a1f37d56b47d443a2b2605ff8a969a0ed5543f7e33 \ + --hash=sha256:e0a16d274b588767602b7646fa05af2782576a6cf1022f4ba74cbb4db66f6ca8 \ + --hash=sha256:e4129b528c6baa99a429f97ce733fff478ec955513630e61b49804b6cf9b224a \ + --hash=sha256:e5f805d2d5d0a41633651a73fa4ecdd0b3d7a49de4ec3fadf062fe16501ddbf1 \ + --hash=sha256:ef6c96b2baa2100ec91a4b428f80d8f28a3c9e53568219b6c298c1125572ebc6 \ + --hash=sha256:fdbdd1d630195689f325c9ef1a12900524dceb503b00a987663ff4f58669b93d # via # id # sigstore From a48516129de516049b9095f519e65d9e920c8e33 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 26 Jul 2023 00:18:04 +0000 Subject: [PATCH 0231/1014] Bump BoringSSL and/or OpenSSL in CI (#9294) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3449479d2e45..32b1ad8d82c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 25, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "20a06474c0b4a16779311bfe98ba69dc2402101d"}} - # Latest commit on the OpenSSL master branch, as of Jul 25, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06a0d40322e96dbba816b35f82226871f635ec5a"}} + # Latest commit on the BoringSSL master branch, as of Jul 26, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e4acd6cb568214b1c7db4e59ce54ea2e1deae1f5"}} + # Latest commit on the OpenSSL master branch, as of Jul 26, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bc5d9cc8711e86d5c25b81c58dfae531536e61fc"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 0071b3eea8823a3ecb64419f50c8f85b4994ab66 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 26 Jul 2023 07:13:03 -0400 Subject: [PATCH 0232/1014] Migrate more types (#9254) * x509: migrate more types Signed-off-by: William Woodruff * common: clean up DNSName/Pattern types Cleans up the types a bit; patterns are now their own type, simplifying our matching logic. Signed-off-by: William Woodruff * common: clippy Signed-off-by: William Woodruff * common: round out coverage Signed-off-by: William Woodruff * common: remove owned type, case cmp Signed-off-by: William Woodruff * common: update docs Signed-off-by: William Woodruff * name: remove type breakout Signed-off-by: William Woodruff * common: doctests Signed-off-by: William Woodruff * common: coverage Signed-off-by: William Woodruff * Update src/rust/cryptography-x509/src/common.rs Co-authored-by: Alex Gaynor * Update src/rust/cryptography-x509/src/common.rs * crate skeleton, move to validation Signed-off-by: William Woodruff * types: remove duped whitespace check Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- src/rust/Cargo.lock | 9 + src/rust/Cargo.toml | 7 +- .../cryptography-x509-validation/Cargo.toml | 15 ++ .../cryptography-x509-validation/src/lib.rs | 7 + .../cryptography-x509-validation/src/types.rs | 248 ++++++++++++++++++ 5 files changed, 285 insertions(+), 1 deletion(-) create mode 100644 src/rust/cryptography-x509-validation/Cargo.toml create mode 100644 src/rust/cryptography-x509-validation/src/lib.rs create mode 100644 src/rust/cryptography-x509-validation/src/types.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ab7005b71283..b5db3648b99c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -96,6 +96,15 @@ dependencies = [ "asn1", ] +[[package]] +name = "cryptography-x509-validation" +version = "0.1.0" +dependencies = [ + "asn1", + "cryptography-x509", + "pem", +] + [[package]] name = "foreign-types" version = "0.3.2" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 7fc45add24b6..a8b53a9a87c7 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -35,4 +35,9 @@ crate-type = ["cdylib"] overflow-checks = true [workspace] -members = ["cryptography-cffi", "cryptography-openssl", "cryptography-x509"] +members = [ + "cryptography-cffi", + "cryptography-openssl", + "cryptography-x509", + "cryptography-x509-validation", +] diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-validation/Cargo.toml new file mode 100644 index 000000000000..16bfc8ac5211 --- /dev/null +++ b/src/rust/cryptography-x509-validation/Cargo.toml @@ -0,0 +1,15 @@ +[package] +name = "cryptography-x509-validation" +version = "0.1.0" +authors = ["The cryptography developers "] +edition = "2021" +publish = false +# This specifies the MSRV +rust-version = "1.56.0" + +[dependencies] +asn1 = { version = "0.15.0", default-features = false } +cryptography-x509 = { path = "../cryptography-x509" } + +[dev-dependencies] +pem = "1.1" diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs new file mode 100644 index 000000000000..764c699e7fa4 --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -0,0 +1,7 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +#![forbid(unsafe_code)] + +pub mod types; diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs new file mode 100644 index 000000000000..bc729736b118 --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -0,0 +1,248 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +/// A `DNSName` is an `asn1::IA5String` with additional invariant preservations +/// per [RFC 5280 4.2.1.6], which in turn uses the preferred name syntax defined +/// in [RFC 1034 3.5] and amended in [RFC 1123 2.1]. +/// +/// Non-ASCII domain names (i.e., internationalized names) must be pre-encoded; +/// comparisons are case-insensitive. +/// +/// [RFC 5280 4.2.1.6]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 +/// [RFC 1034 3.5]: https://datatracker.ietf.org/doc/html/rfc1034#section-3.5 +/// [RFC 1123 2.1]: https://datatracker.ietf.org/doc/html/rfc1123#section-2.1 +/// +/// ```rust +/// # use cryptography_x509_validation::types::DNSName; +/// assert_eq!(DNSName::new("foo.com").unwrap(), DNSName::new("FOO.com").unwrap()); +/// ``` +#[derive(Debug)] +pub struct DNSName<'a>(asn1::IA5String<'a>); + +impl<'a> DNSName<'a> { + pub fn new(value: &'a str) -> Option { + // Domains cannot be empty and must (practically) + // be less than 253 characters (255 in RFC 1034's octet encoding). + if value.is_empty() || value.len() > 253 { + None + } else { + for label in value.split('.') { + // Individual labels cannot be empty; cannot exceed 63 characters; + // cannot start or end with `-`. + // NOTE: RFC 1034's grammar prohibits consecutive hyphens, but these + // are used as part of the IDN prefix (e.g. `xn--`)'; we allow them here. + if label.is_empty() + || label.len() > 63 + || label.starts_with('-') + || label.ends_with('-') + { + return None; + } + + // Labels must only contain `a-zA-Z0-9-`. + if !label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-') { + return None; + } + } + asn1::IA5String::new(value).map(Self) + } + } + + pub fn as_str(&self) -> &'a str { + self.0.as_str() + } + + /// Return this `DNSName`'s parent domain, if it has one. + /// + /// ```rust + /// # use cryptography_x509_validation::types::DNSName; + /// let domain = DNSName::new("foo.example.com").unwrap(); + /// assert_eq!(domain.parent().unwrap().as_str(), "example.com"); + /// ``` + pub fn parent(&self) -> Option { + match self.as_str().split_once('.') { + Some((_, parent)) => Self::new(parent), + None => None, + } + } +} + +impl PartialEq for DNSName<'_> { + fn eq(&self, other: &Self) -> bool { + // DNS names are always case-insensitive. + self.as_str().eq_ignore_ascii_case(other.as_str()) + } +} + +/// A `DNSPattern` represents a subset of the domain name wildcard matching +/// behavior defined in [RFC 6125 6.4.3]. In particular, all DNS patterns +/// must either be exact matches (post-normalization) *or* a single wildcard +/// matching a full label in the left-most label position. Partial label matching +/// (e.g. `f*o.example.com`) is not supported, nor is non-left-most matching +/// (e.g. `foo.*.example.com`). +/// +/// [RFC 6125 6.4.3]: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3 +#[derive(Debug, PartialEq)] +pub enum DNSPattern<'a> { + Exact(DNSName<'a>), + Wildcard(DNSName<'a>), +} + +impl<'a> DNSPattern<'a> { + pub fn new(pat: &'a str) -> Option { + if let Some(pat) = pat.strip_prefix("*.") { + DNSName::new(pat).map(Self::Wildcard) + } else { + DNSName::new(pat).map(Self::Exact) + } + } + + pub fn matches(&self, name: &DNSName) -> bool { + match self { + Self::Exact(pat) => pat == name, + Self::Wildcard(pat) => match name.parent() { + Some(ref parent) => pat == parent, + // No parent means we have a single label; wildcards cannot match single labels. + None => false, + }, + } + } +} + +#[cfg(test)] +mod tests { + use crate::types::{DNSName, DNSPattern}; + + #[test] + fn test_dnsname_debug_trait() { + // Just to get coverage on the `Debug` derive. + assert_eq!( + "DNSName(IA5String(\"example.com\"))", + format!("{:?}", DNSName::new("example.com").unwrap()) + ); + } + + #[test] + fn test_dnsname_new() { + assert_eq!(DNSName::new(""), None); + assert_eq!(DNSName::new("."), None); + assert_eq!(DNSName::new(".."), None); + assert_eq!(DNSName::new(".a."), None); + assert_eq!(DNSName::new("a.a."), None); + assert_eq!(DNSName::new(".a"), None); + assert_eq!(DNSName::new("a."), None); + assert_eq!(DNSName::new("a.."), None); + assert_eq!(DNSName::new(" "), None); + assert_eq!(DNSName::new("\t"), None); + assert_eq!(DNSName::new(" whitespace "), None); + assert_eq!(DNSName::new("white. space"), None); + assert_eq!(DNSName::new("!badlabel!"), None); + assert_eq!(DNSName::new("bad!label"), None); + assert_eq!(DNSName::new("goodlabel.!badlabel!"), None); + assert_eq!(DNSName::new("-foo.bar.example.com"), None); + assert_eq!(DNSName::new("foo-.bar.example.com"), None); + assert_eq!(DNSName::new("foo.-bar.example.com"), None); + assert_eq!(DNSName::new("foo.bar-.example.com"), None); + assert_eq!(DNSName::new(&"a".repeat(64)), None); + assert_eq!(DNSName::new("⚠️"), None); + + let long_valid_label = "a".repeat(63); + let long_name = std::iter::repeat(long_valid_label) + .take(5) + .collect::>() + .join("."); + assert_eq!(DNSName::new(&long_name), None); + + assert_eq!( + DNSName::new(&"a".repeat(63)).unwrap().as_str(), + "a".repeat(63) + ); + assert_eq!(DNSName::new("example.com").unwrap().as_str(), "example.com"); + assert_eq!( + DNSName::new("123.example.com").unwrap().as_str(), + "123.example.com" + ); + assert_eq!(DNSName::new("EXAMPLE.com").unwrap().as_str(), "EXAMPLE.com"); + assert_eq!(DNSName::new("EXAMPLE.COM").unwrap().as_str(), "EXAMPLE.COM"); + assert_eq!( + DNSName::new("xn--bcher-kva.example").unwrap().as_str(), + "xn--bcher-kva.example" + ); + } + + #[test] + fn test_dnsname_equality() { + assert_ne!( + DNSName::new("foo.example.com").unwrap(), + DNSName::new("example.com").unwrap() + ); + + // DNS name comparisons are case insensitive. + assert_eq!( + DNSName::new("EXAMPLE.COM").unwrap(), + DNSName::new("example.com").unwrap() + ); + assert_eq!( + DNSName::new("ExAmPLe.CoM").unwrap(), + DNSName::new("eXaMplE.cOm").unwrap() + ); + } + + #[test] + fn test_dnsname_parent() { + assert_eq!(DNSName::new("localhost").unwrap().parent(), None); + assert_eq!( + DNSName::new("example.com").unwrap().parent().unwrap(), + DNSName::new("com").unwrap() + ); + assert_eq!( + DNSName::new("foo.example.com").unwrap().parent().unwrap(), + DNSName::new("example.com").unwrap() + ); + } + + #[test] + fn test_dnspattern_new() { + assert_eq!(DNSPattern::new("*"), None); + assert_eq!(DNSPattern::new("*."), None); + assert_eq!(DNSPattern::new("f*o.example.com"), None); + assert_eq!(DNSPattern::new("*oo.example.com"), None); + assert_eq!(DNSPattern::new("fo*.example.com"), None); + assert_eq!(DNSPattern::new("foo.*.example.com"), None); + assert_eq!(DNSPattern::new("*.foo.*.example.com"), None); + + assert_eq!( + DNSPattern::new("example.com").unwrap(), + DNSPattern::Exact(DNSName::new("example.com").unwrap()) + ); + assert_eq!( + DNSPattern::new("*.example.com").unwrap(), + DNSPattern::Wildcard(DNSName::new("example.com").unwrap()) + ); + } + + #[test] + fn test_dnspattern_matches() { + let exactly_localhost = DNSPattern::new("localhost").unwrap(); + let any_localhost = DNSPattern::new("*.localhost").unwrap(); + let exactly_example_com = DNSPattern::new("example.com").unwrap(); + let any_example_com = DNSPattern::new("*.example.com").unwrap(); + + // Exact patterns match only the exact name. + assert!(exactly_localhost.matches(&DNSName::new("localhost").unwrap())); + assert!(exactly_localhost.matches(&DNSName::new("LOCALHOST").unwrap())); + assert!(exactly_example_com.matches(&DNSName::new("example.com").unwrap())); + assert!(exactly_example_com.matches(&DNSName::new("EXAMPLE.com").unwrap())); + assert!(!exactly_example_com.matches(&DNSName::new("foo.example.com").unwrap())); + + // Wildcard patterns match any subdomain, but not the parent or nested subdomains. + assert!(any_example_com.matches(&DNSName::new("foo.example.com").unwrap())); + assert!(any_example_com.matches(&DNSName::new("bar.example.com").unwrap())); + assert!(any_example_com.matches(&DNSName::new("BAZ.example.com").unwrap())); + assert!(!any_example_com.matches(&DNSName::new("example.com").unwrap())); + assert!(!any_example_com.matches(&DNSName::new("foo.bar.example.com").unwrap())); + assert!(!any_example_com.matches(&DNSName::new("foo.bar.baz.example.com").unwrap())); + assert!(!any_localhost.matches(&DNSName::new("localhost").unwrap())); + } +} From 1fac99a4276ccf5eaec3b36b8fcb9eb1792c335f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 26 Jul 2023 14:28:06 -0400 Subject: [PATCH 0233/1014] Remove dependency that isn't used yet (#9296) --- src/rust/cryptography-x509-validation/Cargo.toml | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-validation/Cargo.toml index 16bfc8ac5211..d9117890bded 100644 --- a/src/rust/cryptography-x509-validation/Cargo.toml +++ b/src/rust/cryptography-x509-validation/Cargo.toml @@ -10,6 +10,3 @@ rust-version = "1.56.0" [dependencies] asn1 = { version = "0.15.0", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } - -[dev-dependencies] -pem = "1.1" From 1e246068a259faeb03be0f5ce0123524bce54a9c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 26 Jul 2023 14:29:34 -0400 Subject: [PATCH 0234/1014] validation: add CryptoOps trait (#9297) * validation: add CryptoOps trait Signed-off-by: William Woodruff * validation: rename: backend -> ops Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 1 + .../cryptography-x509-validation/src/ops.rs | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 src/rust/cryptography-x509-validation/src/ops.rs diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 764c699e7fa4..212642f6d428 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -4,4 +4,5 @@ #![forbid(unsafe_code)] +pub mod ops; pub mod types; diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs new file mode 100644 index 000000000000..6d5b27e0a4ce --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -0,0 +1,18 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use cryptography_x509::certificate::Certificate; + +pub trait CryptoOps { + /// A public key type for this cryptographic backend. + type Key; + + /// Extracts the public key from the given `Certificate` in + /// a `Key` format known by the cryptographic backend. + fn public_key(&self, cert: &Certificate) -> Self::Key; + + /// Verifies the signature on `Certificate` using the given + /// `Key`. + fn is_signed_by(&self, cert: &Certificate, key: Self::Key) -> bool; +} From 50ae9623df9181e5d08bbca0791ae69af4d3d446 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 26 Jul 2023 14:48:51 -0400 Subject: [PATCH 0235/1014] rust: update lockfile (#9298) Per #9296. Signed-off-by: William Woodruff --- src/rust/Cargo.lock | 1 - 1 file changed, 1 deletion(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b5db3648b99c..f78123504797 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -102,7 +102,6 @@ version = "0.1.0" dependencies = [ "asn1", "cryptography-x509", - "pem", ] [[package]] From 25d75f0af3b96d5f138816fee2e3d0fc7af0c195 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 26 Jul 2023 19:20:08 -0400 Subject: [PATCH 0236/1014] Certificate: useful APIs (#9300) * certificate: new APIs Signed-off-by: William Woodruff * certificate: docs Signed-off-by: William Woodruff * certificate: remove some APIs Signed-off-by: William Woodruff * remove import Signed-off-by: William Woodruff * rust: fixup error types Signed-off-by: William Woodruff * extensions: Debug Signed-off-by: William Woodruff * certificate: remove CertificateError Signed-off-by: William Woodruff * rename error Signed-off-by: William Woodruff * rust: nicer error unpacking Signed-off-by: William Woodruff * certificate: use extensions() Signed-off-by: William Woodruff * rust: use subject() and issuer() APIs Signed-off-by: William Woodruff * certificate: rm `is_self_issued` Signed-off-by: William Woodruff * clippage Signed-off-by: William Woodruff * fmt Signed-off-by: William Woodruff * extensions: remove Debug Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/certificate.rs | 22 +++++++++++++++- src/rust/cryptography-x509/src/extensions.rs | 10 +++++--- src/rust/src/x509/certificate.rs | 25 ++++++++----------- src/rust/src/x509/common.rs | 16 ++++++------ src/rust/src/x509/crl.rs | 6 ++++- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/ocsp_resp.rs | 4 ++- 7 files changed, 56 insertions(+), 29 deletions(-) diff --git a/src/rust/cryptography-x509/src/certificate.rs b/src/rust/cryptography-x509/src/certificate.rs index 06fc3a3ba4df..d5b48a537194 100644 --- a/src/rust/cryptography-x509/src/certificate.rs +++ b/src/rust/cryptography-x509/src/certificate.rs @@ -4,8 +4,10 @@ use crate::common; use crate::extensions; +use crate::extensions::DuplicateExtensionsError; use crate::extensions::Extensions; use crate::name; +use crate::name::NameReadable; #[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Eq, Clone)] pub struct Certificate<'a> { @@ -14,6 +16,24 @@ pub struct Certificate<'a> { pub signature: asn1::BitString<'a>, } +impl Certificate<'_> { + /// Returns the certificate's issuer. + pub fn issuer(&self) -> &NameReadable<'_> { + self.tbs_cert.issuer.unwrap_read() + } + + /// Returns the certificate's subject. + pub fn subject(&self) -> &NameReadable<'_> { + self.tbs_cert.subject.unwrap_read() + } + + /// Returns an iterable container over the certificate's extension, or + /// an error if the extension set contains a duplicate extension. + pub fn extensions(&self) -> Result, DuplicateExtensionsError> { + self.tbs_cert.extensions() + } +} + #[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, PartialEq, Eq, Clone)] pub struct TbsCertificate<'a> { #[explicit(0)] @@ -36,7 +56,7 @@ pub struct TbsCertificate<'a> { } impl TbsCertificate<'_> { - pub fn extensions(&self) -> Result, asn1::ObjectIdentifier> { + pub fn extensions(&self) -> Result, DuplicateExtensionsError> { Extensions::from_raw_extensions(self.raw_extensions.as_ref()) } } diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index cf48fdbf6087..cb24682a3b7b 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -8,6 +8,8 @@ use crate::common; use crate::crl; use crate::name; +pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); + pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< 'a, asn1::SequenceOf<'a, Extension<'a>>, @@ -27,14 +29,14 @@ impl<'a> Extensions<'a> { /// OID, if there are any duplicates. pub fn from_raw_extensions( raw: Option<&RawExtensions<'a>>, - ) -> Result { + ) -> Result { match raw { Some(raw_exts) => { let mut seen_oids = HashSet::new(); for ext in raw_exts.unwrap_read().clone() { if !seen_oids.insert(ext.extn_id.clone()) { - return Err(ext.extn_id); + return Err(DuplicateExtensionsError(ext.extn_id)); } } @@ -311,7 +313,7 @@ mod tests { let der = asn1::write_single(&extensions).unwrap(); let raw = asn1::parse_single(&der).unwrap(); - let extensions: Extensions = Extensions::from_raw_extensions(Some(&raw)).unwrap(); + let extensions: Extensions = Extensions::from_raw_extensions(Some(&raw)).ok().unwrap(); assert!(&extensions.get_extension(&BASIC_CONSTRAINTS_OID).is_some()); assert!(&extensions @@ -335,7 +337,7 @@ mod tests { let der = asn1::write_single(&extensions).unwrap(); let parsed = asn1::parse_single(&der).unwrap(); - let extensions: Extensions = Extensions::from_raw_extensions(Some(&parsed)).unwrap(); + let extensions: Extensions = Extensions::from_raw_extensions(Some(&parsed)).ok().unwrap(); let extension_list: Vec<_> = extensions.iter().collect(); assert_eq!(extension_list.len(), 1); diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index c085ab683820..49b048207f06 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -13,9 +13,10 @@ use cryptography_x509::certificate::Certificate as RawCertificate; use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; use cryptography_x509::extensions::{ AuthorityKeyIdentifier, BasicConstraints, DisplayText, DistributionPoint, - DistributionPointName, IssuerAlternativeName, KeyUsage, MSCertificateTemplate, NameConstraints, - PolicyConstraints, PolicyInformation, PolicyQualifierInfo, Qualifier, RawExtensions, - SequenceOfAccessDescriptions, SequenceOfSubtrees, UserNotice, + DistributionPointName, DuplicateExtensionsError, IssuerAlternativeName, KeyUsage, + MSCertificateTemplate, NameConstraints, PolicyConstraints, PolicyInformation, + PolicyQualifierInfo, Qualifier, RawExtensions, SequenceOfAccessDescriptions, + SequenceOfSubtrees, UserNotice, }; use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; @@ -129,18 +130,14 @@ impl Certificate { #[getter] fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - Ok( - x509::parse_name(py, &self.raw.borrow_dependent().tbs_cert.issuer) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?, - ) + Ok(x509::parse_name(py, self.raw.borrow_dependent().issuer()) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?) } #[getter] fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - Ok( - x509::parse_name(py, &self.raw.borrow_dependent().tbs_cert.subject) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?, - ) + Ok(x509::parse_name(py, self.raw.borrow_dependent().subject()) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?) } #[getter] @@ -160,7 +157,7 @@ impl Certificate { let val = self.raw.borrow_dependent(); let mut tbs_precert = val.tbs_cert.clone(); // Remove the SCT list extension - match val.tbs_cert.extensions() { + match val.extensions() { Ok(extensions) => { let ext_count = extensions .as_raw() @@ -185,10 +182,10 @@ impl Certificate { let result = asn1::write_single(&tbs_precert)?; Ok(pyo3::types::PyBytes::new(py, &result)) } - Err(oid) => { + Err(DuplicateExtensionsError(oid)) => { let oid_obj = oid_to_py_oid(py, &oid)?; Err(exceptions::DuplicateExtension::new_err(( - format!("Duplicate {} extension found", oid), + format!("Duplicate {} extension found", &oid), oid_obj.into_py(py), )) .into()) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index e38f9b321730..81bf25326ab7 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -6,8 +6,10 @@ use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, x509}; use cryptography_x509::common::{Asn1ReadableOrWritable, AttributeTypeValue, RawTlv}; -use cryptography_x509::extensions::{AccessDescription, Extension, Extensions, RawExtensions}; -use cryptography_x509::name::{GeneralName, Name, OtherName, UnvalidatedIA5String}; +use cryptography_x509::extensions::{ + AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, +}; +use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; use pyo3::types::IntoPyDict; use pyo3::{IntoPy, ToPyObject}; @@ -173,11 +175,11 @@ pub(crate) fn encode_access_descriptions<'a>( pub(crate) fn parse_name<'p>( py: pyo3::Python<'p>, - name: &Name<'_>, + name: &NameReadable<'_>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let py_rdns = pyo3::types::PyList::empty(py); - for rdn in name.unwrap_read().clone() { + for rdn in name.clone() { let py_rdn = parse_rdn(py, &rdn)?; py_rdns.append(py_rdn)?; } @@ -272,7 +274,7 @@ pub(crate) fn parse_general_name( .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DirectoryName(data) => { - let py_name = parse_name(py, &data)?; + let py_name = parse_name(py, data.unwrap_read())?; x509_module .call_method1(pyo3::intern!(py, "DirectoryName"), (py_name,))? .to_object(py) @@ -395,10 +397,10 @@ pub(crate) fn parse_and_cache_extensions< let extensions = match Extensions::from_raw_extensions(raw_extensions.as_ref()) { Ok(extensions) => extensions, - Err(oid) => { + Err(DuplicateExtensionsError(oid)) => { let oid_obj = oid_to_py_oid(py, &oid)?; return Err(exceptions::DuplicateExtension::new_err(( - format!("Duplicate {} extension found", oid), + format!("Duplicate {} extension found", &oid), oid_obj.into_py(py), ))); } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index fbb7b4668bb1..807d3ddc1270 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -240,7 +240,11 @@ impl CertificateRevocationList { fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok(x509::parse_name( py, - &self.owned.borrow_dependent().tbs_cert_list.issuer, + self.owned + .borrow_dependent() + .tbs_cert_list + .issuer + .unwrap_read(), )?) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 0df274c3e693..0a0941265216 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -74,7 +74,7 @@ impl CertificateSigningRequest { fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok(x509::parse_name( py, - &self.raw.borrow_dependent().csr_info.subject, + self.raw.borrow_dependent().csr_info.subject.unwrap_read(), )?) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index abb32d526392..49cd67fda8aa 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -147,7 +147,9 @@ impl OCSPResponse { fn responder_name<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { - ocsp_resp::ResponderId::ByName(ref name) => Ok(x509::parse_name(py, name)?), + ocsp_resp::ResponderId::ByName(ref name) => { + Ok(x509::parse_name(py, name.unwrap_read())?) + } ocsp_resp::ResponderId::ByKey(_) => Ok(py.None().into_ref(py)), } } From 0d213f339146212f517e293f3cf0443931a2701e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 27 Jul 2023 00:16:34 +0000 Subject: [PATCH 0237/1014] Bump BoringSSL and/or OpenSSL in CI (#9301) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 32b1ad8d82c4..348b860ae130 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e4acd6cb568214b1c7db4e59ce54ea2e1deae1f5"}} - # Latest commit on the OpenSSL master branch, as of Jul 26, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bc5d9cc8711e86d5c25b81c58dfae531536e61fc"}} + # Latest commit on the OpenSSL master branch, as of Jul 27, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "81d10e61a4b7d5394d08a718bf7d6bae20e818fc"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From d43586fc3799a9428b1e9b2cfce1a68a2dcfb1ca Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Thu, 27 Jul 2023 23:39:49 +0200 Subject: [PATCH 0238/1014] add `SSL_OP_LEGACY_SERVER_CONNECT` binding (#9303) This is useful to expose in pyOpenSSL so that it can be referenced downstream for `Context.set_options`. (https://github.com/mitmproxy/mitmproxy/pull/6281) --- src/_cffi_src/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index dfab7f651341..73221219b83e 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -72,6 +72,7 @@ static const long SSL_OP_ALL; static const long SSL_OP_SINGLE_ECDH_USE; static const long SSL_OP_IGNORE_UNEXPECTED_EOF; +static const long SSL_OP_LEGACY_SERVER_CONNECT; static const long SSL_VERIFY_PEER; static const long SSL_VERIFY_FAIL_IF_NO_PEER_CERT; static const long SSL_VERIFY_CLIENT_ONCE; From 223db54bf40edeff69815a4661ac74c7cb66d40d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 28 Jul 2023 12:33:00 +1200 Subject: [PATCH 0239/1014] Bump BoringSSL and/or OpenSSL in CI (#9304) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 348b860ae130..e2764fd37992 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Jul 26, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e4acd6cb568214b1c7db4e59ce54ea2e1deae1f5"}} - # Latest commit on the OpenSSL master branch, as of Jul 27, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "81d10e61a4b7d5394d08a718bf7d6bae20e818fc"}} + # Latest commit on the OpenSSL master branch, as of Jul 28, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ae29622f39f7deb0599624cc7a771bfc05f1353f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From ead26aedf003f07f0edd45a721e1b3d80f1a1213 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 28 Jul 2023 22:48:16 +1200 Subject: [PATCH 0240/1014] fix the memory leak in fixedpool (#9272) * fix the memory leak in fixedpool fixes #9255 * simplify fix --- src/rust/src/pool.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/rust/src/pool.rs b/src/rust/src/pool.rs index b9e6e27cd4af..0f45bed4640d 100644 --- a/src/rust/src/pool.rs +++ b/src/rust/src/pool.rs @@ -52,6 +52,11 @@ impl FixedPool { }) } } + + fn __traverse__(&self, visit: pyo3::PyVisit<'_>) -> Result<(), pyo3::PyTraverseError> { + visit.call(&self.create_fn)?; + Ok(()) + } } #[pyo3::pymethods] From f10c82181173a2806b035ed39bb705f1bf745d52 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 29 Jul 2023 00:18:11 +0000 Subject: [PATCH 0241/1014] Bump BoringSSL and/or OpenSSL in CI (#9307) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2764fd37992..3719c8f7154e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 26, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e4acd6cb568214b1c7db4e59ce54ea2e1deae1f5"}} - # Latest commit on the OpenSSL master branch, as of Jul 28, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ae29622f39f7deb0599624cc7a771bfc05f1353f"}} + # Latest commit on the BoringSSL master branch, as of Jul 29, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "d95b03c315bac8c44d3ce062053d3a5817915d91"}} + # Latest commit on the OpenSSL master branch, as of Jul 29, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbd23b929609c0b2fe22da97ac349fae5a385027"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 7735fffa7b6b5ee99bdedcc3a0dfbf5f01554fe1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 28 Jul 2023 23:51:11 -0400 Subject: [PATCH 0242/1014] Mark the majority of our Rust types as frozen (#9306) This tells pyo3 that they are immutable, which makes them marginally cheaper. There's a handful of places where types _should_ be immutable, but aren't. For those I added `TODO` comments. --- src/rust/src/asn1.rs | 2 +- src/rust/src/backend/dh.rs | 6 +++--- src/rust/src/backend/dsa.rs | 3 +++ src/rust/src/backend/ec.rs | 4 ++-- src/rust/src/backend/ed25519.rs | 4 ++-- src/rust/src/backend/ed448.rs | 4 ++-- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- src/rust/src/exceptions.rs | 1 + src/rust/src/lib.rs | 2 +- src/rust/src/oid.rs | 2 +- src/rust/src/pool.rs | 4 ++-- src/rust/src/x509/certificate.rs | 1 + src/rust/src/x509/crl.rs | 2 ++ src/rust/src/x509/csr.rs | 1 + src/rust/src/x509/ocsp_req.rs | 1 + src/rust/src/x509/ocsp_resp.rs | 3 ++- src/rust/src/x509/sct.rs | 2 +- 18 files changed, 30 insertions(+), 20 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 12827ccca5a3..3dd12ed070c1 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -136,7 +136,7 @@ fn encode_dss_signature( Ok(pyo3::types::PyBytes::new(py, &result).to_object(py)) } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.asn1")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] struct TestCertificate { #[pyo3(get)] not_before_tag: u8, diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 9612106c5262..9bb736a9c545 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -11,17 +11,17 @@ use foreign_types_shared::ForeignTypeRef; const MIN_MODULUS_SIZE: u32 = 512; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] struct DHPrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] struct DHPublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] struct DHParameters { dh: openssl::dh::Dh, } diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 59a5a676d5d5..db328336ebe5 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -8,6 +8,7 @@ use crate::exceptions; use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass( + frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPrivateKey" )] @@ -16,6 +17,7 @@ struct DsaPrivateKey { } #[pyo3::prelude::pyclass( + frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPublicKey" )] @@ -24,6 +26,7 @@ struct DsaPublicKey { } #[pyo3::prelude::pyclass( + frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAParameters" )] diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 59351b721a49..766094b2a89a 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -9,14 +9,14 @@ use foreign_types_shared::ForeignTypeRef; use pyo3::basic::CompareOp; use pyo3::ToPyObject; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ec")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] struct ECPrivateKey { pkey: openssl::pkey::PKey, #[pyo3(get)] curve: pyo3::Py, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ec")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] struct ECPublicKey { pkey: openssl::pkey::PKey, #[pyo3(get)] diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 7bee88104482..d0baba7e49bb 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -8,12 +8,12 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use foreign_types_shared::ForeignTypeRef; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] struct Ed25519PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] struct Ed25519PublicKey { pkey: openssl::pkey::PKey, } diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index c0c621a321c3..25d782fd3e8f 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -8,12 +8,12 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use foreign_types_shared::ForeignTypeRef; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ed448")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] struct Ed448PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.ed448")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] struct Ed448PublicKey { pkey: openssl::pkey::PKey, } diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index f27c0594ab3c..728f0231cb61 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -7,12 +7,12 @@ use crate::buf::CffiBuf; use crate::error::CryptographyResult; use foreign_types_shared::ForeignTypeRef; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.x25519")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] struct X25519PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.x25519")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] struct X25519PublicKey { pkey: openssl::pkey::PKey, } diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 97e52ee6cc95..4c6da8c7d4cc 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -7,12 +7,12 @@ use crate::buf::CffiBuf; use crate::error::CryptographyResult; use foreign_types_shared::ForeignTypeRef; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.x448")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] struct X448PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.x448")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] struct X448PublicKey { pkey: openssl::pkey::PKey, } diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index ec1e18c7ff9c..e3feb38d1d8c 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -3,6 +3,7 @@ // for complete details. #[pyo3::prelude::pyclass( + frozen, module = "cryptography.hazmat.bindings._rust.exceptions", name = "_Reasons" )] diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 4d88e2813b50..c8d92f511b7f 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -85,7 +85,7 @@ fn raise_openssl_error() -> crate::error::CryptographyResult<()> { Err(openssl::error::ErrorStack::get().into()) } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl")] struct OpenSSLError { e: openssl::error::Error, } diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index f6dae6122bbf..fd7b17cf9183 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -6,7 +6,7 @@ use crate::error::CryptographyResult; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] pub(crate) struct ObjectIdentifier { pub(crate) oid: asn1::ObjectIdentifier, } diff --git a/src/rust/src/pool.rs b/src/rust/src/pool.rs index 0f45bed4640d..c8d029bdc3ce 100644 --- a/src/rust/src/pool.rs +++ b/src/rust/src/pool.rs @@ -7,14 +7,14 @@ use std::cell::Cell; // An object pool that can contain a single object and will dynamically // allocate new objects to fulfill requests if the pool'd object is already in // use. -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] pub(crate) struct FixedPool { create_fn: pyo3::PyObject, value: Cell>, } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] struct PoolAcquisition { pool: pyo3::Py, diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 49b048207f06..1201180d5335 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -33,6 +33,7 @@ self_cell::self_cell!( } ); +// TODO: can't be frozen because extensions takes `&mut self` #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Certificate { pub(crate) raw: OwnedCertificate, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 807d3ddc1270..dbbd1f912340 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -71,6 +71,7 @@ self_cell::self_cell!( } ); +// TODO: can't be frozen because extensions required `&mut self`. #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateRevocationList { owned: Arc, @@ -490,6 +491,7 @@ impl Clone for OwnedRevokedCertificate { } } +// TODO: can't be frozen because extensions required `&mut self`. #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct RevokedCertificate { owned: OwnedRevokedCertificate, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 0a0941265216..62bf6e33080e 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -22,6 +22,7 @@ self_cell::self_cell!( } ); +// TODO: can't be frozen extensions take `&mut self` #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateSigningRequest { raw: OwnedCsr, diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index b77aacc215fa..d2206420761f 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -49,6 +49,7 @@ fn load_der_ocsp_request( }) } +// TODO: can't be frozen because extensions takes `&mut self` #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPRequest { raw: OwnedOCSPRequest, diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 49cd67fda8aa..4427ebf3655a 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -70,6 +70,7 @@ self_cell::self_cell!( } ); +// TODO: can't be frozen extensions and single_extensions take `&mut self` #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponse { raw: Arc, @@ -790,7 +791,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPSingleResponse { raw: OwnedSingleResponse, } diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index a13785bf3fb1..22eaed817e57 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -127,7 +127,7 @@ impl TryFrom for SignatureAlgorithm { } } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Sct { log_id: [u8; 32], timestamp: u64, From 543cf431790c489fba9bd616b04c75785e2b19f2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 29 Jul 2023 00:02:30 -0400 Subject: [PATCH 0243/1014] Mark the majority of the remaining Rust types as frozen (#9308) These types only required mutability for an interior cache. By using `GILOnceCell` we don't require an `&mut` reference for this. --- src/rust/src/x509/certificate.rs | 11 +++-- src/rust/src/x509/common.rs | 76 ++++++++++++++++---------------- src/rust/src/x509/crl.rs | 28 ++++++------ src/rust/src/x509/csr.rs | 13 +++--- src/rust/src/x509/ocsp_req.rs | 11 +++-- src/rust/src/x509/ocsp_resp.rs | 21 +++++---- 6 files changed, 76 insertions(+), 84 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 1201180d5335..d4a540cd15ad 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -33,11 +33,10 @@ self_cell::self_cell!( } ); -// TODO: can't be frozen because extensions takes `&mut self` -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Certificate { pub(crate) raw: OwnedCertificate, - pub(crate) cached_extensions: Option, + pub(crate) cached_extensions: pyo3::once_cell::GILOnceCell, } #[pyo3::prelude::pymethods] @@ -248,11 +247,11 @@ impl Certificate { } #[getter] - fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, - &mut self.cached_extensions, + &self.cached_extensions, &self.raw.borrow_dependent().tbs_cert.raw_extensions, |ext| match ext.extn_id { oid::PRECERT_POISON_OID => { @@ -386,7 +385,7 @@ fn load_der_x509_certificate( Ok(Certificate { raw, - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), }) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 81bf25326ab7..3c64b2f6829c 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -387,48 +387,46 @@ pub(crate) fn parse_and_cache_extensions< F: Fn(&Extension<'_>) -> Result, CryptographyError>, >( py: pyo3::Python<'p>, - cached_extensions: &mut Option, + cached_extensions: &pyo3::once_cell::GILOnceCell, raw_extensions: &Option>, parse_ext: F, ) -> pyo3::PyResult { - if let Some(cached) = cached_extensions { - return Ok(cached.clone_ref(py)); - } - - let extensions = match Extensions::from_raw_extensions(raw_extensions.as_ref()) { - Ok(extensions) => extensions, - Err(DuplicateExtensionsError(oid)) => { - let oid_obj = oid_to_py_oid(py, &oid)?; - return Err(exceptions::DuplicateExtension::new_err(( - format!("Duplicate {} extension found", &oid), - oid_obj.into_py(py), - ))); - } - }; - - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; - let exts = pyo3::types::PyList::empty(py); - for raw_ext in extensions.iter() { - let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; - - let extn_value = match parse_ext(&raw_ext)? { - Some(e) => e, - None => x509_module.call_method1( - pyo3::intern!(py, "UnrecognizedExtension"), - (oid_obj, raw_ext.extn_value), - )?, - }; - let ext_obj = x509_module.call_method1( - pyo3::intern!(py, "Extension"), - (oid_obj, raw_ext.critical, extn_value), - )?; - exts.append(ext_obj)?; - } - let extensions = x509_module - .call_method1(pyo3::intern!(py, "Extensions"), (exts,))? - .to_object(py); - *cached_extensions = Some(extensions.clone_ref(py)); - Ok(extensions) + cached_extensions + .get_or_try_init(py, || { + let extensions = match Extensions::from_raw_extensions(raw_extensions.as_ref()) { + Ok(extensions) => extensions, + Err(DuplicateExtensionsError(oid)) => { + let oid_obj = oid_to_py_oid(py, &oid)?; + return Err(exceptions::DuplicateExtension::new_err(( + format!("Duplicate {} extension found", &oid), + oid_obj.into_py(py), + ))); + } + }; + + let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; + let exts = pyo3::types::PyList::empty(py); + for raw_ext in extensions.iter() { + let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; + + let extn_value = match parse_ext(&raw_ext)? { + Some(e) => e, + None => x509_module.call_method1( + pyo3::intern!(py, "UnrecognizedExtension"), + (oid_obj, raw_ext.extn_value), + )?, + }; + let ext_obj = x509_module.call_method1( + pyo3::intern!(py, "Extension"), + (oid_obj, raw_ext.critical, extn_value), + )?; + exts.append(ext_obj)?; + } + Ok(x509_module + .call_method1(pyo3::intern!(py, "Extensions"), (exts,))? + .to_object(py)) + }) + .map(|p| p.clone_ref(py)) } pub(crate) fn encode_extensions< diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index dbbd1f912340..126561a1d055 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -43,7 +43,7 @@ fn load_der_x509_crl( Ok(CertificateRevocationList { owned: Arc::new(owned), revoked_certs: pyo3::once_cell::GILOnceCell::new(), - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), }) } @@ -71,13 +71,12 @@ self_cell::self_cell!( } ); -// TODO: can't be frozen because extensions required `&mut self`. -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateRevocationList { owned: Arc, revoked_certs: pyo3::once_cell::GILOnceCell>, - cached_extensions: Option, + cached_extensions: pyo3::once_cell::GILOnceCell, } impl CertificateRevocationList { @@ -88,7 +87,7 @@ impl CertificateRevocationList { fn revoked_cert(&self, py: pyo3::Python<'_>, idx: usize) -> RevokedCertificate { RevokedCertificate { owned: self.revoked_certs.get(py).unwrap()[idx].clone(), - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), } } @@ -270,13 +269,13 @@ impl CertificateRevocationList { } #[getter] - fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let tbs_cert_list = &self.owned.borrow_dependent().tbs_cert_list; let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, - &mut self.cached_extensions, + &self.cached_extensions, &tbs_cert_list.raw_crl_extensions, |ext| match ext.extn_id { oid::CRL_NUMBER_OID => { @@ -359,7 +358,7 @@ impl CertificateRevocationList { } fn get_revoked_certificate_by_serial_number( - &mut self, + &self, py: pyo3::Python<'_>, serial: &pyo3::types::PyLong, ) -> pyo3::PyResult> { @@ -381,7 +380,7 @@ impl CertificateRevocationList { match owned { Ok(o) => Ok(Some(RevokedCertificate { owned: o, - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), })), Err(()) => Ok(None), } @@ -466,7 +465,7 @@ impl CRLIterator { .ok()?; Some(RevokedCertificate { owned: revoked, - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), }) } } @@ -491,11 +490,10 @@ impl Clone for OwnedRevokedCertificate { } } -// TODO: can't be frozen because extensions required `&mut self`. -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct RevokedCertificate { owned: OwnedRevokedCertificate, - cached_extensions: Option, + cached_extensions: pyo3::once_cell::GILOnceCell, } #[pyo3::prelude::pymethods] @@ -517,10 +515,10 @@ impl RevokedCertificate { } #[getter] - fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { x509::parse_and_cache_extensions( py, - &mut self.cached_extensions, + &self.cached_extensions, &self.owned.borrow_dependent().raw_crl_entry_extensions, |ext| parse_crl_entry_ext(py, ext), ) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 62bf6e33080e..d0a27705e006 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -22,11 +22,10 @@ self_cell::self_cell!( } ); -// TODO: can't be frozen extensions take `&mut self` -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateSigningRequest { raw: OwnedCsr, - cached_extensions: Option, + cached_extensions: pyo3::once_cell::GILOnceCell, } #[pyo3::prelude::pymethods] @@ -179,7 +178,7 @@ impl CertificateSigningRequest { } #[getter] - fn attributes<'p>(&mut self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn attributes<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { let pyattrs = pyo3::types::PyList::empty(py); for attribute in self .raw @@ -212,7 +211,7 @@ impl CertificateSigningRequest { } #[getter] - fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let raw_exts = self .raw .borrow_dependent() @@ -224,7 +223,7 @@ impl CertificateSigningRequest { ) })?; - x509::parse_and_cache_extensions(py, &mut self.cached_extensions, &raw_exts, |ext| { + x509::parse_and_cache_extensions(py, &self.cached_extensions, &raw_exts, |ext| { certificate::parse_cert_ext(py, ext) }) } @@ -283,7 +282,7 @@ fn load_der_x509_csr( Ok(CertificateSigningRequest { raw, - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), }) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index d2206420761f..38704613fa9e 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -45,16 +45,15 @@ fn load_der_ocsp_request( Ok(OCSPRequest { raw, - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), }) } -// TODO: can't be frozen because extensions takes `&mut self` -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPRequest { raw: OwnedOCSPRequest, - cached_extensions: Option, + cached_extensions: pyo3::once_cell::GILOnceCell, } impl OCSPRequest { @@ -112,13 +111,13 @@ impl OCSPRequest { } #[getter] - fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let tbs_request = &self.raw.borrow_dependent().tbs_request; let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, - &mut self.cached_extensions, + &self.cached_extensions, &tbs_request.raw_request_extensions, |ext| { match ext.extn_id { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 4427ebf3655a..e6e8f77851fe 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -57,8 +57,8 @@ fn load_der_ocsp_response( }; Ok(OCSPResponse { raw: Arc::new(raw), - cached_extensions: None, - cached_single_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_single_extensions: pyo3::once_cell::GILOnceCell::new(), }) } @@ -70,13 +70,12 @@ self_cell::self_cell!( } ); -// TODO: can't be frozen extensions and single_extensions take `&mut self` -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponse { raw: Arc, - cached_extensions: Option, - cached_single_extensions: Option, + cached_extensions: pyo3::once_cell::GILOnceCell, + cached_single_extensions: pyo3::once_cell::GILOnceCell, } impl OCSPResponse { @@ -247,7 +246,7 @@ impl OCSPResponse { py, x509::certificate::Certificate { raw: raw_cert, - cached_extensions: None, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), }, )?)?; } @@ -321,7 +320,7 @@ impl OCSPResponse { } #[getter] - fn extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { self.requires_successful_response()?; let response_data = &self @@ -337,7 +336,7 @@ impl OCSPResponse { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, - &mut self.cached_extensions, + &self.cached_extensions, &response_data.raw_response_extensions, |ext| { match &ext.extn_id { @@ -360,7 +359,7 @@ impl OCSPResponse { } #[getter] - fn single_extensions(&mut self, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn single_extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { self.requires_successful_response()?; let single_resp = single_response( self.raw @@ -375,7 +374,7 @@ impl OCSPResponse { let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, - &mut self.cached_single_extensions, + &self.cached_single_extensions, &single_resp.raw_single_extensions, |ext| match &ext.extn_id { &oid::SIGNED_CERTIFICATE_TIMESTAMPS_OID => { From 602efbca2e6ec8889f37c6c25c7e966e979da023 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 29 Jul 2023 16:15:40 -0400 Subject: [PATCH 0244/1014] musllinux 1.2 wheels (#9310) * musllinux 1.2 wheels * Update wheel-builder.yml * wtf? * Update wheel-builder.yml --- .github/workflows/wheel-builder.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 3747eb106d0f..07218bb45765 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -66,10 +66,12 @@ jobs: - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} + - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} exclude: # There are no readily available musllinux PyPy distributions - PYTHON: { VERSION: "pp38-pypy38_pp73" } @@ -84,7 +86,21 @@ jobs: MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - # We also don't build pypy wheels for anything except the latest manylinux + + - PYTHON: { VERSION: "pp38-pypy38_pp73" } + MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp39-pypy39_pp73" } + MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp310-pypy310_pp73" } + MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} + - PYTHON: { VERSION: "pp38-pypy38_pp73" } + MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - PYTHON: { VERSION: "pp39-pypy39_pp73" } + MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + - PYTHON: { VERSION: "pp310-pypy310_pp73" } + MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} + + # We also don't build pypy wheels for anything except the latest manylinux - PYTHON: { VERSION: "pp38-pypy38_pp73" } MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp39-pypy39_pp73" } @@ -106,7 +122,7 @@ jobs: # then use a glibc nodejs, which works fine when gcompat # is installed in the container (which it is) sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release - if: matrix.MANYLINUX.NAME == 'musllinux_1_1_aarch64' + if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 From 845b392474a489f45eb0d9b6b042ca7d9f7d66dc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 30 Jul 2023 02:33:08 +0000 Subject: [PATCH 0245/1014] Bump rich from 13.4.2 to 13.5.0 (#9311) Bumps [rich](https://github.com/Textualize/rich) from 13.4.2 to 13.5.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.4.2...v13.5.0) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f097902c2dcc..fc0a495936b6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.4.2 +rich==13.5.0 # via twine ruff==0.0.280 # via cryptography (pyproject.toml) From 245429860553681a45237381b511d9f66f631edf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 30 Jul 2023 02:33:50 +0000 Subject: [PATCH 0246/1014] Bump pathspec from 0.11.1 to 0.11.2 (#9312) Bumps [pathspec](https://github.com/cpburnz/python-pathspec) from 0.11.1 to 0.11.2. - [Release notes](https://github.com/cpburnz/python-pathspec/releases) - [Changelog](https://github.com/cpburnz/python-pathspec/blob/master/CHANGES.rst) - [Commits](https://github.com/cpburnz/python-pathspec/compare/v0.11.1...v0.11.2) --- updated-dependencies: - dependency-name: pathspec dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index fc0a495936b6..69fa82973d3e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -83,7 +83,7 @@ packaging==23.1 # nox # pytest # sphinx -pathspec==0.11.1 +pathspec==0.11.2 # via # black # check-sdist From 8df3b4f6a3602b6bec53e6817af5991a9def7142 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 30 Jul 2023 02:35:56 +0000 Subject: [PATCH 0247/1014] Bump platformdirs from 3.9.1 to 3.10.0 (#9313) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.9.1 to 3.10.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.9.1...3.10.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 69fa82973d3e..c8af091aff68 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.2 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.9.1 +platformdirs==3.10.0 # via # black # virtualenv From d672a463f942a4740b627ad41aeae0ae75d49464 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 29 Jul 2023 23:02:01 -0400 Subject: [PATCH 0248/1014] Bump rich from 13.4.2 to 13.5.0 in /.github/requirements (#9314) Bumps [rich](https://github.com/Textualize/rich) from 13.4.2 to 13.5.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.4.2...v13.5.0) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 18b40725b405..8bf266fb4d8a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -414,9 +414,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.4.2 \ - --hash=sha256:8f87bc7ee54675732fa66a05ebfe489e27264caeeff3728c945d25971b6485ec \ - --hash=sha256:d653d6bccede5844304c605d5aac802c7cf9621efd700b46c7ec2b51ea914898 +rich==13.5.0 \ + --hash=sha256:62c81e88dc078d2372858660e3d5566746870133e51321f852ccc20af5c7e7b2 \ + --hash=sha256:996670a7618ccce27c55ba6fc0142e6e343773e11d34c96566a17b71b0e6f179 # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ From 62c45a8507dfd00603dad4a95f69c665fb475c46 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 31 Jul 2023 13:55:55 -0400 Subject: [PATCH 0249/1014] Drop PyPy 3.8 (#9315) They're no longer advertised on the PyPy website --- .github/workflows/ci.yml | 1 - .github/workflows/wheel-builder.yml | 21 --------------------- 2 files changed, 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3719c8f7154e..559251156cd7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,6 @@ jobs: - {VERSION: "3.11", NOXSESSION: "flake"} - {VERSION: "3.11", NOXSESSION: "rust"} - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1"}} - - {VERSION: "pypy-3.8", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1u"}} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 07218bb45765..36d6dea8d796 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -59,7 +59,6 @@ jobs: matrix: PYTHON: - { VERSION: "cp37-cp37m", ABI_VERSION: 'cp37' } - - { VERSION: "pp38-pypy38_pp73" } - { VERSION: "pp39-pypy39_pp73" } - { VERSION: "pp310-pypy310_pp73" } MANYLINUX: @@ -74,41 +73,29 @@ jobs: - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} exclude: # There are no readily available musllinux PyPy distributions - - PYTHON: { VERSION: "pp38-pypy38_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp38-pypy38_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - PYTHON: { VERSION: "pp38-pypy38_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp38-pypy38_pp73" } - MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} # We also don't build pypy wheels for anything except the latest manylinux - - PYTHON: { VERSION: "pp38-pypy38_pp73" } - MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } MANYLINUX: { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp38-pypy38_pp73" } - MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - PYTHON: { VERSION: "pp310-pypy310_pp73" } @@ -200,11 +187,6 @@ jobs: # requires a 21.x pip) ARCHFLAGS: '-arch x86_64' _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - - VERSION: 'pypy-3.8' - BIN_PATH: 'pypy3' - DEPLOYMENT_TARGET: '10.12' - _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - ARCHFLAGS: '-arch x86_64' - VERSION: 'pypy-3.9' BIN_PATH: 'pypy3' DEPLOYMENT_TARGET: '10.12' @@ -300,13 +282,10 @@ jobs: - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'} PYTHON: - {VERSION: "3.11", "ABI_VERSION": "cp37"} - - {VERSION: "pypy-3.8"} - {VERSION: "pypy-3.9"} - {VERSION: "pypy-3.10"} exclude: # We need to exclude the below configuration because there is no 32-bit pypy3 - - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - PYTHON: {VERSION: "pypy-3.8"} - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} PYTHON: {VERSION: "pypy-3.9"} - WINDOWS: {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} From 1961fdb264eb46ea09de858460694fae308aa712 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 1 Aug 2023 09:41:15 +1200 Subject: [PATCH 0250/1014] update pypy supported versions in the docs (#9318) * update tested pypy version * update pypy supported version --- README.rst | 2 +- docs/installation.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index d71765b8dba3..3e573ae0a272 100644 --- a/README.rst +++ b/README.rst @@ -15,7 +15,7 @@ pyca/cryptography ``cryptography`` is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic -standard library". It supports Python 3.7+ and PyPy3 7.3.10+. +standard library". It supports Python 3.7+ and PyPy3 7.3.11+. ``cryptography`` includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and diff --git a/docs/installation.rst b/docs/installation.rst index 38756ef418ee..04fc3ce3d18e 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -13,7 +13,7 @@ single most common cause of installation problems. Supported platforms ------------------- -Currently we test ``cryptography`` on Python 3.7+ and PyPy3 7.3.10+ on these +Currently we test ``cryptography`` on Python 3.7+ and PyPy3 7.3.11+ on these operating systems. * x86-64 RHEL 8.x From 1372f0c4767e39ebb4f0b964203c017e99424089 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 17:42:18 -0400 Subject: [PATCH 0251/1014] Bump rich from 13.5.0 to 13.5.1 (#9316) Bumps [rich](https://github.com/Textualize/rich) from 13.5.0 to 13.5.1. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.0...v13.5.1) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c8af091aff68..99cd235fad87 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.5.0 +rich==13.5.1 # via twine ruff==0.0.280 # via cryptography (pyproject.toml) From 4045e87692c8d672999bf7c437517d19a00a5aac Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 17:42:30 -0400 Subject: [PATCH 0252/1014] Bump rich from 13.5.0 to 13.5.1 in /.github/requirements (#9317) Bumps [rich](https://github.com/Textualize/rich) from 13.5.0 to 13.5.1. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.0...v13.5.1) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8bf266fb4d8a..23489ae93e4b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -414,9 +414,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.5.0 \ - --hash=sha256:62c81e88dc078d2372858660e3d5566746870133e51321f852ccc20af5c7e7b2 \ - --hash=sha256:996670a7618ccce27c55ba6fc0142e6e343773e11d34c96566a17b71b0e6f179 +rich==13.5.1 \ + --hash=sha256:881653ee7037803559d8eae98f145e0a4c4b0ec3ff0300d2cc8d479c71fc6819 \ + --hash=sha256:b97381b204a206e1be618f5e1215a57174a1a7732490b3bf6668cf41d30bc72d # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ From 7a500d9de93e2a90e227649d31c06b789ec0c2a0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 20:22:25 -0400 Subject: [PATCH 0253/1014] Bump BoringSSL and/or OpenSSL in CI (#9321) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 559251156cd7..a4f8018e6133 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Jul 29, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "d95b03c315bac8c44d3ce062053d3a5817915d91"}} - # Latest commit on the OpenSSL master branch, as of Jul 29, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbd23b929609c0b2fe22da97ac349fae5a385027"}} + # Latest commit on the BoringSSL master branch, as of Aug 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8dec463a609706480a6ae9057702ec662843acc2"}} + # Latest commit on the OpenSSL master branch, as of Aug 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e3d897d3fa3b48bb835fab0665a435469beea7ae"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 2854469fce7af900bc390f46ef56408ac0f0495d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:25:32 +0000 Subject: [PATCH 0254/1014] Bump ruff from 0.0.280 to 0.0.281 (#9322) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.280 to 0.0.281. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.280...v0.0.281) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 99cd235fad87..af3f85eda607 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.1 # via twine -ruff==0.0.280 +ruff==0.0.281 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 115835cdc0559f798e1d0ddd666f3cc81f74a880 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:44:36 +0000 Subject: [PATCH 0255/1014] Bump pyo3 from 0.19.1 to 0.19.2 in /src/rust (#9324) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.19.1 to 0.19.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.19.1...v0.19.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f78123504797..c25625d0b22c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -243,9 +243,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.19.1" +version = "0.19.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffb88ae05f306b4bfcde40ac4a51dc0b05936a9207a4b75b798c7729c4258a59" +checksum = "e681a6cfdc4adcc93b4d3cf993749a4552018ee0a9b65fc0ccfad74352c72a38" dependencies = [ "cfg-if", "indoc", @@ -260,9 +260,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.19.1" +version = "0.19.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "554db24f0b3c180a9c0b1268f91287ab3f17c162e15b54caaae5a6b3773396b0" +checksum = "076c73d0bc438f7a4ef6fdd0c3bb4732149136abd952b110ac93e4edb13a6ba5" dependencies = [ "once_cell", "target-lexicon", @@ -270,9 +270,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.19.1" +version = "0.19.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "922ede8759e8600ad4da3195ae41259654b9c55da4f7eec84a0ccc7d067a70a4" +checksum = "e53cee42e77ebe256066ba8aa77eff722b3bb91f3419177cf4cd0f304d3284d9" dependencies = [ "libc", "pyo3-build-config", @@ -280,9 +280,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.19.1" +version = "0.19.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a5caec6a1dd355964a841fcbeeb1b89fe4146c87295573f94228911af3cc5a2" +checksum = "dfeb4c99597e136528c6dd7d5e3de5434d1ceaf487436a3f03b2d56b6fc9efd1" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -292,9 +292,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.19.1" +version = "0.19.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0b78ccbb160db1556cdb6fd96c50334c5d4ec44dc5e0a968d0a1208fa0efa8b" +checksum = "947dc12175c254889edc0c02e399476c2f652b4b9ebd123aa655c224de259536" dependencies = [ "proc-macro2", "quote", From 3521d169af9ab18aece5d6ee1de7f82e573bd6fa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:58:21 +0000 Subject: [PATCH 0256/1014] Bump target-lexicon from 0.12.10 to 0.12.11 in /src/rust (#9325) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.10 to 0.12.11. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.10...v0.12.11) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c25625d0b22c..98036e950f76 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -361,9 +361,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.10" +version = "0.12.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1d2faeef5759ab89935255b1a4cd98e0baf99d1085e37d36599c625dac49ae8e" +checksum = "9d0e916b1148c8e263850e1ebcbd046f333e0683c724876bb0da63ea4373dc8a" [[package]] name = "unicode-ident" From 2c9eb8363f7239d6d10f88d0aec1aed2106ac175 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Aug 2023 15:12:17 -0400 Subject: [PATCH 0257/1014] attempted workaround for GHA breakage (#9329) * attempted workaround for GHA breakage * Update ci.yml --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a4f8018e6133..b1cb8d84cceb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -239,6 +239,10 @@ jobs: with: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} + # Attempted work around for https://github.com/actions/setup-python/issues/709 + - run: brew install openssl@1.1 + if: matrix.PYTHON.VERSION == '3.7' + - name: Setup python uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: From cfdffb57ce6411064f74fd3d7daa5946c5ecf0f1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Aug 2023 15:12:43 -0400 Subject: [PATCH 0258/1014] fix link in issue template (#9327) --- .github/ISSUE_TEMPLATE/openssl-release.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/openssl-release.md b/.github/ISSUE_TEMPLATE/openssl-release.md index 110d06d09c52..1b0cadc1018a 100644 --- a/.github/ISSUE_TEMPLATE/openssl-release.md +++ b/.github/ISSUE_TEMPLATE/openssl-release.md @@ -1,5 +1,5 @@ - [ ] Windows, macOS, `manylinux` - - [ ] Send a pull request to `pyca/infra` updating the [version and hash](https://github.com/pyca/infra/blob/main/cryptography-manylinux/openssl-version.sh) + - [ ] Send a pull request to `pyca/infra` updating the [version and hash](https://github.com/pyca/infra/blob/main/cryptography-linux/openssl-version.sh) - [ ] Wait for it to be merged - [ ] Wait for the Github Actions job to complete - [ ] Changelog entry From ef621da1f832a6612177fdba40635784e5c6db17 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Aug 2023 15:25:36 -0400 Subject: [PATCH 0259/1014] bump openssl versions in ci (#9328) --- .github/workflows/ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1cb8d84cceb..eb5eeb864c79 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,15 +29,15 @@ jobs: PYTHON: - {VERSION: "3.11", NOXSESSION: "flake"} - {VERSION: "3.11", NOXSESSION: "rust"} - - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1"}} + - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1u"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.9"}} - - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.1"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1v"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.10"}} + - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.2"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} From fd65b5a0950028efa227747b80f6cadd6315432d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 2 Aug 2023 08:18:54 +1200 Subject: [PATCH 0260/1014] port changelog for 41.0.3 (#9331) --- CHANGELOG.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4690c6d4a460..0cc6f0e7e091 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -11,6 +11,16 @@ Changelog * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. +.. _v41-0-3: + +41.0.3 - 2023-08-01 +~~~~~~~~~~~~~~~~~~~ + +* Fixed performance regression loading DH public keys. +* Fixed a memory leak when using + :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2. + .. _v41-0-2: 41.0.2 - 2023-07-10 From 8c491e1adcfe452d8d6fadd07ad97f49717ca9af Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Aug 2023 16:33:40 -0400 Subject: [PATCH 0261/1014] fix publish requirements (#9332) --- .github/requirements/publish-requirements.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 23489ae93e4b..6684c01b2db7 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -224,6 +224,10 @@ importlib-metadata==6.8.0 \ # via # keyring # twine +importlib-resources==5.13.0 \ + --hash=sha256:82d5c6cca930697dbbd86c93333bb2c2e72861d4789a11c2662b933e5ad2b528 \ + --hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2 + # via sigstore jaraco-classes==3.3.0 \ --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 From 20d66cc5b6f5763eacb4c4f7d1bc074413aac5d7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 2 Aug 2023 00:17:04 +0000 Subject: [PATCH 0262/1014] Bump BoringSSL and/or OpenSSL in CI (#9333) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eb5eeb864c79..625c0fe37734 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8dec463a609706480a6ae9057702ec662843acc2"}} - # Latest commit on the OpenSSL master branch, as of Aug 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e3d897d3fa3b48bb835fab0665a435469beea7ae"}} + # Latest commit on the BoringSSL master branch, as of Aug 02, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "04487c4e98fd34f1bfcc7ae3757efbaff7b26e4e"}} + # Latest commit on the OpenSSL master branch, as of Aug 02, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a1c87f64dd6d6b0f1c8b276dc415f69e1102f930"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.60 - pem 2.0.1, once_cell 1.18.0 From 6d3a6c87e0e8a0f0e04c4d3bc32caef18c086024 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Aug 2023 20:34:11 -0400 Subject: [PATCH 0263/1014] Bump cryptography dep in publish-requirements (#9335) --- .github/requirements/publish-requirements.txt | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 6684c01b2db7..1632b862a479 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -163,30 +163,30 @@ charset-normalizer==3.2.0 \ --hash=sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac \ --hash=sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa # via requests -cryptography==41.0.2 \ - --hash=sha256:01f1d9e537f9a15b037d5d9ee442b8c22e3ae11ce65ea1f3316a41c78756b711 \ - --hash=sha256:079347de771f9282fbfe0e0236c716686950c19dee1b76240ab09ce1624d76d7 \ - --hash=sha256:182be4171f9332b6741ee818ec27daff9fb00349f706629f5cbf417bd50e66fd \ - --hash=sha256:192255f539d7a89f2102d07d7375b1e0a81f7478925b3bc2e0549ebf739dae0e \ - --hash=sha256:2a034bf7d9ca894720f2ec1d8b7b5832d7e363571828037f9e0c4f18c1b58a58 \ - --hash=sha256:342f3767e25876751e14f8459ad85e77e660537ca0a066e10e75df9c9e9099f0 \ - --hash=sha256:439c3cc4c0d42fa999b83ded80a9a1fb54d53c58d6e59234cfe97f241e6c781d \ - --hash=sha256:49c3222bb8f8e800aead2e376cbef687bc9e3cb9b58b29a261210456a7783d83 \ - --hash=sha256:674b669d5daa64206c38e507808aae49904c988fa0a71c935e7006a3e1e83831 \ - --hash=sha256:7a9a3bced53b7f09da251685224d6a260c3cb291768f54954e28f03ef14e3766 \ - --hash=sha256:7af244b012711a26196450d34f483357e42aeddb04128885d95a69bd8b14b69b \ - --hash=sha256:7d230bf856164de164ecb615ccc14c7fc6de6906ddd5b491f3af90d3514c925c \ - --hash=sha256:84609ade00a6ec59a89729e87a503c6e36af98ddcd566d5f3be52e29ba993182 \ - --hash=sha256:9a6673c1828db6270b76b22cc696f40cde9043eb90373da5c2f8f2158957f42f \ - --hash=sha256:9b6d717393dbae53d4e52684ef4f022444fc1cce3c48c38cb74fca29e1f08eaa \ - --hash=sha256:9c3fe6534d59d071ee82081ca3d71eed3210f76ebd0361798c74abc2bcf347d4 \ - --hash=sha256:a719399b99377b218dac6cf547b6ec54e6ef20207b6165126a280b0ce97e0d2a \ - --hash=sha256:b332cba64d99a70c1e0836902720887fb4529ea49ea7f5462cf6640e095e11d2 \ - --hash=sha256:d124682c7a23c9764e54ca9ab5b308b14b18eba02722b8659fb238546de83a76 \ - --hash=sha256:d73f419a56d74fef257955f51b18d046f3506270a5fd2ac5febbfa259d6c0fa5 \ - --hash=sha256:f0dc40e6f7aa37af01aba07277d3d64d5a03dc66d682097541ec4da03cc140ee \ - --hash=sha256:f14ad275364c8b4e525d018f6716537ae7b6d369c094805cae45300847e0894f \ - --hash=sha256:f772610fe364372de33d76edcd313636a25684edb94cee53fd790195f5989d14 +cryptography==41.0.3 \ + --hash=sha256:0d09fb5356f975974dbcb595ad2d178305e5050656affb7890a1583f5e02a306 \ + --hash=sha256:23c2d778cf829f7d0ae180600b17e9fceea3c2ef8b31a99e3c694cbbf3a24b84 \ + --hash=sha256:3fb248989b6363906827284cd20cca63bb1a757e0a2864d4c1682a985e3dca47 \ + --hash=sha256:41d7aa7cdfded09b3d73a47f429c298e80796c8e825ddfadc84c8a7f12df212d \ + --hash=sha256:42cb413e01a5d36da9929baa9d70ca90d90b969269e5a12d39c1e0d475010116 \ + --hash=sha256:4c2f0d35703d61002a2bbdcf15548ebb701cfdd83cdc12471d2bae80878a4207 \ + --hash=sha256:4fd871184321100fb400d759ad0cddddf284c4b696568204d281c902fc7b0d81 \ + --hash=sha256:5259cb659aa43005eb55a0e4ff2c825ca111a0da1814202c64d28a985d33b087 \ + --hash=sha256:57a51b89f954f216a81c9d057bf1a24e2f36e764a1ca9a501a6964eb4a6800dd \ + --hash=sha256:652627a055cb52a84f8c448185922241dd5217443ca194d5739b44612c5e6507 \ + --hash=sha256:67e120e9a577c64fe1f611e53b30b3e69744e5910ff3b6e97e935aeb96005858 \ + --hash=sha256:6af1c6387c531cd364b72c28daa29232162010d952ceb7e5ca8e2827526aceae \ + --hash=sha256:6d192741113ef5e30d89dcb5b956ef4e1578f304708701b8b73d38e3e1461f34 \ + --hash=sha256:7efe8041897fe7a50863e51b77789b657a133c75c3b094e51b5e4b5cec7bf906 \ + --hash=sha256:84537453d57f55a50a5b6835622ee405816999a7113267739a1b4581f83535bd \ + --hash=sha256:8f09daa483aedea50d249ef98ed500569841d6498aa9c9f4b0531b9964658922 \ + --hash=sha256:95dd7f261bb76948b52a5330ba5202b91a26fbac13ad0e9fc8a3ac04752058c7 \ + --hash=sha256:a74fbcdb2a0d46fe00504f571a2a540532f4c188e6ccf26f1f178480117b33c4 \ + --hash=sha256:a983e441a00a9d57a4d7c91b3116a37ae602907a7618b882c8013b5762e80574 \ + --hash=sha256:ab8de0d091acbf778f74286f4989cf3d1528336af1b59f3e5d2ebca8b5fe49e1 \ + --hash=sha256:aeb57c421b34af8f9fe830e1955bf493a86a7996cc1338fe41b30047d16e962c \ + --hash=sha256:ce785cf81a7bdade534297ef9e490ddff800d956625020ab2ec2780a556c313e \ + --hash=sha256:d0d651aa754ef58d75cec6edfbd21259d93810b73f6ec246436a21b7841908de # via # pyopenssl # secretstorage From 366c977bfdd30db83e096ef340b7415d17c20430 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 2 Aug 2023 12:51:59 +1200 Subject: [PATCH 0264/1014] use setup-python in our pypi-publish action to get 3.11 as default (#9336) --- .github/workflows/pypi-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 9f941fa8903a..6ae41538c2dd 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -28,6 +28,9 @@ jobs: permissions: id-token: "write" steps: + - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + with: + python-version: "3.11" - name: Get publish-requirements.txt from repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: From a0c4fd2dbec7cdc310501f37cb0ff3a006c9598b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Aug 2023 21:02:19 -0400 Subject: [PATCH 0265/1014] Build publish-requirements.txt for python3.11 (#9337) --- .github/requirements/publish-requirements.txt | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1632b862a479..1c1cf86c24cd 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.10 +# This file is autogenerated by pip-compile with Python 3.11 # by the following command: # # pip-compile --generate-hashes publish-requirements.in @@ -224,10 +224,6 @@ importlib-metadata==6.8.0 \ # via # keyring # twine -importlib-resources==5.13.0 \ - --hash=sha256:82d5c6cca930697dbbd86c93333bb2c2e72861d4789a11c2662b933e5ad2b528 \ - --hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2 - # via sigstore jaraco-classes==3.3.0 \ --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 From caeafe6c4a726cf706345f26ce58f648e66ff548 Mon Sep 17 00:00:00 2001 From: Jean Paul Galea Date: Wed, 2 Aug 2023 09:02:56 +0200 Subject: [PATCH 0266/1014] docs: fix broken link to https://ed25519.cr.yp.to/software.html (#9338) --- docs/development/test-vectors.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 4e9811332c18..7810d44d0999 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -33,7 +33,7 @@ Asymmetric ciphers * FIPS 186-2 and FIPS 186-3 DSA test vectors from `NIST CAVP`_. * FIPS 186-2 and FIPS 186-3 ECDSA test vectors from `NIST CAVP`_. * DH and ECDH and ECDH+KDF(17.4) test vectors from `NIST CAVP`_. -* Ed25519 test vectors from the `Ed25519 website_`. +* Ed25519 test vectors from the `Ed25519 website`_. * OpenSSL PEM RSA serialization vectors from the `OpenSSL example key`_ and `GnuTLS key parsing tests`_. * ``asymmetric/PEM_Serialization/rsa-bad-1025-q-is-2.pem`` from `badkeys`_. From 436e5429a90c41fb7497c9f8adffc26359ceda3a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Aug 2023 12:11:13 +0000 Subject: [PATCH 0267/1014] Bump cc from 1.0.79 to 1.0.80 in /src/rust (#9340) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.79 to 1.0.80. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.79...1.0.80) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 7 +++++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 98036e950f76..c3e1058f616a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,12 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "cc" -version = "1.0.79" +version = "1.0.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" +checksum = "51f1226cd9da55587234753d1245dd5b132343ea240f26b6a9003d68706141ba" +dependencies = [ + "libc", +] [[package]] name = "cfg-if" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index a8b53a9a87c7..048ab2dd39eb 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -21,7 +21,7 @@ foreign-types-shared = "0.1" self_cell = "1" [build-dependencies] -cc = "1.0.72" +cc = "1.0.80" [features] extension-module = ["pyo3/extension-module"] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 547d692b850e..a1588789533f 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.19", features = ["abi3-py37"] } openssl-sys = "0.9.90" [build-dependencies] -cc = "1.0.72" +cc = "1.0.80" From 62d7b562403bf24678de900889c14e7977d21052 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Aug 2023 12:36:31 +0000 Subject: [PATCH 0268/1014] Bump rich from 13.5.1 to 13.5.2 (#9342) Bumps [rich](https://github.com/Textualize/rich) from 13.5.1 to 13.5.2. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.1...v13.5.2) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index af3f85eda607..2af83182762c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.5.1 +rich==13.5.2 # via twine ruff==0.0.281 # via cryptography (pyproject.toml) From eee933454a410eadac71ac0840f2effc09c57b59 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Aug 2023 12:37:18 +0000 Subject: [PATCH 0269/1014] Bump ruff from 0.0.281 to 0.0.282 (#9343) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.281 to 0.0.282. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.281...v0.0.282) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2af83182762c..03be6a192a13 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.281 +ruff==0.0.282 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 6291682ab9308b7bcbe65d6fe0ae34b73fd75424 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Aug 2023 12:40:48 +0000 Subject: [PATCH 0270/1014] Bump Swatinem/rust-cache from 2.5.1 to 2.6.0 in /.github/actions/cache (#9344) Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/dd05243424bd5c0e585e4b55eb2d7615cdd32f1f...b8a6852b4f997182bdea832df3f9e153038b5191) --- updated-dependencies: - dependency-name: Swatinem/rust-cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/cache/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 1102852be84a..8d691d377fcc 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@dd05243424bd5c0e585e4b55eb2d7615cdd32f1f # v2.5.1 + - uses: Swatinem/rust-cache@b8a6852b4f997182bdea832df3f9e153038b5191 # v2.6.0 with: key: ${{ steps.normalized-key.outputs.key }} workspaces: "./src/rust/ -> target" From db822c794ff5aac8248fc682d6e07546bc622433 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Aug 2023 17:40:59 -0400 Subject: [PATCH 0271/1014] Bump rich from 13.5.1 to 13.5.2 in /.github/requirements (#9345) Bumps [rich](https://github.com/Textualize/rich) from 13.5.1 to 13.5.2. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.1...v13.5.2) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1c1cf86c24cd..bc34d3033249 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -414,9 +414,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.5.1 \ - --hash=sha256:881653ee7037803559d8eae98f145e0a4c4b0ec3ff0300d2cc8d479c71fc6819 \ - --hash=sha256:b97381b204a206e1be618f5e1215a57174a1a7732490b3bf6668cf41d30bc72d +rich==13.5.2 \ + --hash=sha256:146a90b3b6b47cac4a73c12866a499e9817426423f57c5a66949c086191a8808 \ + --hash=sha256:fb9d6c0a0f643c99eed3875b5377a184132ba9be4d61516a55273d3554d75a39 # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ From e718a49097ce373a944685db04acb5582291d370 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 2 Aug 2023 19:15:07 -0400 Subject: [PATCH 0272/1014] Raise MSRV to 1.63.0 (#9043) --- .github/workflows/ci.yml | 5 ++--- CHANGELOG.rst | 1 + docs/installation.rst | 8 ++++---- setup.py | 2 +- src/rust/Cargo.lock | 12 ++++++------ src/rust/Cargo.toml | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- src/rust/cryptography-x509-validation/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- src/rust/cryptography-x509/src/crl.rs | 6 +++--- src/rust/cryptography-x509/src/lib.rs | 2 -- src/rust/cryptography-x509/src/name.rs | 2 +- src/rust/src/asn1.rs | 9 ++------- src/rust/src/backend/dh.rs | 4 ++-- src/rust/src/x509/certificate.rs | 8 ++++---- src/rust/src/x509/crl.rs | 4 ++-- src/rust/src/x509/csr.rs | 4 ++-- 18 files changed, 36 insertions(+), 43 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 625c0fe37734..dded047cf79c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -49,11 +49,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a1c87f64dd6d6b0f1c8b276dc415f69e1102f930"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: - # 1.60 - pem 2.0.1, once_cell 1.18.0 # 1.64 - maturin # 1.65 - Generic associated types (GATs) - - {VERSION: "3.11", NOXSESSION: "tests-nocoverage", RUST: "1.56.0"} - - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.60.0"} + - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.63.0"} + - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.64.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "beta"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0cc6f0e7e091..f602278eca00 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -10,6 +10,7 @@ Changelog * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. +* Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. .. _v41-0-3: diff --git a/docs/installation.rst b/docs/installation.rst index 04fc3ce3d18e..6dcac7340f21 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -105,7 +105,7 @@ Alpine .. warning:: - The Rust available by default in Alpine < 3.15 is older than the minimum + The Rust available by default in Alpine < 3.17 is older than the minimum supported version. See the :ref:`Rust installation instructions ` for information about installing a newer Rust. @@ -134,8 +134,8 @@ Fedora/RHEL/CentOS .. warning:: - For RHEL and CentOS you must be on version 8.6 or newer for the command - below to install a sufficiently new Rust. If your Rust is less than 1.56.0 + For RHEL and CentOS you must be on version 8.8 or newer for the command + below to install a sufficiently new Rust. If your Rust is less than 1.63.0 please see the :ref:`Rust installation instructions ` for information about installing a newer Rust. @@ -313,7 +313,7 @@ Rust a Rust toolchain. Building ``cryptography`` requires having a working Rust toolchain. The current -minimum supported Rust version is 1.56.0. **This is newer than the Rust some +minimum supported Rust version is 1.63.0. **This is newer than the Rust some package managers ship**, so users may need to install with the instructions below. diff --git a/setup.py b/setup.py index 87ca197207cc..60b7b713ba7b 100644 --- a/setup.py +++ b/setup.py @@ -54,7 +54,7 @@ "cryptography.hazmat.bindings._rust", "src/rust/Cargo.toml", py_limited_api=True, - rust_version=">=1.56.0", + rust_version=">=1.63.0", ) ], ) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c3e1058f616a..864fb76a2259 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" -version = "0.13.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" +checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d" [[package]] name = "bitflags" @@ -155,9 +155,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.17.2" +version = "1.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9670a07f94779e00908f3e686eab508878ebb390ba6e604d3a284c00e8d0487b" +checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" @@ -222,9 +222,9 @@ dependencies = [ [[package]] name = "pem" -version = "1.1.1" +version = "3.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8" +checksum = "ed3127afbfc30b4cad60c34aeb741fb562a808642b81142bcf4afb73142da960" dependencies = [ "base64", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 048ab2dd39eb..cabf70918c07 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.56.0" +rust-version = "1.63.0" [dependencies] once_cell = "1" @@ -14,7 +14,7 @@ asn1 = { version = "0.15.4", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } -pem = "1.1" +pem = { version = "3", default-features = false } openssl = "0.10.55" openssl-sys = "0.9.90" foreign-types-shared = "0.1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index a1588789533f..7891c0ebb97d 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.56.0" +rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.19", features = ["abi3-py37"] } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index cc25950ea847..9eda40a00bd8 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.56.0" +rust-version = "1.63.0" [dependencies] openssl = "0.10.55" diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-validation/Cargo.toml index d9117890bded..b62f1951f47a 100644 --- a/src/rust/cryptography-x509-validation/Cargo.toml +++ b/src/rust/cryptography-x509-validation/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.56.0" +rust-version = "1.63.0" [dependencies] asn1 = { version = "0.15.0", default-features = false } diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 166682c4285e..9f59aec2d153 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.56.0" +rust-version = "1.63.0" [dependencies] asn1 = { version = "0.15.4", default-features = false } diff --git a/src/rust/cryptography-x509/src/crl.rs b/src/rust/cryptography-x509/src/crl.rs index c81a3c4a95fd..fc9b21ae46ab 100644 --- a/src/rust/cryptography-x509/src/crl.rs +++ b/src/rust/cryptography-x509/src/crl.rs @@ -11,7 +11,7 @@ use crate::{ pub type ReasonFlags<'a> = Option, asn1::OwnedBitString>>; -#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)] pub struct CertificateRevocationList<'a> { pub tbs_cert_list: TBSCertList<'a>, pub signature_algorithm: common::AlgorithmIdentifier<'a>, @@ -26,7 +26,7 @@ pub type RevokedCertificates<'a> = Option< >, >; -#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)] pub struct TBSCertList<'a> { pub version: Option, pub signature: common::AlgorithmIdentifier<'a>, @@ -38,7 +38,7 @@ pub struct TBSCertList<'a> { pub raw_crl_extensions: Option>, } -#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash, Clone)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone)] pub struct RevokedCertificate<'a> { pub user_certificate: asn1::BigUint<'a>, pub revocation_date: common::Time, diff --git a/src/rust/cryptography-x509/src/lib.rs b/src/rust/cryptography-x509/src/lib.rs index 131c3fd156eb..548e073b13e5 100644 --- a/src/rust/cryptography-x509/src/lib.rs +++ b/src/rust/cryptography-x509/src/lib.rs @@ -3,8 +3,6 @@ // for complete details. #![forbid(unsafe_code)] -// These can be removed once our MSRV is >1.60 -#![allow(renamed_and_removed_lints, clippy::eval_order_dependence)] pub mod certificate; pub mod common; diff --git a/src/rust/cryptography-x509/src/name.rs b/src/rust/cryptography-x509/src/name.rs index 5c53c76c6844..90688b3d7026 100644 --- a/src/rust/cryptography-x509/src/name.rs +++ b/src/rust/cryptography-x509/src/name.rs @@ -43,7 +43,7 @@ impl<'a> asn1::SimpleAsn1Writable for UnvalidatedIA5String<'a> { } } -#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash)] +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)] pub struct OtherName<'a> { pub type_id: asn1::ObjectIdentifier, #[explicit(0, required)] diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 3dd12ed070c1..93e98f091f69 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -104,13 +104,8 @@ pub(crate) fn encode_der_data<'p>( Ok(pyo3::types::PyBytes::new( py, &pem::encode_config( - &pem::Pem { - tag: pem_tag, - contents: data, - }, - pem::EncodeConfig { - line_ending: pem::LineEnding::LF, - }, + &pem::Pem::new(pem_tag, data), + pem::EncodeConfig::new().set_line_ending(pem::LineEnding::LF), ) .into_bytes(), )) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 9bb736a9c545..9cf631d7e8a9 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -83,11 +83,11 @@ fn from_der_parameters(data: &[u8]) -> CryptographyResult { fn from_pem_parameters(data: &[u8]) -> CryptographyResult { let parsed = x509::find_in_pem( data, - |p| p.tag == "DH PARAMETERS" || p.tag == "X9.42 DH PARAMETERS", + |p| p.tag() == "DH PARAMETERS" || p.tag() == "X9.42 DH PARAMETERS", "Valid PEM but no BEGIN DH PARAMETERS/END DH PARAMETERS delimiters. Are you sure this is a DH parameters?", )?; - from_der_parameters(&parsed.contents) + from_der_parameters(parsed.contents()) } fn dh_parameters_from_numbers( diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d4a540cd15ad..688ed07e8e68 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -334,12 +334,12 @@ fn load_pem_x509_certificate(py: pyo3::Python<'_>, data: &[u8]) -> CryptographyR // https://github.com/openssl/openssl/blob/5e2d22d53ed322a7124e26a4fbd116a8210eb77a/include/openssl/pem.h#L32-L33 let parsed = x509::find_in_pem( data, - |p| p.tag == "CERTIFICATE" || p.tag == "X509 CERTIFICATE", + |p| p.tag() == "CERTIFICATE" || p.tag() == "X509 CERTIFICATE", "Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?", )?; load_der_x509_certificate( py, - pyo3::types::PyBytes::new(py, &parsed.contents).into_py(py), + pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), ) } @@ -350,9 +350,9 @@ fn load_pem_x509_certificates( ) -> CryptographyResult> { let certs = pem::parse_many(data)? .iter() - .filter(|p| p.tag == "CERTIFICATE" || p.tag == "X509 CERTIFICATE") + .filter(|p| p.tag() == "CERTIFICATE" || p.tag() == "X509 CERTIFICATE") .map(|p| { - load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, &p.contents).into_py(py)) + load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, p.contents()).into_py(py)) }) .collect::, _>>()?; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 126561a1d055..d1535b31b6cb 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -54,12 +54,12 @@ fn load_pem_x509_crl( ) -> Result { let block = x509::find_in_pem( data, - |p| p.tag == "X509 CRL", + |p| p.tag() == "X509 CRL", "Valid PEM but no BEGIN X509 CRL/END X509 delimiters. Are you sure this is a CRL?", )?; load_der_x509_crl( py, - pyo3::types::PyBytes::new(py, &block.contents).into_py(py), + pyo3::types::PyBytes::new(py, block.contents()).into_py(py), ) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index d0a27705e006..b6718a50385a 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -254,12 +254,12 @@ fn load_pem_x509_csr( // https://github.com/openssl/openssl/blob/5e2d22d53ed322a7124e26a4fbd116a8210eb77a/include/openssl/pem.h#L35-L36 let parsed = x509::find_in_pem( data, - |p| p.tag == "CERTIFICATE REQUEST" || p.tag == "NEW CERTIFICATE REQUEST", + |p| p.tag() == "CERTIFICATE REQUEST" || p.tag() == "NEW CERTIFICATE REQUEST", "Valid PEM but no BEGIN CERTIFICATE REQUEST/END CERTIFICATE REQUEST delimiters. Are you sure this is a CSR?", )?; load_der_x509_csr( py, - pyo3::types::PyBytes::new(py, &parsed.contents).into_py(py), + pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), ) } From dfe1a560f8ec079ff7635639fa485600fe1d16cf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 3 Aug 2023 12:35:37 +0000 Subject: [PATCH 0273/1014] Bump BoringSSL and/or OpenSSL in CI (#9347) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dded047cf79c..e24dadd382af 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 02, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "04487c4e98fd34f1bfcc7ae3757efbaff7b26e4e"}} - # Latest commit on the OpenSSL master branch, as of Aug 02, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a1c87f64dd6d6b0f1c8b276dc415f69e1102f930"}} + # Latest commit on the BoringSSL master branch, as of Aug 03, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7ae2b910c13017b63f1a8bd6c8decfce692869b0"}} + # Latest commit on the OpenSSL master branch, as of Aug 03, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1e7cc86b7516bb035b91c23a38f2d9e6323d33c9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 1bc15b1d8b23becaf8eb9e1ab8cd4099e264d2ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 3 Aug 2023 12:43:03 +0000 Subject: [PATCH 0274/1014] Bump cc from 1.0.80 to 1.0.81 in /src/rust (#9348) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.80 to 1.0.81. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.80...1.0.81) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 864fb76a2259..6cadf2b18438 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "cc" -version = "1.0.80" +version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51f1226cd9da55587234753d1245dd5b132343ea240f26b6a9003d68706141ba" +checksum = "6c6b2562119bf28c3439f7f02db99faf0aa1a8cdfe5772a2ee155d32227239f0" dependencies = [ "libc", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index cabf70918c07..e17a4a3d304a 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -21,7 +21,7 @@ foreign-types-shared = "0.1" self_cell = "1" [build-dependencies] -cc = "1.0.80" +cc = "1.0.81" [features] extension-module = ["pyo3/extension-module"] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 7891c0ebb97d..10b1ab4f084a 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.19", features = ["abi3-py37"] } openssl-sys = "0.9.90" [build-dependencies] -cc = "1.0.80" +cc = "1.0.81" From 4eafd32ffed04ba116c874c44f731d9a52562396 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Aug 2023 13:04:40 +0000 Subject: [PATCH 0275/1014] Bump more-itertools from 10.0.0 to 10.1.0 (#9351) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 10.0.0 to 10.1.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/commits) --- updated-dependencies: - dependency-name: more-itertools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 03be6a192a13..d84db9a42c89 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -66,7 +66,7 @@ markupsafe==2.1.3 # via jinja2 mdurl==0.1.2 # via markdown-it-py -more-itertools==10.0.0 +more-itertools==10.1.0 # via jaraco-classes mypy==1.4.1 # via cryptography (pyproject.toml) From f7cfcef7ff07977db0c9eefe1520c6bfb97e18b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 4 Aug 2023 13:24:52 +0000 Subject: [PATCH 0276/1014] Bump more-itertools from 10.0.0 to 10.1.0 in /.github/requirements (#9352) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 10.0.0 to 10.1.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/commits) --- updated-dependencies: - dependency-name: more-itertools dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bc34d3033249..6cd14dd87ecb 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -246,9 +246,9 @@ mdurl==0.1.2 \ --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -more-itertools==10.0.0 \ - --hash=sha256:928d514ffd22b5b0a8fce326d57f423a55d2ff783b093bab217eda71e732330f \ - --hash=sha256:cd65437d7c4b615ab81c0640c0480bc29a550ea032891977681efd28344d51e1 +more-itertools==10.1.0 \ + --hash=sha256:626c369fa0eb37bac0291bce8259b332fd59ac792fa5497b59837309cd5b114a \ + --hash=sha256:64e0735fcfdc6f3464ea133afe8ea4483b1c5fe3a3d69852e6503b43a0b222e6 # via jaraco-classes multidict==6.0.4 \ --hash=sha256:01a3a55bd90018c9c080fbb0b9f4891db37d148a0a18722b42f94694f8b6d4c9 \ From 41d89f1ae6b2a907dce60e3624eca3c0851a21a2 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 4 Aug 2023 12:48:15 -0400 Subject: [PATCH 0277/1014] noxfile, docs: fix posargs handling (#9354) * noxfile, docs: fix posargs handling Signed-off-by: William Woodruff * Update docs/development/getting-started.rst Co-authored-by: Alex Gaynor --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- docs/development/getting-started.rst | 9 ++++++++- noxfile.py | 8 ++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index a4283469b5cc..ad4ffd91ddc8 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -37,6 +37,13 @@ designed to be run using `pytest`_. ``nox`` automatically invokes ``pytest``: 62746 passed in 220.43 seconds +You can also specify a subset of tests to run as positional arguments: + +.. code-block:: console + + $ # run the whole x509 testsuite, plus the fernet tests + $ nox -e tests -p py310 -- tests/x509/ tests/test_fernet.py + Building documentation ---------------------- @@ -63,4 +70,4 @@ The HTML documentation index can now be found at .. _`pip`: https://pypi.org/project/pip/ .. _`sphinx`: https://pypi.org/project/Sphinx/ .. _`reStructured Text`: https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html -.. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic \ No newline at end of file +.. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic diff --git a/noxfile.py b/noxfile.py index 717c06726aa0..d86cc9752bc3 100644 --- a/noxfile.py +++ b/noxfile.py @@ -64,6 +64,11 @@ def tests(session: nox.Session) -> None: else: cov_args = [] + if session.posargs: + tests = session.posargs + else: + tests = ["tests/"] + session.run( "pytest", "-n", @@ -71,8 +76,7 @@ def tests(session: nox.Session) -> None: "--dist=worksteal", *cov_args, "--durations=10", - *session.posargs, - "tests/", + *tests, ) if session.name != "tests-nocoverage": From 6f160878c491ce9021ae5c3adda46416f1068237 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 4 Aug 2023 17:25:26 -0400 Subject: [PATCH 0278/1014] validation/ops: make `public_key` return `Option` (#9356) Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/ops.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index 6d5b27e0a4ce..7cb33c0dee7f 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -9,8 +9,9 @@ pub trait CryptoOps { type Key; /// Extracts the public key from the given `Certificate` in - /// a `Key` format known by the cryptographic backend. - fn public_key(&self, cert: &Certificate) -> Self::Key; + /// a `Key` format known by the cryptographic backend, or `None` + /// if the key is malformed. + fn public_key(&self, cert: &Certificate) -> Option; /// Verifies the signature on `Certificate` using the given /// `Key`. From 743d15813e8237ac20f2b9f11873adbd2579d38a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 5 Aug 2023 12:58:30 +1200 Subject: [PATCH 0279/1014] Bump BoringSSL and/or OpenSSL in CI (#9357) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e24dadd382af..6594a665e005 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Aug 03, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7ae2b910c13017b63f1a8bd6c8decfce692869b0"}} - # Latest commit on the OpenSSL master branch, as of Aug 03, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1e7cc86b7516bb035b91c23a38f2d9e6323d33c9"}} + # Latest commit on the OpenSSL master branch, as of Aug 05, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7c729851d169f30d9e0c0ad6e7c1cf6cefb37935"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From f7e629f70a7eb975dc96bbe5ec438eec7db62775 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 5 Aug 2023 15:38:13 +1200 Subject: [PATCH 0280/1014] tested platforms update (#9358) --- docs/installation.rst | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/installation.rst b/docs/installation.rst index 6dcac7340f21..32e2f0b295fe 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -19,14 +19,12 @@ operating systems. * x86-64 RHEL 8.x * x86-64 CentOS 9 Stream * x86-64 Fedora (latest) -* x86-64 macOS 12 Monterey -* ARM64 macOS 13 Ventura +* x86-64 and ARM64 macOS 13 Ventura * x86-64 Ubuntu 20.04, 22.04, rolling * ARM64 Ubuntu 22.04 * x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and Sid (unstable) -* x86-64 Alpine (latest) -* ARM64 Alpine (latest) +* x86-64 and ARM64 Alpine (latest) * 32-bit and 64-bit Python on 64-bit Windows Server 2022 We test compiling with ``clang`` as well as ``gcc`` and use the following From 06c3fe4cb74601ac80fb831e0ebf9daa83c1cbda Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 5 Aug 2023 16:20:52 -0400 Subject: [PATCH 0281/1014] Added a test for decrypting with long AESSIV ad (#9360) --- tests/hazmat/primitives/test_aead.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 0ea84d0d4070..7db9607af197 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -671,6 +671,9 @@ def test_data_too_large(self): with pytest.raises(OverflowError): aessiv.encrypt(b"irrelevant", [large_data]) + with pytest.raises(OverflowError): + aessiv.decrypt(b"very very irrelevant", [large_data]) + def test_no_empty_encryption(self): key = AESSIV.generate_key(256) aessiv = AESSIV(key) From 80008ce29e1a698df96d744e89770d69421ed716 Mon Sep 17 00:00:00 2001 From: Andrew Pan <3821575+tnytown@users.noreply.github.com> Date: Sat, 5 Aug 2023 18:00:14 -0400 Subject: [PATCH 0282/1014] x509: construct `IPAddress` and `IPRange` types (#9346) * x509: construct `IPAddress` and `IPRange` types Signed-off-by: Andrew Pan * x509: replace iterators in `IPAddress::from_bytes` Signed-off-by: Andrew Pan * x509: test for non-left masks Signed-off-by: Andrew Pan * x509: simplify `IPRange::from_bytes` Signed-off-by: Andrew Pan * x509: comprehensive tests, rework `IPAddress.mask` Signed-off-by: Andrew Pan * x509: one more case for `test_iprange_from_bytes` Signed-off-by: Andrew Pan * x509: don't handle overlength prefixes in `mask` Signed-off-by: Andrew Pan * x509: remove `test_ipaddress_from_std` Signed-off-by: Andrew Pan * x509: doc `IPAddress` Signed-off-by: Andrew Pan * x509: use `From` for `from_std` Signed-off-by: Andrew Pan * Update src/rust/cryptography-x509-validation/src/types.rs Co-authored-by: William Woodruff * x509: make `IPAddress` a newtype, doc `IPRange` Signed-off-by: Andrew Pan * x509: don't fq `IpAddr` anymore Signed-off-by: Andrew Pan --------- Signed-off-by: Andrew Pan Co-authored-by: William Woodruff --- .../cryptography-x509-validation/src/types.rs | 263 +++++++++++++++++- 1 file changed, 262 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs index bc729736b118..cf850ef9b26a 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs +++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -2,6 +2,9 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::net::IpAddr; +use std::str::FromStr; + /// A `DNSName` is an `asn1::IA5String` with additional invariant preservations /// per [RFC 5280 4.2.1.6], which in turn uses the preferred name syntax defined /// in [RFC 1034 3.5] and amended in [RFC 1123 2.1]. @@ -110,9 +113,145 @@ impl<'a> DNSPattern<'a> { } } +#[derive(Copy, Clone, Debug, PartialEq)] +pub struct IPAddress(IpAddr); + +/// An `IPAddress` represents an IP address as defined in [RFC 5280 4.2.1.6]. +/// +/// [RFC 5280 4.2.1.6]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 +impl IPAddress { + pub fn from_str(s: &str) -> Option { + IpAddr::from_str(s).ok().map(Self::from) + } + + /// Constructs an `IPAddress` from a slice. The provided data must be + /// 4 (IPv4) or 16 (IPv6) bytes in "network byte order", as specified by + /// [RFC 5280]. + /// + /// [RFC 5280]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 + pub fn from_bytes(b: &[u8]) -> Option { + match b.len() { + 4 => { + let b: [u8; 4] = b.try_into().ok()?; + Some(IpAddr::from(b).into()) + } + 16 => { + let b: [u8; 16] = b.try_into().ok()?; + Some(IpAddr::from(b).into()) + } + _ => None, + } + } + + /// Parses the octets of the `IPAddress` as a mask. If it is well-formed, + /// i.e., has only one contiguous block of set bits starting from the most + /// significant bit, a prefix is returned. + pub fn as_prefix(&self) -> Option { + let (leading, total) = match self.0 { + IpAddr::V4(a) => { + let data = u32::from_be_bytes(a.octets()); + (data.leading_ones(), data.count_ones()) + } + IpAddr::V6(a) => { + let data = u128::from_be_bytes(a.octets()); + (data.leading_ones(), data.count_ones()) + } + }; + + if leading != total { + None + } else { + Some(leading as u8) + } + } + + /// Returns a new `IPAddress` with the first `prefix` bits of the `IPAddress`. + /// + /// ```rust + /// # use cryptography_x509_validation::types::IPAddress; + /// let ip = IPAddress::from_str("192.0.2.1").unwrap(); + /// assert_eq!(ip.mask(24), IPAddress::from_str("192.0.2.0").unwrap()); + /// ``` + pub fn mask(&self, prefix: u8) -> Self { + match self.0 { + IpAddr::V4(a) => { + let prefix = 32u8.checked_sub(prefix).unwrap_or(0).into(); + let masked = u32::from_be_bytes(a.octets()) + & u32::MAX + .checked_shr(prefix) + .unwrap_or(0) + .checked_shl(prefix) + .unwrap_or(0); + Self::from_bytes(&masked.to_be_bytes()).unwrap() + } + IpAddr::V6(a) => { + let prefix = 128u8.checked_sub(prefix).unwrap_or(0).into(); + let masked = u128::from_be_bytes(a.octets()) + & u128::MAX + .checked_shr(prefix) + .unwrap_or(0) + .checked_shl(prefix) + .unwrap_or(0); + Self::from_bytes(&masked.to_be_bytes()).unwrap() + } + } + } +} + +impl From for IPAddress { + fn from(addr: IpAddr) -> Self { + Self(addr) + } +} + +#[derive(Debug, PartialEq)] +pub struct IPRange { + address: IPAddress, + prefix: u8, +} + +/// An `IPRange` represents a CIDR-style address range used in a name constraints +/// extension, as defined by [RFC 5280 4.2.1.10]. +/// +/// [RFC 5280 4.2.1.10]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 +impl IPRange { + /// Constructs an `IPRange` from a slice. The input slice must be 8 (IPv4) + /// or 32 (IPv6) bytes long and contain two IP addresses, the first being + /// a subnet and the second defining the subnet's mask. + /// + /// The subnet mask must contain only one contiguous run of set bits starting + /// from the most significant bit. For example, a valid IPv4 subnet mask would + /// be FF FF 00 00, whereas an invalid IPv4 subnet mask would be FF EF 00 00. + pub fn from_bytes(b: &[u8]) -> Option { + let slice_idx = match b.len() { + 8 => 4, + 32 => 16, + _ => return None, + }; + + let prefix = IPAddress::from_bytes(&b[slice_idx..])?.as_prefix()?; + Some(IPRange { + address: IPAddress::from_bytes(&b[..slice_idx])?.mask(prefix), + prefix, + }) + } + + /// Determines if the `addr` is within the `IPRange`. + /// + /// ```rust + /// # use cryptography_x509_validation::types::{IPAddress,IPRange}; + /// let range_bytes = b"\xc6\x33\x64\x00\xff\xff\xff\x00"; + /// let range = IPRange::from_bytes(range_bytes).unwrap(); + /// assert!(range.matches(&IPAddress::from_str("198.51.100.42").unwrap())); + /// ``` + pub fn matches(&self, addr: &IPAddress) -> bool { + self.address == addr.mask(self.prefix) + } +} + #[cfg(test)] mod tests { - use crate::types::{DNSName, DNSPattern}; + use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; #[test] fn test_dnsname_debug_trait() { @@ -245,4 +384,126 @@ mod tests { assert!(!any_example_com.matches(&DNSName::new("foo.bar.baz.example.com").unwrap())); assert!(!any_localhost.matches(&DNSName::new("localhost").unwrap())); } + + #[test] + fn test_ipaddress_from_str() { + assert_ne!(IPAddress::from_str("192.168.1.1"), None) + } + + #[test] + fn test_ipaddress_from_bytes() { + let ipv4 = b"\xc0\x00\x02\x01"; + let ipv6 = b"\x20\x01\x0d\xb8\x00\x00\x00\x00\ + \x00\x00\x00\x00\x00\x00\x00\x01"; + let bad = b"\xde\xad"; + + assert_eq!( + IPAddress::from_bytes(ipv4).unwrap(), + IPAddress::from_str("192.0.2.1").unwrap(), + ); + assert_eq!( + IPAddress::from_bytes(ipv6).unwrap(), + IPAddress::from_str("2001:db8::1").unwrap(), + ); + assert_eq!(IPAddress::from_bytes(bad), None); + } + + #[test] + fn test_ipaddress_as_prefix() { + let ipv4 = IPAddress::from_str("255.255.255.0").unwrap(); + let ipv6 = IPAddress::from_str("ffff:ffff:ffff:ffff::").unwrap(); + let ipv4_nonmask = IPAddress::from_str("192.0.2.1").unwrap(); + let ipv6_nonmask = IPAddress::from_str("2001:db8::1").unwrap(); + + assert_eq!(ipv4.as_prefix(), Some(24)); + assert_eq!(ipv6.as_prefix(), Some(64)); + assert_eq!(ipv4_nonmask.as_prefix(), None); + assert_eq!(ipv6_nonmask.as_prefix(), None); + } + + #[test] + fn test_ipaddress_mask() { + let ipv4 = IPAddress::from_str("192.0.2.252").unwrap(); + let ipv6 = IPAddress::from_str("2001:db8::f00:01ba").unwrap(); + + assert_eq!(ipv4.mask(0), IPAddress::from_str("0.0.0.0").unwrap()); + assert_eq!(ipv4.mask(64), ipv4); + assert_eq!(ipv4.mask(32), ipv4); + assert_eq!(ipv4.mask(24), IPAddress::from_str("192.0.2.0").unwrap()); + assert_eq!(ipv6.mask(0), IPAddress::from_str("::0").unwrap()); + assert_eq!(ipv6.mask(130), ipv6); + assert_eq!(ipv6.mask(128), ipv6); + assert_eq!(ipv6.mask(64), IPAddress::from_str("2001:db8::").unwrap()); + assert_eq!( + ipv6.mask(103), + IPAddress::from_str("2001:db8::e00:0").unwrap() + ); + } + + #[test] + fn test_iprange_from_bytes() { + let ipv4_bad = b"\xc0\xa8\x01\x01\xff\xfe\xff\x00"; + let ipv4_bad_many_bits = b"\xc0\xa8\x01\x01\xff\xfc\xff\x00"; + let ipv4_bad_octet = b"\xc0\xa8\x01\x01\x00\xff\xff\xff"; + let ipv6_bad = b"\ + \x26\x01\x00\x00\x00\x00\x00\x01\ + \x00\x00\x00\x00\x00\x00\x00\x00\ + \x00\x00\x00\x00\x00\x00\x00\x01\ + \x00\x00\x00\x00\x00\x00\x00\x00"; + let ipv6_good = b"\ + \x20\x01\x0d\xb8\x00\x00\x00\x00\ + \x00\x00\x00\x00\x00\x00\x00\x01\ + \xf0\x00\x00\x00\x00\x00\x00\x00\ + \x00\x00\x00\x00\x00\x00\x00\x00"; + let bad = b"\xff\xff\xff"; + + assert_eq!(IPRange::from_bytes(ipv4_bad), None); + assert_eq!(IPRange::from_bytes(ipv4_bad_many_bits), None); + assert_eq!(IPRange::from_bytes(ipv4_bad_octet), None); + assert_eq!(IPRange::from_bytes(ipv6_bad), None); + assert_ne!(IPRange::from_bytes(ipv6_good), None); + assert_eq!(IPRange::from_bytes(bad), None); + + // 192.168.1.1/16 + let ipv4_with_extra = b"\xc0\xa8\x01\x01\xff\xff\x00\x00"; + assert_ne!(IPRange::from_bytes(ipv4_with_extra), None); + + // 192.168.0.0/16 + let ipv4_masked = b"\xc0\xa8\x00\x00\xff\xff\x00\x00"; + assert_eq!( + IPRange::from_bytes(ipv4_with_extra), + IPRange::from_bytes(ipv4_masked) + ); + } + + #[test] + fn test_iprange_matches() { + // 192.168.1.1/16 + let ipv4 = IPRange::from_bytes(b"\xc0\xa8\x01\x01\xff\xff\x00\x00").unwrap(); + let ipv4_32 = IPRange::from_bytes(b"\xc0\x00\x02\xde\xff\xff\xff\xff").unwrap(); + let ipv6 = IPRange::from_bytes( + b"\x26\x00\x0d\xb8\x00\x00\x00\x00\ + \x00\x00\x00\x00\x00\x00\x00\x01\ + \xff\xff\xff\xff\x00\x00\x00\x00\ + \x00\x00\x00\x00\x00\x00\x00\x00", + ) + .unwrap(); + let ipv6_128 = IPRange::from_bytes( + b"\x26\x00\x0d\xb8\x00\x00\x00\x00\ + \x00\x00\x00\x00\xff\x00\xde\xde\ + \xff\xff\xff\xff\xff\xff\xff\xff\ + \xff\xff\xff\xff\xff\xff\xff\xff", + ) + .unwrap(); + + assert!(ipv4.matches(&IPAddress::from_str("192.168.0.50").unwrap())); + assert!(!ipv4.matches(&IPAddress::from_str("192.160.0.50").unwrap())); + assert!(ipv4_32.matches(&IPAddress::from_str("192.0.2.222").unwrap())); + assert!(!ipv4_32.matches(&IPAddress::from_str("192.5.2.222").unwrap())); + assert!(!ipv4_32.matches(&IPAddress::from_str("192.0.2.1").unwrap())); + assert!(ipv6.matches(&IPAddress::from_str("2600:db8::abba").unwrap())); + assert!(ipv6_128.matches(&IPAddress::from_str("2600:db8::ff00:dede").unwrap())); + assert!(!ipv6_128.matches(&IPAddress::from_str("2600::ff00:dede").unwrap())); + assert!(!ipv6_128.matches(&IPAddress::from_str("2600:db8::ff00:0").unwrap())); + } } From 48eba4e628eb3d23fdc54ce56b62892f25bf766c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 5 Aug 2023 21:33:53 -0400 Subject: [PATCH 0283/1014] Fix the BoringSSL build (#9362) --- .github/workflows/build_openssl.sh | 1 + .github/workflows/ci.yml | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index c7855a7f3278..013fcf42698a 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -78,4 +78,5 @@ elif [[ "${TYPE}" == "boringssl" ]]; then # delete binaries we don't need rm -rf "${OSSL_PATH}/bin" popd + rm -rf boringssl/ fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6594a665e005..388dd979071a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -97,9 +97,10 @@ jobs: timeout-minutes: 2 with: path: ${{ github.workspace }}/osslcache - # When altering the openssl build process you may need to increment the value on the end of this cache key - # so that you can prevent it from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-8 + # When altering the openssl build process you may need to increment + # the value on the end of this cache key so that you can prevent it + # from fetching the cache and skipping the build step. + key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-9 if: matrix.PYTHON.OPENSSL - name: Build custom OpenSSL/LibreSSL run: .github/workflows/build_openssl.sh From 9e065c374c9f53cce208361f073853e883835a31 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 6 Aug 2023 02:26:29 +0000 Subject: [PATCH 0284/1014] Bump BoringSSL and/or OpenSSL in CI (#9361) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 388dd979071a..d7c84ae8a589 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 03, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7ae2b910c13017b63f1a8bd6c8decfce692869b0"}} + # Latest commit on the BoringSSL master branch, as of Aug 06, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e28988ecaa5e72523a982915084c9422e495116d"}} # Latest commit on the OpenSSL master branch, as of Aug 05, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7c729851d169f30d9e0c0ad6e7c1cf6cefb37935"}} # Builds with various Rust versions. Includes MSRV and next From 4ec8c89e8f5c085a24bd17bb7b86a882c9133124 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 6 Aug 2023 13:34:18 +0000 Subject: [PATCH 0285/1014] Bump openssl-sys from 0.9.90 to 0.9.91 in /src/rust (#9364) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.90 to 0.9.91. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.90...openssl-sys-v0.9.91) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6cadf2b18438..28c38a8eb316 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -187,9 +187,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.90" +version = "0.9.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6" +checksum = "866b5f16f90776b9bb8dc1e1802ac6f0513de3a7a7465867bfbc563dc737faac" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e17a4a3d304a..0a598fa8c93b 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -16,7 +16,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.55" -openssl-sys = "0.9.90" +openssl-sys = "0.9.91" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 10b1ab4f084a..b2ab35304146 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.19", features = ["abi3-py37"] } -openssl-sys = "0.9.90" +openssl-sys = "0.9.91" [build-dependencies] cc = "1.0.81" From 6f4016edaa02ab6ac1b1a474d812a7d7a835ee30 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 6 Aug 2023 09:35:38 -0400 Subject: [PATCH 0286/1014] Bump pygments from 2.15.1 to 2.16.0 (#9365) Bumps [pygments](https://github.com/pygments/pygments) from 2.15.1 to 2.16.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.15.1...2.16.0) --- updated-dependencies: - dependency-name: pygments dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d84db9a42c89..1d26bbc350c6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -103,7 +103,7 @@ pyenchant==3.2.2 # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -pygments==2.15.1 +pygments==2.16.0 # via # readme-renderer # rich From a074ecb5e62d4a84fce0470651d994808810ad75 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 6 Aug 2023 09:46:27 -0400 Subject: [PATCH 0287/1014] Bump wheel from 0.41.0 to 0.41.1 in /.github/requirements (#9367) Bumps [wheel](https://github.com/pypa/wheel) from 0.41.0 to 0.41.1. - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](https://github.com/pypa/wheel/compare/0.41.0...0.41.1) --- updated-dependencies: - dependency-name: wheel dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2c3639b67df3..eeff5d0d8236 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -86,9 +86,9 @@ typing-extensions==4.7.1 \ --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 # via setuptools-rust -wheel==0.41.0 \ - --hash=sha256:55a0f0a5a84869bce5ba775abfd9c462e3a6b1b7b7ec69d72c0b83d673a5114d \ - --hash=sha256:7e9be3bbd0078f6147d82ed9ed957e323e7708f57e134743d2edef3a7b7972a9 +wheel==0.41.1 \ + --hash=sha256:12b911f083e876e10c595779709f8a88a59f45aacc646492a67fe9ef796c1b47 \ + --hash=sha256:473219bd4cbedc62cea0cb309089b593e47c15c4a2531015f94e4e3b9a0f6981 # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: From d5b800e1b18159e6f8bf6dae7f4b77a2626bdc6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 6 Aug 2023 13:51:48 +0000 Subject: [PATCH 0288/1014] Bump openssl from 0.10.55 to 0.10.56 in /src/rust (#9368) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.55 to 0.10.56. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.56) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 28c38a8eb316..505544075129 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -161,9 +161,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.55" +version = "0.10.56" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d" +checksum = "729b745ad4a5575dd06a3e1af1414bd330ee561c01b3899eb584baeaa8def17e" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 0a598fa8c93b..1578f6e7ef98 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.55" +openssl = "0.10.56" openssl-sys = "0.9.91" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 9eda40a00bd8..75588a2953a2 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.55" +openssl = "0.10.56" ffi = { package = "openssl-sys", version = "0.9.85" } foreign-types = "0.3" foreign-types-shared = "0.1" From b31ff738453a68086da9705e4615cbef8f67044d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 6 Aug 2023 10:01:07 -0400 Subject: [PATCH 0289/1014] Bump pygments from 2.15.1 to 2.16.0 in /.github/requirements (#9366) Bumps [pygments](https://github.com/pygments/pygments) from 2.15.1 to 2.16.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.15.1...2.16.0) --- updated-dependencies: - dependency-name: pygments dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 6cd14dd87ecb..d52076c78709 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -374,9 +374,9 @@ pydantic==1.10.12 \ # via # id # sigstore -pygments==2.15.1 \ - --hash=sha256:8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c \ - --hash=sha256:db2db3deb4b4179f399a09054b023b6a586b76499d36965813c71aa8ed7b5fd1 +pygments==2.16.0 \ + --hash=sha256:4f6df32f21dca07a54a0a130bda9a25d2241e9e0a206841d061c85a60cc96145 \ + --hash=sha256:90e046f72a58b65edd7e6bd99926ffa1b9d19e23db166905046bea0069c0894d # via # readme-renderer # rich From 22054bf26cf78bf70e4d133fb2b7271b66bfe984 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 6 Aug 2023 14:56:30 -0400 Subject: [PATCH 0290/1014] remove workaround that's no longer required (#9363) --- .github/workflows/ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d7c84ae8a589..700f811ab0be 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -239,10 +239,6 @@ jobs: with: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - # Attempted work around for https://github.com/actions/setup-python/issues/709 - - run: brew install openssl@1.1 - if: matrix.PYTHON.VERSION == '3.7' - - name: Setup python uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 with: From 65a3471402b16eac76a9690f63419afc00296964 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Aug 2023 12:18:34 +0000 Subject: [PATCH 0291/1014] Bump pygments from 2.16.0 to 2.16.1 (#9369) Bumps [pygments](https://github.com/pygments/pygments) from 2.16.0 to 2.16.1. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.16.0...2.16.1) --- updated-dependencies: - dependency-name: pygments dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1d26bbc350c6..1fee8fd88cc2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -103,7 +103,7 @@ pyenchant==3.2.2 # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -pygments==2.16.0 +pygments==2.16.1 # via # readme-renderer # rich From 8e8093983491d611002ece582ea942ef934baffd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Aug 2023 08:49:01 -0400 Subject: [PATCH 0292/1014] Bump pygments from 2.16.0 to 2.16.1 in /.github/requirements (#9371) Bumps [pygments](https://github.com/pygments/pygments) from 2.16.0 to 2.16.1. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.16.0...2.16.1) --- updated-dependencies: - dependency-name: pygments dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d52076c78709..7039d9fbd353 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -374,9 +374,9 @@ pydantic==1.10.12 \ # via # id # sigstore -pygments==2.16.0 \ - --hash=sha256:4f6df32f21dca07a54a0a130bda9a25d2241e9e0a206841d061c85a60cc96145 \ - --hash=sha256:90e046f72a58b65edd7e6bd99926ffa1b9d19e23db166905046bea0069c0894d +pygments==2.16.1 \ + --hash=sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692 \ + --hash=sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29 # via # readme-renderer # rich From e3b605a2bf9a7f319bf5142508a4dfcf83dca062 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Aug 2023 12:54:32 +0000 Subject: [PATCH 0293/1014] Bump cc from 1.0.81 to 1.0.82 in /src/rust (#9372) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.81 to 1.0.82. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.81...1.0.82) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 505544075129..254efaeaaf39 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "cc" -version = "1.0.81" +version = "1.0.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c6b2562119bf28c3439f7f02db99faf0aa1a8cdfe5772a2ee155d32227239f0" +checksum = "305fe645edc1442a0fa8b6726ba61d422798d37a52e12eaecf4b022ebbb88f01" dependencies = [ "libc", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 1578f6e7ef98..4d63b344db28 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -21,7 +21,7 @@ foreign-types-shared = "0.1" self_cell = "1" [build-dependencies] -cc = "1.0.81" +cc = "1.0.82" [features] extension-module = ["pyo3/extension-module"] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index b2ab35304146..46da116c5d97 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.19", features = ["abi3-py37"] } openssl-sys = "0.9.91" [build-dependencies] -cc = "1.0.81" +cc = "1.0.82" From 1ee2b48bfd6f1bafdecb21bc8741e5725c9cf467 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 8 Aug 2023 19:24:19 -0500 Subject: [PATCH 0294/1014] Bump BoringSSL and/or OpenSSL in CI (#9373) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 700f811ab0be..62b940769f00 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 06, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e28988ecaa5e72523a982915084c9422e495116d"}} - # Latest commit on the OpenSSL master branch, as of Aug 05, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7c729851d169f30d9e0c0ad6e7c1cf6cefb37935"}} + # Latest commit on the BoringSSL master branch, as of Aug 09, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "77d431746df1f86927cf8462533aa5b0f67323a1"}} + # Latest commit on the OpenSSL master branch, as of Aug 09, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9607f5ccf285ac9988a86f95c5ad9f92b556a843"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 5003ca2c72ca2b8b7c8f0b5806ee12d5a8625aa4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Aug 2023 22:52:45 -0400 Subject: [PATCH 0295/1014] Update for latest ruff (#9374) --- .../hazmat/backends/openssl/backend.py | 8 +-- .../hazmat/bindings/openssl/binding.py | 2 +- .../hazmat/primitives/asymmetric/dsa.py | 9 ++-- .../hazmat/primitives/asymmetric/rsa.py | 2 +- .../hazmat/primitives/ciphers/algorithms.py | 4 +- src/cryptography/x509/extensions.py | 52 +++++++++---------- src/cryptography/x509/name.py | 4 +- 7 files changed, 38 insertions(+), 43 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 3319e8f3a18f..a5bd949f1475 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -182,9 +182,9 @@ def openssl_version_number(self) -> int: def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm): if algorithm.name == "blake2b" or algorithm.name == "blake2s": - alg = "{}{}".format( - algorithm.name, algorithm.digest_size * 8 - ).encode("ascii") + alg = f"{algorithm.name}{algorithm.digest_size * 8}".encode( + "ascii" + ) else: alg = algorithm.name.encode("ascii") @@ -1535,7 +1535,7 @@ def _load_pkcs7_certificates(self, p7) -> typing.List[x509.Certificate]: if nid != self._lib.NID_pkcs7_signed: raise UnsupportedAlgorithm( "Only basic signed structures are currently supported. NID" - " for this data was {}".format(nid), + f" for this data was {nid}", _Reasons.UNSUPPORTED_SERIALIZATION, ) diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index b50d631518c1..9eb142788aa3 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -33,7 +33,7 @@ def _openssl_assert( "OpenSSL try disabling it before reporting a bug. Otherwise " "please file an issue at https://github.com/pyca/cryptography/" "issues with information on how to reproduce " - "this. ({!r})".format(errors), + f"this. ({errors!r})", errors, ) diff --git a/src/cryptography/hazmat/primitives/asymmetric/dsa.py b/src/cryptography/hazmat/primitives/asymmetric/dsa.py index 0651d34ddc2e..8163a79ccf25 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dsa.py @@ -172,10 +172,7 @@ def __eq__(self, other: object) -> bool: return self.p == other.p and self.q == other.q and self.g == other.g def __repr__(self) -> str: - return ( - "".format(self=self) - ) + return f"" class DSAPublicNumbers: @@ -214,8 +211,8 @@ def __eq__(self, other: object) -> bool: def __repr__(self) -> str: return ( - "".format(self=self) + f"" ) diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index b740f01f7c4c..1e132cca36a7 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -427,7 +427,7 @@ def public_key(self, backend: typing.Any = None) -> RSAPublicKey: return ossl.load_rsa_public_numbers(self) def __repr__(self) -> str: - return "".format(self) + return f"" def __eq__(self, other: object) -> bool: if not isinstance(other, RSAPublicNumbers): diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py index 4bfc5d840d67..ebc9595c49fb 100644 --- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -18,9 +18,7 @@ def _verify_key_size(algorithm: CipherAlgorithm, key: bytes) -> bytes: # Verify that the key size matches the expected key size if len(key) * 8 not in algorithm.key_sizes: raise ValueError( - "Invalid key size ({}) for {}.".format( - len(key) * 8, algorithm.name - ) + f"Invalid key size ({len(key) * 8}) for {algorithm.name}." ) return key diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index f3cd53059849..c73d49d83e95 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -240,10 +240,10 @@ def from_issuer_subject_key_identifier( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: @@ -1211,14 +1211,14 @@ def __repr__(self) -> str: decipher_only = False return ( - "" - ).format(self, encipher_only, decipher_only) + f"" + ) def __eq__(self, other: object) -> bool: if not isinstance(other, KeyUsage): @@ -1337,8 +1337,8 @@ def _validate_dns_name(self, tree: typing.Iterable[GeneralName]) -> None: def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __hash__(self) -> int: @@ -1404,9 +1404,9 @@ def value(self) -> ExtensionTypeVar: def __repr__(self) -> str: return ( - "" - ).format(self) + f"" + ) def __eq__(self, other: object) -> bool: if not isinstance(other, Extension): @@ -2044,14 +2044,14 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"{self.only_contains_attribute_certs})>" ) def __eq__(self, other: object) -> bool: @@ -2192,8 +2192,8 @@ def value(self) -> bytes: def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index ff98e8724af1..8be2dac1416e 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -145,7 +145,7 @@ def __init__( elif c_len != 2: warnings.warn( "Country names should be two characters, but the " - "attribute is {} characters in length.".format(c_len), + f"attribute is {c_len} characters in length.", stacklevel=2, ) @@ -208,7 +208,7 @@ def __hash__(self) -> int: return hash((self.oid, self.value)) def __repr__(self) -> str: - return "".format(self) + return f"" class RelativeDistinguishedName: From e531383b5f0d7f249a5a947ffe96429ff32e5caf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 08:05:02 -0500 Subject: [PATCH 0296/1014] Bump ruff from 0.0.282 to 0.0.283 (#9376) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.282 to 0.0.283. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.282...v0.0.283) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1fee8fd88cc2..c3bc1130e1f2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.282 +ruff==0.0.283 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 699c15f28708cf024a2cbc0b32eca9e93dad4750 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 17:31:26 -0400 Subject: [PATCH 0297/1014] Bump sphinxcontrib-qthelp from 1.0.3 to 1.0.4 (#9380) Bumps [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) from 1.0.3 to 1.0.4. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-qthelp/compare/1.0.3...1.0.4) --- updated-dependencies: - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c3bc1130e1f2..24ddaa47ab7e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -162,7 +162,7 @@ sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.3 +sphinxcontrib-qthelp==1.0.4 # via sphinx sphinxcontrib-serializinghtml==1.1.5 # via sphinx From 83a8745329017408bf6147e80749213b1e7685a8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 17:33:27 -0400 Subject: [PATCH 0298/1014] Bump sphinxcontrib-htmlhelp from 2.0.1 to 2.0.2 (#9378) Bumps [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) from 2.0.1 to 2.0.2. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/compare/2.0.1...2.0.2) --- updated-dependencies: - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 24ddaa47ab7e..8ee0004ce36b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -156,7 +156,7 @@ sphinxcontrib-applehelp==1.0.4 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx -sphinxcontrib-htmlhelp==2.0.1 +sphinxcontrib-htmlhelp==2.0.2 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme From 6c33a448cc5a6cbfa477687587ea1fa57bf06c03 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 17:33:54 -0400 Subject: [PATCH 0299/1014] Bump sphinxcontrib-devhelp from 1.0.2 to 1.0.3 (#9377) Bumps [sphinxcontrib-devhelp](https://github.com/sphinx-doc/sphinxcontrib-devhelp) from 1.0.2 to 1.0.3. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-devhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-devhelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-devhelp/compare/1.0.2...1.0.3) --- updated-dependencies: - dependency-name: sphinxcontrib-devhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8ee0004ce36b..c64ad9010f3d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -154,7 +154,7 @@ sphinx-rtd-theme==1.2.2 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.4 # via sphinx -sphinxcontrib-devhelp==1.0.2 +sphinxcontrib-devhelp==1.0.3 # via sphinx sphinxcontrib-htmlhelp==2.0.2 # via sphinx From c483a03c5a0d45f11d8c92e543faf38a1887c961 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 17:34:18 -0400 Subject: [PATCH 0300/1014] Bump sphinxcontrib-applehelp from 1.0.4 to 1.0.5 (#9375) Bumps [sphinxcontrib-applehelp](https://github.com/sphinx-doc/sphinxcontrib-applehelp) from 1.0.4 to 1.0.5. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-applehelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-applehelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-applehelp/compare/1.0.4...1.0.5) --- updated-dependencies: - dependency-name: sphinxcontrib-applehelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c64ad9010f3d..883fb9c58c43 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -152,7 +152,7 @@ sphinx==6.2.1 # sphinxcontrib-spelling sphinx-rtd-theme==1.2.2 # via cryptography (pyproject.toml) -sphinxcontrib-applehelp==1.0.4 +sphinxcontrib-applehelp==1.0.5 # via sphinx sphinxcontrib-devhelp==1.0.3 # via sphinx From dccb2c10bc48f602c16a2d3d83fbb359d8473e6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 21:46:20 +0000 Subject: [PATCH 0301/1014] Bump sphinxcontrib-serializinghtml from 1.1.5 to 1.1.7 (#9383) Bumps [sphinxcontrib-serializinghtml](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml) from 1.1.5 to 1.1.7. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/compare/1.1.5...1.1.7) --- updated-dependencies: - dependency-name: sphinxcontrib-serializinghtml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 883fb9c58c43..2c7370f82f99 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -164,7 +164,7 @@ sphinxcontrib-jsmath==1.0.1 # via sphinx sphinxcontrib-qthelp==1.0.4 # via sphinx -sphinxcontrib-serializinghtml==1.1.5 +sphinxcontrib-serializinghtml==1.1.7 # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) From e6fa3febc3cd90176dc04ffd04db23479fb40fab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 21:57:17 +0000 Subject: [PATCH 0302/1014] Bump sphinxcontrib-devhelp from 1.0.3 to 1.0.4 (#9385) Bumps [sphinxcontrib-devhelp](https://github.com/sphinx-doc/sphinxcontrib-devhelp) from 1.0.3 to 1.0.4. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-devhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-devhelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-devhelp/compare/1.0.3...1.0.4) --- updated-dependencies: - dependency-name: sphinxcontrib-devhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2c7370f82f99..7973df4daecf 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -154,7 +154,7 @@ sphinx-rtd-theme==1.2.2 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.5 # via sphinx -sphinxcontrib-devhelp==1.0.3 +sphinxcontrib-devhelp==1.0.4 # via sphinx sphinxcontrib-htmlhelp==2.0.2 # via sphinx From 00e7ecb89bae44c6e489f3c66eab4e974ff0860b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 21:59:03 +0000 Subject: [PATCH 0303/1014] Bump asn1 from 0.15.4 to 0.15.5 in /src/rust (#9386) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.15.4 to 0.15.5. - [Commits](https://github.com/alex/rust-asn1/compare/0.15.4...0.15.5) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-x509-validation/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 254efaeaaf39..e378ff324648 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.15.4" +version = "0.15.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de594fb2adce376d7955c41e273e1ba22b0476b8763c383362b99c3d78fee593" +checksum = "ae3ecbce89a22627b5e8e6e11d69715617138290289e385cde773b1fe50befdb" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.15.4" +version = "0.15.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc6da21a2122ddd982cab7a7a73b961d12398e96c2faae5cd4d62593a5e7342f" +checksum = "861af988fac460ac69a09f41e6217a8fb9178797b76fcc9478444be6a59be19c" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 4d63b344db28..77455d375f75 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.63.0" [dependencies] once_cell = "1" pyo3 = { version = "0.19", features = ["abi3-py37"] } -asn1 = { version = "0.15.4", default-features = false } +asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-validation/Cargo.toml index b62f1951f47a..49c608dcbec6 100644 --- a/src/rust/cryptography-x509-validation/Cargo.toml +++ b/src/rust/cryptography-x509-validation/Cargo.toml @@ -8,5 +8,5 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.0", default-features = false } +asn1 = { version = "0.15.5", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 9f59aec2d153..9a877fd13cb6 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.4", default-features = false } +asn1 = { version = "0.15.5", default-features = false } From 0358393dae44935038b7c010040e42a76bd98c7e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 22:14:27 +0000 Subject: [PATCH 0304/1014] Bump sphinxcontrib-applehelp from 1.0.4 to 1.0.6 (#9384) Bumps [sphinxcontrib-applehelp](https://github.com/sphinx-doc/sphinxcontrib-applehelp) from 1.0.4 to 1.0.6. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-applehelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-applehelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-applehelp/compare/1.0.4...1.0.6) --- updated-dependencies: - dependency-name: sphinxcontrib-applehelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7973df4daecf..8bee848252c6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -152,7 +152,7 @@ sphinx==6.2.1 # sphinxcontrib-spelling sphinx-rtd-theme==1.2.2 # via cryptography (pyproject.toml) -sphinxcontrib-applehelp==1.0.5 +sphinxcontrib-applehelp==1.0.6 # via sphinx sphinxcontrib-devhelp==1.0.4 # via sphinx From 46930d22f6ab195823089d52022a47ff74674eee Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 9 Aug 2023 20:32:10 -0400 Subject: [PATCH 0305/1014] Bump BoringSSL and/or OpenSSL in CI (#9388) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62b940769f00..6f8da06aa5bc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 09, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "77d431746df1f86927cf8462533aa5b0f67323a1"}} - # Latest commit on the OpenSSL master branch, as of Aug 09, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9607f5ccf285ac9988a86f95c5ad9f92b556a843"}} + # Latest commit on the BoringSSL master branch, as of Aug 10, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8d19c850d4dbde4bd7ece463c3b3f3685571a779"}} + # Latest commit on the OpenSSL master branch, as of Aug 10, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d38ccedb25f31dfab232e2669415fd4db18b20e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 387e5094703221de9120fb91b7908461822d434b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Aug 2023 22:29:55 -0400 Subject: [PATCH 0306/1014] Convert AESSIV AEAD to Rust (#9359) --- .../hazmat/backends/openssl/aead.py | 64 +----- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/_rust/openssl/aead.pyi | 20 ++ .../hazmat/primitives/ciphers/aead.py | 86 +------ src/rust/src/backend/aead.rs | 210 ++++++++++++++++++ src/rust/src/backend/mod.rs | 2 + src/rust/src/exceptions.rs | 1 + 7 files changed, 258 insertions(+), 127 deletions(-) create mode 100644 src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi create mode 100644 src/rust/src/backend/aead.rs diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py index b36f535f3f8f..b7fef7a52634 100644 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ b/src/cryptography/hazmat/backends/openssl/aead.py @@ -14,13 +14,10 @@ AESCCM, AESGCM, AESOCB3, - AESSIV, ChaCha20Poly1305, ) - _AEADTypes = typing.Union[ - AESCCM, AESGCM, AESOCB3, AESSIV, ChaCha20Poly1305 - ] + _AEADTypes = typing.Union[AESCCM, AESGCM, AESOCB3, ChaCha20Poly1305] def _is_evp_aead_supported_cipher( @@ -44,16 +41,9 @@ def _aead_cipher_supported(backend: Backend, cipher: _AEADTypes) -> bool: cipher_name = _evp_cipher_cipher_name(cipher) if backend._fips_enabled and cipher_name not in backend._fips_aead: return False - # SIV isn't loaded through get_cipherbyname but instead a new fetch API - # only available in 3.0+. But if we know we're on 3.0+ then we know - # it's supported. - if cipher_name.endswith(b"-siv"): - return backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER == 1 - else: - return ( - backend._lib.EVP_get_cipherbyname(cipher_name) - != backend._ffi.NULL - ) + return ( + backend._lib.EVP_get_cipherbyname(cipher_name) != backend._ffi.NULL + ) def _aead_create_ctx( @@ -231,7 +221,6 @@ def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: AESCCM, AESGCM, AESOCB3, - AESSIV, ChaCha20Poly1305, ) @@ -241,26 +230,14 @@ def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") elif isinstance(cipher, AESOCB3): return f"aes-{len(cipher._key) * 8}-ocb".encode("ascii") - elif isinstance(cipher, AESSIV): - return f"aes-{len(cipher._key) * 8 // 2}-siv".encode("ascii") else: assert isinstance(cipher, AESGCM) return f"aes-{len(cipher._key) * 8}-gcm".encode("ascii") def _evp_cipher(cipher_name: bytes, backend: Backend): - if cipher_name.endswith(b"-siv"): - evp_cipher = backend._lib.EVP_CIPHER_fetch( - backend._ffi.NULL, - cipher_name, - backend._ffi.NULL, - ) - backend.openssl_assert(evp_cipher != backend._ffi.NULL) - evp_cipher = backend._ffi.gc(evp_cipher, backend._lib.EVP_CIPHER_free) - else: - evp_cipher = backend._lib.EVP_get_cipherbyname(cipher_name) - backend.openssl_assert(evp_cipher != backend._ffi.NULL) - + evp_cipher = backend._lib.EVP_get_cipherbyname(cipher_name) + backend.openssl_assert(evp_cipher != backend._ffi.NULL) return evp_cipher @@ -389,10 +366,7 @@ def _evp_cipher_process_data(backend: Backend, ctx, data: bytes) -> bytes: buf = backend._ffi.new("unsigned char[]", len(data)) data_ptr = backend._ffi.from_buffer(data) res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, data_ptr, len(data)) - if res == 0: - # AES SIV can error here if the data is invalid on decrypt - backend._consume_errors() - raise InvalidTag + backend.openssl_assert(res != 0) return backend._ffi.buffer(buf, outlen[0])[:] @@ -405,7 +379,7 @@ def _evp_cipher_encrypt( tag_length: int, ctx: typing.Any = None, ) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM, AESSIV + from cryptography.hazmat.primitives.ciphers.aead import AESCCM if ctx is None: cipher_name = _evp_cipher_cipher_name(cipher) @@ -445,14 +419,7 @@ def _evp_cipher_encrypt( backend.openssl_assert(res != 0) tag = backend._ffi.buffer(tag_buf)[:] - if isinstance(cipher, AESSIV): - # RFC 5297 defines the output as IV || C, where the tag we generate - # is the "IV" and C is the ciphertext. This is the opposite of our - # other AEADs, which are Ciphertext || Tag - backend.openssl_assert(len(tag) == 16) - return tag + processed_data - else: - return processed_data + tag + return processed_data + tag def _evp_cipher_decrypt( @@ -464,20 +431,13 @@ def _evp_cipher_decrypt( tag_length: int, ctx: typing.Any = None, ) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM, AESSIV + from cryptography.hazmat.primitives.ciphers.aead import AESCCM if len(data) < tag_length: raise InvalidTag - if isinstance(cipher, AESSIV): - # RFC 5297 defines the output as IV || C, where the tag we generate - # is the "IV" and C is the ciphertext. This is the opposite of our - # other AEADs, which are Ciphertext || Tag - tag = data[:tag_length] - data = data[tag_length:] - else: - tag = data[-tag_length:] - data = data[:-tag_length] + tag = data[-tag_length:] + data = data[:-tag_length] if ctx is None: cipher_name = _evp_cipher_cipher_name(cipher) ctx = _evp_cipher_aead_setup( diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index d0e6ccaed238..1784c5ade9cd 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -5,6 +5,7 @@ import typing from cryptography.hazmat.bindings._rust.openssl import ( + aead, dh, dsa, ec, @@ -21,6 +22,7 @@ from cryptography.hazmat.bindings._rust.openssl import ( __all__ = [ "openssl_version", "raise_openssl_error", + "aead", "dh", "dsa", "ec", diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi new file mode 100644 index 000000000000..57cf92ce5e75 --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -0,0 +1,20 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import typing + +class AESSIV: + def __init__(self, key: bytes) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + associated_data: typing.Optional[typing.List[bytes]], + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + associated_data: typing.Optional[typing.List[bytes]], + ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 957b2d221b62..944060c0b3dd 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -11,6 +11,17 @@ from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.backend import backend from cryptography.hazmat.bindings._rust import FixedPool +from cryptography.hazmat.bindings._rust import openssl as rust_openssl + +__all__ = [ + "ChaCha20Poly1305", + "AESCCM", + "AESGCM", + "AESOCB3", + "AESSIV", +] + +AESSIV = rust_openssl.aead.AESSIV class ChaCha20Poly1305: @@ -301,78 +312,3 @@ def _check_params( utils._check_byteslike("associated_data", associated_data) if len(nonce) < 12 or len(nonce) > 15: raise ValueError("Nonce must be between 12 and 15 bytes") - - -class AESSIV: - _MAX_SIZE = 2**31 - 1 - - def __init__(self, key: bytes): - utils._check_byteslike("key", key) - if len(key) not in (32, 48, 64): - raise ValueError("AESSIV key must be 256, 384, or 512 bits.") - - self._key = key - - if not backend.aead_cipher_supported(self): - raise exceptions.UnsupportedAlgorithm( - "AES-SIV is not supported by this version of OpenSSL", - exceptions._Reasons.UNSUPPORTED_CIPHER, - ) - - @classmethod - def generate_key(cls, bit_length: int) -> bytes: - if not isinstance(bit_length, int): - raise TypeError("bit_length must be an integer") - - if bit_length not in (256, 384, 512): - raise ValueError("bit_length must be 256, 384, or 512") - - return os.urandom(bit_length // 8) - - def encrypt( - self, - data: bytes, - associated_data: typing.Optional[typing.List[bytes]], - ) -> bytes: - if associated_data is None: - associated_data = [] - - self._check_params(data, associated_data) - - if len(data) > self._MAX_SIZE or any( - len(ad) > self._MAX_SIZE for ad in associated_data - ): - # This is OverflowError to match what cffi would raise - raise OverflowError( - "Data or associated data too long. Max 2**31 - 1 bytes" - ) - - return aead._encrypt(backend, self, b"", data, associated_data, 16) - - def decrypt( - self, - data: bytes, - associated_data: typing.Optional[typing.List[bytes]], - ) -> bytes: - if associated_data is None: - associated_data = [] - - self._check_params(data, associated_data) - - return aead._decrypt(backend, self, b"", data, associated_data, 16) - - def _check_params( - self, - data: bytes, - associated_data: typing.List[bytes], - ) -> None: - utils._check_byteslike("data", data) - if len(data) == 0: - raise ValueError("data must not be zero length") - - if not isinstance(associated_data, list): - raise TypeError( - "associated_data must be a list of bytes-like objects or None" - ) - for x in associated_data: - utils._check_byteslike("associated_data elements", x) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs new file mode 100644 index 000000000000..8f9c4829090e --- /dev/null +++ b/src/rust/src/backend/aead.rs @@ -0,0 +1,210 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::buf::CffiBuf; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; + +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESSIV" +)] +struct AesSiv { + key: pyo3::Py, + cipher: openssl::cipher::Cipher, +} + +#[pyo3::prelude::pymethods] +impl AesSiv { + #[new] + fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { + let key_buf = key.extract::>(py)?; + let cipher_name = match key_buf.as_bytes().len() { + 32 => "aes-128-siv", + 48 => "aes-192-siv", + 64 => "aes-256-siv", + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AESSIV key must be 256, 384, or 512 bits.", + ), + )) + } + }; + + #[cfg(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER))] + { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-SIV is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-SIV is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + + let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; + Ok(AesSiv { key, cipher }) + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 256 && bit_length != 384 && bit_length != 512 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 256, 384, or 512"), + )); + } + + Ok(py + .import(pyo3::intern!(py, "os"))? + .call_method1(pyo3::intern!(py, "urandom"), (bit_length / 8,))?) + } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + data: CffiBuf<'_>, + associated_data: Option<&pyo3::types::PyList>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let key_buf = self.key.extract::>(py)?; + let data_bytes = data.as_bytes(); + + if data_bytes.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("data must not be zero length"), + )); + } else if data_bytes.len() > (i32::MAX as usize) { + // This is OverflowError to match what cffi would raise + return Err(CryptographyError::from( + pyo3::exceptions::PyOverflowError::new_err( + "Data or associated data too long. Max 2**31 - 1 bytes", + ), + )); + } + + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + ctx.encrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; + + if let Some(ads) = associated_data { + for ad in ads.iter() { + let ad = ad.extract::>()?; + if ad.as_bytes().len() > (i32::MAX as usize) { + // This is OverflowError to match what cffi would raise + return Err(CryptographyError::from( + pyo3::exceptions::PyOverflowError::new_err( + "Data or associated data too long. Max 2**31 - 1 bytes", + ), + )); + } + + ctx.cipher_update(ad.as_bytes(), None)?; + } + } + + Ok(pyo3::types::PyBytes::new_with( + py, + data_bytes.len() + 16, + |b| { + // RFC 5297 defines the output as IV || C, where the tag we + // generate is the "IV" and C is the ciphertext. This is the + // opposite of our other AEADs, which are Ciphertext || Tag. + let (tag, ciphertext) = b.split_at_mut(16); + + let n = ctx + .cipher_update(data_bytes, Some(ciphertext)) + .map_err(CryptographyError::from)?; + assert_eq!(n, ciphertext.len()); + + let mut final_block = [0]; + let n = ctx + .cipher_final(&mut final_block) + .map_err(CryptographyError::from)?; + assert_eq!(n, 0); + + ctx.tag(tag).map_err(CryptographyError::from)?; + + Ok(()) + }, + )?) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + data: CffiBuf<'_>, + associated_data: Option<&pyo3::types::PyList>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let key_buf = self.key.extract::>(py)?; + let data_bytes = data.as_bytes(); + + if data_bytes.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("data must not be zero length"), + )); + } + + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + ctx.decrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; + + if data_bytes.len() < 16 { + return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); + } + // RFC 5297 defines the output as IV || C, where the tag we generate + // is the "IV" and C is the ciphertext. This is the opposite of our + // other AEADs, which are Ciphertext || Tag. + let (tag, ciphertext) = data_bytes.split_at(16); + ctx.set_tag(tag)?; + + if let Some(ads) = associated_data { + for ad in ads.iter() { + let ad = ad.extract::>()?; + if ad.as_bytes().len() > (i32::MAX as usize) { + // This is OverflowError to match what cffi would raise + return Err(CryptographyError::from( + pyo3::exceptions::PyOverflowError::new_err( + "Data or associated data too long. Max 2**31 - 1 bytes", + ), + )); + } + + ctx.cipher_update(ad.as_bytes(), None)?; + } + } + + Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { + // AES SIV can error here if the data is invalid on decrypt + let n = ctx + .cipher_update(ciphertext, Some(b)) + .map_err(|_| exceptions::InvalidTag::new_err(()))?; + assert_eq!(n, b.len()); + + let mut final_block = [0]; + let n = ctx + .cipher_final(&mut final_block) + .map_err(|_| exceptions::InvalidTag::new_err(()))?; + assert_eq!(n, 0); + + Ok(()) + })?) + } +} + +pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let m = pyo3::prelude::PyModule::new(py, "aead")?; + + m.add_class::()?; + + Ok(m) +} diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index b032aaac4404..717a09af8ad4 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +pub(crate) mod aead; pub(crate) mod dh; pub(crate) mod dsa; pub(crate) mod ec; @@ -20,6 +21,7 @@ pub(crate) mod x25519; pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { + module.add_submodule(aead::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index e3feb38d1d8c..c9456513993d 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -26,6 +26,7 @@ pub(crate) enum Reasons { pyo3::import_exception!(cryptography.exceptions, AlreadyFinalized); pyo3::import_exception!(cryptography.exceptions, InternalError); pyo3::import_exception!(cryptography.exceptions, InvalidSignature); +pyo3::import_exception!(cryptography.exceptions, InvalidTag); pyo3::import_exception!(cryptography.exceptions, UnsupportedAlgorithm); pyo3::import_exception!(cryptography.x509, AttributeNotFound); pyo3::import_exception!(cryptography.x509, DuplicateExtension); From 1b177519629223873194c261345107717da646f1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 9 Aug 2023 22:54:08 -0400 Subject: [PATCH 0307/1014] Fixed incorrect param name in pyi (#9391) --- src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index 57cf92ce5e75..a3f722cde86a 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -10,11 +10,11 @@ class AESSIV: def generate_key(key_size: int) -> bytes: ... def encrypt( self, - nonce: bytes, + data: bytes, associated_data: typing.Optional[typing.List[bytes]], ) -> bytes: ... def decrypt( self, - nonce: bytes, + data: bytes, associated_data: typing.Optional[typing.List[bytes]], ) -> bytes: ... From e4581ca11aa2e2261ef217c559385bb4e55bcebe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:16:06 -0400 Subject: [PATCH 0308/1014] Bump sphinxcontrib-htmlhelp from 2.0.2 to 2.0.3 (#9396) Bumps [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) from 2.0.2 to 2.0.3. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/compare/2.0.2...2.0.3) --- updated-dependencies: - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8bee848252c6..f4fde36771cf 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -156,7 +156,7 @@ sphinxcontrib-applehelp==1.0.6 # via sphinx sphinxcontrib-devhelp==1.0.4 # via sphinx -sphinxcontrib-htmlhelp==2.0.2 +sphinxcontrib-htmlhelp==2.0.3 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme From 934c4e0bdc0a3c3c606a5bbb8039b82ee9476f1a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:17:28 -0400 Subject: [PATCH 0309/1014] Bump mypy from 1.4.1 to 1.5.0 (#9395) Bumps [mypy](https://github.com/python/mypy) from 1.4.1 to 1.5.0. - [Commits](https://github.com/python/mypy/compare/v1.4.1...v1.5.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f4fde36771cf..d4340f5b7001 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==10.1.0 # via jaraco-classes -mypy==1.4.1 +mypy==1.5.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From ced1708d0c9902300c8deff1e64380f11cfd047d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Aug 2023 09:17:46 -0400 Subject: [PATCH 0310/1014] Bump sphinxcontrib-qthelp from 1.0.4 to 1.0.5 (#9394) Bumps [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) from 1.0.4 to 1.0.5. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-qthelp/compare/1.0.4...1.0.5) --- updated-dependencies: - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d4340f5b7001..c7d4212a9f18 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -162,7 +162,7 @@ sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.4 +sphinxcontrib-qthelp==1.0.5 # via sphinx sphinxcontrib-serializinghtml==1.1.7 # via sphinx From 27e8b3d1d83e4c0459c245f7e55a7540b6ac7e24 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 10 Aug 2023 13:18:33 +0000 Subject: [PATCH 0311/1014] Bump ruff from 0.0.283 to 0.0.284 (#9393) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.283 to 0.0.284. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.283...v0.0.284) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c7d4212a9f18..5f8a9a9001f5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.283 +ruff==0.0.284 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 1336f17267c8a8c8d3159b9c53fde39d1941dd74 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 10 Aug 2023 18:23:14 -0400 Subject: [PATCH 0312/1014] Refactor AEAD code to make it more reusable (#9397) --- src/rust/src/backend/aead.rs | 141 +++++++++++++++++++---------------- 1 file changed, 76 insertions(+), 65 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 8f9c4829090e..2a6641afa371 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -6,6 +6,76 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +fn check_length(data: &[u8]) -> CryptographyResult<()> { + if data.len() > (i32::MAX as usize) { + // This is OverflowError to match what cffi would raise + return Err(CryptographyError::from( + pyo3::exceptions::PyOverflowError::new_err( + "Data or associated data too long. Max 2**31 - 1 bytes", + ), + )); + } + + Ok(()) +} + +fn encrypt_value<'p>( + py: pyo3::Python<'p>, + mut ctx: openssl::cipher_ctx::CipherCtx, + plaintext: &[u8], + tag_len: usize, + tag_first: bool, +) -> CryptographyResult<&'p pyo3::types::PyBytes> { + Ok(pyo3::types::PyBytes::new_with( + py, + plaintext.len() + tag_len, + |b| { + let ciphertext; + let tag; + // TODO: remove once we have a second AEAD implemented here. + assert!(tag_first); + (tag, ciphertext) = b.split_at_mut(tag_len); + + let n = ctx + .cipher_update(plaintext, Some(ciphertext)) + .map_err(CryptographyError::from)?; + assert_eq!(n, ciphertext.len()); + + let mut final_block = [0]; + let n = ctx + .cipher_final(&mut final_block) + .map_err(CryptographyError::from)?; + assert_eq!(n, 0); + + ctx.tag(tag).map_err(CryptographyError::from)?; + + Ok(()) + }, + )?) +} + +fn decrypt_value<'p>( + py: pyo3::Python<'p>, + mut ctx: openssl::cipher_ctx::CipherCtx, + ciphertext: &[u8], +) -> CryptographyResult<&'p pyo3::types::PyBytes> { + Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { + // AES SIV can error here if the data is invalid on decrypt + let n = ctx + .cipher_update(ciphertext, Some(b)) + .map_err(|_| exceptions::InvalidTag::new_err(()))?; + assert_eq!(n, b.len()); + + let mut final_block = [0]; + let n = ctx + .cipher_final(&mut final_block) + .map_err(|_| exceptions::InvalidTag::new_err(()))?; + assert_eq!(n, 0); + + Ok(()) + })?) +} + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", @@ -85,14 +155,8 @@ impl AesSiv { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("data must not be zero length"), )); - } else if data_bytes.len() > (i32::MAX as usize) { - // This is OverflowError to match what cffi would raise - return Err(CryptographyError::from( - pyo3::exceptions::PyOverflowError::new_err( - "Data or associated data too long. Max 2**31 - 1 bytes", - ), - )); - } + }; + check_length(data_bytes)?; let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.encrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; @@ -100,44 +164,12 @@ impl AesSiv { if let Some(ads) = associated_data { for ad in ads.iter() { let ad = ad.extract::>()?; - if ad.as_bytes().len() > (i32::MAX as usize) { - // This is OverflowError to match what cffi would raise - return Err(CryptographyError::from( - pyo3::exceptions::PyOverflowError::new_err( - "Data or associated data too long. Max 2**31 - 1 bytes", - ), - )); - } - + check_length(ad.as_bytes())?; ctx.cipher_update(ad.as_bytes(), None)?; } } - Ok(pyo3::types::PyBytes::new_with( - py, - data_bytes.len() + 16, - |b| { - // RFC 5297 defines the output as IV || C, where the tag we - // generate is the "IV" and C is the ciphertext. This is the - // opposite of our other AEADs, which are Ciphertext || Tag. - let (tag, ciphertext) = b.split_at_mut(16); - - let n = ctx - .cipher_update(data_bytes, Some(ciphertext)) - .map_err(CryptographyError::from)?; - assert_eq!(n, ciphertext.len()); - - let mut final_block = [0]; - let n = ctx - .cipher_final(&mut final_block) - .map_err(CryptographyError::from)?; - assert_eq!(n, 0); - - ctx.tag(tag).map_err(CryptographyError::from)?; - - Ok(()) - }, - )?) + encrypt_value(py, ctx, data_bytes, 16, true) } fn decrypt<'p>( @@ -170,34 +202,13 @@ impl AesSiv { if let Some(ads) = associated_data { for ad in ads.iter() { let ad = ad.extract::>()?; - if ad.as_bytes().len() > (i32::MAX as usize) { - // This is OverflowError to match what cffi would raise - return Err(CryptographyError::from( - pyo3::exceptions::PyOverflowError::new_err( - "Data or associated data too long. Max 2**31 - 1 bytes", - ), - )); - } + check_length(ad.as_bytes())?; ctx.cipher_update(ad.as_bytes(), None)?; } } - Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { - // AES SIV can error here if the data is invalid on decrypt - let n = ctx - .cipher_update(ciphertext, Some(b)) - .map_err(|_| exceptions::InvalidTag::new_err(()))?; - assert_eq!(n, b.len()); - - let mut final_block = [0]; - let n = ctx - .cipher_final(&mut final_block) - .map_err(|_| exceptions::InvalidTag::new_err(()))?; - assert_eq!(n, 0); - - Ok(()) - })?) + decrypt_value(py, ctx, ciphertext) } } From ecf2129e586e6f51ade1accb4b1a6b53d6f03dcb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 10 Aug 2023 18:26:17 -0400 Subject: [PATCH 0313/1014] Correctly run clippy on sub-crates (#9398) --- noxfile.py | 4 +++- src/rust/cryptography-x509-validation/src/types.rs | 9 +++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/noxfile.py b/noxfile.py index d86cc9752bc3..4c29c4db2dec 100644 --- a/noxfile.py +++ b/noxfile.py @@ -188,7 +188,9 @@ def rust(session: nox.Session) -> None: with session.chdir("src/rust/"): session.run("cargo", "fmt", "--all", "--", "--check", external=True) - session.run("cargo", "clippy", "--", "-D", "warnings", external=True) + session.run( + "cargo", "clippy", "--all", "--", "-D", "warnings", external=True + ) build_output = session.run( "cargo", diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs index cf850ef9b26a..20b42bc06f61 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs +++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -113,13 +113,14 @@ impl<'a> DNSPattern<'a> { } } -#[derive(Copy, Clone, Debug, PartialEq)] +#[derive(Copy, Clone, Debug, PartialEq, Eq)] pub struct IPAddress(IpAddr); /// An `IPAddress` represents an IP address as defined in [RFC 5280 4.2.1.6]. /// /// [RFC 5280 4.2.1.6]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 impl IPAddress { + #[allow(clippy::should_implement_trait)] pub fn from_str(s: &str) -> Option { IpAddr::from_str(s).ok().map(Self::from) } @@ -175,7 +176,7 @@ impl IPAddress { pub fn mask(&self, prefix: u8) -> Self { match self.0 { IpAddr::V4(a) => { - let prefix = 32u8.checked_sub(prefix).unwrap_or(0).into(); + let prefix = 32u8.saturating_sub(prefix).into(); let masked = u32::from_be_bytes(a.octets()) & u32::MAX .checked_shr(prefix) @@ -185,7 +186,7 @@ impl IPAddress { Self::from_bytes(&masked.to_be_bytes()).unwrap() } IpAddr::V6(a) => { - let prefix = 128u8.checked_sub(prefix).unwrap_or(0).into(); + let prefix = 128u8.saturating_sub(prefix).into(); let masked = u128::from_be_bytes(a.octets()) & u128::MAX .checked_shr(prefix) @@ -204,7 +205,7 @@ impl From for IPAddress { } } -#[derive(Debug, PartialEq)] +#[derive(Debug, PartialEq, Eq)] pub struct IPRange { address: IPAddress, prefix: u8, From de7d0e43ea03133824cb4fdb237bc495aca705a1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 10 Aug 2023 19:32:59 -0500 Subject: [PATCH 0314/1014] Bump BoringSSL and/or OpenSSL in CI (#9400) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f8da06aa5bc..363000ceafd5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 10, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8d19c850d4dbde4bd7ece463c3b3f3685571a779"}} - # Latest commit on the OpenSSL master branch, as of Aug 10, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d38ccedb25f31dfab232e2669415fd4db18b20e"}} + # Latest commit on the BoringSSL master branch, as of Aug 11, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "58adb8e1d62d6da9c1ab9f73e986273992a2b742"}} + # Latest commit on the OpenSSL master branch, as of Aug 11, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f2609004df4d91a365338e11d04ff67589f2d3e3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From f558199dbf33ccbf6dce8150c2cd4658686d6018 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 11 Aug 2023 15:31:31 -0400 Subject: [PATCH 0315/1014] Try running an extra ruff rule (#9402) * Try running an extra ruff rule I think `from __future__ import annotations` means this is fine, even on older Python * Enable UP007 * Enable UP038 --- noxfile.py | 3 +- pyproject.toml | 4 +- src/_cffi_src/utils.py | 3 +- src/cryptography/exceptions.py | 6 +- src/cryptography/fernet.py | 24 +- src/cryptography/hazmat/_oid.py | 6 +- .../hazmat/backends/openssl/aead.py | 16 +- .../hazmat/backends/openssl/backend.py | 42 +-- .../hazmat/backends/openssl/ciphers.py | 4 +- .../hazmat/backends/openssl/rsa.py | 22 +- .../hazmat/backends/openssl/utils.py | 6 +- .../hazmat/bindings/_rust/__init__.pyi | 6 +- .../hazmat/bindings/_rust/asn1.pyi | 8 +- .../hazmat/bindings/_rust/ocsp.pyi | 8 +- .../bindings/_rust/openssl/__init__.pyi | 2 +- .../hazmat/bindings/_rust/openssl/aead.pyi | 6 +- .../hazmat/bindings/_rust/pkcs7.pyi | 2 +- .../hazmat/bindings/_rust/x509.pyi | 12 +- .../hazmat/bindings/openssl/_conditional.py | 62 ++-- .../hazmat/bindings/openssl/binding.py | 4 +- .../hazmat/primitives/_cipheralgorithm.py | 3 +- .../hazmat/primitives/_serialization.py | 13 +- .../hazmat/primitives/asymmetric/dh.py | 4 +- .../hazmat/primitives/asymmetric/dsa.py | 4 +- .../hazmat/primitives/asymmetric/ec.py | 10 +- .../hazmat/primitives/asymmetric/padding.py | 9 +- .../hazmat/primitives/asymmetric/rsa.py | 10 +- .../hazmat/primitives/ciphers/aead.py | 17 +- .../hazmat/primitives/ciphers/base.py | 10 +- .../hazmat/primitives/ciphers/modes.py | 7 +- src/cryptography/hazmat/primitives/cmac.py | 4 +- src/cryptography/hazmat/primitives/hashes.py | 3 +- .../hazmat/primitives/kdf/concatkdf.py | 8 +- .../hazmat/primitives/kdf/hkdf.py | 6 +- .../hazmat/primitives/kdf/kbkdf.py | 32 +- .../hazmat/primitives/kdf/x963kdf.py | 2 +- src/cryptography/hazmat/primitives/keywrap.py | 6 +- src/cryptography/hazmat/primitives/padding.py | 20 +- .../hazmat/primitives/serialization/base.py | 4 +- .../hazmat/primitives/serialization/pkcs12.py | 36 +- .../hazmat/primitives/serialization/pkcs7.py | 14 +- .../hazmat/primitives/serialization/ssh.py | 114 +++--- .../hazmat/primitives/twofactor/hotp.py | 6 +- .../hazmat/primitives/twofactor/totp.py | 4 +- src/cryptography/utils.py | 8 +- src/cryptography/x509/base.py | 82 ++--- src/cryptography/x509/extensions.py | 336 ++++++++---------- src/cryptography/x509/name.py | 30 +- src/cryptography/x509/ocsp.py | 61 ++-- 49 files changed, 504 insertions(+), 605 deletions(-) diff --git a/noxfile.py b/noxfile.py index 4c29c4db2dec..490c4eb21a0e 100644 --- a/noxfile.py +++ b/noxfile.py @@ -10,7 +10,6 @@ import pathlib import re import sys -import typing import uuid import nox @@ -227,7 +226,7 @@ def rust(session: nox.Session) -> None: def process_rust_coverage( session: nox.Session, - rust_binaries: typing.List[str], + rust_binaries: list[str], prof_raw_location: pathlib.Path, ) -> None: # Hitting weird issues merging Windows and Linux Rust coverage, so just diff --git a/pyproject.toml b/pyproject.toml index 560f022c8387..21d17b508557 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -136,9 +136,7 @@ exclude_lines = [ ] [tool.ruff] -# UP006: Minimum Python 3.9 -# UP007, UP038: Minimum Python 3.10 -ignore = ['N818', 'UP006', 'UP007', 'UP038'] +ignore = ['N818'] select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF'] line-length = 79 diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py index b5fba37091d9..8a6f9b2772a8 100644 --- a/src/_cffi_src/utils.py +++ b/src/_cffi_src/utils.py @@ -7,7 +7,6 @@ import os import platform import sys -import typing from cffi import FFI @@ -21,7 +20,7 @@ def build_ffi_for_binding( module_name: str, module_prefix: str, - modules: typing.List[str], + modules: list[str], ): """ Modules listed in ``modules`` should have the following attributes: diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py index 47fdd18eeeb2..fe125ea9a763 100644 --- a/src/cryptography/exceptions.py +++ b/src/cryptography/exceptions.py @@ -15,9 +15,7 @@ class UnsupportedAlgorithm(Exception): - def __init__( - self, message: str, reason: typing.Optional[_Reasons] = None - ) -> None: + def __init__(self, message: str, reason: _Reasons | None = None) -> None: super().__init__(message) self._reason = reason @@ -44,7 +42,7 @@ class InvalidSignature(Exception): class InternalError(Exception): def __init__( - self, msg: str, err_code: typing.List[rust_openssl.OpenSSLError] + self, msg: str, err_code: list[rust_openssl.OpenSSLError] ) -> None: super().__init__(msg) self.err_code = err_code diff --git a/src/cryptography/fernet.py b/src/cryptography/fernet.py index ad8fb40b9d44..35ce1131a921 100644 --- a/src/cryptography/fernet.py +++ b/src/cryptography/fernet.py @@ -27,7 +27,7 @@ class InvalidToken(Exception): class Fernet: def __init__( self, - key: typing.Union[bytes, str], + key: bytes | str, backend: typing.Any = None, ) -> None: try: @@ -80,9 +80,7 @@ def _encrypt_from_parts( hmac = h.finalize() return base64.urlsafe_b64encode(basic_parts + hmac) - def decrypt( - self, token: typing.Union[bytes, str], ttl: typing.Optional[int] = None - ) -> bytes: + def decrypt(self, token: bytes | str, ttl: int | None = None) -> bytes: timestamp, data = Fernet._get_unverified_token_data(token) if ttl is None: time_info = None @@ -91,7 +89,7 @@ def decrypt( return self._decrypt_data(data, timestamp, time_info) def decrypt_at_time( - self, token: typing.Union[bytes, str], ttl: int, current_time: int + self, token: bytes | str, ttl: int, current_time: int ) -> bytes: if ttl is None: raise ValueError( @@ -100,16 +98,14 @@ def decrypt_at_time( timestamp, data = Fernet._get_unverified_token_data(token) return self._decrypt_data(data, timestamp, (ttl, current_time)) - def extract_timestamp(self, token: typing.Union[bytes, str]) -> int: + def extract_timestamp(self, token: bytes | str) -> int: timestamp, data = Fernet._get_unverified_token_data(token) # Verify the token was not tampered with. self._verify_signature(data) return timestamp @staticmethod - def _get_unverified_token_data( - token: typing.Union[bytes, str] - ) -> typing.Tuple[int, bytes]: + def _get_unverified_token_data(token: bytes | str) -> tuple[int, bytes]: if not isinstance(token, (str, bytes)): raise TypeError("token must be bytes or str") @@ -139,7 +135,7 @@ def _decrypt_data( self, data: bytes, timestamp: int, - time_info: typing.Optional[typing.Tuple[int, int]], + time_info: tuple[int, int] | None, ) -> bytes: if time_info is not None: ttl, current_time = time_info @@ -186,7 +182,7 @@ def encrypt(self, msg: bytes) -> bytes: def encrypt_at_time(self, msg: bytes, current_time: int) -> bytes: return self._fernets[0].encrypt_at_time(msg, current_time) - def rotate(self, msg: typing.Union[bytes, str]) -> bytes: + def rotate(self, msg: bytes | str) -> bytes: timestamp, data = Fernet._get_unverified_token_data(msg) for f in self._fernets: try: @@ -200,9 +196,7 @@ def rotate(self, msg: typing.Union[bytes, str]) -> bytes: iv = os.urandom(16) return self._fernets[0]._encrypt_from_parts(p, timestamp, iv) - def decrypt( - self, msg: typing.Union[bytes, str], ttl: typing.Optional[int] = None - ) -> bytes: + def decrypt(self, msg: bytes | str, ttl: int | None = None) -> bytes: for f in self._fernets: try: return f.decrypt(msg, ttl) @@ -211,7 +205,7 @@ def decrypt( raise InvalidToken def decrypt_at_time( - self, msg: typing.Union[bytes, str], ttl: int, current_time: int + self, msg: bytes | str, ttl: int, current_time: int ) -> bytes: for f in self._fernets: try: diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py index ff92bb3de13e..c5d062c1374a 100644 --- a/src/cryptography/hazmat/_oid.py +++ b/src/cryptography/hazmat/_oid.py @@ -4,8 +4,6 @@ from __future__ import annotations -import typing - from cryptography.hazmat.bindings._rust import ( ObjectIdentifier as ObjectIdentifier, ) @@ -124,9 +122,7 @@ class SignatureAlgorithmOID: GOSTR3410_2012_WITH_3411_2012_512 = ObjectIdentifier("1.2.643.7.1.1.3.3") -_SIG_OIDS_TO_HASH: typing.Dict[ - ObjectIdentifier, typing.Optional[hashes.HashAlgorithm] -] = { +_SIG_OIDS_TO_HASH: dict[ObjectIdentifier, hashes.HashAlgorithm | None] = { SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(), SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(), SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(), diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py index b7fef7a52634..f0162530b2f9 100644 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ b/src/cryptography/hazmat/backends/openssl/aead.py @@ -62,7 +62,7 @@ def _encrypt( cipher: _AEADTypes, nonce: bytes, data: bytes, - associated_data: typing.List[bytes], + associated_data: list[bytes], tag_length: int, ctx: typing.Any = None, ) -> bytes: @@ -81,7 +81,7 @@ def _decrypt( cipher: _AEADTypes, nonce: bytes, data: bytes, - associated_data: typing.List[bytes], + associated_data: list[bytes], tag_length: int, ctx: typing.Any = None, ) -> bytes: @@ -99,7 +99,7 @@ def _evp_aead_create_ctx( backend: Backend, cipher: _AEADTypes, key: bytes, - tag_len: typing.Optional[int] = None, + tag_len: int | None = None, ): aead_cipher = _evp_aead_get_cipher(backend, cipher) assert aead_cipher is not None @@ -132,7 +132,7 @@ def _evp_aead_encrypt( cipher: _AEADTypes, nonce: bytes, data: bytes, - associated_data: typing.List[bytes], + associated_data: list[bytes], tag_length: int, ctx: typing.Any, ) -> bytes: @@ -173,7 +173,7 @@ def _evp_aead_decrypt( cipher: _AEADTypes, nonce: bytes, data: bytes, - associated_data: typing.List[bytes], + associated_data: list[bytes], tag_length: int, ctx: typing.Any, ) -> bytes: @@ -269,7 +269,7 @@ def _evp_cipher_aead_setup( cipher_name: bytes, key: bytes, nonce: bytes, - tag: typing.Optional[bytes], + tag: bytes | None, tag_len: int, operation: int, ): @@ -375,7 +375,7 @@ def _evp_cipher_encrypt( cipher: _AEADTypes, nonce: bytes, data: bytes, - associated_data: typing.List[bytes], + associated_data: list[bytes], tag_length: int, ctx: typing.Any = None, ) -> bytes: @@ -427,7 +427,7 @@ def _evp_cipher_decrypt( cipher: _AEADTypes, nonce: bytes, data: bytes, - associated_data: typing.List[bytes], + associated_data: list[bytes], tag_length: int, ctx: typing.Any = None, ) -> bytes: diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index a5bd949f1475..900481e4c07c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -91,7 +91,7 @@ class Backend: # disallowed algorithms are still present in OpenSSL. They just error if # you try to use them. To avoid that we allowlist the algorithms in # FIPS 140-3. This isn't ideal, but FIPS 140-3 is trash so here we are. - _fips_aead: typing.ClassVar[typing.Set[bytes]] = { + _fips_aead: typing.ClassVar[set[bytes]] = { b"aes-128-ccm", b"aes-192-ccm", b"aes-256-ccm", @@ -136,8 +136,8 @@ def __init__(self) -> None: self._lib = self._binding.lib self._fips_enabled = rust_openssl.is_fips_enabled() - self._cipher_registry: typing.Dict[ - typing.Tuple[typing.Type[CipherAlgorithm], typing.Type[Mode]], + self._cipher_registry: dict[ + tuple[type[CipherAlgorithm], type[Mode]], typing.Callable, ] = {} self._register_default_ciphers() @@ -155,7 +155,7 @@ def __repr__(self) -> str: def openssl_assert( self, ok: bool, - errors: typing.Optional[typing.List[rust_openssl.OpenSSLError]] = None, + errors: list[rust_openssl.OpenSSLError] | None = None, ) -> None: return binding._openssl_assert(self._lib, ok, errors=errors) @@ -327,7 +327,7 @@ def create_symmetric_decryption_ctx( def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: return self.hmac_supported(algorithm) - def _consume_errors(self) -> typing.List[rust_openssl.OpenSSLError]: + def _consume_errors(self) -> list[rust_openssl.OpenSSLError]: return rust_openssl.capture_error_stack() def _bn_to_int(self, bn) -> int: @@ -685,7 +685,7 @@ def create_cmac_ctx(self, algorithm: BlockCipherAlgorithm) -> _CMACContext: def load_pem_private_key( self, data: bytes, - password: typing.Optional[bytes], + password: bytes | None, unsafe_skip_rsa_key_validation: bool, ) -> PrivateKeyTypes: return self._load_key( @@ -740,7 +740,7 @@ def load_pem_public_key(self, data: bytes) -> PublicKeyTypes: def load_der_private_key( self, data: bytes, - password: typing.Optional[bytes], + password: bytes | None, unsafe_skip_rsa_key_validation: bool, ) -> PrivateKeyTypes: # OpenSSL has a function called d2i_AutoPrivateKey that in theory @@ -1173,7 +1173,7 @@ def dh_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL def dh_parameters_supported( - self, p: int, g: int, q: typing.Optional[int] = None + self, p: int, g: int, q: int | None = None ) -> bool: try: rust_openssl.dh.from_parameter_numbers( @@ -1247,11 +1247,11 @@ def _zeroed_null_terminated_buf(self, data): self._zero_data(self._ffi.cast("uint8_t *", buf), data_len) def load_key_and_certificates_from_pkcs12( - self, data: bytes, password: typing.Optional[bytes] - ) -> typing.Tuple[ - typing.Optional[PrivateKeyTypes], - typing.Optional[x509.Certificate], - typing.List[x509.Certificate], + self, data: bytes, password: bytes | None + ) -> tuple[ + PrivateKeyTypes | None, + x509.Certificate | None, + list[x509.Certificate], ]: pkcs12 = self.load_pkcs12(data, password) return ( @@ -1261,7 +1261,7 @@ def load_key_and_certificates_from_pkcs12( ) def load_pkcs12( - self, data: bytes, password: typing.Optional[bytes] + self, data: bytes, password: bytes | None ) -> PKCS12KeyAndCertificates: if password is not None: utils._check_byteslike("password", password) @@ -1337,10 +1337,10 @@ def load_pkcs12( def serialize_key_and_certificates_to_pkcs12( self, - name: typing.Optional[bytes], - key: typing.Optional[PKCS12PrivateKeyTypes], - cert: typing.Optional[x509.Certificate], - cas: typing.Optional[typing.List[_PKCS12CATypes]], + name: bytes | None, + key: PKCS12PrivateKeyTypes | None, + cert: x509.Certificate | None, + cas: list[_PKCS12CATypes] | None, encryption_algorithm: serialization.KeySerializationEncryption, ) -> bytes: password = None @@ -1503,7 +1503,7 @@ def pkcs7_supported(self) -> bool: def load_pem_pkcs7_certificates( self, data: bytes - ) -> typing.List[x509.Certificate]: + ) -> list[x509.Certificate]: utils._check_bytes("data", data) bio = self._bytes_to_bio(data) p7 = self._lib.PEM_read_bio_PKCS7( @@ -1518,7 +1518,7 @@ def load_pem_pkcs7_certificates( def load_der_pkcs7_certificates( self, data: bytes - ) -> typing.List[x509.Certificate]: + ) -> list[x509.Certificate]: utils._check_bytes("data", data) bio = self._bytes_to_bio(data) p7 = self._lib.d2i_PKCS7_bio(bio.bio, self._ffi.NULL) @@ -1529,7 +1529,7 @@ def load_der_pkcs7_certificates( p7 = self._ffi.gc(p7, self._lib.PKCS7_free) return self._load_pkcs7_certificates(p7) - def _load_pkcs7_certificates(self, p7) -> typing.List[x509.Certificate]: + def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]: nid = self._lib.OBJ_obj2nid(p7.type) self.openssl_assert(nid != self._lib.NID_undef) if nid != self._lib.NID_pkcs7_signed: diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index bc42adbd49a5..a34dcbe6ce1a 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py @@ -24,7 +24,7 @@ def __init__(self, backend: Backend, cipher, mode, operation: int) -> None: self._cipher = cipher self._mode = mode self._operation = operation - self._tag: typing.Optional[bytes] = None + self._tag: bytes | None = None if isinstance(self._cipher, ciphers.BlockCipherAlgorithm): self._block_size_bytes = self._cipher.block_size // 8 @@ -277,5 +277,5 @@ def authenticate_additional_data(self, data: bytes) -> None: self._backend.openssl_assert(res != 0) @property - def tag(self) -> typing.Optional[bytes]: + def tag(self) -> bytes | None: return self._tag diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index 3a99fbfa80cf..b386581ffe69 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -41,7 +41,7 @@ def _get_rsa_pss_salt_length( backend: Backend, pss: PSS, - key: typing.Union[RSAPrivateKey, RSAPublicKey], + key: RSAPrivateKey | RSAPublicKey, hash_algorithm: hashes.HashAlgorithm, ) -> int: salt = pss._salt_length @@ -62,7 +62,7 @@ def _get_rsa_pss_salt_length( def _enc_dec_rsa( backend: Backend, - key: typing.Union[_RSAPrivateKey, _RSAPublicKey], + key: _RSAPrivateKey | _RSAPublicKey, data: bytes, padding: AsymmetricPadding, ) -> bytes: @@ -98,7 +98,7 @@ def _enc_dec_rsa( def _enc_dec_rsa_pkey_ctx( backend: Backend, - key: typing.Union[_RSAPrivateKey, _RSAPublicKey], + key: _RSAPrivateKey | _RSAPublicKey, data: bytes, padding_enum: int, padding: AsymmetricPadding, @@ -165,9 +165,9 @@ def _enc_dec_rsa_pkey_ctx( def _rsa_sig_determine_padding( backend: Backend, - key: typing.Union[_RSAPrivateKey, _RSAPublicKey], + key: _RSAPrivateKey | _RSAPublicKey, padding: AsymmetricPadding, - algorithm: typing.Optional[hashes.HashAlgorithm], + algorithm: hashes.HashAlgorithm | None, ) -> int: if not isinstance(padding, AsymmetricPadding): raise TypeError("Expected provider of AsymmetricPadding.") @@ -214,8 +214,8 @@ def _rsa_sig_determine_padding( def _rsa_sig_setup( backend: Backend, padding: AsymmetricPadding, - algorithm: typing.Optional[hashes.HashAlgorithm], - key: typing.Union[_RSAPublicKey, _RSAPrivateKey], + algorithm: hashes.HashAlgorithm | None, + key: _RSAPublicKey | _RSAPrivateKey, init_func: typing.Callable[[typing.Any], int], ): padding_enum = _rsa_sig_determine_padding(backend, key, padding, algorithm) @@ -324,7 +324,7 @@ def _rsa_sig_verify( def _rsa_sig_recover( backend: Backend, padding: AsymmetricPadding, - algorithm: typing.Optional[hashes.HashAlgorithm], + algorithm: hashes.HashAlgorithm | None, public_key: _RSAPublicKey, signature: bytes, ) -> bytes: @@ -480,7 +480,7 @@ def sign( self, data: bytes, padding: AsymmetricPadding, - algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], + algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, ) -> bytes: data, algorithm = _calculate_digest_and_algorithm(data, algorithm) return _rsa_sig_sign(self._backend, padding, algorithm, self, data) @@ -549,7 +549,7 @@ def verify( signature: bytes, data: bytes, padding: AsymmetricPadding, - algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], + algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, ) -> None: data, algorithm = _calculate_digest_and_algorithm(data, algorithm) _rsa_sig_verify( @@ -560,7 +560,7 @@ def recover_data_from_signature( self, signature: bytes, padding: AsymmetricPadding, - algorithm: typing.Optional[hashes.HashAlgorithm], + algorithm: hashes.HashAlgorithm | None, ) -> bytes: if isinstance(algorithm, asym_utils.Prehashed): raise TypeError( diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py index 570b776ef57d..0c06f8f7108a 100644 --- a/src/cryptography/hazmat/backends/openssl/utils.py +++ b/src/cryptography/hazmat/backends/openssl/utils.py @@ -4,16 +4,14 @@ from __future__ import annotations -import typing - from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.utils import Prehashed def _calculate_digest_and_algorithm( data: bytes, - algorithm: typing.Union[Prehashed, hashes.HashAlgorithm], -) -> typing.Tuple[bytes, hashes.HashAlgorithm]: + algorithm: Prehashed | hashes.HashAlgorithm, +) -> tuple[bytes, hashes.HashAlgorithm]: if not isinstance(algorithm, Prehashed): hash_ctx = hashes.Hash(algorithm) hash_ctx.update(data) diff --git a/src/cryptography/hazmat/bindings/_rust/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/__init__.pyi index 94a37a20aa96..0b36938ec49a 100644 --- a/src/cryptography/hazmat/bindings/_rust/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/__init__.pyi @@ -28,7 +28,7 @@ class PoolAcquisition(typing.Generic[T]): def __enter__(self) -> T: ... def __exit__( self, - exc_type: typing.Optional[typing.Type[BaseException]], - exc_value: typing.Optional[BaseException], - exc_tb: typing.Optional[types.TracebackType], + exc_type: type[BaseException] | None, + exc_value: BaseException | None, + exc_tb: types.TracebackType | None, ) -> None: ... diff --git a/src/cryptography/hazmat/bindings/_rust/asn1.pyi b/src/cryptography/hazmat/bindings/_rust/asn1.pyi index a8369ba8383e..35652c6ada1c 100644 --- a/src/cryptography/hazmat/bindings/_rust/asn1.pyi +++ b/src/cryptography/hazmat/bindings/_rust/asn1.pyi @@ -2,15 +2,13 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -import typing - class TestCertificate: not_after_tag: int not_before_tag: int - issuer_value_tags: typing.List[int] - subject_value_tags: typing.List[int] + issuer_value_tags: list[int] + subject_value_tags: list[int] -def decode_dss_signature(signature: bytes) -> typing.Tuple[int, int]: ... +def decode_dss_signature(signature: bytes) -> tuple[int, int]: ... def encode_dss_signature(r: int, s: int) -> bytes: ... def parse_spki_for_data(data: bytes) -> bytes: ... def test_parse_certificate(data: bytes) -> TestCertificate: ... diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index 4671eb9ba34d..b15628f8d46b 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi @@ -2,8 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -import typing - from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes from cryptography.x509.ocsp import ( @@ -19,7 +17,7 @@ def load_der_ocsp_response(data: bytes) -> OCSPResponse: ... def create_ocsp_request(builder: OCSPRequestBuilder) -> OCSPRequest: ... def create_ocsp_response( status: OCSPResponseStatus, - builder: typing.Optional[OCSPResponseBuilder], - private_key: typing.Optional[PrivateKeyTypes], - hash_algorithm: typing.Optional[hashes.HashAlgorithm], + builder: OCSPResponseBuilder | None, + private_key: PrivateKeyTypes | None, + hash_algorithm: hashes.HashAlgorithm | None, ) -> OCSPResponse: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 1784c5ade9cd..e8b565443bfc 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -38,7 +38,7 @@ __all__ = [ def openssl_version() -> int: ... def raise_openssl_error() -> typing.NoReturn: ... -def capture_error_stack() -> typing.List[OpenSSLError]: ... +def capture_error_stack() -> list[OpenSSLError]: ... def is_fips_enabled() -> bool: ... class OpenSSLError: diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index a3f722cde86a..08a9307127ac 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -2,8 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -import typing - class AESSIV: def __init__(self, key: bytes) -> None: ... @staticmethod @@ -11,10 +9,10 @@ class AESSIV: def encrypt( self, data: bytes, - associated_data: typing.Optional[typing.List[bytes]], + associated_data: list[bytes] | None, ) -> bytes: ... def decrypt( self, data: bytes, - associated_data: typing.Optional[typing.List[bytes]], + associated_data: list[bytes] | None, ) -> bytes: ... diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi index 66bd850981a6..32c21c4c5439 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi @@ -5,7 +5,7 @@ from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.serialization import pkcs7 def serialize_certificates( - certs: typing.List[x509.Certificate], + certs: list[x509.Certificate], encoding: serialization.Encoding, ) -> bytes: ... def sign_and_serialize( diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 24b2f5e3a78c..08e46a31cc1c 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -2,8 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -import typing - from cryptography import x509 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15 @@ -12,7 +10,7 @@ from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes def load_pem_x509_certificate(data: bytes) -> x509.Certificate: ... def load_pem_x509_certificates( data: bytes, -) -> typing.List[x509.Certificate]: ... +) -> list[x509.Certificate]: ... def load_der_x509_certificate(data: bytes) -> x509.Certificate: ... def load_pem_x509_crl(data: bytes) -> x509.CertificateRevocationList: ... def load_der_x509_crl(data: bytes) -> x509.CertificateRevocationList: ... @@ -23,18 +21,18 @@ def encode_extension_value(extension: x509.ExtensionType) -> bytes: ... def create_x509_certificate( builder: x509.CertificateBuilder, private_key: PrivateKeyTypes, - hash_algorithm: typing.Optional[hashes.HashAlgorithm], - padding: typing.Optional[typing.Union[PKCS1v15, PSS]], + hash_algorithm: hashes.HashAlgorithm | None, + padding: PKCS1v15 | PSS | None, ) -> x509.Certificate: ... def create_x509_csr( builder: x509.CertificateSigningRequestBuilder, private_key: PrivateKeyTypes, - hash_algorithm: typing.Optional[hashes.HashAlgorithm], + hash_algorithm: hashes.HashAlgorithm | None, ) -> x509.CertificateSigningRequest: ... def create_x509_crl( builder: x509.CertificateRevocationListBuilder, private_key: PrivateKeyTypes, - hash_algorithm: typing.Optional[hashes.HashAlgorithm], + hash_algorithm: hashes.HashAlgorithm | None, ) -> x509.CertificateRevocationList: ... class Sct: ... diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 2ca0d91c8d24..3c6d31af00ea 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -4,17 +4,15 @@ from __future__ import annotations -import typing - -def cryptography_has_set_cert_cb() -> typing.List[str]: +def cryptography_has_set_cert_cb() -> list[str]: return [ "SSL_CTX_set_cert_cb", "SSL_set_cert_cb", ] -def cryptography_has_ssl_st() -> typing.List[str]: +def cryptography_has_ssl_st() -> list[str]: return [ "SSL_ST_BEFORE", "SSL_ST_OK", @@ -23,57 +21,57 @@ def cryptography_has_ssl_st() -> typing.List[str]: ] -def cryptography_has_tls_st() -> typing.List[str]: +def cryptography_has_tls_st() -> list[str]: return [ "TLS_ST_BEFORE", "TLS_ST_OK", ] -def cryptography_has_evp_pkey_dhx() -> typing.List[str]: +def cryptography_has_evp_pkey_dhx() -> list[str]: return [ "EVP_PKEY_DHX", ] -def cryptography_has_mem_functions() -> typing.List[str]: +def cryptography_has_mem_functions() -> list[str]: return [ "Cryptography_CRYPTO_set_mem_functions", ] -def cryptography_has_x509_store_ctx_get_issuer() -> typing.List[str]: +def cryptography_has_x509_store_ctx_get_issuer() -> list[str]: return [ "X509_STORE_set_get_issuer", ] -def cryptography_has_ed448() -> typing.List[str]: +def cryptography_has_ed448() -> list[str]: return [ "EVP_PKEY_ED448", ] -def cryptography_has_ed25519() -> typing.List[str]: +def cryptography_has_ed25519() -> list[str]: return [ "EVP_PKEY_ED25519", ] -def cryptography_has_fips() -> typing.List[str]: +def cryptography_has_fips() -> list[str]: return [ "FIPS_mode_set", "FIPS_mode", ] -def cryptography_has_ssl_sigalgs() -> typing.List[str]: +def cryptography_has_ssl_sigalgs() -> list[str]: return [ "SSL_CTX_set1_sigalgs_list", ] -def cryptography_has_psk() -> typing.List[str]: +def cryptography_has_psk() -> list[str]: return [ "SSL_CTX_use_psk_identity_hint", "SSL_CTX_set_psk_server_callback", @@ -81,7 +79,7 @@ def cryptography_has_psk() -> typing.List[str]: ] -def cryptography_has_psk_tlsv13() -> typing.List[str]: +def cryptography_has_psk_tlsv13() -> list[str]: return [ "SSL_CTX_set_psk_find_session_callback", "SSL_CTX_set_psk_use_session_callback", @@ -93,7 +91,7 @@ def cryptography_has_psk_tlsv13() -> typing.List[str]: ] -def cryptography_has_custom_ext() -> typing.List[str]: +def cryptography_has_custom_ext() -> list[str]: return [ "SSL_CTX_add_client_custom_ext", "SSL_CTX_add_server_custom_ext", @@ -101,7 +99,7 @@ def cryptography_has_custom_ext() -> typing.List[str]: ] -def cryptography_has_tlsv13_functions() -> typing.List[str]: +def cryptography_has_tlsv13_functions() -> list[str]: return [ "SSL_VERIFY_POST_HANDSHAKE", "SSL_CTX_set_ciphersuites", @@ -115,7 +113,7 @@ def cryptography_has_tlsv13_functions() -> typing.List[str]: ] -def cryptography_has_engine() -> typing.List[str]: +def cryptography_has_engine() -> list[str]: return [ "ENGINE_by_id", "ENGINE_init", @@ -134,13 +132,13 @@ def cryptography_has_engine() -> typing.List[str]: ] -def cryptography_has_verified_chain() -> typing.List[str]: +def cryptography_has_verified_chain() -> list[str]: return [ "SSL_get0_verified_chain", ] -def cryptography_has_srtp() -> typing.List[str]: +def cryptography_has_srtp() -> list[str]: return [ "SSL_CTX_set_tlsext_use_srtp", "SSL_set_tlsext_use_srtp", @@ -148,7 +146,7 @@ def cryptography_has_srtp() -> typing.List[str]: ] -def cryptography_has_providers() -> typing.List[str]: +def cryptography_has_providers() -> list[str]: return [ "OSSL_PROVIDER_load", "OSSL_PROVIDER_unload", @@ -158,25 +156,25 @@ def cryptography_has_providers() -> typing.List[str]: ] -def cryptography_has_op_no_renegotiation() -> typing.List[str]: +def cryptography_has_op_no_renegotiation() -> list[str]: return [ "SSL_OP_NO_RENEGOTIATION", ] -def cryptography_has_dtls_get_data_mtu() -> typing.List[str]: +def cryptography_has_dtls_get_data_mtu() -> list[str]: return [ "DTLS_get_data_mtu", ] -def cryptography_has_300_fips() -> typing.List[str]: +def cryptography_has_300_fips() -> list[str]: return [ "EVP_default_properties_enable_fips", ] -def cryptography_has_ssl_cookie() -> typing.List[str]: +def cryptography_has_ssl_cookie() -> list[str]: return [ "SSL_OP_COOKIE_EXCHANGE", "DTLSv1_listen", @@ -185,7 +183,7 @@ def cryptography_has_ssl_cookie() -> typing.List[str]: ] -def cryptography_has_pkcs7_funcs() -> typing.List[str]: +def cryptography_has_pkcs7_funcs() -> list[str]: return [ "SMIME_write_PKCS7", "PEM_write_bio_PKCS7_stream", @@ -197,35 +195,35 @@ def cryptography_has_pkcs7_funcs() -> typing.List[str]: ] -def cryptography_has_prime_checks() -> typing.List[str]: +def cryptography_has_prime_checks() -> list[str]: return [ "BN_prime_checks_for_size", ] -def cryptography_has_300_evp_cipher() -> typing.List[str]: +def cryptography_has_300_evp_cipher() -> list[str]: return ["EVP_CIPHER_fetch", "EVP_CIPHER_free"] -def cryptography_has_unexpected_eof_while_reading() -> typing.List[str]: +def cryptography_has_unexpected_eof_while_reading() -> list[str]: return ["SSL_R_UNEXPECTED_EOF_WHILE_READING"] -def cryptography_has_pkcs12_set_mac() -> typing.List[str]: +def cryptography_has_pkcs12_set_mac() -> list[str]: return ["PKCS12_set_mac"] -def cryptography_has_ssl_op_ignore_unexpected_eof() -> typing.List[str]: +def cryptography_has_ssl_op_ignore_unexpected_eof() -> list[str]: return [ "SSL_OP_IGNORE_UNEXPECTED_EOF", ] -def cryptography_has_get_extms_support() -> typing.List[str]: +def cryptography_has_get_extms_support() -> list[str]: return ["SSL_get_extms_support"] -def cryptography_has_evp_aead() -> typing.List[str]: +def cryptography_has_evp_aead() -> list[str]: return [ "EVP_aead_chacha20_poly1305", "EVP_AEAD_CTX_free", diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 9eb142788aa3..d2cf1d6f08e9 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -20,7 +20,7 @@ def _openssl_assert( lib, ok: bool, - errors: typing.Optional[typing.List[openssl.OpenSSLError]] = None, + errors: list[openssl.OpenSSLError] | None = None, ) -> None: if not ok: if errors is None: @@ -51,7 +51,7 @@ def _legacy_provider_error(loaded: bool) -> None: def build_conditional_library( lib: typing.Any, - conditional_names: typing.Dict[str, typing.Callable[[], typing.List[str]]], + conditional_names: dict[str, typing.Callable[[], list[str]]], ) -> typing.Any: conditional_lib = types.ModuleType("lib") conditional_lib._original_lib = lib # type: ignore[attr-defined] diff --git a/src/cryptography/hazmat/primitives/_cipheralgorithm.py b/src/cryptography/hazmat/primitives/_cipheralgorithm.py index 3b880b648849..9d7f5bc79c2b 100644 --- a/src/cryptography/hazmat/primitives/_cipheralgorithm.py +++ b/src/cryptography/hazmat/primitives/_cipheralgorithm.py @@ -5,7 +5,6 @@ from __future__ import annotations import abc -import typing # This exists to break an import cycle. It is normally accessible from the # ciphers module. @@ -21,7 +20,7 @@ def name(self) -> str: @property @abc.abstractmethod - def key_sizes(self) -> typing.FrozenSet[int]: + def key_sizes(self) -> frozenset[int]: """ Valid key sizes for this algorithm in bits """ diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py index 34f3fbc86026..46157721970b 100644 --- a/src/cryptography/hazmat/primitives/_serialization.py +++ b/src/cryptography/hazmat/primitives/_serialization.py @@ -5,7 +5,6 @@ from __future__ import annotations import abc -import typing from cryptography import utils from cryptography.hazmat.primitives.hashes import HashAlgorithm @@ -78,9 +77,9 @@ def __init__( self, format: PrivateFormat, *, - _kdf_rounds: typing.Optional[int] = None, - _hmac_hash: typing.Optional[HashAlgorithm] = None, - _key_cert_algorithm: typing.Optional[PBES] = None, + _kdf_rounds: int | None = None, + _hmac_hash: HashAlgorithm | None = None, + _key_cert_algorithm: PBES | None = None, ) -> None: self._format = format @@ -158,9 +157,9 @@ def __init__( format: PrivateFormat, password: bytes, *, - kdf_rounds: typing.Optional[int], - hmac_hash: typing.Optional[HashAlgorithm], - key_cert_algorithm: typing.Optional[PBES], + kdf_rounds: int | None, + hmac_hash: HashAlgorithm | None, + key_cert_algorithm: PBES | None, ): self._format = format self.password = password diff --git a/src/cryptography/hazmat/primitives/asymmetric/dh.py b/src/cryptography/hazmat/primitives/asymmetric/dh.py index 488a7caf0506..f3d5a71bd80a 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dh.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dh.py @@ -18,7 +18,7 @@ def generate_parameters( class DHParameterNumbers: - def __init__(self, p: int, g: int, q: typing.Optional[int] = None) -> None: + def __init__(self, p: int, g: int, q: int | None = None) -> None: if not isinstance(p, int) or not isinstance(g, int): raise TypeError("p and g must be integers") if q is not None and not isinstance(q, int): @@ -57,7 +57,7 @@ def g(self) -> int: return self._g @property - def q(self) -> typing.Optional[int]: + def q(self) -> int | None: return self._q diff --git a/src/cryptography/hazmat/primitives/asymmetric/dsa.py b/src/cryptography/hazmat/primitives/asymmetric/dsa.py index 8163a79ccf25..ad521a03b0ae 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dsa.py @@ -54,7 +54,7 @@ def parameters(self) -> DSAParameters: def sign( self, data: bytes, - algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], + algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, ) -> bytes: """ Signs the data @@ -117,7 +117,7 @@ def verify( self, signature: bytes, data: bytes, - algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], + algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, ) -> None: """ Verifies the signature of the data. diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index 3a5eb62573e0..90bef64e5396 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -57,7 +57,7 @@ class EllipticCurveSignatureAlgorithm(metaclass=abc.ABCMeta): @abc.abstractmethod def algorithm( self, - ) -> typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm]: + ) -> asym_utils.Prehashed | hashes.HashAlgorithm: """ The digest algorithm used with this signature. """ @@ -292,7 +292,7 @@ class BrainpoolP512R1(EllipticCurve): key_size = 512 -_CURVE_TYPES: typing.Dict[str, typing.Type[EllipticCurve]] = { +_CURVE_TYPES: dict[str, type[EllipticCurve]] = { "prime192v1": SECP192R1, "prime256v1": SECP256R1, "secp192r1": SECP192R1, @@ -320,14 +320,14 @@ class BrainpoolP512R1(EllipticCurve): class ECDSA(EllipticCurveSignatureAlgorithm): def __init__( self, - algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], + algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, ): self._algorithm = algorithm @property def algorithm( self, - ) -> typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm]: + ) -> asym_utils.Prehashed | hashes.HashAlgorithm: return self._algorithm @@ -483,7 +483,7 @@ class ECDH: } -def get_curve_for_oid(oid: ObjectIdentifier) -> typing.Type[EllipticCurve]: +def get_curve_for_oid(oid: ObjectIdentifier) -> type[EllipticCurve]: try: return _OID_TO_CURVE[oid] except KeyError: diff --git a/src/cryptography/hazmat/primitives/asymmetric/padding.py b/src/cryptography/hazmat/primitives/asymmetric/padding.py index 7198808effd0..61359adfa9b5 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/padding.py +++ b/src/cryptography/hazmat/primitives/asymmetric/padding.py @@ -5,7 +5,6 @@ from __future__ import annotations import abc -import typing from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives._asymmetric import ( @@ -35,12 +34,12 @@ class PSS(AsymmetricPadding): AUTO = _Auto() DIGEST_LENGTH = _DigestLength() name = "EMSA-PSS" - _salt_length: typing.Union[int, _MaxLength, _Auto, _DigestLength] + _salt_length: int | _MaxLength | _Auto | _DigestLength def __init__( self, mgf: MGF, - salt_length: typing.Union[int, _MaxLength, _Auto, _DigestLength], + salt_length: int | _MaxLength | _Auto | _DigestLength, ) -> None: self._mgf = mgf @@ -65,7 +64,7 @@ def __init__( self, mgf: MGF, algorithm: hashes.HashAlgorithm, - label: typing.Optional[bytes], + label: bytes | None, ): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError("Expected instance of hashes.HashAlgorithm.") @@ -90,7 +89,7 @@ def __init__(self, algorithm: hashes.HashAlgorithm): def calculate_max_pss_salt_length( - key: typing.Union[rsa.RSAPrivateKey, rsa.RSAPublicKey], + key: rsa.RSAPrivateKey | rsa.RSAPublicKey, hash_algorithm: hashes.HashAlgorithm, ) -> int: if not isinstance(key, (rsa.RSAPrivateKey, rsa.RSAPublicKey)): diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 1e132cca36a7..140b18a7f7b3 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -38,7 +38,7 @@ def sign( self, data: bytes, padding: AsymmetricPadding, - algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], + algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, ) -> bytes: """ Signs the data. @@ -101,7 +101,7 @@ def verify( signature: bytes, data: bytes, padding: AsymmetricPadding, - algorithm: typing.Union[asym_utils.Prehashed, hashes.HashAlgorithm], + algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, ) -> None: """ Verifies the signature of the data. @@ -112,7 +112,7 @@ def recover_data_from_signature( self, signature: bytes, padding: AsymmetricPadding, - algorithm: typing.Optional[hashes.HashAlgorithm], + algorithm: hashes.HashAlgorithm | None, ) -> bytes: """ Recovers the original data from the signature. @@ -250,9 +250,7 @@ def rsa_crt_dmq1(private_exponent: int, q: int) -> int: _MAX_RECOVERY_ATTEMPTS = 1000 -def rsa_recover_prime_factors( - n: int, e: int, d: int -) -> typing.Tuple[int, int]: +def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]: """ Compute factors p and q from the private exponent d. We assume that n has no more than two factors. This function is adapted from code in PyCrypto. diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 944060c0b3dd..0feb921dc7bd 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -5,7 +5,6 @@ from __future__ import annotations import os -import typing from cryptography import exceptions, utils from cryptography.hazmat.backends.openssl import aead @@ -52,7 +51,7 @@ def encrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" @@ -73,7 +72,7 @@ def decrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" @@ -134,7 +133,7 @@ def encrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" @@ -155,7 +154,7 @@ def decrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" @@ -206,7 +205,7 @@ def encrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" @@ -224,7 +223,7 @@ def decrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" @@ -275,7 +274,7 @@ def encrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" @@ -293,7 +292,7 @@ def decrypt( self, nonce: bytes, data: bytes, - associated_data: typing.Optional[bytes], + associated_data: bytes | None, ) -> bytes: if associated_data is None: associated_data = b"" diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index 38a2ebbe081e..7f3132b7d1b7 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py @@ -141,9 +141,7 @@ def decryptor(self): def _wrap_ctx( self, ctx: _BackendCipherContext, encrypt: bool - ) -> typing.Union[ - AEADEncryptionContext, AEADDecryptionContext, CipherContext - ]: + ) -> AEADEncryptionContext | AEADDecryptionContext | CipherContext: if isinstance(self.mode, modes.ModeWithAuthenticationTag): if encrypt: return _AEADEncryptionContext(ctx) @@ -165,7 +163,7 @@ def _wrap_ctx( class _CipherContext(CipherContext): - _ctx: typing.Optional[_BackendCipherContext] + _ctx: _BackendCipherContext | None def __init__(self, ctx: _BackendCipherContext) -> None: self._ctx = ctx @@ -189,8 +187,8 @@ def finalize(self) -> bytes: class _AEADCipherContext(AEADCipherContext): - _ctx: typing.Optional[_BackendCipherContext] - _tag: typing.Optional[bytes] + _ctx: _BackendCipherContext | None + _tag: bytes | None def __init__(self, ctx: _BackendCipherContext) -> None: self._ctx = ctx diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py index d8ea1888d67b..712ccd3f7945 100644 --- a/src/cryptography/hazmat/primitives/ciphers/modes.py +++ b/src/cryptography/hazmat/primitives/ciphers/modes.py @@ -5,7 +5,6 @@ from __future__ import annotations import abc -import typing from cryptography import utils from cryptography.exceptions import UnsupportedAlgorithm, _Reasons @@ -62,7 +61,7 @@ def nonce(self) -> bytes: class ModeWithAuthenticationTag(Mode, metaclass=abc.ABCMeta): @property @abc.abstractmethod - def tag(self) -> typing.Optional[bytes]: + def tag(self) -> bytes | None: """ The value of the tag supplied to the constructor of this mode. """ @@ -225,7 +224,7 @@ class GCM(ModeWithInitializationVector, ModeWithAuthenticationTag): def __init__( self, initialization_vector: bytes, - tag: typing.Optional[bytes] = None, + tag: bytes | None = None, min_tag_length: int = 16, ): # OpenSSL 3.0.0 constrains GCM IVs to [64, 1024] bits inclusive @@ -251,7 +250,7 @@ def __init__( self._min_tag_length = min_tag_length @property - def tag(self) -> typing.Optional[bytes]: + def tag(self) -> bytes | None: return self._tag @property diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py index 8aa1d791acdd..1a8a622c6953 100644 --- a/src/cryptography/hazmat/primitives/cmac.py +++ b/src/cryptography/hazmat/primitives/cmac.py @@ -15,14 +15,14 @@ class CMAC: - _ctx: typing.Optional[_CMACContext] + _ctx: _CMACContext | None _algorithm: ciphers.BlockCipherAlgorithm def __init__( self, algorithm: ciphers.BlockCipherAlgorithm, backend: typing.Any = None, - ctx: typing.Optional[_CMACContext] = None, + ctx: _CMACContext | None = None, ) -> None: if not isinstance(algorithm, ciphers.BlockCipherAlgorithm): raise TypeError("Expected instance of BlockCipherAlgorithm.") diff --git a/src/cryptography/hazmat/primitives/hashes.py b/src/cryptography/hazmat/primitives/hashes.py index b6a7ff140e68..c5be0c8eadc0 100644 --- a/src/cryptography/hazmat/primitives/hashes.py +++ b/src/cryptography/hazmat/primitives/hashes.py @@ -5,7 +5,6 @@ from __future__ import annotations import abc -import typing from cryptography.hazmat.bindings._rust import openssl as rust_openssl @@ -51,7 +50,7 @@ def digest_size(self) -> int: @property @abc.abstractmethod - def block_size(self) -> typing.Optional[int]: + def block_size(self) -> int | None: """ The internal block size of the hash function, or None if the hash function does not use blocks internally (e.g. SHA3). diff --git a/src/cryptography/hazmat/primitives/kdf/concatkdf.py b/src/cryptography/hazmat/primitives/kdf/concatkdf.py index d5ea58a94522..96d9d4c0df5e 100644 --- a/src/cryptography/hazmat/primitives/kdf/concatkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/concatkdf.py @@ -19,7 +19,7 @@ def _int_to_u32be(n: int) -> bytes: def _common_args_checks( algorithm: hashes.HashAlgorithm, length: int, - otherinfo: typing.Optional[bytes], + otherinfo: bytes | None, ) -> None: max_length = algorithm.digest_size * (2**32 - 1) if length > max_length: @@ -56,7 +56,7 @@ def __init__( self, algorithm: hashes.HashAlgorithm, length: int, - otherinfo: typing.Optional[bytes], + otherinfo: bytes | None, backend: typing.Any = None, ): _common_args_checks(algorithm, length, otherinfo) @@ -87,8 +87,8 @@ def __init__( self, algorithm: hashes.HashAlgorithm, length: int, - salt: typing.Optional[bytes], - otherinfo: typing.Optional[bytes], + salt: bytes | None, + otherinfo: bytes | None, backend: typing.Any = None, ): _common_args_checks(algorithm, length, otherinfo) diff --git a/src/cryptography/hazmat/primitives/kdf/hkdf.py b/src/cryptography/hazmat/primitives/kdf/hkdf.py index d47689443631..ee562d2f4433 100644 --- a/src/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/hkdf.py @@ -17,8 +17,8 @@ def __init__( self, algorithm: hashes.HashAlgorithm, length: int, - salt: typing.Optional[bytes], - info: typing.Optional[bytes], + salt: bytes | None, + info: bytes | None, backend: typing.Any = None, ): self._algorithm = algorithm @@ -51,7 +51,7 @@ def __init__( self, algorithm: hashes.HashAlgorithm, length: int, - info: typing.Optional[bytes], + info: bytes | None, backend: typing.Any = None, ): self._algorithm = algorithm diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py index 967763828f3f..2f41db9260ec 100644 --- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py @@ -40,12 +40,12 @@ def __init__( mode: Mode, length: int, rlen: int, - llen: typing.Optional[int], + llen: int | None, location: CounterLocation, - break_location: typing.Optional[int], - label: typing.Optional[bytes], - context: typing.Optional[bytes], - fixed: typing.Optional[bytes], + break_location: int | None, + label: bytes | None, + context: bytes | None, + fixed: bytes | None, ): assert callable(prf) @@ -181,14 +181,14 @@ def __init__( mode: Mode, length: int, rlen: int, - llen: typing.Optional[int], + llen: int | None, location: CounterLocation, - label: typing.Optional[bytes], - context: typing.Optional[bytes], - fixed: typing.Optional[bytes], + label: bytes | None, + context: bytes | None, + fixed: bytes | None, backend: typing.Any = None, *, - break_location: typing.Optional[int] = None, + break_location: int | None = None, ): if not isinstance(algorithm, hashes.HashAlgorithm): raise UnsupportedAlgorithm( @@ -239,14 +239,14 @@ def __init__( mode: Mode, length: int, rlen: int, - llen: typing.Optional[int], + llen: int | None, location: CounterLocation, - label: typing.Optional[bytes], - context: typing.Optional[bytes], - fixed: typing.Optional[bytes], + label: bytes | None, + context: bytes | None, + fixed: bytes | None, backend: typing.Any = None, *, - break_location: typing.Optional[int] = None, + break_location: int | None = None, ): if not issubclass( algorithm, ciphers.BlockCipherAlgorithm @@ -257,7 +257,7 @@ def __init__( ) self._algorithm = algorithm - self._cipher: typing.Optional[ciphers.BlockCipherAlgorithm] = None + self._cipher: ciphers.BlockCipherAlgorithm | None = None self._deriver = _KBKDFDeriver( self._prf, diff --git a/src/cryptography/hazmat/primitives/kdf/x963kdf.py b/src/cryptography/hazmat/primitives/kdf/x963kdf.py index 17acc5174bb0..6e38366a996f 100644 --- a/src/cryptography/hazmat/primitives/kdf/x963kdf.py +++ b/src/cryptography/hazmat/primitives/kdf/x963kdf.py @@ -21,7 +21,7 @@ def __init__( self, algorithm: hashes.HashAlgorithm, length: int, - sharedinfo: typing.Optional[bytes], + sharedinfo: bytes | None, backend: typing.Any = None, ): max_len = algorithm.digest_size * (2**32 - 1) diff --git a/src/cryptography/hazmat/primitives/keywrap.py b/src/cryptography/hazmat/primitives/keywrap.py index 59b0326c2a86..3ee152b7903a 100644 --- a/src/cryptography/hazmat/primitives/keywrap.py +++ b/src/cryptography/hazmat/primitives/keywrap.py @@ -15,7 +15,7 @@ def _wrap_core( wrapping_key: bytes, a: bytes, - r: typing.List[bytes], + r: list[bytes], ) -> bytes: # RFC 3394 Key Wrap - 2.2.1 (index method) encryptor = Cipher(AES(wrapping_key), ECB()).encryptor() @@ -58,8 +58,8 @@ def aes_key_wrap( def _unwrap_core( wrapping_key: bytes, a: bytes, - r: typing.List[bytes], -) -> typing.Tuple[bytes, typing.List[bytes]]: + r: list[bytes], +) -> tuple[bytes, list[bytes]]: # Implement RFC 3394 Key Unwrap - 2.2.2 (index method) decryptor = Cipher(AES(wrapping_key), ECB()).decryptor() n = len(r) diff --git a/src/cryptography/hazmat/primitives/padding.py b/src/cryptography/hazmat/primitives/padding.py index fde3094b00ae..baceaf381880 100644 --- a/src/cryptography/hazmat/primitives/padding.py +++ b/src/cryptography/hazmat/primitives/padding.py @@ -38,8 +38,8 @@ def _byte_padding_check(block_size: int) -> None: def _byte_padding_update( - buffer_: typing.Optional[bytes], data: bytes, block_size: int -) -> typing.Tuple[bytes, bytes]: + buffer_: bytes | None, data: bytes, block_size: int +) -> tuple[bytes, bytes]: if buffer_ is None: raise AlreadyFinalized("Context was already finalized.") @@ -56,7 +56,7 @@ def _byte_padding_update( def _byte_padding_pad( - buffer_: typing.Optional[bytes], + buffer_: bytes | None, block_size: int, paddingfn: typing.Callable[[int], bytes], ) -> bytes: @@ -68,8 +68,8 @@ def _byte_padding_pad( def _byte_unpadding_update( - buffer_: typing.Optional[bytes], data: bytes, block_size: int -) -> typing.Tuple[bytes, bytes]: + buffer_: bytes | None, data: bytes, block_size: int +) -> tuple[bytes, bytes]: if buffer_ is None: raise AlreadyFinalized("Context was already finalized.") @@ -86,7 +86,7 @@ def _byte_unpadding_update( def _byte_unpadding_check( - buffer_: typing.Optional[bytes], + buffer_: bytes | None, block_size: int, checkfn: typing.Callable[[bytes], int], ) -> bytes: @@ -118,7 +118,7 @@ def unpadder(self) -> PaddingContext: class _PKCS7PaddingContext(PaddingContext): - _buffer: typing.Optional[bytes] + _buffer: bytes | None def __init__(self, block_size: int): self.block_size = block_size @@ -143,7 +143,7 @@ def finalize(self) -> bytes: class _PKCS7UnpaddingContext(PaddingContext): - _buffer: typing.Optional[bytes] + _buffer: bytes | None def __init__(self, block_size: int): self.block_size = block_size @@ -177,7 +177,7 @@ def unpadder(self) -> PaddingContext: class _ANSIX923PaddingContext(PaddingContext): - _buffer: typing.Optional[bytes] + _buffer: bytes | None def __init__(self, block_size: int): self.block_size = block_size @@ -202,7 +202,7 @@ def finalize(self) -> bytes: class _ANSIX923UnpaddingContext(PaddingContext): - _buffer: typing.Optional[bytes] + _buffer: bytes | None def __init__(self, block_size: int): self.block_size = block_size diff --git a/src/cryptography/hazmat/primitives/serialization/base.py b/src/cryptography/hazmat/primitives/serialization/base.py index 606f6356e187..9df1a1e83588 100644 --- a/src/cryptography/hazmat/primitives/serialization/base.py +++ b/src/cryptography/hazmat/primitives/serialization/base.py @@ -16,7 +16,7 @@ def load_pem_private_key( data: bytes, - password: typing.Optional[bytes], + password: bytes | None, backend: typing.Any = None, *, unsafe_skip_rsa_key_validation: bool = False, @@ -44,7 +44,7 @@ def load_pem_parameters( def load_der_private_key( data: bytes, - password: typing.Optional[bytes], + password: bytes | None, backend: typing.Any = None, *, unsafe_skip_rsa_key_validation: bool = False, diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 27133a3fa851..006a248bd244 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -41,7 +41,7 @@ class PKCS12Certificate: def __init__( self, cert: x509.Certificate, - friendly_name: typing.Optional[bytes], + friendly_name: bytes | None, ): if not isinstance(cert, x509.Certificate): raise TypeError("Expecting x509.Certificate object") @@ -51,7 +51,7 @@ def __init__( self._friendly_name = friendly_name @property - def friendly_name(self) -> typing.Optional[bytes]: + def friendly_name(self) -> bytes | None: return self._friendly_name @property @@ -79,9 +79,9 @@ def __repr__(self) -> str: class PKCS12KeyAndCertificates: def __init__( self, - key: typing.Optional[PrivateKeyTypes], - cert: typing.Optional[PKCS12Certificate], - additional_certs: typing.List[PKCS12Certificate], + key: PrivateKeyTypes | None, + cert: PKCS12Certificate | None, + additional_certs: list[PKCS12Certificate], ): if key is not None and not isinstance( key, @@ -112,15 +112,15 @@ def __init__( self._additional_certs = additional_certs @property - def key(self) -> typing.Optional[PrivateKeyTypes]: + def key(self) -> PrivateKeyTypes | None: return self._key @property - def cert(self) -> typing.Optional[PKCS12Certificate]: + def cert(self) -> PKCS12Certificate | None: return self._cert @property - def additional_certs(self) -> typing.List[PKCS12Certificate]: + def additional_certs(self) -> list[PKCS12Certificate]: return self._additional_certs def __eq__(self, other: object) -> bool: @@ -145,12 +145,12 @@ def __repr__(self) -> str: def load_key_and_certificates( data: bytes, - password: typing.Optional[bytes], + password: bytes | None, backend: typing.Any = None, -) -> typing.Tuple[ - typing.Optional[PrivateKeyTypes], - typing.Optional[x509.Certificate], - typing.List[x509.Certificate], +) -> tuple[ + PrivateKeyTypes | None, + x509.Certificate | None, + list[x509.Certificate], ]: from cryptography.hazmat.backends.openssl.backend import backend as ossl @@ -159,7 +159,7 @@ def load_key_and_certificates( def load_pkcs12( data: bytes, - password: typing.Optional[bytes], + password: bytes | None, backend: typing.Any = None, ) -> PKCS12KeyAndCertificates: from cryptography.hazmat.backends.openssl.backend import backend as ossl @@ -174,10 +174,10 @@ def load_pkcs12( def serialize_key_and_certificates( - name: typing.Optional[bytes], - key: typing.Optional[PKCS12PrivateKeyTypes], - cert: typing.Optional[x509.Certificate], - cas: typing.Optional[typing.Iterable[_PKCS12CATypes]], + name: bytes | None, + key: PKCS12PrivateKeyTypes | None, + cert: x509.Certificate | None, + cas: typing.Iterable[_PKCS12CATypes] | None, encryption_algorithm: serialization.KeySerializationEncryption, ) -> bytes: if key is not None and not isinstance( diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index e06333a6d651..1d7d9c1b6869 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -18,20 +18,20 @@ from cryptography.utils import _check_byteslike -def load_pem_pkcs7_certificates(data: bytes) -> typing.List[x509.Certificate]: +def load_pem_pkcs7_certificates(data: bytes) -> list[x509.Certificate]: from cryptography.hazmat.backends.openssl.backend import backend return backend.load_pem_pkcs7_certificates(data) -def load_der_pkcs7_certificates(data: bytes) -> typing.List[x509.Certificate]: +def load_der_pkcs7_certificates(data: bytes) -> list[x509.Certificate]: from cryptography.hazmat.backends.openssl.backend import backend return backend.load_der_pkcs7_certificates(data) def serialize_certificates( - certs: typing.List[x509.Certificate], + certs: list[x509.Certificate], encoding: serialization.Encoding, ) -> bytes: return rust_pkcs7.serialize_certificates(certs, encoding) @@ -61,15 +61,15 @@ class PKCS7Options(utils.Enum): class PKCS7SignatureBuilder: def __init__( self, - data: typing.Optional[bytes] = None, - signers: typing.List[ - typing.Tuple[ + data: bytes | None = None, + signers: list[ + tuple[ x509.Certificate, PKCS7PrivateKeyTypes, PKCS7HashTypes, ] ] = [], - additional_certs: typing.List[x509.Certificate] = [], + additional_certs: list[x509.Certificate] = [], ): self._data = data self._signers = signers diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index bcc5582bbed0..da686abadb06 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -87,21 +87,17 @@ def _bcrypt_kdf( @dataclass class _SSHCipher: - alg: typing.Type[algorithms.AES] + alg: type[algorithms.AES] key_len: int - mode: typing.Union[ - typing.Type[modes.CTR], - typing.Type[modes.CBC], - typing.Type[modes.GCM], - ] + mode: type[modes.CTR] | type[modes.CBC] | type[modes.GCM] block_len: int iv_len: int - tag_len: typing.Optional[int] + tag_len: int | None is_aead: bool # ciphers that are actually used in key wrapping -_SSH_CIPHERS: typing.Dict[bytes, _SSHCipher] = { +_SSH_CIPHERS: dict[bytes, _SSHCipher] = { b"aes256-ctr": _SSHCipher( alg=algorithms.AES, key_len=32, @@ -139,9 +135,7 @@ class _SSHCipher: } -def _get_ssh_key_type( - key: typing.Union[SSHPrivateKeyTypes, SSHPublicKeyTypes] -) -> bytes: +def _get_ssh_key_type(key: SSHPrivateKeyTypes | SSHPublicKeyTypes) -> bytes: if isinstance(key, ec.EllipticCurvePrivateKey): key_type = _ecdsa_key_type(key.public_key()) elif isinstance(key, ec.EllipticCurvePublicKey): @@ -192,10 +186,10 @@ def _check_empty(data: bytes) -> None: def _init_cipher( ciphername: bytes, - password: typing.Optional[bytes], + password: bytes | None, salt: bytes, rounds: int, -) -> Cipher[typing.Union[modes.CBC, modes.CTR, modes.GCM]]: +) -> Cipher[modes.CBC | modes.CTR | modes.GCM]: """Generate key + iv and return cipher.""" if not password: raise ValueError("Key is password-protected.") @@ -210,21 +204,21 @@ def _init_cipher( ) -def _get_u32(data: memoryview) -> typing.Tuple[int, memoryview]: +def _get_u32(data: memoryview) -> tuple[int, memoryview]: """Uint32""" if len(data) < 4: raise ValueError("Invalid data") return int.from_bytes(data[:4], byteorder="big"), data[4:] -def _get_u64(data: memoryview) -> typing.Tuple[int, memoryview]: +def _get_u64(data: memoryview) -> tuple[int, memoryview]: """Uint64""" if len(data) < 8: raise ValueError("Invalid data") return int.from_bytes(data[:8], byteorder="big"), data[8:] -def _get_sshstr(data: memoryview) -> typing.Tuple[memoryview, memoryview]: +def _get_sshstr(data: memoryview) -> tuple[memoryview, memoryview]: """Bytes with u32 length prefix""" n, data = _get_u32(data) if n > len(data): @@ -232,7 +226,7 @@ def _get_sshstr(data: memoryview) -> typing.Tuple[memoryview, memoryview]: return data[:n], data[n:] -def _get_mpint(data: memoryview) -> typing.Tuple[int, memoryview]: +def _get_mpint(data: memoryview) -> tuple[int, memoryview]: """Big integer.""" val, data = _get_sshstr(data) if val and val[0] > 0x7F: @@ -253,11 +247,9 @@ def _to_mpint(val: int) -> bytes: class _FragList: """Build recursive structure without data copy.""" - flist: typing.List[bytes] + flist: list[bytes] - def __init__( - self, init: typing.Optional[typing.List[bytes]] = None - ) -> None: + def __init__(self, init: list[bytes] | None = None) -> None: self.flist = [] if init: self.flist.extend(init) @@ -274,7 +266,7 @@ def put_u64(self, val: int) -> None: """Big-endian uint64""" self.flist.append(val.to_bytes(length=8, byteorder="big")) - def put_sshstr(self, val: typing.Union[bytes, _FragList]) -> None: + def put_sshstr(self, val: bytes | _FragList) -> None: """Bytes prefixed with u32 length""" if isinstance(val, (bytes, memoryview, bytearray)): self.put_u32(len(val)) @@ -323,7 +315,7 @@ def get_public(self, data: memoryview): def load_public( self, data: memoryview - ) -> typing.Tuple[rsa.RSAPublicKey, memoryview]: + ) -> tuple[rsa.RSAPublicKey, memoryview]: """Make RSA public key from data.""" (e, n), data = self.get_public(data) public_numbers = rsa.RSAPublicNumbers(e, n) @@ -332,7 +324,7 @@ def load_public( def load_private( self, data: memoryview, pubfields - ) -> typing.Tuple[rsa.RSAPrivateKey, memoryview]: + ) -> tuple[rsa.RSAPrivateKey, memoryview]: """Make RSA private key from data.""" n, data = _get_mpint(data) e, data = _get_mpint(data) @@ -385,9 +377,7 @@ class _SSHFormatDSA: mpint p, q, g, y, x """ - def get_public( - self, data: memoryview - ) -> typing.Tuple[typing.Tuple, memoryview]: + def get_public(self, data: memoryview) -> tuple[tuple, memoryview]: """DSA public fields""" p, data = _get_mpint(data) q, data = _get_mpint(data) @@ -397,7 +387,7 @@ def get_public( def load_public( self, data: memoryview - ) -> typing.Tuple[dsa.DSAPublicKey, memoryview]: + ) -> tuple[dsa.DSAPublicKey, memoryview]: """Make DSA public key from data.""" (p, q, g, y), data = self.get_public(data) parameter_numbers = dsa.DSAParameterNumbers(p, q, g) @@ -408,7 +398,7 @@ def load_public( def load_private( self, data: memoryview, pubfields - ) -> typing.Tuple[dsa.DSAPrivateKey, memoryview]: + ) -> tuple[dsa.DSAPrivateKey, memoryview]: """Make DSA private key from data.""" (p, q, g, y), data = self.get_public(data) x, data = _get_mpint(data) @@ -464,9 +454,7 @@ def __init__(self, ssh_curve_name: bytes, curve: ec.EllipticCurve): self.ssh_curve_name = ssh_curve_name self.curve = curve - def get_public( - self, data: memoryview - ) -> typing.Tuple[typing.Tuple, memoryview]: + def get_public(self, data: memoryview) -> tuple[tuple, memoryview]: """ECDSA public fields""" curve, data = _get_sshstr(data) point, data = _get_sshstr(data) @@ -478,7 +466,7 @@ def get_public( def load_public( self, data: memoryview - ) -> typing.Tuple[ec.EllipticCurvePublicKey, memoryview]: + ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: """Make ECDSA public key from data.""" (curve_name, point), data = self.get_public(data) public_key = ec.EllipticCurvePublicKey.from_encoded_point( @@ -488,7 +476,7 @@ def load_public( def load_private( self, data: memoryview, pubfields - ) -> typing.Tuple[ec.EllipticCurvePrivateKey, memoryview]: + ) -> tuple[ec.EllipticCurvePrivateKey, memoryview]: """Make ECDSA private key from data.""" (curve_name, point), data = self.get_public(data) secret, data = _get_mpint(data) @@ -529,16 +517,14 @@ class _SSHFormatEd25519: bytes secret_and_point """ - def get_public( - self, data: memoryview - ) -> typing.Tuple[typing.Tuple, memoryview]: + def get_public(self, data: memoryview) -> tuple[tuple, memoryview]: """Ed25519 public fields""" point, data = _get_sshstr(data) return (point,), data def load_public( self, data: memoryview - ) -> typing.Tuple[ed25519.Ed25519PublicKey, memoryview]: + ) -> tuple[ed25519.Ed25519PublicKey, memoryview]: """Make Ed25519 public key from data.""" (point,), data = self.get_public(data) public_key = ed25519.Ed25519PublicKey.from_public_bytes( @@ -548,7 +534,7 @@ def load_public( def load_private( self, data: memoryview, pubfields - ) -> typing.Tuple[ed25519.Ed25519PrivateKey, memoryview]: + ) -> tuple[ed25519.Ed25519PrivateKey, memoryview]: """Make Ed25519 private key from data.""" (point,), data = self.get_public(data) keypair, data = _get_sshstr(data) @@ -615,7 +601,7 @@ def _lookup_kformat(key_type: bytes): def load_ssh_private_key( data: bytes, - password: typing.Optional[bytes], + password: bytes | None, backend: typing.Any = None, ) -> SSHPrivateKeyTypes: """Load private key from OpenSSH custom encoding.""" @@ -820,11 +806,11 @@ def __init__( _serial: int, _cctype: int, _key_id: memoryview, - _valid_principals: typing.List[bytes], + _valid_principals: list[bytes], _valid_after: int, _valid_before: int, - _critical_options: typing.Dict[bytes, bytes], - _extensions: typing.Dict[bytes, bytes], + _critical_options: dict[bytes, bytes], + _extensions: dict[bytes, bytes], _sig_type: memoryview, _sig_key: memoryview, _inner_sig_type: memoryview, @@ -876,7 +862,7 @@ def key_id(self) -> bytes: return bytes(self._key_id) @property - def valid_principals(self) -> typing.List[bytes]: + def valid_principals(self) -> list[bytes]: return self._valid_principals @property @@ -888,11 +874,11 @@ def valid_after(self) -> int: return self._valid_after @property - def critical_options(self) -> typing.Dict[bytes, bytes]: + def critical_options(self) -> dict[bytes, bytes]: return self._critical_options @property - def extensions(self) -> typing.Dict[bytes, bytes]: + def extensions(self) -> dict[bytes, bytes]: return self._extensions def signature_key(self) -> SSHCertPublicKeyTypes: @@ -954,7 +940,7 @@ def _get_ec_hash_alg(curve: ec.EllipticCurve) -> hashes.HashAlgorithm: def _load_ssh_public_identity( data: bytes, _legacy_dsa_allowed=False, -) -> typing.Union[SSHCertificate, SSHPublicKeyTypes]: +) -> SSHCertificate | SSHPublicKeyTypes: utils._check_byteslike("data", data) m = _SSH_PUBKEY_RC.match(data) @@ -1048,12 +1034,12 @@ def _load_ssh_public_identity( def load_ssh_public_identity( data: bytes, -) -> typing.Union[SSHCertificate, SSHPublicKeyTypes]: +) -> SSHCertificate | SSHPublicKeyTypes: return _load_ssh_public_identity(data) -def _parse_exts_opts(exts_opts: memoryview) -> typing.Dict[bytes, bytes]: - result: typing.Dict[bytes, bytes] = {} +def _parse_exts_opts(exts_opts: memoryview) -> dict[bytes, bytes]: + result: dict[bytes, bytes] = {} last_name = None while exts_opts: name, exts_opts = _get_sshstr(exts_opts) @@ -1127,16 +1113,16 @@ def serialize_ssh_public_key(public_key: SSHPublicKeyTypes) -> bytes: class SSHCertificateBuilder: def __init__( self, - _public_key: typing.Optional[SSHCertPublicKeyTypes] = None, - _serial: typing.Optional[int] = None, - _type: typing.Optional[SSHCertificateType] = None, - _key_id: typing.Optional[bytes] = None, - _valid_principals: typing.List[bytes] = [], + _public_key: SSHCertPublicKeyTypes | None = None, + _serial: int | None = None, + _type: SSHCertificateType | None = None, + _key_id: bytes | None = None, + _valid_principals: list[bytes] = [], _valid_for_all_principals: bool = False, - _valid_before: typing.Optional[int] = None, - _valid_after: typing.Optional[int] = None, - _critical_options: typing.List[typing.Tuple[bytes, bytes]] = [], - _extensions: typing.List[typing.Tuple[bytes, bytes]] = [], + _valid_before: int | None = None, + _valid_after: int | None = None, + _critical_options: list[tuple[bytes, bytes]] = [], + _extensions: list[tuple[bytes, bytes]] = [], ): self._public_key = _public_key self._serial = _serial @@ -1237,7 +1223,7 @@ def key_id(self, key_id: bytes) -> SSHCertificateBuilder: ) def valid_principals( - self, valid_principals: typing.List[bytes] + self, valid_principals: list[bytes] ) -> SSHCertificateBuilder: if self._valid_for_all_principals: raise ValueError( @@ -1294,9 +1280,7 @@ def valid_for_all_principals(self): _extensions=self._extensions, ) - def valid_before( - self, valid_before: typing.Union[int, float] - ) -> SSHCertificateBuilder: + def valid_before(self, valid_before: int | float) -> SSHCertificateBuilder: if not isinstance(valid_before, (int, float)): raise TypeError("valid_before must be an int or float") valid_before = int(valid_before) @@ -1318,9 +1302,7 @@ def valid_before( _extensions=self._extensions, ) - def valid_after( - self, valid_after: typing.Union[int, float] - ) -> SSHCertificateBuilder: + def valid_after(self, valid_after: int | float) -> SSHCertificateBuilder: if not isinstance(valid_after, (int, float)): raise TypeError("valid_after must be an int or float") valid_after = int(valid_after) diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py index 2067108a63d6..af5ab6efe290 100644 --- a/src/cryptography/hazmat/primitives/twofactor/hotp.py +++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py @@ -19,8 +19,8 @@ def _generate_uri( hotp: HOTP, type_name: str, account_name: str, - issuer: typing.Optional[str], - extra_parameters: typing.List[typing.Tuple[str, int]], + issuer: str | None, + extra_parameters: list[tuple[str, int]], ) -> str: parameters = [ ("digits", hotp._length), @@ -85,7 +85,7 @@ def _dynamic_truncate(self, counter: int) -> int: return int.from_bytes(p, byteorder="big") & 0x7FFFFFFF def get_provisioning_uri( - self, account_name: str, counter: int, issuer: typing.Optional[str] + self, account_name: str, counter: int, issuer: str | None ) -> str: return _generate_uri( self, "hotp", account_name, issuer, [("counter", int(counter))] diff --git a/src/cryptography/hazmat/primitives/twofactor/totp.py b/src/cryptography/hazmat/primitives/twofactor/totp.py index daddcea2f77e..68a5077468e3 100644 --- a/src/cryptography/hazmat/primitives/twofactor/totp.py +++ b/src/cryptography/hazmat/primitives/twofactor/totp.py @@ -30,7 +30,7 @@ def __init__( key, length, algorithm, enforce_key_length=enforce_key_length ) - def generate(self, time: typing.Union[int, float]) -> bytes: + def generate(self, time: int | float) -> bytes: counter = int(time / self._time_step) return self._hotp.generate(counter) @@ -39,7 +39,7 @@ def verify(self, totp: bytes, time: int) -> None: raise InvalidToken("Supplied TOTP value does not match.") def get_provisioning_uri( - self, account_name: str, issuer: typing.Optional[str] + self, account_name: str, issuer: str | None ) -> str: return _generate_uri( self._hotp, diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index 5facac1aef06..f92d226e85c8 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -38,13 +38,13 @@ def _check_byteslike(name: str, value: bytes) -> None: raise TypeError(f"{name} must be bytes-like") -def int_to_bytes(integer: int, length: typing.Optional[int] = None) -> bytes: +def int_to_bytes(integer: int, length: int | None = None) -> bytes: return integer.to_bytes( length or (integer.bit_length() + 7) // 8 or 1, "big" ) -def _extract_buffer_length(obj: typing.Any) -> typing.Tuple[typing.Any, int]: +def _extract_buffer_length(obj: typing.Any) -> tuple[typing.Any, int]: from cryptography.hazmat.bindings._rust import _openssl buf = _openssl.ffi.from_buffer(obj) @@ -92,8 +92,8 @@ def deprecated( value: object, module_name: str, message: str, - warning_class: typing.Type[Warning], - name: typing.Optional[str] = None, + warning_class: type[Warning], + name: str | None = None, ) -> _DeprecatedValue: module = sys.modules[module_name] if not isinstance(module, _ModuleWithDeprecations): diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 3d9d7c4228b3..051f7c350a04 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -60,7 +60,7 @@ def __init__(self, msg: str, oid: ObjectIdentifier) -> None: def _reject_duplicate_extension( extension: Extension[ExtensionType], - extensions: typing.List[Extension[ExtensionType]], + extensions: list[Extension[ExtensionType]], ) -> None: # This is quadratic in the number of extensions for e in extensions: @@ -70,9 +70,7 @@ def _reject_duplicate_extension( def _reject_duplicate_attribute( oid: ObjectIdentifier, - attributes: typing.List[ - typing.Tuple[ObjectIdentifier, bytes, typing.Optional[int]] - ], + attributes: list[tuple[ObjectIdentifier, bytes, int | None]], ) -> None: # This is quadratic in the number of attributes for attr_oid, _, _ in attributes: @@ -220,7 +218,7 @@ def subject(self) -> Name: @abc.abstractmethod def signature_hash_algorithm( self, - ) -> typing.Optional[hashes.HashAlgorithm]: + ) -> hashes.HashAlgorithm | None: """ Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. @@ -237,7 +235,7 @@ def signature_algorithm_oid(self) -> ObjectIdentifier: @abc.abstractmethod def signature_algorithm_parameters( self, - ) -> typing.Union[None, padding.PSS, padding.PKCS1v15, ec.ECDSA]: + ) -> None | padding.PSS | padding.PKCS1v15 | ec.ECDSA: """ Returns the signature algorithm parameters. """ @@ -369,7 +367,7 @@ def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes: @abc.abstractmethod def get_revoked_certificate_by_serial_number( self, serial_number: int - ) -> typing.Optional[RevokedCertificate]: + ) -> RevokedCertificate | None: """ Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. @@ -379,7 +377,7 @@ def get_revoked_certificate_by_serial_number( @abc.abstractmethod def signature_hash_algorithm( self, - ) -> typing.Optional[hashes.HashAlgorithm]: + ) -> hashes.HashAlgorithm | None: """ Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. @@ -401,7 +399,7 @@ def issuer(self) -> Name: @property @abc.abstractmethod - def next_update(self) -> typing.Optional[datetime.datetime]: + def next_update(self) -> datetime.datetime | None: """ Returns the date of next update for this CRL. """ @@ -451,13 +449,13 @@ def __getitem__(self, idx: int) -> RevokedCertificate: ... @typing.overload - def __getitem__(self, idx: slice) -> typing.List[RevokedCertificate]: + def __getitem__(self, idx: slice) -> list[RevokedCertificate]: ... @abc.abstractmethod def __getitem__( - self, idx: typing.Union[int, slice] - ) -> typing.Union[RevokedCertificate, typing.List[RevokedCertificate]]: + self, idx: int | slice + ) -> RevokedCertificate | list[RevokedCertificate]: """ Returns a revoked certificate (or slice of revoked certificates). """ @@ -510,7 +508,7 @@ def subject(self) -> Name: @abc.abstractmethod def signature_hash_algorithm( self, - ) -> typing.Optional[hashes.HashAlgorithm]: + ) -> hashes.HashAlgorithm | None: """ Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. @@ -583,7 +581,7 @@ def load_pem_x509_certificate( return rust_x509.load_pem_x509_certificate(data) -def load_pem_x509_certificates(data: bytes) -> typing.List[Certificate]: +def load_pem_x509_certificates(data: bytes) -> list[Certificate]: return rust_x509.load_pem_x509_certificates(data) @@ -625,11 +623,9 @@ def load_der_x509_crl( class CertificateSigningRequestBuilder: def __init__( self, - subject_name: typing.Optional[Name] = None, - extensions: typing.List[Extension[ExtensionType]] = [], - attributes: typing.List[ - typing.Tuple[ObjectIdentifier, bytes, typing.Optional[int]] - ] = [], + subject_name: Name | None = None, + extensions: list[Extension[ExtensionType]] = [], + attributes: list[tuple[ObjectIdentifier, bytes, int | None]] = [], ): """ Creates an empty X.509 certificate request (v1). @@ -673,7 +669,7 @@ def add_attribute( oid: ObjectIdentifier, value: bytes, *, - _tag: typing.Optional[_ASN1Type] = None, + _tag: _ASN1Type | None = None, ) -> CertificateSigningRequestBuilder: """ Adds an X.509 attribute with an OID and associated value. @@ -703,7 +699,7 @@ def add_attribute( def sign( self, private_key: CertificateIssuerPrivateKeyTypes, - algorithm: typing.Optional[_AllowedHashTypes], + algorithm: _AllowedHashTypes | None, backend: typing.Any = None, ) -> CertificateSigningRequest: """ @@ -715,17 +711,17 @@ def sign( class CertificateBuilder: - _extensions: typing.List[Extension[ExtensionType]] + _extensions: list[Extension[ExtensionType]] def __init__( self, - issuer_name: typing.Optional[Name] = None, - subject_name: typing.Optional[Name] = None, - public_key: typing.Optional[CertificatePublicKeyTypes] = None, - serial_number: typing.Optional[int] = None, - not_valid_before: typing.Optional[datetime.datetime] = None, - not_valid_after: typing.Optional[datetime.datetime] = None, - extensions: typing.List[Extension[ExtensionType]] = [], + issuer_name: Name | None = None, + subject_name: Name | None = None, + public_key: CertificatePublicKeyTypes | None = None, + serial_number: int | None = None, + not_valid_before: datetime.datetime | None = None, + not_valid_after: datetime.datetime | None = None, + extensions: list[Extension[ExtensionType]] = [], ) -> None: self._version = Version.v3 self._issuer_name = issuer_name @@ -922,12 +918,10 @@ def add_extension( def sign( self, private_key: CertificateIssuerPrivateKeyTypes, - algorithm: typing.Optional[_AllowedHashTypes], + algorithm: _AllowedHashTypes | None, backend: typing.Any = None, *, - rsa_padding: typing.Optional[ - typing.Union[padding.PSS, padding.PKCS1v15] - ] = None, + rsa_padding: padding.PSS | padding.PKCS1v15 | None = None, ) -> Certificate: """ Signs the certificate using the CA's private key. @@ -962,16 +956,16 @@ def sign( class CertificateRevocationListBuilder: - _extensions: typing.List[Extension[ExtensionType]] - _revoked_certificates: typing.List[RevokedCertificate] + _extensions: list[Extension[ExtensionType]] + _revoked_certificates: list[RevokedCertificate] def __init__( self, - issuer_name: typing.Optional[Name] = None, - last_update: typing.Optional[datetime.datetime] = None, - next_update: typing.Optional[datetime.datetime] = None, - extensions: typing.List[Extension[ExtensionType]] = [], - revoked_certificates: typing.List[RevokedCertificate] = [], + issuer_name: Name | None = None, + last_update: datetime.datetime | None = None, + next_update: datetime.datetime | None = None, + extensions: list[Extension[ExtensionType]] = [], + revoked_certificates: list[RevokedCertificate] = [], ): self._issuer_name = issuer_name self._last_update = last_update @@ -1081,7 +1075,7 @@ def add_revoked_certificate( def sign( self, private_key: CertificateIssuerPrivateKeyTypes, - algorithm: typing.Optional[_AllowedHashTypes], + algorithm: _AllowedHashTypes | None, backend: typing.Any = None, ) -> CertificateRevocationList: if self._issuer_name is None: @@ -1099,9 +1093,9 @@ def sign( class RevokedCertificateBuilder: def __init__( self, - serial_number: typing.Optional[int] = None, - revocation_date: typing.Optional[datetime.datetime] = None, - extensions: typing.List[Extension[ExtensionType]] = [], + serial_number: int | None = None, + revocation_date: datetime.datetime | None = None, + extensions: list[Extension[ExtensionType]] = [], ): self._serial_number = serial_number self._revocation_date = revocation_date diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index c73d49d83e95..c61c1f4853fd 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -124,7 +124,7 @@ def get_extension_for_oid( raise ExtensionNotFound(f"No {oid} extension was found", oid) def get_extension_for_class( - self, extclass: typing.Type[ExtensionTypeVar] + self, extclass: type[ExtensionTypeVar] ) -> Extension[ExtensionTypeVar]: if extclass is UnrecognizedExtension: raise TypeError( @@ -181,9 +181,9 @@ class AuthorityKeyIdentifier(ExtensionType): def __init__( self, - key_identifier: typing.Optional[bytes], - authority_cert_issuer: typing.Optional[typing.Iterable[GeneralName]], - authority_cert_serial_number: typing.Optional[int], + key_identifier: bytes | None, + authority_cert_issuer: typing.Iterable[GeneralName] | None, + authority_cert_serial_number: int | None, ) -> None: if (authority_cert_issuer is None) != ( authority_cert_serial_number is None @@ -267,17 +267,17 @@ def __hash__(self) -> int: ) @property - def key_identifier(self) -> typing.Optional[bytes]: + def key_identifier(self) -> bytes | None: return self._key_identifier @property def authority_cert_issuer( self, - ) -> typing.Optional[typing.List[GeneralName]]: + ) -> list[GeneralName] | None: return self._authority_cert_issuer @property - def authority_cert_serial_number(self) -> typing.Optional[int]: + def authority_cert_serial_number(self) -> int | None: return self._authority_cert_serial_number def public_bytes(self) -> bytes: @@ -429,7 +429,7 @@ def access_location(self) -> GeneralName: class BasicConstraints(ExtensionType): oid = ExtensionOID.BASIC_CONSTRAINTS - def __init__(self, ca: bool, path_length: typing.Optional[int]) -> None: + def __init__(self, ca: bool, path_length: int | None) -> None: if not isinstance(ca, bool): raise TypeError("ca must be a boolean value") @@ -451,7 +451,7 @@ def ca(self) -> bool: return self._ca @property - def path_length(self) -> typing.Optional[int]: + def path_length(self) -> int | None: return self._path_length def __repr__(self) -> str: @@ -578,10 +578,10 @@ def public_bytes(self) -> bytes: class DistributionPoint: def __init__( self, - full_name: typing.Optional[typing.Iterable[GeneralName]], - relative_name: typing.Optional[RelativeDistinguishedName], - reasons: typing.Optional[typing.FrozenSet[ReasonFlags]], - crl_issuer: typing.Optional[typing.Iterable[GeneralName]], + full_name: typing.Iterable[GeneralName] | None, + relative_name: RelativeDistinguishedName | None, + reasons: frozenset[ReasonFlags] | None, + crl_issuer: typing.Iterable[GeneralName] | None, ) -> None: if full_name and relative_name: raise ValueError( @@ -654,35 +654,31 @@ def __eq__(self, other: object) -> bool: def __hash__(self) -> int: if self.full_name is not None: - fn: typing.Optional[typing.Tuple[GeneralName, ...]] = tuple( - self.full_name - ) + fn: tuple[GeneralName, ...] | None = tuple(self.full_name) else: fn = None if self.crl_issuer is not None: - crl_issuer: typing.Optional[ - typing.Tuple[GeneralName, ...] - ] = tuple(self.crl_issuer) + crl_issuer: tuple[GeneralName, ...] | None = tuple(self.crl_issuer) else: crl_issuer = None return hash((fn, self.relative_name, self.reasons, crl_issuer)) @property - def full_name(self) -> typing.Optional[typing.List[GeneralName]]: + def full_name(self) -> list[GeneralName] | None: return self._full_name @property - def relative_name(self) -> typing.Optional[RelativeDistinguishedName]: + def relative_name(self) -> RelativeDistinguishedName | None: return self._relative_name @property - def reasons(self) -> typing.Optional[typing.FrozenSet[ReasonFlags]]: + def reasons(self) -> frozenset[ReasonFlags] | None: return self._reasons @property - def crl_issuer(self) -> typing.Optional[typing.List[GeneralName]]: + def crl_issuer(self) -> list[GeneralName] | None: return self._crl_issuer @@ -739,8 +735,8 @@ class PolicyConstraints(ExtensionType): def __init__( self, - require_explicit_policy: typing.Optional[int], - inhibit_policy_mapping: typing.Optional[int], + require_explicit_policy: int | None, + inhibit_policy_mapping: int | None, ) -> None: if require_explicit_policy is not None and not isinstance( require_explicit_policy, int @@ -788,11 +784,11 @@ def __hash__(self) -> int: ) @property - def require_explicit_policy(self) -> typing.Optional[int]: + def require_explicit_policy(self) -> int | None: return self._require_explicit_policy @property - def inhibit_policy_mapping(self) -> typing.Optional[int]: + def inhibit_policy_mapping(self) -> int | None: return self._inhibit_policy_mapping def public_bytes(self) -> bytes: @@ -834,9 +830,7 @@ class PolicyInformation: def __init__( self, policy_identifier: ObjectIdentifier, - policy_qualifiers: typing.Optional[ - typing.Iterable[typing.Union[str, UserNotice]] - ], + policy_qualifiers: typing.Iterable[str | UserNotice] | None, ) -> None: if not isinstance(policy_identifier, ObjectIdentifier): raise TypeError("policy_identifier must be an ObjectIdentifier") @@ -872,9 +866,9 @@ def __eq__(self, other: object) -> bool: def __hash__(self) -> int: if self.policy_qualifiers is not None: - pq: typing.Optional[ - typing.Tuple[typing.Union[str, UserNotice], ...] - ] = tuple(self.policy_qualifiers) + pq: tuple[str | UserNotice, ...] | None = tuple( + self.policy_qualifiers + ) else: pq = None @@ -887,15 +881,15 @@ def policy_identifier(self) -> ObjectIdentifier: @property def policy_qualifiers( self, - ) -> typing.Optional[typing.List[typing.Union[str, UserNotice]]]: + ) -> list[str | UserNotice] | None: return self._policy_qualifiers class UserNotice: def __init__( self, - notice_reference: typing.Optional[NoticeReference], - explicit_text: typing.Optional[str], + notice_reference: NoticeReference | None, + explicit_text: str | None, ) -> None: if notice_reference and not isinstance( notice_reference, NoticeReference @@ -926,18 +920,18 @@ def __hash__(self) -> int: return hash((self.notice_reference, self.explicit_text)) @property - def notice_reference(self) -> typing.Optional[NoticeReference]: + def notice_reference(self) -> NoticeReference | None: return self._notice_reference @property - def explicit_text(self) -> typing.Optional[str]: + def explicit_text(self) -> str | None: return self._explicit_text class NoticeReference: def __init__( self, - organization: typing.Optional[str], + organization: str | None, notice_numbers: typing.Iterable[int], ) -> None: self._organization = organization @@ -966,11 +960,11 @@ def __hash__(self) -> int: return hash((self.organization, tuple(self.notice_numbers))) @property - def organization(self) -> typing.Optional[str]: + def organization(self) -> str | None: return self._organization @property - def notice_numbers(self) -> typing.List[int]: + def notice_numbers(self) -> list[int]: return self._notice_numbers @@ -1260,8 +1254,8 @@ class NameConstraints(ExtensionType): def __init__( self, - permitted_subtrees: typing.Optional[typing.Iterable[GeneralName]], - excluded_subtrees: typing.Optional[typing.Iterable[GeneralName]], + permitted_subtrees: typing.Iterable[GeneralName] | None, + excluded_subtrees: typing.Iterable[GeneralName] | None, ) -> None: if permitted_subtrees is not None: permitted_subtrees = list(permitted_subtrees) @@ -1343,16 +1337,12 @@ def __repr__(self) -> str: def __hash__(self) -> int: if self.permitted_subtrees is not None: - ps: typing.Optional[typing.Tuple[GeneralName, ...]] = tuple( - self.permitted_subtrees - ) + ps: tuple[GeneralName, ...] | None = tuple(self.permitted_subtrees) else: ps = None if self.excluded_subtrees is not None: - es: typing.Optional[typing.Tuple[GeneralName, ...]] = tuple( - self.excluded_subtrees - ) + es: tuple[GeneralName, ...] | None = tuple(self.excluded_subtrees) else: es = None @@ -1361,13 +1351,13 @@ def __hash__(self) -> int: @property def permitted_subtrees( self, - ) -> typing.Optional[typing.List[GeneralName]]: + ) -> list[GeneralName] | None: return self._permitted_subtrees @property def excluded_subtrees( self, - ) -> typing.Optional[typing.List[GeneralName]]: + ) -> list[GeneralName] | None: return self._excluded_subtrees def public_bytes(self) -> bytes: @@ -1438,58 +1428,52 @@ def __init__(self, general_names: typing.Iterable[GeneralName]) -> None: @typing.overload def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[UniformResourceIdentifier], - typing.Type[RFC822Name], - ], - ) -> typing.List[str]: + type: type[DNSName] + | type[UniformResourceIdentifier] + | type[RFC822Name], + ) -> list[str]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[DirectoryName], - ) -> typing.List[Name]: + type: type[DirectoryName], + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[RegisteredID], - ) -> typing.List[ObjectIdentifier]: + type: type[RegisteredID], + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( - self, type: typing.Type[IPAddress] - ) -> typing.List[_IPAddressTypes]: + self, type: type[IPAddress] + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type( - self, type: typing.Type[OtherName] - ) -> typing.List[OtherName]: + def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: ... def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[DirectoryName], - typing.Type[IPAddress], - typing.Type[OtherName], - typing.Type[RFC822Name], - typing.Type[RegisteredID], - typing.Type[UniformResourceIdentifier], - ], - ) -> typing.Union[ - typing.List[_IPAddressTypes], - typing.List[str], - typing.List[OtherName], - typing.List[Name], - typing.List[ObjectIdentifier], - ]: + type: type[DNSName] + | type[DirectoryName] + | type[IPAddress] + | type[OtherName] + | type[RFC822Name] + | type[RegisteredID] + | type[UniformResourceIdentifier], + ) -> ( + list[_IPAddressTypes] + | list[str] + | list[OtherName] + | list[Name] + | list[ObjectIdentifier] + ): # Return the value of each GeneralName, except for OtherName instances # which we return directly because it has two important properties not # just one value. @@ -1522,58 +1506,52 @@ def __init__(self, general_names: typing.Iterable[GeneralName]) -> None: @typing.overload def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[UniformResourceIdentifier], - typing.Type[RFC822Name], - ], - ) -> typing.List[str]: + type: type[DNSName] + | type[UniformResourceIdentifier] + | type[RFC822Name], + ) -> list[str]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[DirectoryName], - ) -> typing.List[Name]: + type: type[DirectoryName], + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[RegisteredID], - ) -> typing.List[ObjectIdentifier]: + type: type[RegisteredID], + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( - self, type: typing.Type[IPAddress] - ) -> typing.List[_IPAddressTypes]: + self, type: type[IPAddress] + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type( - self, type: typing.Type[OtherName] - ) -> typing.List[OtherName]: + def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: ... def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[DirectoryName], - typing.Type[IPAddress], - typing.Type[OtherName], - typing.Type[RFC822Name], - typing.Type[RegisteredID], - typing.Type[UniformResourceIdentifier], - ], - ) -> typing.Union[ - typing.List[_IPAddressTypes], - typing.List[str], - typing.List[OtherName], - typing.List[Name], - typing.List[ObjectIdentifier], - ]: + type: type[DNSName] + | type[DirectoryName] + | type[IPAddress] + | type[OtherName] + | type[RFC822Name] + | type[RegisteredID] + | type[UniformResourceIdentifier], + ) -> ( + list[_IPAddressTypes] + | list[str] + | list[OtherName] + | list[Name] + | list[ObjectIdentifier] + ): return self._general_names.get_values_for_type(type) def __repr__(self) -> str: @@ -1603,58 +1581,52 @@ def __init__(self, general_names: typing.Iterable[GeneralName]) -> None: @typing.overload def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[UniformResourceIdentifier], - typing.Type[RFC822Name], - ], - ) -> typing.List[str]: + type: type[DNSName] + | type[UniformResourceIdentifier] + | type[RFC822Name], + ) -> list[str]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[DirectoryName], - ) -> typing.List[Name]: + type: type[DirectoryName], + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[RegisteredID], - ) -> typing.List[ObjectIdentifier]: + type: type[RegisteredID], + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( - self, type: typing.Type[IPAddress] - ) -> typing.List[_IPAddressTypes]: + self, type: type[IPAddress] + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type( - self, type: typing.Type[OtherName] - ) -> typing.List[OtherName]: + def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: ... def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[DirectoryName], - typing.Type[IPAddress], - typing.Type[OtherName], - typing.Type[RFC822Name], - typing.Type[RegisteredID], - typing.Type[UniformResourceIdentifier], - ], - ) -> typing.Union[ - typing.List[_IPAddressTypes], - typing.List[str], - typing.List[OtherName], - typing.List[Name], - typing.List[ObjectIdentifier], - ]: + type: type[DNSName] + | type[DirectoryName] + | type[IPAddress] + | type[OtherName] + | type[RFC822Name] + | type[RegisteredID] + | type[UniformResourceIdentifier], + ) -> ( + list[_IPAddressTypes] + | list[str] + | list[OtherName] + | list[Name] + | list[ObjectIdentifier] + ): return self._general_names.get_values_for_type(type) def __repr__(self) -> str: @@ -1684,58 +1656,52 @@ def __init__(self, general_names: typing.Iterable[GeneralName]) -> None: @typing.overload def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[UniformResourceIdentifier], - typing.Type[RFC822Name], - ], - ) -> typing.List[str]: + type: type[DNSName] + | type[UniformResourceIdentifier] + | type[RFC822Name], + ) -> list[str]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[DirectoryName], - ) -> typing.List[Name]: + type: type[DirectoryName], + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, - type: typing.Type[RegisteredID], - ) -> typing.List[ObjectIdentifier]: + type: type[RegisteredID], + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( - self, type: typing.Type[IPAddress] - ) -> typing.List[_IPAddressTypes]: + self, type: type[IPAddress] + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type( - self, type: typing.Type[OtherName] - ) -> typing.List[OtherName]: + def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: ... def get_values_for_type( self, - type: typing.Union[ - typing.Type[DNSName], - typing.Type[DirectoryName], - typing.Type[IPAddress], - typing.Type[OtherName], - typing.Type[RFC822Name], - typing.Type[RegisteredID], - typing.Type[UniformResourceIdentifier], - ], - ) -> typing.Union[ - typing.List[_IPAddressTypes], - typing.List[str], - typing.List[OtherName], - typing.List[Name], - typing.List[ObjectIdentifier], - ]: + type: type[DNSName] + | type[DirectoryName] + | type[IPAddress] + | type[OtherName] + | type[RFC822Name] + | type[RegisteredID] + | type[UniformResourceIdentifier], + ) -> ( + list[_IPAddressTypes] + | list[str] + | list[OtherName] + | list[Name] + | list[ObjectIdentifier] + ): return self._general_names.get_values_for_type(type) def __repr__(self) -> str: @@ -1961,11 +1927,11 @@ class IssuingDistributionPoint(ExtensionType): def __init__( self, - full_name: typing.Optional[typing.Iterable[GeneralName]], - relative_name: typing.Optional[RelativeDistinguishedName], + full_name: typing.Iterable[GeneralName] | None, + relative_name: RelativeDistinguishedName | None, only_contains_user_certs: bool, only_contains_ca_certs: bool, - only_some_reasons: typing.Optional[typing.FrozenSet[ReasonFlags]], + only_some_reasons: frozenset[ReasonFlags] | None, indirect_crl: bool, only_contains_attribute_certs: bool, ) -> None: @@ -2083,11 +2049,11 @@ def __hash__(self) -> int: ) @property - def full_name(self) -> typing.Optional[typing.List[GeneralName]]: + def full_name(self) -> list[GeneralName] | None: return self._full_name @property - def relative_name(self) -> typing.Optional[RelativeDistinguishedName]: + def relative_name(self) -> RelativeDistinguishedName | None: return self._relative_name @property @@ -2101,7 +2067,7 @@ def only_contains_ca_certs(self) -> bool: @property def only_some_reasons( self, - ) -> typing.Optional[typing.FrozenSet[ReasonFlags]]: + ) -> frozenset[ReasonFlags] | None: return self._only_some_reasons @property @@ -2122,8 +2088,8 @@ class MSCertificateTemplate(ExtensionType): def __init__( self, template_id: ObjectIdentifier, - major_version: typing.Optional[int], - minor_version: typing.Optional[int], + major_version: int | None, + minor_version: int | None, ) -> None: if not isinstance(template_id, ObjectIdentifier): raise TypeError("oid must be an ObjectIdentifier") @@ -2144,11 +2110,11 @@ def template_id(self) -> ObjectIdentifier: return self._template_id @property - def major_version(self) -> typing.Optional[int]: + def major_version(self) -> int | None: return self._major_version @property - def minor_version(self) -> typing.Optional[int]: + def minor_version(self) -> int | None: return self._minor_version def __repr__(self) -> str: diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 8be2dac1416e..824a13315f99 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -31,7 +31,7 @@ class _ASN1Type(utils.Enum): _ASN1_TYPE_TO_ENUM = {i.value: i for i in _ASN1Type} -_NAMEOID_DEFAULT_TYPE: typing.Dict[ObjectIdentifier, _ASN1Type] = { +_NAMEOID_DEFAULT_TYPE: dict[ObjectIdentifier, _ASN1Type] = { NameOID.COUNTRY_NAME: _ASN1Type.PrintableString, NameOID.JURISDICTION_COUNTRY_NAME: _ASN1Type.PrintableString, NameOID.SERIAL_NUMBER: _ASN1Type.PrintableString, @@ -60,7 +60,7 @@ class _ASN1Type(utils.Enum): _NAME_TO_NAMEOID = {v: k for k, v in _NAMEOID_TO_NAME.items()} -def _escape_dn_value(val: typing.Union[str, bytes]) -> str: +def _escape_dn_value(val: str | bytes) -> str: """Escape special characters in RFC4514 Distinguished Name value.""" if not val: @@ -112,8 +112,8 @@ class NameAttribute: def __init__( self, oid: ObjectIdentifier, - value: typing.Union[str, bytes], - _type: typing.Optional[_ASN1Type] = None, + value: str | bytes, + _type: _ASN1Type | None = None, *, _validate: bool = True, ) -> None: @@ -170,7 +170,7 @@ def oid(self) -> ObjectIdentifier: return self._oid @property - def value(self) -> typing.Union[str, bytes]: + def value(self) -> str | bytes: return self._value @property @@ -182,7 +182,7 @@ def rfc4514_attribute_name(self) -> str: return _NAMEOID_TO_NAME.get(self.oid, self.oid.dotted_string) def rfc4514_string( - self, attr_name_overrides: typing.Optional[_OidNameMap] = None + self, attr_name_overrides: _OidNameMap | None = None ) -> str: """ Format as RFC4514 Distinguished Name string. @@ -228,11 +228,11 @@ def __init__(self, attributes: typing.Iterable[NameAttribute]): def get_attributes_for_oid( self, oid: ObjectIdentifier - ) -> typing.List[NameAttribute]: + ) -> list[NameAttribute]: return [i for i in self if i.oid == oid] def rfc4514_string( - self, attr_name_overrides: typing.Optional[_OidNameMap] = None + self, attr_name_overrides: _OidNameMap | None = None ) -> str: """ Format as RFC4514 Distinguished Name string. @@ -277,9 +277,7 @@ def __init__( def __init__( self, - attributes: typing.Iterable[ - typing.Union[NameAttribute, RelativeDistinguishedName] - ], + attributes: typing.Iterable[NameAttribute | RelativeDistinguishedName], ) -> None: attributes = list(attributes) if all(isinstance(x, NameAttribute) for x in attributes): @@ -301,12 +299,12 @@ def __init__( def from_rfc4514_string( cls, data: str, - attr_name_overrides: typing.Optional[_NameOidMap] = None, + attr_name_overrides: _NameOidMap | None = None, ) -> Name: return _RFC4514NameParser(data, attr_name_overrides or {}).parse() def rfc4514_string( - self, attr_name_overrides: typing.Optional[_OidNameMap] = None + self, attr_name_overrides: _OidNameMap | None = None ) -> str: """ Format as RFC4514 Distinguished Name string. @@ -325,11 +323,11 @@ def rfc4514_string( def get_attributes_for_oid( self, oid: ObjectIdentifier - ) -> typing.List[NameAttribute]: + ) -> list[NameAttribute]: return [i for i in self if i.oid == oid] @property - def rdns(self) -> typing.List[RelativeDistinguishedName]: + def rdns(self) -> list[RelativeDistinguishedName]: return self._attributes def public_bytes(self, backend: typing.Any = None) -> bytes: @@ -395,7 +393,7 @@ def __init__(self, data: str, attr_name_overrides: _NameOidMap) -> None: def _has_data(self) -> bool: return self._idx < len(self._data) - def _peek(self) -> typing.Optional[str]: + def _peek(self) -> str | None: if self._has_data(): return self._data[self._idx] return None diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index a3546230e2a7..114e0d1e34cf 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -65,9 +65,9 @@ def __init__( algorithm: hashes.HashAlgorithm, cert_status: OCSPCertStatus, this_update: datetime.datetime, - next_update: typing.Optional[datetime.datetime], - revocation_time: typing.Optional[datetime.datetime], - revocation_reason: typing.Optional[x509.ReasonFlags], + next_update: datetime.datetime | None, + revocation_time: datetime.datetime | None, + revocation_reason: x509.ReasonFlags | None, ): if not isinstance(cert, x509.Certificate) or not isinstance( issuer, x509.Certificate @@ -180,7 +180,7 @@ def certificate_status(self) -> OCSPCertStatus: @property @abc.abstractmethod - def revocation_time(self) -> typing.Optional[datetime.datetime]: + def revocation_time(self) -> datetime.datetime | None: """ The date of when the certificate was revoked or None if not revoked. @@ -188,7 +188,7 @@ def revocation_time(self) -> typing.Optional[datetime.datetime]: @property @abc.abstractmethod - def revocation_reason(self) -> typing.Optional[x509.ReasonFlags]: + def revocation_reason(self) -> x509.ReasonFlags | None: """ The reason the certificate was revoked or None if not specified or not revoked. @@ -204,7 +204,7 @@ def this_update(self) -> datetime.datetime: @property @abc.abstractmethod - def next_update(self) -> typing.Optional[datetime.datetime]: + def next_update(self) -> datetime.datetime | None: """ The time when newer information will be available """ @@ -266,7 +266,7 @@ def signature_algorithm_oid(self) -> x509.ObjectIdentifier: @abc.abstractmethod def signature_hash_algorithm( self, - ) -> typing.Optional[hashes.HashAlgorithm]: + ) -> hashes.HashAlgorithm | None: """ Returns a HashAlgorithm corresponding to the type of the digest signed """ @@ -287,7 +287,7 @@ def tbs_response_bytes(self) -> bytes: @property @abc.abstractmethod - def certificates(self) -> typing.List[x509.Certificate]: + def certificates(self) -> list[x509.Certificate]: """ A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate @@ -296,14 +296,14 @@ def certificates(self) -> typing.List[x509.Certificate]: @property @abc.abstractmethod - def responder_key_hash(self) -> typing.Optional[bytes]: + def responder_key_hash(self) -> bytes | None: """ The responder's key hash or None """ @property @abc.abstractmethod - def responder_name(self) -> typing.Optional[x509.Name]: + def responder_name(self) -> x509.Name | None: """ The responder's Name or None """ @@ -324,7 +324,7 @@ def certificate_status(self) -> OCSPCertStatus: @property @abc.abstractmethod - def revocation_time(self) -> typing.Optional[datetime.datetime]: + def revocation_time(self) -> datetime.datetime | None: """ The date of when the certificate was revoked or None if not revoked. @@ -332,7 +332,7 @@ def revocation_time(self) -> typing.Optional[datetime.datetime]: @property @abc.abstractmethod - def revocation_reason(self) -> typing.Optional[x509.ReasonFlags]: + def revocation_reason(self) -> x509.ReasonFlags | None: """ The reason the certificate was revoked or None if not specified or not revoked. @@ -348,7 +348,7 @@ def this_update(self) -> datetime.datetime: @property @abc.abstractmethod - def next_update(self) -> typing.Optional[datetime.datetime]: + def next_update(self) -> datetime.datetime | None: """ The time when newer information will be available """ @@ -405,15 +405,13 @@ def public_bytes(self, encoding: serialization.Encoding) -> bytes: class OCSPRequestBuilder: def __init__( self, - request: typing.Optional[ - typing.Tuple[ - x509.Certificate, x509.Certificate, hashes.HashAlgorithm - ] - ] = None, - request_hash: typing.Optional[ - typing.Tuple[bytes, bytes, int, hashes.HashAlgorithm] - ] = None, - extensions: typing.List[x509.Extension[x509.ExtensionType]] = [], + request: tuple[ + x509.Certificate, x509.Certificate, hashes.HashAlgorithm + ] + | None = None, + request_hash: tuple[bytes, bytes, int, hashes.HashAlgorithm] + | None = None, + extensions: list[x509.Extension[x509.ExtensionType]] = [], ) -> None: self._request = request self._request_hash = request_hash @@ -491,12 +489,11 @@ def build(self) -> OCSPRequest: class OCSPResponseBuilder: def __init__( self, - response: typing.Optional[_SingleResponse] = None, - responder_id: typing.Optional[ - typing.Tuple[x509.Certificate, OCSPResponderEncoding] - ] = None, - certs: typing.Optional[typing.List[x509.Certificate]] = None, - extensions: typing.List[x509.Extension[x509.ExtensionType]] = [], + response: _SingleResponse | None = None, + responder_id: tuple[x509.Certificate, OCSPResponderEncoding] + | None = None, + certs: list[x509.Certificate] | None = None, + extensions: list[x509.Extension[x509.ExtensionType]] = [], ): self._response = response self._responder_id = responder_id @@ -510,9 +507,9 @@ def add_response( algorithm: hashes.HashAlgorithm, cert_status: OCSPCertStatus, this_update: datetime.datetime, - next_update: typing.Optional[datetime.datetime], - revocation_time: typing.Optional[datetime.datetime], - revocation_reason: typing.Optional[x509.ReasonFlags], + next_update: datetime.datetime | None, + revocation_time: datetime.datetime | None, + revocation_reason: x509.ReasonFlags | None, ) -> OCSPResponseBuilder: if self._response is not None: raise ValueError("Only one response per OCSPResponse.") @@ -589,7 +586,7 @@ def add_extension( def sign( self, private_key: CertificateIssuerPrivateKeyTypes, - algorithm: typing.Optional[hashes.HashAlgorithm], + algorithm: hashes.HashAlgorithm | None, ) -> OCSPResponse: if self._response is None: raise ValueError("You must add a response before signing") From 32e8edc4b677ce730f2bbf4d50e363500ba4dfc6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 11 Aug 2023 19:50:08 -0700 Subject: [PATCH 0316/1014] Bump BoringSSL and/or OpenSSL in CI (#9406) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 363000ceafd5..b6b8eae5b27d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 11, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "58adb8e1d62d6da9c1ab9f73e986273992a2b742"}} + # Latest commit on the BoringSSL master branch, as of Aug 12, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "dbd143c24784e0eeb7082f840dba937f958e517f"}} # Latest commit on the OpenSSL master branch, as of Aug 11, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f2609004df4d91a365338e11d04ff67589f2d3e3"}} # Builds with various Rust versions. Includes MSRV and next From 51c0265d871bafb8ad03aa02bd735fa46707d205 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 02:02:10 +0000 Subject: [PATCH 0317/1014] Bump Swatinem/rust-cache from 2.6.0 to 2.6.1 in /.github/actions/cache (#9407) Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/b8a6852b4f997182bdea832df3f9e153038b5191...578b235f6e5f613f7727f1c17bd3305b4d4d4e1f) --- updated-dependencies: - dependency-name: Swatinem/rust-cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/cache/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 8d691d377fcc..75d4d4696a50 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@b8a6852b4f997182bdea832df3f9e153038b5191 # v2.6.0 + - uses: Swatinem/rust-cache@578b235f6e5f613f7727f1c17bd3305b4d4d4e1f # v2.6.1 with: key: ${{ steps.normalized-key.outputs.key }} workspaces: "./src/rust/ -> target" From fb2c5aab8ea135ecc4fb260ab8947f6181395305 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 02:06:58 +0000 Subject: [PATCH 0318/1014] Bump virtualenv from 20.24.2 to 20.24.3 (#9409) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.2 to 20.24.3. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.2...20.24.3) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5f8a9a9001f5..373cb7613abe 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.4 # via # requests # twine -virtualenv==20.24.2 +virtualenv==20.24.3 # via nox webencodings==0.5.1 # via bleach From 71b65226bd118e8d8c8c3bd3323649017451c039 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 13 Aug 2023 22:12:18 -0400 Subject: [PATCH 0319/1014] pin coverage only on 3.8+ (#9410) they've dropped 3.7 support --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 373cb7613abe..bab52d228ab3 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -29,7 +29,7 @@ click==8.1.6 # via black colorlog==6.7.0 # via nox -coverage==7.2.7 +coverage==7.3.0; python_version >= "3.8" # via pytest-cov distlib==0.3.7 # via virtualenv From 19b40c27a78bf1120133691dcfd4a74e788dbd4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 12:54:57 +0000 Subject: [PATCH 0320/1014] Bump exceptiongroup from 1.1.2 to 1.1.3 (#9413) Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.1.2 to 1.1.3. - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.1.2...1.1.3) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bab52d228ab3..5660a5dcf183 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -38,7 +38,7 @@ docutils==0.18.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.1.2 +exceptiongroup==1.1.3 # via pytest execnet==2.0.2 # via pytest-xdist From c6d7bdfc4ebd8e7dd828096ea3a9116d971c5432 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 14 Aug 2023 19:14:54 +0200 Subject: [PATCH 0321/1014] common: add more RSA-PSS algorithm id definitions (#9412) Breakout from #9405. Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/common.rs | 32 ++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 00e7136eccdd..d8184d17c0b8 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -234,6 +234,22 @@ pub const PSS_SHA1_HASH_ALG: AlgorithmIdentifier<'_> = AlgorithmIdentifier { params: AlgorithmParameters::Sha1(Some(())), }; +// RSA-PSS ASN.1 hash algorithm definitions specified under the CA/B Forum BRs. +pub const PSS_SHA256_HASH_ALG: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Sha256(Some(())), +}; + +pub const PSS_SHA384_HASH_ALG: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Sha384(Some(())), +}; + +pub const PSS_SHA512_HASH_ALG: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Sha512(Some(())), +}; + // This is defined as an AlgorithmIdentifier in RFC 4055, // but the mask generation algorithm **must** contain an AlgorithmIdentifier // in its params, so we define it this way. @@ -249,6 +265,22 @@ pub const PSS_SHA1_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { params: PSS_SHA1_HASH_ALG, }; +// RSA-PSS ASN.1 mask gen algorithms defined under the CA/B Forum BRs. +pub const PSS_SHA256_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { + oid: oid::MGF1_OID, + params: PSS_SHA256_HASH_ALG, +}; + +pub const PSS_SHA384_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { + oid: oid::MGF1_OID, + params: PSS_SHA384_HASH_ALG, +}; + +pub const PSS_SHA512_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { + oid: oid::MGF1_OID, + params: PSS_SHA512_HASH_ALG, +}; + // From RFC 4055 section 3.1: // RSASSA-PSS-params ::= SEQUENCE { // hashAlgorithm [0] HashAlgorithm DEFAULT From a6baeceffc2110383d72217a2f73e93a839ca365 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 14 Aug 2023 20:09:00 +0200 Subject: [PATCH 0322/1014] x509: add Store API (#9411) * Add x509.verification.Store One of many sub-breakouts. Signed-off-by: William Woodruff * lib: actually load the new verify module Signed-off-by: William Woodruff * fix hints, add initial store tests Signed-off-by: William Woodruff * verify: use `any` instead of for-if loop Signed-off-by: William Woodruff * verify: mark Store as frozen Signed-off-by: William Woodruff * verify: don't use an interior PyList Signed-off-by: William Woodruff * verify: don't overthink the types Signed-off-by: William Woodruff * verification: __all__ Signed-off-by: William Woodruff * verification: relocate __all__ Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../hazmat/bindings/_rust/x509.pyi | 3 +++ src/cryptography/x509/__init__.py | 3 ++- src/cryptography/x509/verification.py | 9 +++++++ src/rust/src/lib.rs | 1 + src/rust/src/x509/mod.rs | 1 + src/rust/src/x509/verify.rs | 26 +++++++++++++++++++ tests/x509/test_verification.py | 24 +++++++++++++++++ 7 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 src/cryptography/x509/verification.py create mode 100644 src/rust/src/x509/verify.rs create mode 100644 tests/x509/test_verification.py diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 08e46a31cc1c..9be3dabe6703 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -40,3 +40,6 @@ class Certificate: ... class RevokedCertificate: ... class CertificateRevocationList: ... class CertificateSigningRequest: ... + +class Store: + def __init__(self, certs: list[x509.Certificate]) -> None: ... diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index d77694a29906..80c5b4dd14b5 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -4,7 +4,7 @@ from __future__ import annotations -from cryptography.x509 import certificate_transparency +from cryptography.x509 import certificate_transparency, verification from cryptography.x509.base import ( Attribute, AttributeNotFound, @@ -179,6 +179,7 @@ "load_pem_x509_crl", "load_der_x509_crl", "random_serial_number", + "verification", "Attribute", "AttributeNotFound", "Attributes", diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py new file mode 100644 index 000000000000..c622c47e2a2d --- /dev/null +++ b/src/cryptography/x509/verification.py @@ -0,0 +1,9 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from cryptography.hazmat.bindings._rust import x509 as rust_x509 + +__all__ = ["Store"] + +Store = rust_x509.Store diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index c8d92f511b7f..2da39a5523b9 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -153,6 +153,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> crate::x509::crl::add_to_module(x509_mod)?; crate::x509::csr::add_to_module(x509_mod)?; crate::x509::sct::add_to_module(x509_mod)?; + crate::x509::verify::add_to_module(x509_mod)?; m.add_submodule(x509_mod)?; let ocsp_mod = pyo3::prelude::PyModule::new(py, "ocsp")?; diff --git a/src/rust/src/x509/mod.rs b/src/rust/src/x509/mod.rs index c43bf9023e71..c1ce452567ca 100644 --- a/src/rust/src/x509/mod.rs +++ b/src/rust/src/x509/mod.rs @@ -12,6 +12,7 @@ pub(crate) mod ocsp_req; pub(crate) mod ocsp_resp; pub(crate) mod sct; pub(crate) mod sign; +pub(crate) mod verify; pub(crate) use common::{ datetime_to_py, find_in_pem, parse_and_cache_extensions, parse_general_name, diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs new file mode 100644 index 000000000000..e1a47f333a0a --- /dev/null +++ b/src/rust/src/x509/verify.rs @@ -0,0 +1,26 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::x509::certificate::Certificate as PyCertificate; + +#[pyo3::pyclass( + frozen, + name = "Store", + module = "cryptography.hazmat.bindings._rust.x509" +)] +struct PyStore(Vec>); + +#[pyo3::pymethods] +impl PyStore { + #[new] + fn new(certs: Vec>) -> pyo3::PyResult { + Ok(Self(certs)) + } +} + +pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { + module.add_class::()?; + + Ok(()) +} diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py new file mode 100644 index 000000000000..9d9e4df94518 --- /dev/null +++ b/tests/x509/test_verification.py @@ -0,0 +1,24 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import os + +import pytest + +from cryptography import x509 +from cryptography.x509.verification import Store +from tests.x509.test_x509 import _load_cert + + +class TestStore: + def test_store_rejects_non_certificates(self): + with pytest.raises(TypeError): + Store(["not a cert"]) # type: ignore[list-item] + + def test_store_initializes(self): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + ) + assert Store([cert]) is not None From f4362f4e6a10097c2bc743475348c202b3f47f8b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 14 Aug 2023 20:48:27 +0200 Subject: [PATCH 0323/1014] docs: add Store docs (#9416) * docs: add Store docs Signed-off-by: William Woodruff * src, tests: don't allow empty stores Signed-off-by: William Woodruff * Update docs/x509/verification.rst Co-authored-by: Alex Gaynor --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- docs/x509/index.rst | 1 + docs/x509/verification.rst | 23 +++++++++++++++++++++++ src/rust/src/x509/verify.rs | 5 +++++ tests/x509/test_verification.py | 4 ++++ 4 files changed, 33 insertions(+) create mode 100644 docs/x509/verification.rst diff --git a/docs/x509/index.rst b/docs/x509/index.rst index ef51fbf6220f..6e26846f6747 100644 --- a/docs/x509/index.rst +++ b/docs/x509/index.rst @@ -11,6 +11,7 @@ certificates are commonly used in protocols like `TLS`_. tutorial certificate-transparency ocsp + verification reference .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst new file mode 100644 index 000000000000..c0d4c311e0f1 --- /dev/null +++ b/docs/x509/verification.rst @@ -0,0 +1,23 @@ +X.509 verification +================== + +.. currentmodule:: cryptography.x509.verification + +Support for X.509 certificate verification, also known as path validation, +chain building, etc. + +.. note:: + This module is a work in progress, and does not yet contain a fully usable + X.509 path validation implementation. + +.. class:: Store(certs) + + .. versionadded:: 42.0.0 + + A Store is an opaque set of public keys and subject identifiers that are + considered trusted *a priori*. Stores are typically created from the host + OS's root of trust, from a well-known source such as a browser CA bundle, + or from a small set of manually pre-trusted entities. + + :param certs: A list of one or more :class:`~cryptography.x509.Certificate` + instances. diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index e1a47f333a0a..aef4d6a1c3ce 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -15,6 +15,11 @@ struct PyStore(Vec>); impl PyStore { #[new] fn new(certs: Vec>) -> pyo3::PyResult { + if certs.is_empty() { + return Err(pyo3::exceptions::PyValueError::new_err( + "can't create an empty store", + )); + } Ok(Self(certs)) } } diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 9d9e4df94518..8e8ad3b0900d 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -12,6 +12,10 @@ class TestStore: + def test_store_rejects_empty_list(self): + with pytest.raises(ValueError): + Store([]) + def test_store_rejects_non_certificates(self): with pytest.raises(TypeError): Store(["not a cert"]) # type: ignore[list-item] From 4721ce42d97c52d40b7c693bb57b3aec696059e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:06:43 +0000 Subject: [PATCH 0324/1014] Bump sphinxcontrib-applehelp from 1.0.6 to 1.0.7 (#9419) Bumps [sphinxcontrib-applehelp](https://github.com/sphinx-doc/sphinxcontrib-applehelp) from 1.0.6 to 1.0.7. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-applehelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-applehelp/blob/1.0.7/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-applehelp/compare/1.0.6...1.0.7) --- updated-dependencies: - dependency-name: sphinxcontrib-applehelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5660a5dcf183..a0ed1e1dd39d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -152,7 +152,7 @@ sphinx==6.2.1 # sphinxcontrib-spelling sphinx-rtd-theme==1.2.2 # via cryptography (pyproject.toml) -sphinxcontrib-applehelp==1.0.6 +sphinxcontrib-applehelp==1.0.7 # via sphinx sphinxcontrib-devhelp==1.0.4 # via sphinx From 4f140e1b7b2dfc0d58e6d2ad0783453bd4406941 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:07:04 +0000 Subject: [PATCH 0325/1014] Bump sphinxcontrib-serializinghtml from 1.1.7 to 1.1.8 (#9420) Bumps [sphinxcontrib-serializinghtml](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml) from 1.1.7 to 1.1.8. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/blob/1.1.8/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/compare/1.1.7...1.1.8) --- updated-dependencies: - dependency-name: sphinxcontrib-serializinghtml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a0ed1e1dd39d..df552d6168c9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -164,7 +164,7 @@ sphinxcontrib-jsmath==1.0.1 # via sphinx sphinxcontrib-qthelp==1.0.5 # via sphinx -sphinxcontrib-serializinghtml==1.1.7 +sphinxcontrib-serializinghtml==1.1.8 # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) From 2f8a3cccf6c4bb3456196979bce7ce7ed689c19c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:07:11 +0000 Subject: [PATCH 0326/1014] Bump sphinxcontrib-htmlhelp from 2.0.3 to 2.0.4 (#9417) Bumps [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) from 2.0.3 to 2.0.4. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/2.0.4/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/compare/2.0.3...2.0.4) --- updated-dependencies: - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index df552d6168c9..11a3badc38fe 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -156,7 +156,7 @@ sphinxcontrib-applehelp==1.0.7 # via sphinx sphinxcontrib-devhelp==1.0.4 # via sphinx -sphinxcontrib-htmlhelp==2.0.3 +sphinxcontrib-htmlhelp==2.0.4 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme From c6008eaee130797318bac7fc2563053998bc28ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:07:23 +0000 Subject: [PATCH 0327/1014] Bump sphinxcontrib-qthelp from 1.0.5 to 1.0.6 (#9418) Bumps [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) from 1.0.5 to 1.0.6. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/1.0.6/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-qthelp/compare/1.0.5...1.0.6) --- updated-dependencies: - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 11a3badc38fe..6da9010a240d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -162,7 +162,7 @@ sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.5 +sphinxcontrib-qthelp==1.0.6 # via sphinx sphinxcontrib-serializinghtml==1.1.8 # via sphinx From a4210a39c2b242f3793cdf8ec5cb84dec779b25f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:07:33 +0000 Subject: [PATCH 0328/1014] Bump windows_x86_64_gnu from 0.48.0 to 0.48.2 in /src/rust (#9421) Bumps [windows_x86_64_gnu](https://github.com/microsoft/windows-rs) from 0.48.0 to 0.48.2. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows_x86_64_gnu dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e378ff324648..95bfdf6771b1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -427,9 +427,9 @@ checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" [[package]] name = "windows_x86_64_gnu" -version = "0.48.0" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1" +checksum = "ea99ff3f8b49fb7a8e0d305e5aec485bd068c2ba691b6e277d29eaeac945868a" [[package]] name = "windows_x86_64_gnullvm" From 6d9439b8067acbbf56bce6485205704f42cf55bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:07:43 +0000 Subject: [PATCH 0329/1014] Bump windows_x86_64_gnullvm from 0.48.0 to 0.48.2 in /src/rust (#9426) Bumps [windows_x86_64_gnullvm](https://github.com/microsoft/windows-rs) from 0.48.0 to 0.48.2. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows_x86_64_gnullvm dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 95bfdf6771b1..a6bf980f675e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -433,9 +433,9 @@ checksum = "ea99ff3f8b49fb7a8e0d305e5aec485bd068c2ba691b6e277d29eaeac945868a" [[package]] name = "windows_x86_64_gnullvm" -version = "0.48.0" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953" +checksum = "8f1a05a1ece9a7a0d5a7ccf30ba2c33e3a61a30e042ffd247567d1de1d94120d" [[package]] name = "windows_x86_64_msvc" From 803527c1063aab9c29251a748520a38084ca6d50 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:07:50 +0000 Subject: [PATCH 0330/1014] Bump sphinxcontrib-devhelp from 1.0.4 to 1.0.5 (#9422) Bumps [sphinxcontrib-devhelp](https://github.com/sphinx-doc/sphinxcontrib-devhelp) from 1.0.4 to 1.0.5. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-devhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-devhelp/blob/1.0.5/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-devhelp/compare/1.0.4...1.0.5) --- updated-dependencies: - dependency-name: sphinxcontrib-devhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6da9010a240d..7ffa6f4eb2e0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -154,7 +154,7 @@ sphinx-rtd-theme==1.2.2 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.7 # via sphinx -sphinxcontrib-devhelp==1.0.4 +sphinxcontrib-devhelp==1.0.5 # via sphinx sphinxcontrib-htmlhelp==2.0.4 # via sphinx From ae03f1f67bd46ca54b5cf878c72ef7715f8c7bd4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:07:55 +0000 Subject: [PATCH 0331/1014] Bump windows_aarch64_msvc from 0.48.0 to 0.48.2 in /src/rust (#9423) Bumps [windows_aarch64_msvc](https://github.com/microsoft/windows-rs) from 0.48.0 to 0.48.2. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows_aarch64_msvc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a6bf980f675e..5daf45b74057 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -409,9 +409,9 @@ checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" [[package]] name = "windows_aarch64_msvc" -version = "0.48.0" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3" +checksum = "571d8d4e62f26d4932099a9efe89660e8bd5087775a2ab5cdd8b747b811f1058" [[package]] name = "windows_i686_gnu" From 7d3f1cb48e3d86829839428baaabd10a58c5087e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:08:06 +0000 Subject: [PATCH 0332/1014] Bump windows_i686_gnu from 0.48.0 to 0.48.2 in /src/rust (#9424) Bumps [windows_i686_gnu](https://github.com/microsoft/windows-rs) from 0.48.0 to 0.48.2. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows_i686_gnu dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5daf45b74057..f12d3352ce33 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -415,9 +415,9 @@ checksum = "571d8d4e62f26d4932099a9efe89660e8bd5087775a2ab5cdd8b747b811f1058" [[package]] name = "windows_i686_gnu" -version = "0.48.0" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241" +checksum = "2229ad223e178db5fbbc8bd8d3835e51e566b8474bfca58d2e6150c48bb723cd" [[package]] name = "windows_i686_msvc" From 7370fc5961d64eec1d86ef5986b03724fb88e43b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:08:20 +0000 Subject: [PATCH 0333/1014] Bump windows_x86_64_msvc from 0.48.0 to 0.48.2 in /src/rust (#9427) Bumps [windows_x86_64_msvc](https://github.com/microsoft/windows-rs) from 0.48.0 to 0.48.2. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows_x86_64_msvc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f12d3352ce33..50b6d1119e5e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -439,6 +439,6 @@ checksum = "8f1a05a1ece9a7a0d5a7ccf30ba2c33e3a61a30e042ffd247567d1de1d94120d" [[package]] name = "windows_x86_64_msvc" -version = "0.48.0" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" +checksum = "d419259aba16b663966e29e6d7c6ecfa0bb8425818bb96f6f1f3c3eb71a6e7b9" From 19fcf63977a5160a3095b18ba5bed8bc0642330d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:35:55 +0000 Subject: [PATCH 0334/1014] Bump windows-targets from 0.48.1 to 0.48.2 in /src/rust (#9429) Bumps [windows-targets](https://github.com/microsoft/windows-rs) from 0.48.1 to 0.48.2. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows-targets dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 50b6d1119e5e..37ef7e959dfb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -388,9 +388,9 @@ checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" [[package]] name = "windows-targets" -version = "0.48.1" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05d4b17490f70499f20b9e791dcf6a299785ce8af4d709018206dc5b4953e95f" +checksum = "d1eeca1c172a285ee6c2c84c341ccea837e7c01b12fbb2d0fe3c9e550ce49ec8" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", @@ -403,9 +403,9 @@ dependencies = [ [[package]] name = "windows_aarch64_gnullvm" -version = "0.48.0" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" +checksum = "b10d0c968ba7f6166195e13d593af609ec2e3d24f916f081690695cf5eaffb2f" [[package]] name = "windows_aarch64_msvc" @@ -421,9 +421,9 @@ checksum = "2229ad223e178db5fbbc8bd8d3835e51e566b8474bfca58d2e6150c48bb723cd" [[package]] name = "windows_i686_msvc" -version = "0.48.0" +version = "0.48.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" +checksum = "600956e2d840c194eedfc5d18f8242bc2e17c7775b6684488af3a9fff6fe3287" [[package]] name = "windows_x86_64_gnu" From fb56ff8865a4416652ed169b68d9d49ba9f5a979 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:39:23 -0400 Subject: [PATCH 0335/1014] Bump BoringSSL and/or OpenSSL in CI (#9430) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b6b8eae5b27d..487e32959dd7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 12, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "dbd143c24784e0eeb7082f840dba937f958e517f"}} - # Latest commit on the OpenSSL master branch, as of Aug 11, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f2609004df4d91a365338e11d04ff67589f2d3e3"}} + # Latest commit on the BoringSSL master branch, as of Aug 15, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "180066d66d469c26ca605f522bf5c1f08547be3e"}} + # Latest commit on the OpenSSL master branch, as of Aug 15, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f7b2942c041ee803557a009a4554760c56484c9d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From e9e1b043e107201f53358e190fa906c0d45412af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Aug 2023 12:31:05 +0000 Subject: [PATCH 0336/1014] Bump pytest-randomly from 3.13.0 to 3.14.0 (#9431) Bumps [pytest-randomly](https://github.com/pytest-dev/pytest-randomly) from 3.13.0 to 3.14.0. - [Changelog](https://github.com/pytest-dev/pytest-randomly/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-randomly/compare/3.13.0...3.14.0) --- updated-dependencies: - dependency-name: pytest-randomly dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7ffa6f4eb2e0..767a9600c0a0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -121,7 +121,7 @@ pytest-benchmark==4.0.0 # via cryptography (pyproject.toml) pytest-cov==4.1.0 # via cryptography (pyproject.toml) -pytest-randomly==3.13.0 +pytest-randomly==3.14.0 # via cryptography (pyproject.toml) pytest-xdist==3.3.1 # via cryptography (pyproject.toml) From 986c4b5ccb6026bd88bf909e2c3632b58be15228 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 16 Aug 2023 00:16:23 +0000 Subject: [PATCH 0337/1014] Bump BoringSSL and/or OpenSSL in CI (#9434) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 487e32959dd7..f726c9ab18f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 15, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "180066d66d469c26ca605f522bf5c1f08547be3e"}} - # Latest commit on the OpenSSL master branch, as of Aug 15, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f7b2942c041ee803557a009a4554760c56484c9d"}} + # Latest commit on the BoringSSL master branch, as of Aug 16, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ac45226f8d8223d70ed37cf81df5f03aea1d533c"}} + # Latest commit on the OpenSSL master branch, as of Aug 16, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "830b6a13f9aecd42da61b79c93f236575cc58793"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 212fa583b1eeb0ec4243ce84dc70b73ec2da137f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 15 Aug 2023 20:20:25 -0400 Subject: [PATCH 0338/1014] fixes #9403 -- re-allow copying public keys (#9433) they are immutable, so this is trivial --- src/rust/src/backend/dh.rs | 4 ++++ src/rust/src/backend/dsa.rs | 4 ++++ src/rust/src/backend/ec.rs | 5 +++++ src/rust/src/backend/ed25519.rs | 4 ++++ src/rust/src/backend/ed448.rs | 4 ++++ src/rust/src/backend/x25519.rs | 4 ++++ src/rust/src/backend/x448.rs | 4 ++++ tests/hazmat/primitives/test_dh.py | 16 ++++++++++++++++ tests/hazmat/primitives/test_dsa.py | 11 +++++++++++ tests/hazmat/primitives/test_ec.py | 13 ++++++++++++- tests/hazmat/primitives/test_ed25519.py | 17 +++++++++++++++++ tests/hazmat/primitives/test_ed448.py | 17 +++++++++++++++++ tests/hazmat/primitives/test_rsa.py | 7 +++++++ tests/hazmat/primitives/test_x25519.py | 17 +++++++++++++++++ tests/hazmat/primitives/test_x448.py | 17 +++++++++++++++++ 15 files changed, 143 insertions(+), 1 deletion(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 9cf631d7e8a9..cbfd0d374009 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -352,6 +352,10 @@ impl DHPublicKey { _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), } } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } } #[pyo3::prelude::pymethods] diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index db328336ebe5..7d740d281d72 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -295,6 +295,10 @@ impl DsaPublicKey { _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), } } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } } #[pyo3::prelude::pymethods] diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 766094b2a89a..a4c4afc9d231 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -558,7 +558,12 @@ impl ECPublicKey { _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), } } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } } + pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "ec")?; m.add_function(pyo3::wrap_pyfunction!(curve_supported, m)?)?; diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index d0baba7e49bb..5a51cd7d8405 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -160,6 +160,10 @@ impl Ed25519PublicKey { _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), } } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } } pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 25d782fd3e8f..0706e4a95f74 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -158,6 +158,10 @@ impl Ed448PublicKey { _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), } } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } } pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 728f0231cb61..6b34842a6f3c 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -149,6 +149,10 @@ impl X25519PublicKey { _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), } } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } } pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 4c6da8c7d4cc..65f3249ef160 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -148,6 +148,10 @@ impl X448PublicKey { _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), } } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } } pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 4a9afc15a560..3fc3ef17e8b7 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -4,6 +4,7 @@ import binascii +import copy import itertools import os import typing @@ -489,6 +490,21 @@ def test_public_key_equality(self, backend): with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] + @pytest.mark.supported( + only_if=lambda backend: backend.dh_x942_serialization_supported(), + skip_message="DH X9.42 not supported", + ) + def test_public_key_copy(self): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "DH", "dhpub.pem"), + lambda pemfile: pemfile.read(), + mode="rb", + ) + key1 = serialization.load_pem_public_key(key_bytes) + key2 = copy.copy(key1) + + assert key1 == key2 + @pytest.mark.supported( only_if=lambda backend: backend.dh_supported(), diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index bf50c47c4295..936b1a80f232 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -3,6 +3,7 @@ # for complete details. +import copy import itertools import os import typing @@ -398,6 +399,16 @@ def test_public_key_equality(self, backend): with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] + def test_public_key_copy(self): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"), + lambda pemfile: pemfile.read().encode(), + ) + key1 = serialization.load_pem_private_key(key_bytes, None).public_key() + key2 = copy.copy(key1) + + assert key1 == key2 + @pytest.mark.supported( only_if=lambda backend: backend.dsa_supported(), diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 1da36b86abf8..cf96bfc5182f 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -2,8 +2,8 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii +import copy import itertools import os import textwrap @@ -617,6 +617,17 @@ def test_public_key_equality(self, backend): with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] + def test_public_key_copy(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "PKCS8", "ec_private_key.pem"), + lambda pemfile: pemfile.read().encode(), + ) + key1 = serialization.load_pem_private_key(key_bytes, None).public_key() + key2 = copy.copy(key1) + + assert key1 == key2 + class TestECSerialization: @pytest.mark.parametrize( diff --git a/tests/hazmat/primitives/test_ed25519.py b/tests/hazmat/primitives/test_ed25519.py index 2501f1cf1bb1..8e6b33b1fd62 100644 --- a/tests/hazmat/primitives/test_ed25519.py +++ b/tests/hazmat/primitives/test_ed25519.py @@ -4,6 +4,7 @@ import binascii +import copy import os import pytest @@ -294,3 +295,19 @@ def test_public_key_equality(backend): with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] + + +@pytest.mark.supported( + only_if=lambda backend: backend.ed25519_supported(), + skip_message="Requires OpenSSL with Ed25519 support", +) +def test_public_key_copy(backend): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "Ed25519", "ed25519-pkcs8.der"), + lambda derfile: derfile.read(), + mode="rb", + ) + key1 = serialization.load_der_private_key(key_bytes, None).public_key() + key2 = copy.copy(key1) + + assert key1 == key2 diff --git a/tests/hazmat/primitives/test_ed448.py b/tests/hazmat/primitives/test_ed448.py index 650cdda7997c..d363f38dfd96 100644 --- a/tests/hazmat/primitives/test_ed448.py +++ b/tests/hazmat/primitives/test_ed448.py @@ -4,6 +4,7 @@ import binascii +import copy import os import pytest @@ -288,3 +289,19 @@ def test_public_key_equality(backend): with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] + + +@pytest.mark.supported( + only_if=lambda backend: backend.ed448_supported(), + skip_message="Requires OpenSSL with Ed448 support", +) +def test_public_key_copy(backend): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "Ed448", "ed448-pkcs8.der"), + lambda derfile: derfile.read(), + mode="rb", + ) + key1 = serialization.load_der_private_key(key_bytes, None).public_key() + key2 = copy.copy(key1) + + assert key1 == key2 diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 3cb3b17efb22..eda445b8e03e 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -4,6 +4,7 @@ import binascii +import copy import itertools import os @@ -2734,3 +2735,9 @@ def test_public_key_equality(self, rsa_key_2048: rsa.RSAPrivateKey): assert key1 == key2 assert key1 != key3 assert key1 != object() + + def test_public_key_copy(self, rsa_key_2048: rsa.RSAPrivateKey): + key1 = rsa_key_2048.public_key() + key2 = copy.copy(key1) + + assert key1 == key2 diff --git a/tests/hazmat/primitives/test_x25519.py b/tests/hazmat/primitives/test_x25519.py index 2b86d3d5e22b..f81a14930257 100644 --- a/tests/hazmat/primitives/test_x25519.py +++ b/tests/hazmat/primitives/test_x25519.py @@ -4,6 +4,7 @@ import binascii +import copy import os import pytest @@ -351,3 +352,19 @@ def test_public_key_equality(backend): assert key1 != object() with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] + + +@pytest.mark.supported( + only_if=lambda backend: backend.x25519_supported(), + skip_message="Requires OpenSSL with X25519 support", +) +def test_public_key_copy(backend): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "X25519", "x25519-pkcs8.der"), + lambda derfile: derfile.read(), + mode="rb", + ) + key1 = serialization.load_der_private_key(key_bytes, None).public_key() + key2 = copy.copy(key1) + + assert key1 == key2 diff --git a/tests/hazmat/primitives/test_x448.py b/tests/hazmat/primitives/test_x448.py index e2f840fa82fb..46f4856c180d 100644 --- a/tests/hazmat/primitives/test_x448.py +++ b/tests/hazmat/primitives/test_x448.py @@ -4,6 +4,7 @@ import binascii +import copy import os import pytest @@ -280,3 +281,19 @@ def test_public_key_equality(backend): assert key1 != object() with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] + + +@pytest.mark.supported( + only_if=lambda backend: backend.x448_supported(), + skip_message="Requires OpenSSL with X448 support", +) +def test_public_key_copy(backend): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "X448", "x448-pkcs8.der"), + lambda derfile: derfile.read(), + mode="rb", + ) + key1 = serialization.load_der_private_key(key_bytes, None).public_key() + key2 = copy.copy(key1) + + assert key1 == key2 From 8f67ff280623dfe983668e7cf4ba9b12edc28645 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Aug 2023 07:14:18 -0700 Subject: [PATCH 0339/1014] Bump pytest-randomly from 3.14.0 to 3.15.0 (#9436) Bumps [pytest-randomly](https://github.com/pytest-dev/pytest-randomly) from 3.14.0 to 3.15.0. - [Changelog](https://github.com/pytest-dev/pytest-randomly/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-randomly/compare/3.14.0...3.15.0) --- updated-dependencies: - dependency-name: pytest-randomly dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 767a9600c0a0..0ace36b8b291 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -121,7 +121,7 @@ pytest-benchmark==4.0.0 # via cryptography (pyproject.toml) pytest-cov==4.1.0 # via cryptography (pyproject.toml) -pytest-randomly==3.14.0 +pytest-randomly==3.15.0 # via cryptography (pyproject.toml) pytest-xdist==3.3.1 # via cryptography (pyproject.toml) From 17f49cffb6e3ad74517f750436c66cf6d53c7a6f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 00:17:37 +0000 Subject: [PATCH 0340/1014] Bump BoringSSL and/or OpenSSL in CI (#9438) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f726c9ab18f0..4f8e38cafa75 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 16, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ac45226f8d8223d70ed37cf81df5f03aea1d533c"}} - # Latest commit on the OpenSSL master branch, as of Aug 16, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "830b6a13f9aecd42da61b79c93f236575cc58793"}} + # Latest commit on the BoringSSL master branch, as of Aug 17, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9f4cad2208b703350fe11d9469125dad55c34d30"}} + # Latest commit on the OpenSSL master branch, as of Aug 17, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "39ed7636e0d8a90512e7ccb811cd0bfcb7a79650"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From e00346cad3c233c44c8c9554a7cc50656d1f4903 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 13:03:56 +0000 Subject: [PATCH 0341/1014] Bump quote from 1.0.32 to 1.0.33 in /src/rust (#9440) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.32 to 1.0.33. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.32...1.0.33) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 37ef7e959dfb..e19f5b5abbd6 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -306,9 +306,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.32" +version = "1.0.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50f3b39ccfb720540debaa0164757101c08ecb8d326b15358ce76a62c7e85965" +checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" dependencies = [ "proc-macro2", ] From 04eca65f7aff37dc75c04c21b880538ae974ed40 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 17 Aug 2023 09:05:58 -0400 Subject: [PATCH 0342/1014] Build wheels with python 3.11, targeting 3.7 (#9439) * Build wheels with python 3.10, targeting 3.7 * Update wheel-builder.yml * Update wheel-builder.yml * Update wheel-builder.yml --- .github/workflows/wheel-builder.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 36d6dea8d796..989f428adfcb 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -58,7 +58,7 @@ jobs: fail-fast: false matrix: PYTHON: - - { VERSION: "cp37-cp37m", ABI_VERSION: 'cp37' } + - { VERSION: "cp311-cp311", ABI_VERSION: 'cp37' } - { VERSION: "pp39-pypy39_pp73" } - { VERSION: "pp310-pypy310_pp73" } MANYLINUX: From 5d0ef0ced102e24d944c9553f6e8f04d0e168042 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 13:08:39 +0000 Subject: [PATCH 0343/1014] Bump mypy from 1.5.0 to 1.5.1 (#9441) Bumps [mypy](https://github.com/python/mypy) from 1.5.0 to 1.5.1. - [Commits](https://github.com/python/mypy/compare/v1.5.0...v1.5.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0ace36b8b291..bf7889800ffb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==10.1.0 # via jaraco-classes -mypy==1.5.0 +mypy==1.5.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From f3a77b299dc8cd9113318e9d86277db571ff11fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 09:22:29 -0400 Subject: [PATCH 0344/1014] Bump setuptools from 68.0.0 to 68.1.0 in /.github/requirements (#9435) Bumps [setuptools](https://github.com/pypa/setuptools) from 68.0.0 to 68.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v68.0.0...v68.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index eeff5d0d8236..7bd5ab8d59fc 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -92,9 +92,9 @@ wheel==0.41.1 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==68.0.0 \ - --hash=sha256:11e52c67415a381d10d6b462ced9cfb97066179f0e871399e006c4ab101fc85f \ - --hash=sha256:baf1fdb41c6da4cd2eae722e135500da913332ab3f2f5c7d33af9b492acb5235 +setuptools==68.1.0 \ + --hash=sha256:d59c97e7b774979a5ccb96388efc9eb65518004537e85d52e81eaee89ab6dd91 \ + --hash=sha256:e13e1b0bc760e9b0127eda042845999b2f913e12437046e663b833aa96d89715 # via # -r build-requirements.in # setuptools-rust From b660044dce45cc74ba83a2dcf04e161752bb629b Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 17 Aug 2023 15:54:35 +0200 Subject: [PATCH 0345/1014] Add test vectors for ChaCha20 counter overflow (#9221) * Adapt ChaCha20 test vectors to 64-bit counter * Add ChaCha20 test vectors for counter overflow These vectors test the behavior during counter overflow. Since different implementations use different counter sizes (e.g. OpenSSL uses a 64-bit counter, whereas BoringSSL uses a 32-bit counter), it's important to ensure that the behavior during counter overflow is consistent between implementations. These vectors take into account both 32-bit and 64-bit overflows. --- docs/development/custom-vectors/chacha20.rst | 29 ++++++++ .../chacha20/generate_chacha20_overflow.py | 49 +++++++++++++ .../chacha20/verify_chacha20_overflow.py | 67 ++++++++++++++++++ docs/development/test-vectors.rst | 4 +- tests/hazmat/primitives/test_chacha20.py | 4 +- .../ciphers/ChaCha20/counter-overflow.txt | 70 +++++++++++++++++++ .../ciphers/ChaCha20/rfc7539.txt | 10 +-- 7 files changed, 226 insertions(+), 7 deletions(-) create mode 100644 docs/development/custom-vectors/chacha20.rst create mode 100644 docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py create mode 100644 docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py create mode 100644 vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt diff --git a/docs/development/custom-vectors/chacha20.rst b/docs/development/custom-vectors/chacha20.rst new file mode 100644 index 000000000000..5fee0c360e35 --- /dev/null +++ b/docs/development/custom-vectors/chacha20.rst @@ -0,0 +1,29 @@ +ChaCha20 vector creation +======================== + +This page documents the code that was used to generate the vectors +to test the counter overflow behavior in ChaCha20 as well as code +used to verify them against another implementation. + +Creation +-------- + +The following Python script was run to generate the vector files. + +.. literalinclude:: /development/custom-vectors/chacha20/generate_chacha20_overflow.py + +Download link: :download:`generate_chacha20_overflow.py +` + + +Verification +------------ + +The following Python script was used to verify the vectors. The +counter overflow is handled manually to avoid relying on the same +code that generated the vectors. + +.. literalinclude:: /development/custom-vectors/chacha20/verify_chacha20_overflow.py + +Download link: :download:`verify_chacha20_overflow.py +` diff --git a/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py b/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py new file mode 100644 index 000000000000..7c6ee25fe581 --- /dev/null +++ b/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py @@ -0,0 +1,49 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import binascii +import struct + +from cryptography.hazmat.primitives import ciphers +from cryptography.hazmat.primitives.ciphers import algorithms + +_N_BLOCKS = [1, 1.5, 2, 2.5, 3] +_INITIAL_COUNTERS = [2**32 - 1, 2**64 - 1] + + +def _build_vectors(): + count = 0 + output = [] + key = "0" * 64 + nonce = "0" * 16 + for blocks in _N_BLOCKS: + plaintext = binascii.unhexlify("0" * int(128 * blocks)) + for counter in _INITIAL_COUNTERS: + full_nonce = struct.pack(" bytes: + full_nonce = struct.pack(" Date: Thu, 17 Aug 2023 10:11:09 -0400 Subject: [PATCH 0346/1014] Fix ruff on main (#9443) --- .../custom-vectors/chacha20/generate_chacha20_overflow.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py b/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py index 7c6ee25fe581..c8ed339f4074 100644 --- a/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py +++ b/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py @@ -33,9 +33,7 @@ def _build_vectors(): output.append(f"INITIAL_BLOCK_COUNTER = {counter}") output.append(f"PLAINTEXT = {binascii.hexlify(plaintext)}") output.append( - "CIPHERTEXT = {}".format( - binascii.hexlify(encryptor.update(plaintext)) - ) + f"CIPHERTEXT = {binascii.hexlify(encryptor.update(plaintext))}" ) return "\n".join(output) From 43cf14f9043e359acb2ba410a8a8a5f4ae800257 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 20:56:25 +0000 Subject: [PATCH 0347/1014] Bump windows-targets from 0.48.2 to 0.48.3 in /src/rust (#9445) Bumps [windows-targets](https://github.com/microsoft/windows-rs) from 0.48.2 to 0.48.3. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows-targets dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e19f5b5abbd6..46ae27769dd7 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -388,9 +388,9 @@ checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" [[package]] name = "windows-targets" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1eeca1c172a285ee6c2c84c341ccea837e7c01b12fbb2d0fe3c9e550ce49ec8" +checksum = "27f51fb4c64f8b770a823c043c7fad036323e1c48f55287b7bbb7987b2fcdf3b" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", @@ -403,42 +403,42 @@ dependencies = [ [[package]] name = "windows_aarch64_gnullvm" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b10d0c968ba7f6166195e13d593af609ec2e3d24f916f081690695cf5eaffb2f" +checksum = "fde1bb55ae4ce76a597a8566d82c57432bc69c039449d61572a7a353da28f68c" [[package]] name = "windows_aarch64_msvc" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "571d8d4e62f26d4932099a9efe89660e8bd5087775a2ab5cdd8b747b811f1058" +checksum = "1513e8d48365a78adad7322fd6b5e4c4e99d92a69db8df2d435b25b1f1f286d4" [[package]] name = "windows_i686_gnu" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2229ad223e178db5fbbc8bd8d3835e51e566b8474bfca58d2e6150c48bb723cd" +checksum = "60587c0265d2b842298f5858e1a5d79d146f9ee0c37be5782e92a6eb5e1d7a83" [[package]] name = "windows_i686_msvc" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "600956e2d840c194eedfc5d18f8242bc2e17c7775b6684488af3a9fff6fe3287" +checksum = "224fe0e0ffff5d2ea6a29f82026c8f43870038a0ffc247aa95a52b47df381ac4" [[package]] name = "windows_x86_64_gnu" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ea99ff3f8b49fb7a8e0d305e5aec485bd068c2ba691b6e277d29eaeac945868a" +checksum = "62fc52a0f50a088de499712cbc012df7ebd94e2d6eb948435449d76a6287e7ad" [[package]] name = "windows_x86_64_gnullvm" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f1a05a1ece9a7a0d5a7ccf30ba2c33e3a61a30e042ffd247567d1de1d94120d" +checksum = "2093925509d91ea3d69bcd20238f4c2ecdb1a29d3c281d026a09705d0dd35f3d" [[package]] name = "windows_x86_64_msvc" -version = "0.48.2" +version = "0.48.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d419259aba16b663966e29e6d7c6ecfa0bb8425818bb96f6f1f3c3eb71a6e7b9" +checksum = "b6ade45bc8bf02ae2aa34a9d54ba660a1a58204da34ba793c00d83ca3730b5f1" From 1695df0663d48c206163f00cfa335fa5c5c9263a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 17 Aug 2023 20:56:46 +0000 Subject: [PATCH 0348/1014] Bump click from 8.1.6 to 8.1.7 (#9450) Bumps [click](https://github.com/pallets/click) from 8.1.6 to 8.1.7. - [Release notes](https://github.com/pallets/click/releases) - [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/click/compare/8.1.6...8.1.7) --- updated-dependencies: - dependency-name: click dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bf7889800ffb..bc34432e60d7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ charset-normalizer==3.2.0 # via requests check-sdist==0.1.2 # via cryptography (pyproject.toml) -click==8.1.6 +click==8.1.7 # via black colorlog==6.7.0 # via nox From d5e436bc3f88587bd43cc29fb79e53b4ce29fc22 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 18 Aug 2023 00:16:29 +0000 Subject: [PATCH 0349/1014] Bump BoringSSL and/or OpenSSL in CI (#9455) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f8e38cafa75..4eaf81ff42aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 17, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9f4cad2208b703350fe11d9469125dad55c34d30"}} - # Latest commit on the OpenSSL master branch, as of Aug 17, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "39ed7636e0d8a90512e7ccb811cd0bfcb7a79650"}} + # Latest commit on the BoringSSL master branch, as of Aug 18, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "09096a98f303f3adcc893ede87a49472b7e6be14"}} + # Latest commit on the OpenSSL master branch, as of Aug 18, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0577dbad0709f1b3717297420069c6160245e74d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From d7eca424e1a0e4d2af3ecc83223902e47519f98b Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Fri, 18 Aug 2023 12:44:17 +0200 Subject: [PATCH 0350/1014] LibreSSL 3.8.1 and later is OPENSSL_NO_ENGINE (#9456) Unfortunately, some projects are not prepared to build without ENGINE symbols, so just like BoringSSL we needed to keep some stubs. --- src/_cffi_src/openssl/engine.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py index 609313ec57ae..9629a2c8f929 100644 --- a/src/_cffi_src/openssl/engine.py +++ b/src/_cffi_src/openssl/engine.py @@ -42,18 +42,20 @@ typedef void UI_METHOD; #endif -/* Despite being OPENSSL_NO_ENGINE, BoringSSL defines these symbols. */ -#if !CRYPTOGRAPHY_IS_BORINGSSL +/* Despite being OPENSSL_NO_ENGINE, BoringSSL/LibreSSL define these symbols. */ +#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_LIBRESSL int (*ENGINE_free)(ENGINE *) = NULL; void (*ENGINE_load_builtin_engines)(void) = NULL; #endif -ENGINE *(*ENGINE_by_id)(const char *) = NULL; -int (*ENGINE_init)(ENGINE *) = NULL; -int (*ENGINE_finish)(ENGINE *) = NULL; ENGINE *(*ENGINE_get_default_RAND)(void) = NULL; int (*ENGINE_set_default_RAND)(ENGINE *) = NULL; void (*ENGINE_unregister_RAND)(ENGINE *) = NULL; + +#if !CRYPTOGRAPHY_IS_LIBRESSL +ENGINE *(*ENGINE_by_id)(const char *) = NULL; +int (*ENGINE_init)(ENGINE *) = NULL; +int (*ENGINE_finish)(ENGINE *) = NULL; int (*ENGINE_ctrl_cmd)(ENGINE *, const char *, long, void *, void (*)(void), int) = NULL; @@ -66,6 +68,7 @@ void *) = NULL; EVP_PKEY *(*ENGINE_load_public_key)(ENGINE *, const char *, UI_METHOD *, void *) = NULL; +#endif #else static const long Cryptography_HAS_ENGINE = 1; From ff92d524a04faf75caf857ed67d2b08593851175 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 18 Aug 2023 12:42:41 +0000 Subject: [PATCH 0351/1014] Bump ruff from 0.0.284 to 0.0.285 (#9458) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.284 to 0.0.285. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.284...v0.0.285) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bc34432e60d7..fbbc0cf46743 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.284 +ruff==0.0.285 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From ed28d06132016ccb9a28ce91d6a3092dd6c795a7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 18 Aug 2023 09:26:19 -0400 Subject: [PATCH 0352/1014] Bump setuptools from 68.1.0 to 68.1.2 in /.github/requirements (#9459) Bumps [setuptools](https://github.com/pypa/setuptools) from 68.1.0 to 68.1.2. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v68.1.0...v68.1.2) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 7bd5ab8d59fc..2f3d9b035a4c 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -92,9 +92,9 @@ wheel==0.41.1 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==68.1.0 \ - --hash=sha256:d59c97e7b774979a5ccb96388efc9eb65518004537e85d52e81eaee89ab6dd91 \ - --hash=sha256:e13e1b0bc760e9b0127eda042845999b2f913e12437046e663b833aa96d89715 +setuptools==68.1.2 \ + --hash=sha256:3d4dfa6d95f1b101d695a6160a7626e15583af71a5f52176efa5d39a054d475d \ + --hash=sha256:3d8083eed2d13afc9426f227b24fd1659489ec107c0e86cec2ffdde5c92e790b # via # -r build-requirements.in # setuptools-rust From 6f0c5c17f76031955f20505e056072e3331e071f Mon Sep 17 00:00:00 2001 From: julianz- Date: Fri, 18 Aug 2023 15:25:01 -0700 Subject: [PATCH 0353/1014] restoring SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER constant (#9461) This constant was removed in https://github.com/pyca/cryptography/commit/895de04c7318edf0ecb5d55c4758598ff6d79724 but it is still needed to deal with an issue in PyOpenSSL described here https://github.com/cherrypy/cheroot/issues/245 and PR https://github.com/pyca/pyopenssl/pull/1242. --- src/_cffi_src/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 73221219b83e..7e7b2b8bd91b 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -108,6 +108,7 @@ static const long SSL_CB_HANDSHAKE_DONE; static const long SSL_MODE_RELEASE_BUFFERS; static const long SSL_MODE_ENABLE_PARTIAL_WRITE; +static const long SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const long SSL_MODE_AUTO_RETRY; static const long TLS_ST_BEFORE; static const long TLS_ST_OK; From c61ab8735b0405afae059f1378c1ba3acf7ca59e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 19 Aug 2023 00:20:20 +0000 Subject: [PATCH 0354/1014] Bump BoringSSL and/or OpenSSL in CI (#9462) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4eaf81ff42aa..3911e53374e9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 18, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "09096a98f303f3adcc893ede87a49472b7e6be14"}} - # Latest commit on the OpenSSL master branch, as of Aug 18, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0577dbad0709f1b3717297420069c6160245e74d"}} + # Latest commit on the BoringSSL master branch, as of Aug 19, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5d2a41d8696b72660dec39b93221fa76201590a8"}} + # Latest commit on the OpenSSL master branch, as of Aug 19, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6404d064b8012a2c353603a3b3effa6289313d61"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 8b4025ad151fccd13f65f28e0309272bf4f94088 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 19 Aug 2023 21:54:19 -0400 Subject: [PATCH 0355/1014] Remove TODO, this was fixed in rust-openssl (#9465) --- src/rust/src/backend/ec.rs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index a4c4afc9d231..8057f5303b67 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -503,10 +503,6 @@ impl ECPublicKey { let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; let valid = verifier.verify(data, signature).unwrap_or(false); - // TODO: Empty the error stack. BoringSSL leaves one in the event of - // signature validation failure. Upstream to rust-openssl? - #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] - openssl::error::ErrorStack::get(); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), From 0000b402dd5edffa6a86ca560464e83a66fd91f5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 20 Aug 2023 13:27:15 -0400 Subject: [PATCH 0356/1014] Port RSA to rust (#9152) --- .../hazmat/backends/openssl/backend.py | 270 +------- .../hazmat/backends/openssl/rsa.py | 572 ---------------- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/_rust/openssl/rsa.pyi | 23 + .../hazmat/primitives/asymmetric/rsa.py | 3 + src/rust/Cargo.lock | 8 +- src/rust/src/backend/mod.rs | 2 + src/rust/src/backend/rsa.rs | 640 ++++++++++++++++++ src/rust/src/backend/utils.rs | 42 +- tests/hazmat/primitives/test_rsa.py | 38 ++ 10 files changed, 768 insertions(+), 832 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/rsa.py create mode 100644 src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi create mode 100644 src/rust/src/backend/rsa.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 900481e4c07c..1109d8a3fbe5 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -14,10 +14,6 @@ from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.backends.openssl.cmac import _CMACContext -from cryptography.hazmat.backends.openssl.rsa import ( - _RSAPrivateKey, - _RSAPublicKey, -) from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.primitives import hashes, serialization @@ -63,7 +59,6 @@ XTS, Mode, ) -from cryptography.hazmat.primitives.serialization import ssh from cryptography.hazmat.primitives.serialization.pkcs12 import ( PBES, PKCS12Certificate, @@ -358,24 +353,7 @@ def generate_rsa_private_key( self, public_exponent: int, key_size: int ) -> rsa.RSAPrivateKey: rsa._verify_rsa_parameters(public_exponent, key_size) - - rsa_cdata = self._lib.RSA_new() - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - - bn = self._int_to_bn(public_exponent) - bn = self._ffi.gc(bn, self._lib.BN_free) - - res = self._lib.RSA_generate_key_ex( - rsa_cdata, key_size, bn, self._ffi.NULL - ) - self.openssl_assert(res == 1) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - - # We can skip RSA key validation here since we just generated the key - return _RSAPrivateKey( - self, rsa_cdata, evp_pkey, unsafe_skip_rsa_key_validation=True - ) + return rust_openssl.rsa.generate_private_key(public_exponent, key_size) def generate_rsa_parameters_supported( self, public_exponent: int, key_size: int @@ -401,46 +379,15 @@ def load_rsa_private_numbers( numbers.public_numbers.e, numbers.public_numbers.n, ) - rsa_cdata = self._lib.RSA_new() - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - p = self._int_to_bn(numbers.p) - q = self._int_to_bn(numbers.q) - d = self._int_to_bn(numbers.d) - dmp1 = self._int_to_bn(numbers.dmp1) - dmq1 = self._int_to_bn(numbers.dmq1) - iqmp = self._int_to_bn(numbers.iqmp) - e = self._int_to_bn(numbers.public_numbers.e) - n = self._int_to_bn(numbers.public_numbers.n) - res = self._lib.RSA_set0_factors(rsa_cdata, p, q) - self.openssl_assert(res == 1) - res = self._lib.RSA_set0_key(rsa_cdata, n, e, d) - self.openssl_assert(res == 1) - res = self._lib.RSA_set0_crt_params(rsa_cdata, dmp1, dmq1, iqmp) - self.openssl_assert(res == 1) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - - return _RSAPrivateKey( - self, - rsa_cdata, - evp_pkey, - unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, + return rust_openssl.rsa.from_private_numbers( + numbers, unsafe_skip_rsa_key_validation ) def load_rsa_public_numbers( self, numbers: rsa.RSAPublicNumbers ) -> rsa.RSAPublicKey: rsa._check_public_key_components(numbers.e, numbers.n) - rsa_cdata = self._lib.RSA_new() - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - e = self._int_to_bn(numbers.e) - n = self._int_to_bn(numbers.n) - res = self._lib.RSA_set0_key(rsa_cdata, n, e, self._ffi.NULL) - self.openssl_assert(res == 1) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - - return _RSAPublicKey(self, rsa_cdata, evp_pkey) + return rust_openssl.rsa.from_public_numbers(numbers) def _create_evp_pkey_gc(self): evp_pkey = self._lib.EVP_PKEY_new() @@ -500,13 +447,8 @@ def _evp_pkey_to_private_key( key_type = self._lib.EVP_PKEY_id(evp_pkey) if key_type == self._lib.EVP_PKEY_RSA: - rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPrivateKey( - self, - rsa_cdata, - evp_pkey, + return rust_openssl.rsa.private_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)), unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, ) elif ( @@ -573,10 +515,9 @@ def _evp_pkey_to_public_key(self, evp_pkey) -> PublicKeyTypes: key_type = self._lib.EVP_PKEY_id(evp_pkey) if key_type == self._lib.EVP_PKEY_RSA: - rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPublicKey(self, rsa_cdata, evp_pkey) + return rust_openssl.rsa.public_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)) + ) elif ( key_type == self._lib.EVP_PKEY_RSA_PSS and not self._lib.CRYPTOGRAPHY_IS_LIBRESSL @@ -733,7 +674,9 @@ def load_pem_public_key(self, data: bytes) -> PublicKeyTypes: if rsa_cdata != self._ffi.NULL: rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return _RSAPublicKey(self, rsa_cdata, evp_pkey) + return rust_openssl.rsa.public_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)) + ) else: self._handle_key_loading_error() @@ -796,7 +739,9 @@ def load_der_public_key(self, data: bytes) -> PublicKeyTypes: if rsa_cdata != self._ffi.NULL: rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return _RSAPublicKey(self, rsa_cdata, evp_pkey) + return rust_openssl.rsa.public_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)) + ) else: self._handle_key_loading_error() @@ -984,191 +929,6 @@ def elliptic_curve_exchange_algorithm_supported( algorithm, ec.ECDH ) - def _private_key_bytes( - self, - encoding: serialization.Encoding, - format: serialization.PrivateFormat, - encryption_algorithm: serialization.KeySerializationEncryption, - key, - evp_pkey, - cdata, - ) -> bytes: - # validate argument types - if not isinstance(encoding, serialization.Encoding): - raise TypeError("encoding must be an item from the Encoding enum") - if not isinstance(format, serialization.PrivateFormat): - raise TypeError( - "format must be an item from the PrivateFormat enum" - ) - if not isinstance( - encryption_algorithm, serialization.KeySerializationEncryption - ): - raise TypeError( - "Encryption algorithm must be a KeySerializationEncryption " - "instance" - ) - - # validate password - if isinstance(encryption_algorithm, serialization.NoEncryption): - password = b"" - elif isinstance( - encryption_algorithm, serialization.BestAvailableEncryption - ): - password = encryption_algorithm.password - if len(password) > 1023: - raise ValueError( - "Passwords longer than 1023 bytes are not supported by " - "this backend" - ) - elif ( - isinstance( - encryption_algorithm, serialization._KeySerializationEncryption - ) - and encryption_algorithm._format - is format - is serialization.PrivateFormat.OpenSSH - ): - password = encryption_algorithm.password - else: - raise ValueError("Unsupported encryption type") - - # PKCS8 + PEM/DER - if format is serialization.PrivateFormat.PKCS8: - if encoding is serialization.Encoding.PEM: - write_bio = self._lib.PEM_write_bio_PKCS8PrivateKey - elif encoding is serialization.Encoding.DER: - write_bio = self._lib.i2d_PKCS8PrivateKey_bio - else: - raise ValueError("Unsupported encoding for PKCS8") - return self._private_key_bytes_via_bio( - write_bio, evp_pkey, password - ) - - # TraditionalOpenSSL + PEM/DER - if format is serialization.PrivateFormat.TraditionalOpenSSL: - if self._fips_enabled and not isinstance( - encryption_algorithm, serialization.NoEncryption - ): - raise ValueError( - "Encrypted traditional OpenSSL format is not " - "supported in FIPS mode." - ) - key_type = self._lib.EVP_PKEY_id(evp_pkey) - - if encoding is serialization.Encoding.PEM: - assert key_type == self._lib.EVP_PKEY_RSA - write_bio = self._lib.PEM_write_bio_RSAPrivateKey - return self._private_key_bytes_via_bio( - write_bio, cdata, password - ) - - if encoding is serialization.Encoding.DER: - if password: - raise ValueError( - "Encryption is not supported for DER encoded " - "traditional OpenSSL keys" - ) - assert key_type == self._lib.EVP_PKEY_RSA - write_bio = self._lib.i2d_RSAPrivateKey_bio - return self._bio_func_output(write_bio, cdata) - - raise ValueError("Unsupported encoding for TraditionalOpenSSL") - - # OpenSSH + PEM - if format is serialization.PrivateFormat.OpenSSH: - if encoding is serialization.Encoding.PEM: - return ssh._serialize_ssh_private_key( - key, password, encryption_algorithm - ) - - raise ValueError( - "OpenSSH private key format can only be used" - " with PEM encoding" - ) - - # Anything that key-specific code was supposed to handle earlier, - # like Raw. - raise ValueError("format is invalid with this key") - - def _private_key_bytes_via_bio( - self, write_bio, evp_pkey, password - ) -> bytes: - if not password: - evp_cipher = self._ffi.NULL - else: - # This is a curated value that we will update over time. - evp_cipher = self._lib.EVP_get_cipherbyname(b"aes-256-cbc") - - return self._bio_func_output( - write_bio, - evp_pkey, - evp_cipher, - password, - len(password), - self._ffi.NULL, - self._ffi.NULL, - ) - - def _bio_func_output(self, write_bio, *args) -> bytes: - bio = self._create_mem_bio_gc() - res = write_bio(bio, *args) - self.openssl_assert(res == 1) - return self._read_mem_bio(bio) - - def _public_key_bytes( - self, - encoding: serialization.Encoding, - format: serialization.PublicFormat, - key, - evp_pkey, - cdata, - ) -> bytes: - if not isinstance(encoding, serialization.Encoding): - raise TypeError("encoding must be an item from the Encoding enum") - if not isinstance(format, serialization.PublicFormat): - raise TypeError( - "format must be an item from the PublicFormat enum" - ) - - # SubjectPublicKeyInfo + PEM/DER - if format is serialization.PublicFormat.SubjectPublicKeyInfo: - if encoding is serialization.Encoding.PEM: - write_bio = self._lib.PEM_write_bio_PUBKEY - elif encoding is serialization.Encoding.DER: - write_bio = self._lib.i2d_PUBKEY_bio - else: - raise ValueError( - "SubjectPublicKeyInfo works only with PEM or DER encoding" - ) - return self._bio_func_output(write_bio, evp_pkey) - - # PKCS1 + PEM/DER - if format is serialization.PublicFormat.PKCS1: - # Only RSA is supported here. - key_type = self._lib.EVP_PKEY_id(evp_pkey) - self.openssl_assert(key_type == self._lib.EVP_PKEY_RSA) - - if encoding is serialization.Encoding.PEM: - write_bio = self._lib.PEM_write_bio_RSAPublicKey - elif encoding is serialization.Encoding.DER: - write_bio = self._lib.i2d_RSAPublicKey_bio - else: - raise ValueError("PKCS1 works only with PEM or DER encoding") - return self._bio_func_output(write_bio, cdata) - - # OpenSSH + OpenSSH - if format is serialization.PublicFormat.OpenSSH: - if encoding is serialization.Encoding.OpenSSH: - return ssh.serialize_ssh_public_key(key) - - raise ValueError( - "OpenSSH format must be used with OpenSSH encoding" - ) - - # Anything that key-specific code was supposed to handle earlier, - # like Raw, CompressedPoint, UncompressedPoint - raise ValueError("format is invalid with this key") - def dh_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py deleted file mode 100644 index b386581ffe69..000000000000 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ /dev/null @@ -1,572 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -import typing - -from cryptography.exceptions import ( - InvalidSignature, - UnsupportedAlgorithm, - _Reasons, -) -from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, -) -from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import utils as asym_utils -from cryptography.hazmat.primitives.asymmetric.padding import ( - MGF1, - OAEP, - PSS, - AsymmetricPadding, - PKCS1v15, - _Auto, - _DigestLength, - _MaxLength, - calculate_max_pss_salt_length, -) -from cryptography.hazmat.primitives.asymmetric.rsa import ( - RSAPrivateKey, - RSAPrivateNumbers, - RSAPublicKey, - RSAPublicNumbers, -) - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - - -def _get_rsa_pss_salt_length( - backend: Backend, - pss: PSS, - key: RSAPrivateKey | RSAPublicKey, - hash_algorithm: hashes.HashAlgorithm, -) -> int: - salt = pss._salt_length - - if isinstance(salt, _MaxLength): - return calculate_max_pss_salt_length(key, hash_algorithm) - elif isinstance(salt, _DigestLength): - return hash_algorithm.digest_size - elif isinstance(salt, _Auto): - if isinstance(key, RSAPrivateKey): - raise ValueError( - "PSS salt length can only be set to AUTO when verifying" - ) - return backend._lib.RSA_PSS_SALTLEN_AUTO - else: - return salt - - -def _enc_dec_rsa( - backend: Backend, - key: _RSAPrivateKey | _RSAPublicKey, - data: bytes, - padding: AsymmetricPadding, -) -> bytes: - if not isinstance(padding, AsymmetricPadding): - raise TypeError("Padding must be an instance of AsymmetricPadding.") - - if isinstance(padding, PKCS1v15): - padding_enum = backend._lib.RSA_PKCS1_PADDING - elif isinstance(padding, OAEP): - padding_enum = backend._lib.RSA_PKCS1_OAEP_PADDING - - if not isinstance(padding._mgf, MGF1): - raise UnsupportedAlgorithm( - "Only MGF1 is supported by this backend.", - _Reasons.UNSUPPORTED_MGF, - ) - - if not backend.rsa_padding_supported(padding): - raise UnsupportedAlgorithm( - "This combination of padding and hash algorithm is not " - "supported by this backend.", - _Reasons.UNSUPPORTED_PADDING, - ) - - else: - raise UnsupportedAlgorithm( - f"{padding.name} is not supported by this backend.", - _Reasons.UNSUPPORTED_PADDING, - ) - - return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding) - - -def _enc_dec_rsa_pkey_ctx( - backend: Backend, - key: _RSAPrivateKey | _RSAPublicKey, - data: bytes, - padding_enum: int, - padding: AsymmetricPadding, -) -> bytes: - init: typing.Callable[[typing.Any], int] - crypt: typing.Callable[[typing.Any, typing.Any, int, bytes, int], int] - if isinstance(key, _RSAPublicKey): - init = backend._lib.EVP_PKEY_encrypt_init - crypt = backend._lib.EVP_PKEY_encrypt - else: - init = backend._lib.EVP_PKEY_decrypt_init - crypt = backend._lib.EVP_PKEY_decrypt - - pkey_ctx = backend._lib.EVP_PKEY_CTX_new(key._evp_pkey, backend._ffi.NULL) - backend.openssl_assert(pkey_ctx != backend._ffi.NULL) - pkey_ctx = backend._ffi.gc(pkey_ctx, backend._lib.EVP_PKEY_CTX_free) - res = init(pkey_ctx) - backend.openssl_assert(res == 1) - res = backend._lib.EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding_enum) - backend.openssl_assert(res > 0) - buf_size = backend._lib.EVP_PKEY_size(key._evp_pkey) - backend.openssl_assert(buf_size > 0) - if isinstance(padding, OAEP): - mgf1_md = backend._evp_md_non_null_from_algorithm( - padding._mgf._algorithm - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1_md) - backend.openssl_assert(res > 0) - oaep_md = backend._evp_md_non_null_from_algorithm(padding._algorithm) - res = backend._lib.EVP_PKEY_CTX_set_rsa_oaep_md(pkey_ctx, oaep_md) - backend.openssl_assert(res > 0) - - if ( - isinstance(padding, OAEP) - and padding._label is not None - and len(padding._label) > 0 - ): - # set0_rsa_oaep_label takes ownership of the char * so we need to - # copy it into some new memory - labelptr = backend._lib.OPENSSL_malloc(len(padding._label)) - backend.openssl_assert(labelptr != backend._ffi.NULL) - backend._ffi.memmove(labelptr, padding._label, len(padding._label)) - res = backend._lib.EVP_PKEY_CTX_set0_rsa_oaep_label( - pkey_ctx, labelptr, len(padding._label) - ) - backend.openssl_assert(res == 1) - - outlen = backend._ffi.new("size_t *", buf_size) - buf = backend._ffi.new("unsigned char[]", buf_size) - # Everything from this line onwards is written with the goal of being as - # constant-time as is practical given the constraints of Python and our - # API. See Bleichenbacher's '98 attack on RSA, and its many many variants. - # As such, you should not attempt to change this (particularly to "clean it - # up") without understanding why it was written this way (see - # Chesterton's Fence), and without measuring to verify you have not - # introduced observable time differences. - res = crypt(pkey_ctx, buf, outlen, data, len(data)) - resbuf = backend._ffi.buffer(buf)[: outlen[0]] - backend._lib.ERR_clear_error() - if res <= 0: - raise ValueError("Encryption/decryption failed.") - return resbuf - - -def _rsa_sig_determine_padding( - backend: Backend, - key: _RSAPrivateKey | _RSAPublicKey, - padding: AsymmetricPadding, - algorithm: hashes.HashAlgorithm | None, -) -> int: - if not isinstance(padding, AsymmetricPadding): - raise TypeError("Expected provider of AsymmetricPadding.") - - pkey_size = backend._lib.EVP_PKEY_size(key._evp_pkey) - backend.openssl_assert(pkey_size > 0) - - if isinstance(padding, PKCS1v15): - # Hash algorithm is ignored for PKCS1v15-padding, may be None. - padding_enum = backend._lib.RSA_PKCS1_PADDING - elif isinstance(padding, PSS): - if not isinstance(padding._mgf, MGF1): - raise UnsupportedAlgorithm( - "Only MGF1 is supported by this backend.", - _Reasons.UNSUPPORTED_MGF, - ) - - # PSS padding requires a hash algorithm - if not isinstance(algorithm, hashes.HashAlgorithm): - raise TypeError("Expected instance of hashes.HashAlgorithm.") - - # Size of key in bytes - 2 is the maximum - # PSS signature length (salt length is checked later) - if pkey_size - algorithm.digest_size - 2 < 0: - raise ValueError( - "Digest too large for key size. Use a larger " - "key or different digest." - ) - - padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING - else: - raise UnsupportedAlgorithm( - f"{padding.name} is not supported by this backend.", - _Reasons.UNSUPPORTED_PADDING, - ) - - return padding_enum - - -# Hash algorithm can be absent (None) to initialize the context without setting -# any message digest algorithm. This is currently only valid for the PKCS1v15 -# padding type, where it means that the signature data is encoded/decoded -# as provided, without being wrapped in a DigestInfo structure. -def _rsa_sig_setup( - backend: Backend, - padding: AsymmetricPadding, - algorithm: hashes.HashAlgorithm | None, - key: _RSAPublicKey | _RSAPrivateKey, - init_func: typing.Callable[[typing.Any], int], -): - padding_enum = _rsa_sig_determine_padding(backend, key, padding, algorithm) - pkey_ctx = backend._lib.EVP_PKEY_CTX_new(key._evp_pkey, backend._ffi.NULL) - backend.openssl_assert(pkey_ctx != backend._ffi.NULL) - pkey_ctx = backend._ffi.gc(pkey_ctx, backend._lib.EVP_PKEY_CTX_free) - res = init_func(pkey_ctx) - if res != 1: - errors = backend._consume_errors() - raise ValueError("Unable to sign/verify with this key", errors) - - if algorithm is not None: - evp_md = backend._evp_md_non_null_from_algorithm(algorithm) - res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md) - if res <= 0: - backend._consume_errors() - raise UnsupportedAlgorithm( - "{} is not supported by this backend for RSA signing.".format( - algorithm.name - ), - _Reasons.UNSUPPORTED_HASH, - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding_enum) - if res <= 0: - backend._consume_errors() - raise UnsupportedAlgorithm( - f"{padding.name} is not supported for the RSA signature operation", - _Reasons.UNSUPPORTED_PADDING, - ) - if isinstance(padding, PSS): - assert isinstance(algorithm, hashes.HashAlgorithm) - res = backend._lib.EVP_PKEY_CTX_set_rsa_pss_saltlen( - pkey_ctx, - _get_rsa_pss_salt_length(backend, padding, key, algorithm), - ) - backend.openssl_assert(res > 0) - - mgf1_md = backend._evp_md_non_null_from_algorithm( - padding._mgf._algorithm - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1_md) - backend.openssl_assert(res > 0) - - return pkey_ctx - - -def _rsa_sig_sign( - backend: Backend, - padding: AsymmetricPadding, - algorithm: hashes.HashAlgorithm, - private_key: _RSAPrivateKey, - data: bytes, -) -> bytes: - pkey_ctx = _rsa_sig_setup( - backend, - padding, - algorithm, - private_key, - backend._lib.EVP_PKEY_sign_init, - ) - buflen = backend._ffi.new("size_t *") - res = backend._lib.EVP_PKEY_sign( - pkey_ctx, backend._ffi.NULL, buflen, data, len(data) - ) - backend.openssl_assert(res == 1) - buf = backend._ffi.new("unsigned char[]", buflen[0]) - res = backend._lib.EVP_PKEY_sign(pkey_ctx, buf, buflen, data, len(data)) - if res != 1: - errors = backend._consume_errors() - raise ValueError( - "Digest or salt length too long for key size. Use a larger key " - "or shorter salt length if you are specifying a PSS salt", - errors, - ) - - return backend._ffi.buffer(buf)[:] - - -def _rsa_sig_verify( - backend: Backend, - padding: AsymmetricPadding, - algorithm: hashes.HashAlgorithm, - public_key: _RSAPublicKey, - signature: bytes, - data: bytes, -) -> None: - pkey_ctx = _rsa_sig_setup( - backend, - padding, - algorithm, - public_key, - backend._lib.EVP_PKEY_verify_init, - ) - res = backend._lib.EVP_PKEY_verify( - pkey_ctx, signature, len(signature), data, len(data) - ) - # The previous call can return negative numbers in the event of an - # error. This is not a signature failure but we need to fail if it - # occurs. - backend.openssl_assert(res >= 0) - if res == 0: - backend._consume_errors() - raise InvalidSignature - - -def _rsa_sig_recover( - backend: Backend, - padding: AsymmetricPadding, - algorithm: hashes.HashAlgorithm | None, - public_key: _RSAPublicKey, - signature: bytes, -) -> bytes: - pkey_ctx = _rsa_sig_setup( - backend, - padding, - algorithm, - public_key, - backend._lib.EVP_PKEY_verify_recover_init, - ) - - # Attempt to keep the rest of the code in this function as constant/time - # as possible. See the comment in _enc_dec_rsa_pkey_ctx. Note that the - # buflen parameter is used even though its value may be undefined in the - # error case. Due to the tolerant nature of Python slicing this does not - # trigger any exceptions. - maxlen = backend._lib.EVP_PKEY_size(public_key._evp_pkey) - backend.openssl_assert(maxlen > 0) - buf = backend._ffi.new("unsigned char[]", maxlen) - buflen = backend._ffi.new("size_t *", maxlen) - res = backend._lib.EVP_PKEY_verify_recover( - pkey_ctx, buf, buflen, signature, len(signature) - ) - resbuf = backend._ffi.buffer(buf)[: buflen[0]] - backend._lib.ERR_clear_error() - # Assume that all parameter errors are handled during the setup phase and - # any error here is due to invalid signature. - if res != 1: - raise InvalidSignature - return resbuf - - -class _RSAPrivateKey(RSAPrivateKey): - _evp_pkey: object - _rsa_cdata: object - _key_size: int - - def __init__( - self, - backend: Backend, - rsa_cdata, - evp_pkey, - *, - unsafe_skip_rsa_key_validation: bool, - ): - res: int - # RSA_check_key is slower in OpenSSL 3.0.0 due to improved - # primality checking. In normal use this is unlikely to be a problem - # since users don't load new keys constantly, but for TESTING we've - # added an init arg that allows skipping the checks. You should not - # use this in production code unless you understand the consequences. - if not unsafe_skip_rsa_key_validation: - res = backend._lib.RSA_check_key(rsa_cdata) - if res != 1: - errors = backend._consume_errors() - raise ValueError("Invalid private key", errors) - # 2 is prime and passes an RSA key check, so we also check - # if p and q are odd just to be safe. - p = backend._ffi.new("BIGNUM **") - q = backend._ffi.new("BIGNUM **") - backend._lib.RSA_get0_factors(rsa_cdata, p, q) - backend.openssl_assert(p[0] != backend._ffi.NULL) - backend.openssl_assert(q[0] != backend._ffi.NULL) - p_odd = backend._lib.BN_is_odd(p[0]) - q_odd = backend._lib.BN_is_odd(q[0]) - if p_odd != 1 or q_odd != 1: - errors = backend._consume_errors() - raise ValueError("Invalid private key", errors) - - self._backend = backend - self._rsa_cdata = rsa_cdata - self._evp_pkey = evp_pkey - - n = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key( - self._rsa_cdata, - n, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._key_size = self._backend._lib.BN_num_bits(n[0]) - - @property - def key_size(self) -> int: - return self._key_size - - def decrypt(self, ciphertext: bytes, padding: AsymmetricPadding) -> bytes: - key_size_bytes = (self.key_size + 7) // 8 - if key_size_bytes != len(ciphertext): - raise ValueError("Ciphertext length must be equal to key size.") - - return _enc_dec_rsa(self._backend, self, ciphertext, padding) - - def public_key(self) -> RSAPublicKey: - ctx = self._backend._lib.RSAPublicKey_dup(self._rsa_cdata) - self._backend.openssl_assert(ctx != self._backend._ffi.NULL) - ctx = self._backend._ffi.gc(ctx, self._backend._lib.RSA_free) - evp_pkey = self._backend._rsa_cdata_to_evp_pkey(ctx) - return _RSAPublicKey(self._backend, ctx, evp_pkey) - - def private_numbers(self) -> RSAPrivateNumbers: - n = self._backend._ffi.new("BIGNUM **") - e = self._backend._ffi.new("BIGNUM **") - d = self._backend._ffi.new("BIGNUM **") - p = self._backend._ffi.new("BIGNUM **") - q = self._backend._ffi.new("BIGNUM **") - dmp1 = self._backend._ffi.new("BIGNUM **") - dmq1 = self._backend._ffi.new("BIGNUM **") - iqmp = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key(self._rsa_cdata, n, e, d) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(e[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(d[0] != self._backend._ffi.NULL) - self._backend._lib.RSA_get0_factors(self._rsa_cdata, p, q) - self._backend.openssl_assert(p[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(q[0] != self._backend._ffi.NULL) - self._backend._lib.RSA_get0_crt_params( - self._rsa_cdata, dmp1, dmq1, iqmp - ) - self._backend.openssl_assert(dmp1[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(dmq1[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(iqmp[0] != self._backend._ffi.NULL) - return RSAPrivateNumbers( - p=self._backend._bn_to_int(p[0]), - q=self._backend._bn_to_int(q[0]), - d=self._backend._bn_to_int(d[0]), - dmp1=self._backend._bn_to_int(dmp1[0]), - dmq1=self._backend._bn_to_int(dmq1[0]), - iqmp=self._backend._bn_to_int(iqmp[0]), - public_numbers=RSAPublicNumbers( - e=self._backend._bn_to_int(e[0]), - n=self._backend._bn_to_int(n[0]), - ), - ) - - def private_bytes( - self, - encoding: serialization.Encoding, - format: serialization.PrivateFormat, - encryption_algorithm: serialization.KeySerializationEncryption, - ) -> bytes: - return self._backend._private_key_bytes( - encoding, - format, - encryption_algorithm, - self, - self._evp_pkey, - self._rsa_cdata, - ) - - def sign( - self, - data: bytes, - padding: AsymmetricPadding, - algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, - ) -> bytes: - data, algorithm = _calculate_digest_and_algorithm(data, algorithm) - return _rsa_sig_sign(self._backend, padding, algorithm, self, data) - - -class _RSAPublicKey(RSAPublicKey): - _evp_pkey: object - _rsa_cdata: object - _key_size: int - - def __init__(self, backend: Backend, rsa_cdata, evp_pkey): - self._backend = backend - self._rsa_cdata = rsa_cdata - self._evp_pkey = evp_pkey - - n = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key( - self._rsa_cdata, - n, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._key_size = self._backend._lib.BN_num_bits(n[0]) - - @property - def key_size(self) -> int: - return self._key_size - - def __eq__(self, other: object) -> bool: - if not isinstance(other, _RSAPublicKey): - return NotImplemented - - return ( - self._backend._lib.EVP_PKEY_cmp(self._evp_pkey, other._evp_pkey) - == 1 - ) - - def encrypt(self, plaintext: bytes, padding: AsymmetricPadding) -> bytes: - return _enc_dec_rsa(self._backend, self, plaintext, padding) - - def public_numbers(self) -> RSAPublicNumbers: - n = self._backend._ffi.new("BIGNUM **") - e = self._backend._ffi.new("BIGNUM **") - self._backend._lib.RSA_get0_key( - self._rsa_cdata, n, e, self._backend._ffi.NULL - ) - self._backend.openssl_assert(n[0] != self._backend._ffi.NULL) - self._backend.openssl_assert(e[0] != self._backend._ffi.NULL) - return RSAPublicNumbers( - e=self._backend._bn_to_int(e[0]), - n=self._backend._bn_to_int(n[0]), - ) - - def public_bytes( - self, - encoding: serialization.Encoding, - format: serialization.PublicFormat, - ) -> bytes: - return self._backend._public_key_bytes( - encoding, format, self, self._evp_pkey, self._rsa_cdata - ) - - def verify( - self, - signature: bytes, - data: bytes, - padding: AsymmetricPadding, - algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, - ) -> None: - data, algorithm = _calculate_digest_and_algorithm(data, algorithm) - _rsa_sig_verify( - self._backend, padding, algorithm, self, signature, data - ) - - def recover_data_from_signature( - self, - signature: bytes, - padding: AsymmetricPadding, - algorithm: hashes.HashAlgorithm | None, - ) -> bytes: - if isinstance(algorithm, asym_utils.Prehashed): - raise TypeError( - "Prehashed is only supported in the sign and verify methods. " - "It cannot be used with recover_data_from_signature." - ) - return _rsa_sig_recover( - self._backend, padding, algorithm, self, signature - ) diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index e8b565443bfc..21c860265867 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -15,6 +15,7 @@ from cryptography.hazmat.bindings._rust.openssl import ( hmac, kdf, poly1305, + rsa, x448, x25519, ) @@ -31,6 +32,7 @@ __all__ = [ "kdf", "ed448", "ed25519", + "rsa", "poly1305", "x448", "x25519", diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi new file mode 100644 index 000000000000..d42134f72c74 --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi @@ -0,0 +1,23 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from cryptography.hazmat.primitives.asymmetric import rsa + +class RSAPrivateKey: ... +class RSAPublicKey: ... + +def generate_private_key( + public_exponent: int, + key_size: int, +) -> rsa.RSAPrivateKey: ... +def private_key_from_ptr( + ptr: int, + unsafe_skip_rsa_key_validation: bool, +) -> rsa.RSAPrivateKey: ... +def public_key_from_ptr(ptr: int) -> rsa.RSAPublicKey: ... +def from_private_numbers( + numbers: rsa.RSAPrivateNumbers, + unsafe_skip_rsa_key_validation: bool, +) -> rsa.RSAPrivateKey: ... +def from_public_numbers(numbers: rsa.RSAPublicNumbers) -> rsa.RSAPublicKey: ... diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 140b18a7f7b3..64b9d712258b 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -8,6 +8,7 @@ import typing from math import gcd +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import _serialization, hashes from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import utils as asym_utils @@ -63,6 +64,7 @@ def private_bytes( RSAPrivateKeyWithSerialization = RSAPrivateKey +RSAPrivateKey.register(rust_openssl.rsa.RSAPrivateKey) class RSAPublicKey(metaclass=abc.ABCMeta): @@ -126,6 +128,7 @@ def __eq__(self, other: object) -> bool: RSAPublicKeyWithSerialization = RSAPublicKey +RSAPublicKey.register(rust_openssl.rsa.RSAPublicKey) def generate_private_key( diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 46ae27769dd7..e8e41b31bf77 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -19,7 +19,7 @@ checksum = "861af988fac460ac69a09f41e6217a8fb9178797b76fcc9478444be6a59be19c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.18", + "syn 2.0.28", ] [[package]] @@ -182,7 +182,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.18", + "syn 2.0.28", ] [[package]] @@ -353,9 +353,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.18" +version = "2.0.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32d41677bcbe24c20c52e7c70b0d8db04134c5d1066bf98662e2871ad200ea3e" +checksum = "04361975b3f5e348b2189d8dc55bc942f278b2d482a6a0365de5bdd62d351567" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 717a09af8ad4..eb5ef8144146 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -14,6 +14,7 @@ pub(crate) mod hashes; pub(crate) mod hmac; pub(crate) mod kdf; pub(crate) mod poly1305; +pub(crate) mod rsa; pub(crate) mod utils; #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] pub(crate) mod x25519; @@ -41,6 +42,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(hashes::create_module(module.py())?)?; module.add_submodule(hmac::create_module(module.py())?)?; module.add_submodule(kdf::create_module(module.py())?)?; + module.add_submodule(rsa::create_module(module.py())?)?; Ok(()) } diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs new file mode 100644 index 000000000000..70e8b4a2b420 --- /dev/null +++ b/src/rust/src/backend/rsa.rs @@ -0,0 +1,640 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::backend::{hashes, utils}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; +use foreign_types_shared::ForeignTypeRef; + +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.rsa", + name = "RSAPrivateKey" +)] +struct RsaPrivateKey { + pkey: openssl::pkey::PKey, +} + +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.rsa", + name = "RSAPublicKey" +)] +struct RsaPublicKey { + pkey: openssl::pkey::PKey, +} + +fn check_rsa_private_key( + rsa: &openssl::rsa::Rsa, +) -> CryptographyResult<()> { + if !rsa.check_key().unwrap_or(false) || rsa.p().unwrap().is_even() || rsa.q().unwrap().is_even() + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Invalid private key"), + )); + } + Ok(()) +} + +#[pyo3::prelude::pyfunction] +fn private_key_from_ptr( + ptr: usize, + unsafe_skip_rsa_key_validation: bool, +) -> CryptographyResult { + let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + if !unsafe_skip_rsa_key_validation { + check_rsa_private_key(&pkey.rsa().unwrap())?; + } + Ok(RsaPrivateKey { + pkey: pkey.to_owned(), + }) +} + +#[pyo3::prelude::pyfunction] +fn public_key_from_ptr(ptr: usize) -> RsaPublicKey { + let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + RsaPublicKey { + pkey: pkey.to_owned(), + } +} + +#[pyo3::prelude::pyfunction] +fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResult { + let e = openssl::bn::BigNum::from_u32(public_exponent)?; + let rsa = openssl::rsa::Rsa::generate_with_e(key_size, &e)?; + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok(RsaPrivateKey { pkey }) +} + +#[pyo3::prelude::pyfunction] +fn from_private_numbers( + py: pyo3::Python<'_>, + numbers: &pyo3::PyAny, + unsafe_skip_rsa_key_validation: bool, +) -> CryptographyResult { + let public_numbers = numbers.getattr(pyo3::intern!(py, "public_numbers"))?; + + let rsa = openssl::rsa::Rsa::from_private_components( + utils::py_int_to_bn(py, public_numbers.getattr(pyo3::intern!(py, "n"))?)?, + utils::py_int_to_bn(py, public_numbers.getattr(pyo3::intern!(py, "e"))?)?, + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "d"))?)?, + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "p"))?)?, + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "q"))?)?, + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "dmp1"))?)?, + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "dmq1"))?)?, + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "iqmp"))?)?, + ) + .unwrap(); + if !unsafe_skip_rsa_key_validation { + check_rsa_private_key(&rsa)?; + } + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok(RsaPrivateKey { pkey }) +} + +#[pyo3::prelude::pyfunction] +fn from_public_numbers( + py: pyo3::Python<'_>, + numbers: &pyo3::PyAny, +) -> CryptographyResult { + let rsa = openssl::rsa::Rsa::from_public_components( + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "n"))?)?, + utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "e"))?)?, + ) + .unwrap(); + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok(RsaPublicKey { pkey }) +} + +fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { + (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) + || md == &openssl::hash::MessageDigest::sha224() + || md == &openssl::hash::MessageDigest::sha256() + || md == &openssl::hash::MessageDigest::sha384() + || md == &openssl::hash::MessageDigest::sha512() +} + +fn setup_encryption_ctx( + py: pyo3::Python<'_>, + ctx: &mut openssl::pkey_ctx::PkeyCtx, + padding: &pyo3::PyAny, +) -> CryptographyResult<()> { + let padding_mod = py.import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.padding" + ))?; + let asymmetric_padding_class = padding_mod + .getattr(pyo3::intern!(py, "AsymmetricPadding"))? + .extract()?; + let pkcs1_class = padding_mod + .getattr(pyo3::intern!(py, "PKCS1v15"))? + .extract()?; + let oaep_class = padding_mod.getattr(pyo3::intern!(py, "OAEP"))?.extract()?; + let mgf1_class = padding_mod.getattr(pyo3::intern!(py, "MGF1"))?.extract()?; + + if !padding.is_instance(asymmetric_padding_class)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Padding must be an instance of AsymmetricPadding.", + ), + )); + } + + let padding_enum = if padding.is_instance(pkcs1_class)? { + openssl::rsa::Padding::PKCS1 + } else if padding.is_instance(oaep_class)? { + if !padding + .getattr(pyo3::intern!(py, "_mgf"))? + .is_instance(mgf1_class)? + { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "Only MGF1 is supported.", + exceptions::Reasons::UNSUPPORTED_MGF, + )), + )); + } + + openssl::rsa::Padding::PKCS1_OAEP + } else { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!( + "{} is not supported by this backend.", + padding.getattr(pyo3::intern!(py, "name"))? + ), + exceptions::Reasons::UNSUPPORTED_PADDING, + )), + )); + }; + + ctx.set_rsa_padding(padding_enum)?; + + if padding_enum == openssl::rsa::Padding::PKCS1_OAEP { + let mgf1_md = hashes::message_digest_from_algorithm( + py, + padding + .getattr(pyo3::intern!(py, "_mgf"))? + .getattr(pyo3::intern!(py, "_algorithm"))?, + )?; + let oaep_md = hashes::message_digest_from_algorithm( + py, + padding.getattr(pyo3::intern!(py, "_algorithm"))?, + )?; + + if !oaep_hash_supported(&mgf1_md) || !oaep_hash_supported(&oaep_md) { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "This combination of padding and hash algorithm is not supported", + exceptions::Reasons::UNSUPPORTED_PADDING, + )), + )); + } + + ctx.set_rsa_mgf1_md(openssl::md::Md::from_nid(mgf1_md.type_()).unwrap())?; + ctx.set_rsa_oaep_md(openssl::md::Md::from_nid(oaep_md.type_()).unwrap())?; + + if let Some(label) = padding + .getattr(pyo3::intern!(py, "_label"))? + .extract::>()? + { + if !label.is_empty() { + ctx.set_rsa_oaep_label(label)?; + } + } + } + + Ok(()) +} + +fn setup_signature_ctx( + py: pyo3::Python<'_>, + ctx: &mut openssl::pkey_ctx::PkeyCtx, + padding: &pyo3::PyAny, + algorithm: &pyo3::PyAny, + key_size: usize, + is_signing: bool, +) -> CryptographyResult<()> { + let padding_mod = py.import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.padding" + ))?; + let asymmetric_padding_class = padding_mod.getattr(pyo3::intern!(py, "AsymmetricPadding"))?; + let pkcs1_class = padding_mod.getattr(pyo3::intern!(py, "PKCS1v15"))?; + let pss_class = padding_mod.getattr(pyo3::intern!(py, "PSS"))?.extract()?; + let max_length_class = padding_mod.getattr(pyo3::intern!(py, "_MaxLength"))?; + let digest_length_class = padding_mod.getattr(pyo3::intern!(py, "_DigestLength"))?; + let auto_class = padding_mod.getattr(pyo3::intern!(py, "_Auto"))?; + let mgf1_class = padding_mod.getattr(pyo3::intern!(py, "MGF1"))?; + let hash_algorithm_class = py + .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? + .getattr(pyo3::intern!(py, "HashAlgorithm"))?; + + if !padding.is_instance(asymmetric_padding_class)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Padding must be an instance of AsymmetricPadding.", + ), + )); + } + + let padding_enum = if padding.is_instance(pkcs1_class)? { + openssl::rsa::Padding::PKCS1 + } else if padding.is_instance(pss_class)? { + if !padding + .getattr(pyo3::intern!(py, "_mgf"))? + .is_instance(mgf1_class)? + { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "Only MGF1 is supported.", + exceptions::Reasons::UNSUPPORTED_MGF, + )), + )); + } + + // PSS padding requires a hash algorithm + if !algorithm.is_instance(hash_algorithm_class)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Expected instance of hashes.HashAlgorithm.", + ), + )); + } + + if algorithm + .getattr(pyo3::intern!(py, "digest_size"))? + .extract::()? + + 2 + > key_size + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Digest too large for key size. Use a larger key or different digest.", + ), + )); + } + + openssl::rsa::Padding::PKCS1_PSS + } else { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!( + "{} is not supported by this backend.", + padding.getattr(pyo3::intern!(py, "name"))? + ), + exceptions::Reasons::UNSUPPORTED_PADDING, + )), + )); + }; + + if !algorithm.is_none() { + let md = hashes::message_digest_from_algorithm(py, algorithm)?; + ctx.set_signature_md(openssl::md::Md::from_nid(md.type_()).unwrap()) + .or_else(|_| { + Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!( + "{} is not supported by this backend for RSA signing.", + algorithm.getattr(pyo3::intern!(py, "name"))? + ), + exceptions::Reasons::UNSUPPORTED_HASH, + )), + )) + })?; + } + ctx.set_rsa_padding(padding_enum).or_else(|_| { + Err(exceptions::UnsupportedAlgorithm::new_err(( + format!( + "{} is not supported for the RSA signature operation", + padding.getattr(pyo3::intern!(py, "name"))? + ), + exceptions::Reasons::UNSUPPORTED_PADDING, + ))) + })?; + + if padding_enum == openssl::rsa::Padding::PKCS1_PSS { + let salt = padding.getattr(pyo3::intern!(py, "_salt_length"))?; + if salt.is_instance(max_length_class)? { + ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::MAXIMUM_LENGTH)?; + } else if salt.is_instance(digest_length_class)? { + ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?; + } else if salt.is_instance(auto_class)? { + if is_signing { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "PSS salt length can only be set to Auto when verifying", + ), + )); + } + } else { + ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::custom(salt.extract::()?))?; + }; + + let mgf1_md = hashes::message_digest_from_algorithm( + py, + padding + .getattr(pyo3::intern!(py, "_mgf"))? + .getattr(pyo3::intern!(py, "_algorithm"))?, + )?; + ctx.set_rsa_mgf1_md(openssl::md::Md::from_nid(mgf1_md.type_()).unwrap())?; + } + + Ok(()) +} + +#[pyo3::prelude::pymethods] +impl RsaPrivateKey { + fn sign<'p>( + &self, + py: pyo3::Python<'p>, + data: &[u8], + padding: &pyo3::PyAny, + algorithm: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::PyAny> { + let (data, algorithm): (&[u8], &pyo3::PyAny) = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.backends.openssl.utils" + ))? + .call_method1( + pyo3::intern!(py, "_calculate_digest_and_algorithm"), + (data, algorithm), + )? + .extract()?; + + let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; + ctx.sign_init().map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Unable to sign/verify with this key") + })?; + setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), true)?; + + let length = ctx.sign(data, None)?; + Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + let length = ctx.sign(data, Some(b)).map_err(|_| { + pyo3::exceptions::PyValueError::new_err( + "Digest or salt length too long for key size. Use a larger key or shorter salt length if you are specifying a PSS salt", + ) + })?; + assert_eq!(length, b.len()); + Ok(()) + })?) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + ciphertext: &[u8], + padding: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let key_size_bytes = + usize::try_from((self.pkey.rsa().unwrap().n().num_bits() + 7) / 8).unwrap(); + if key_size_bytes != ciphertext.len() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Ciphertext length must be equal to key size.", + ), + )); + } + + let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; + ctx.decrypt_init()?; + + setup_encryption_ctx(py, &mut ctx, padding)?; + + // Everything from this line onwards is written with the goal of being + // as constant-time as is practical given the constraints of + // rust-openssl and our API. See Bleichenbacher's '98 attack on RSA, + // and its many many variants. As such, you should not attempt to + // change this (particularly to "clean it up") without understanding + // why it was written this way (see Chesterton's Fence), and without + // measuring to verify you have not introduced observable time + // differences. + // + // Once OpenSSL 3.2.0 is out, this can be simplified, as OpenSSL will + // have its own mitigations for Bleichenbacher's attack. + let length = ctx.decrypt(ciphertext, None).unwrap(); + let mut plaintext = vec![0; length]; + let result = ctx.decrypt(ciphertext, Some(&mut plaintext)); + + let py_result = + pyo3::types::PyBytes::new(py, &plaintext[..*result.as_ref().unwrap_or(&length)]); + if result.is_err() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Decryption failed"), + )); + } + Ok(py_result) + } + + #[getter] + fn key_size(&self) -> i32 { + self.pkey.rsa().unwrap().n().num_bits() + } + + fn public_key(&self) -> CryptographyResult { + let priv_rsa = self.pkey.rsa().unwrap(); + let rsa = openssl::rsa::Rsa::from_public_components( + priv_rsa.n().to_owned()?, + priv_rsa.e().to_owned()?, + ) + .unwrap(); + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok(RsaPublicKey { pkey }) + } + + fn private_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + let rsa = self.pkey.rsa().unwrap(); + + let py_p = utils::bn_to_py_int(py, rsa.p().unwrap())?; + let py_q = utils::bn_to_py_int(py, rsa.q().unwrap())?; + let py_d = utils::bn_to_py_int(py, rsa.d())?; + let py_dmp1 = utils::bn_to_py_int(py, rsa.dmp1().unwrap())?; + let py_dmq1 = utils::bn_to_py_int(py, rsa.dmq1().unwrap())?; + let py_iqmp = utils::bn_to_py_int(py, rsa.iqmp().unwrap())?; + let py_e = utils::bn_to_py_int(py, rsa.e())?; + let py_n = utils::bn_to_py_int(py, rsa.n())?; + + let rsa_mod = py.import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.rsa" + ))?; + + let public_numbers = + rsa_mod.call_method1(pyo3::intern!(py, "RSAPublicNumbers"), (py_e, py_n))?; + Ok(rsa_mod.call_method1( + pyo3::intern!(py, "RSAPrivateNumbers"), + (py_p, py_q, py_d, py_dmp1, py_dmq1, py_iqmp, public_numbers), + )?) + } + + fn private_bytes<'p>( + slf: &pyo3::PyCell, + py: pyo3::Python<'p>, + encoding: &pyo3::PyAny, + format: &pyo3::PyAny, + encryption_algorithm: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + utils::pkey_private_bytes( + py, + slf, + &slf.borrow().pkey, + encoding, + format, + encryption_algorithm, + true, + false, + ) + } +} + +#[pyo3::prelude::pymethods] +impl RsaPublicKey { + fn verify( + &self, + py: pyo3::Python<'_>, + signature: &[u8], + data: &[u8], + padding: &pyo3::PyAny, + algorithm: &pyo3::PyAny, + ) -> CryptographyResult<()> { + let (data, algorithm): (&[u8], &pyo3::PyAny) = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.backends.openssl.utils" + ))? + .call_method1( + pyo3::intern!(py, "_calculate_digest_and_algorithm"), + (data, algorithm), + )? + .extract()?; + + let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; + ctx.verify_init()?; + setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), false)?; + + let valid = ctx.verify(data, signature).unwrap_or(false); + if !valid { + return Err(CryptographyError::from( + exceptions::InvalidSignature::new_err(()), + )); + } + + Ok(()) + } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + plaintext: &[u8], + padding: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; + ctx.encrypt_init()?; + + setup_encryption_ctx(py, &mut ctx, padding)?; + + let length = ctx.encrypt(plaintext, None)?; + Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + let length = ctx + .encrypt(plaintext, Some(b)) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Encryption failed"))?; + assert_eq!(length, b.len()); + Ok(()) + })?) + } + + fn recover_data_from_signature<'p>( + &self, + py: pyo3::Python<'p>, + signature: &[u8], + padding: &pyo3::PyAny, + algorithm: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let prehashed_class = py + .import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.utils" + ))? + .getattr(pyo3::intern!(py, "Prehashed"))?; + + if algorithm.is_instance(prehashed_class)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.", + ), + )); + } + + let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; + ctx.verify_recover_init()?; + setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), false)?; + + let length = ctx.verify_recover(signature, None)?; + let mut buf = vec![0u8; length]; + let length = ctx + .verify_recover(signature, Some(&mut buf)) + .map_err(|_| exceptions::InvalidSignature::new_err(()))?; + + Ok(pyo3::types::PyBytes::new(py, &buf[..length])) + } + + #[getter] + fn key_size(&self) -> i32 { + self.pkey.rsa().unwrap().n().num_bits() + } + + fn public_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + let rsa = self.pkey.rsa().unwrap(); + + let py_e = utils::bn_to_py_int(py, rsa.e())?; + let py_n = utils::bn_to_py_int(py, rsa.n())?; + + let rsa_mod = py.import(pyo3::intern!( + py, + "cryptography.hazmat.primitives.asymmetric.rsa" + ))?; + + Ok(rsa_mod.call_method1(pyo3::intern!(py, "RSAPublicNumbers"), (py_e, py_n))?) + } + + fn public_bytes<'p>( + slf: &pyo3::PyCell, + py: pyo3::Python<'p>, + encoding: &pyo3::PyAny, + format: &pyo3::PyAny, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) + } + + fn __richcmp__( + &self, + other: pyo3::PyRef<'_, RsaPublicKey>, + op: pyo3::basic::CompareOp, + ) -> pyo3::PyResult { + match op { + pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), + pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), + _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), + } + } + + fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { + slf + } +} + +pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let m = pyo3::prelude::PyModule::new(py, "rsa")?; + m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; + + m.add_class::()?; + m.add_class::()?; + + Ok(m) +} diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 086f88ab9360..a2679cddedcf 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -163,7 +163,30 @@ pub(crate) fn pkey_private_bytes<'p>( } if format.is(private_format_class.getattr(pyo3::intern!(py, "TraditionalOpenSSL"))?) { - if let Ok(dsa) = pkey.dsa() { + if let Ok(rsa) = pkey.rsa() { + if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + let pem_bytes = if password.is_empty() { + rsa.private_key_to_pem()? + } else { + rsa.private_key_to_pem_passphrase( + openssl::symm::Cipher::aes_256_cbc(), + password, + )? + }; + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + if !password.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Encryption is not supported for DER encoded traditional OpenSSL keys", + ), + )); + } + + let der_bytes = rsa.private_key_to_der()?; + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + } + } else if let Ok(dsa) = pkey.dsa() { if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { let pem_bytes = if password.is_empty() { dsa.private_key_to_pem()? @@ -332,6 +355,23 @@ pub(crate) fn pkey_public_bytes<'p>( } } + if let Ok(rsa) = pkey.rsa() { + if format.is(public_format_class.getattr(pyo3::intern!(py, "PKCS1"))?) { + if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + let pem_bytes = rsa.public_key_to_pem_pkcs1()?; + return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + let der_bytes = rsa.public_key_to_der_pkcs1()?; + return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + } + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "PKCS1 works only with PEM or DER encoding", + ), + )); + } + } + // OpenSSH + OpenSSH if openssh_allowed && format.is(public_format_class.getattr(pyo3::intern!(py, "OpenSSH"))?) { if encoding.is(encoding_class.getattr(pyo3::intern!(py, "OpenSSH"))?) { diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index eda445b8e03e..578bb7886ef4 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -846,6 +846,21 @@ def test_unsupported_hash(self, rsa_key_512: rsa.RSAPrivateKey, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): private_key.sign(message, pss, hashes.BLAKE2s(32)) + @pytest.mark.supported( + only_if=lambda backend: backend.rsa_padding_supported( + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) + ), + skip_message="Does not support PSS.", + ) + def test_unsupported_hash_pss_mgf1(self, rsa_key_2048: rsa.RSAPrivateKey): + private_key = rsa_key_2048 + message = b"my message" + pss = padding.PSS( + mgf=padding.MGF1(DummyHashAlgorithm()), salt_length=0 + ) + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): + private_key.sign(message, pss, hashes.SHA256()) + @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) @@ -1938,6 +1953,27 @@ def test_invalid_oaep_decryption_data_to_large_for_modulus(self, backend): ), ) + def test_unsupported_oaep_hash(self, rsa_key_2048: rsa.RSAPrivateKey): + private_key = rsa_key_2048 + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): + private_key.decrypt( + b"0" * 256, + padding.OAEP( + mgf=padding.MGF1(DummyHashAlgorithm()), + algorithm=hashes.SHA256(), + label=None, + ), + ) + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): + private_key.decrypt( + b"0" * 256, + padding.OAEP( + mgf=padding.MGF1(hashes.SHA256()), + algorithm=DummyHashAlgorithm(), + label=None, + ), + ) + def test_unsupported_oaep_mgf( self, rsa_key_2048: rsa.RSAPrivateKey, backend ): @@ -2735,6 +2771,8 @@ def test_public_key_equality(self, rsa_key_2048: rsa.RSAPrivateKey): assert key1 == key2 assert key1 != key3 assert key1 != object() + with pytest.raises(TypeError): + key1 < key2 # type: ignore[operator] def test_public_key_copy(self, rsa_key_2048: rsa.RSAPrivateKey): key1 = rsa_key_2048.public_key() From 66ac64218ec6efd3698bf9f2596f8a28870ca82b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 20 Aug 2023 21:30:18 -0400 Subject: [PATCH 0357/1014] Bump BoringSSL and/or OpenSSL in CI (#9466) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3911e53374e9..3c3e5d96b901 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Aug 19, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5d2a41d8696b72660dec39b93221fa76201590a8"}} - # Latest commit on the OpenSSL master branch, as of Aug 19, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6404d064b8012a2c353603a3b3effa6289313d61"}} + # Latest commit on the OpenSSL master branch, as of Aug 21, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c2a8226cba2757b251729620aedffeed23d73623"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From d0dd8f556f7cd24b93b17d0c7935878d1db7fb29 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Aug 2023 12:06:46 +0000 Subject: [PATCH 0358/1014] Bump readme-renderer from 40.0 to 41.0 (#9479) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 40.0 to 41.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/40.0...41.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index fbbc0cf46743..04e5e3a420ae 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -125,7 +125,7 @@ pytest-randomly==3.15.0 # via cryptography (pyproject.toml) pytest-xdist==3.3.1 # via cryptography (pyproject.toml) -readme-renderer==40.0 +readme-renderer==41.0 # via twine requests==2.31.0 # via From ad611b0fe635f8dd4460857915ca31abaa347756 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Aug 2023 12:07:54 +0000 Subject: [PATCH 0359/1014] Bump Swatinem/rust-cache from 2.6.1 to 2.6.2 in /.github/actions/cache (#9468) Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.6.1 to 2.6.2. - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/578b235f6e5f613f7727f1c17bd3305b4d4d4e1f...e207df5d269b42b69c8bc5101da26f7d31feddb4) --- updated-dependencies: - dependency-name: Swatinem/rust-cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/cache/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 75d4d4696a50..f577fbd73de3 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@578b235f6e5f613f7727f1c17bd3305b4d4d4e1f # v2.6.1 + - uses: Swatinem/rust-cache@e207df5d269b42b69c8bc5101da26f7d31feddb4 # v2.6.2 with: key: ${{ steps.normalized-key.outputs.key }} workspaces: "./src/rust/ -> target" From 2cc6d4550612f5e34b4f9ffe25e664c2e6710fcd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Aug 2023 12:13:17 +0000 Subject: [PATCH 0360/1014] Bump cc from 1.0.82 to 1.0.83 in /src/rust (#9474) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.82 to 1.0.83. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.82...1.0.83) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e8e41b31bf77..b4dcaf1e1882 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "cc" -version = "1.0.82" +version = "1.0.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "305fe645edc1442a0fa8b6726ba61d422798d37a52e12eaecf4b022ebbb88f01" +checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" dependencies = [ "libc", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 77455d375f75..b3038ecd05a6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -21,7 +21,7 @@ foreign-types-shared = "0.1" self_cell = "1" [build-dependencies] -cc = "1.0.82" +cc = "1.0.83" [features] extension-module = ["pyo3/extension-module"] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 46da116c5d97..c8f8bfb8e8c1 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.19", features = ["abi3-py37"] } openssl-sys = "0.9.91" [build-dependencies] -cc = "1.0.82" +cc = "1.0.83" From bdd33ea3ae88e60fa563a31c9e4588743028ec79 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Aug 2023 12:20:15 +0000 Subject: [PATCH 0361/1014] Bump windows-targets from 0.48.3 to 0.48.5 in /src/rust (#9470) Bumps [windows-targets](https://github.com/microsoft/windows-rs) from 0.48.3 to 0.48.5. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits/0.48.5) --- updated-dependencies: - dependency-name: windows-targets dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b4dcaf1e1882..901835b993ae 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -388,9 +388,9 @@ checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" [[package]] name = "windows-targets" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27f51fb4c64f8b770a823c043c7fad036323e1c48f55287b7bbb7987b2fcdf3b" +checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", @@ -403,42 +403,42 @@ dependencies = [ [[package]] name = "windows_aarch64_gnullvm" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fde1bb55ae4ce76a597a8566d82c57432bc69c039449d61572a7a353da28f68c" +checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" [[package]] name = "windows_aarch64_msvc" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1513e8d48365a78adad7322fd6b5e4c4e99d92a69db8df2d435b25b1f1f286d4" +checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" [[package]] name = "windows_i686_gnu" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60587c0265d2b842298f5858e1a5d79d146f9ee0c37be5782e92a6eb5e1d7a83" +checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" [[package]] name = "windows_i686_msvc" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "224fe0e0ffff5d2ea6a29f82026c8f43870038a0ffc247aa95a52b47df381ac4" +checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" [[package]] name = "windows_x86_64_gnu" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62fc52a0f50a088de499712cbc012df7ebd94e2d6eb948435449d76a6287e7ad" +checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" [[package]] name = "windows_x86_64_gnullvm" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2093925509d91ea3d69bcd20238f4c2ecdb1a29d3c281d026a09705d0dd35f3d" +checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" [[package]] name = "windows_x86_64_msvc" -version = "0.48.3" +version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6ade45bc8bf02ae2aa34a9d54ba660a1a58204da34ba793c00d83ca3730b5f1" +checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" From 5a94cf3e2c2711a7e52cf6a3ef47e18e4200b54f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Aug 2023 12:21:26 +0000 Subject: [PATCH 0362/1014] Bump readme-renderer from 40.0 to 41.0 in /.github/requirements (#9480) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 40.0 to 41.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/40.0...41.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7039d9fbd353..d5c62bd1bad1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -392,9 +392,9 @@ python-dateutil==2.8.2 \ --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 # via betterproto -readme-renderer==40.0 \ - --hash=sha256:9f77b519d96d03d7d7dce44977ba543090a14397c4f60de5b6eb5b8048110aa4 \ - --hash=sha256:e18feb2a1e7706f2865b81ebb460056d93fb29d69daa10b223c00faa7bd9a00a +readme-renderer==41.0 \ + --hash=sha256:4f4b11e5893f5a5d725f592c5a343e0dc74f5f273cb3dcf8c42d9703a27073f7 \ + --hash=sha256:a38243d5b6741b700a850026e62da4bd739edc7422071e95fd5c4bb60171df86 # via twine requests==2.31.0 \ --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \ From 3f5831ec0af620c6d6fad9a23635fe112bae945d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Aug 2023 08:21:38 -0400 Subject: [PATCH 0363/1014] Bump sphinxcontrib-serializinghtml from 1.1.8 to 1.1.9 (#9478) Bumps [sphinxcontrib-serializinghtml](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml) from 1.1.8 to 1.1.9. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/compare/1.1.8...1.1.9) --- updated-dependencies: - dependency-name: sphinxcontrib-serializinghtml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 04e5e3a420ae..38c71f891532 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -164,7 +164,7 @@ sphinxcontrib-jsmath==1.0.1 # via sphinx sphinxcontrib-qthelp==1.0.6 # via sphinx -sphinxcontrib-serializinghtml==1.1.8 +sphinxcontrib-serializinghtml==1.1.9 # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) From e3fd0d3f097efa1d9b458cabb4d47d76b555cda1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 22 Aug 2023 00:16:33 +0000 Subject: [PATCH 0364/1014] Bump BoringSSL and/or OpenSSL in CI (#9481) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c3e5d96b901..1e64dba2a8e6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 19, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5d2a41d8696b72660dec39b93221fa76201590a8"}} + # Latest commit on the BoringSSL master branch, as of Aug 22, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f896fbd7a94daf801446ae997d288e7f03a5d9a2"}} # Latest commit on the OpenSSL master branch, as of Aug 21, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c2a8226cba2757b251729620aedffeed23d73623"}} # Builds with various Rust versions. Includes MSRV and next From 0a0555e362ede1d688b3eae1bbebf92a206355c1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Aug 2023 12:30:28 +0000 Subject: [PATCH 0365/1014] Bump sphinx-rtd-theme from 1.2.2 to 1.3.0 (#9482) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 1.2.2 to 1.3.0. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/1.2.2...1.3.0) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 38c71f891532..630bfbafd16b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ sphinx==6.2.1 # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==1.2.2 +sphinx-rtd-theme==1.3.0 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.7 # via sphinx From 79a1f5a6e651b548944ee3f8605e1a4ebb9ebc54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Aug 2023 12:41:05 +0000 Subject: [PATCH 0366/1014] Bump wheel from 0.41.1 to 0.41.2 in /.github/requirements (#9483) Bumps [wheel](https://github.com/pypa/wheel) from 0.41.1 to 0.41.2. - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](https://github.com/pypa/wheel/compare/0.41.1...0.41.2) --- updated-dependencies: - dependency-name: wheel dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2f3d9b035a4c..9381a3e5b5a0 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -86,9 +86,9 @@ typing-extensions==4.7.1 \ --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 # via setuptools-rust -wheel==0.41.1 \ - --hash=sha256:12b911f083e876e10c595779709f8a88a59f45aacc646492a67fe9ef796c1b47 \ - --hash=sha256:473219bd4cbedc62cea0cb309089b593e47c15c4a2531015f94e4e3b9a0f6981 +wheel==0.41.2 \ + --hash=sha256:0c5ac5ff2afb79ac23ab82bab027a0be7b5dbcf2e54dc50efe4bf507de1f7985 \ + --hash=sha256:75909db2664838d015e3d9139004ee16711748a52c8f336b52882266540215d8 # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: From dd4e37acc79d85747a57e8de526906978f349260 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Aug 2023 12:44:19 +0000 Subject: [PATCH 0367/1014] Bump sphinx from 6.2.1 to 7.2.2 (#9446) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 6.2.1 to 7.2.2. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v6.2.1...v7.2.2) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 630bfbafd16b..5ba5b0c86262 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -144,7 +144,7 @@ six==1.16.0 # via bleach snowballstemmer==2.2.0 # via sphinx -sphinx==6.2.1 +sphinx==7.2.2 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From ca274344be9f7d4d54437fe6b17229c7cd1d4f4f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 22 Aug 2023 10:04:23 -0400 Subject: [PATCH 0368/1014] Ask dependabot to send PRs so they'll be ready when we wake up (#9485) --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 45e0817cd3ce..8a3b8d517b14 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,28 +4,38 @@ updates: directory: "/" schedule: interval: "daily" + time: "06:00" + timezone: "America/New_York" open-pull-requests-limit: 1024 - package-ecosystem: "github-actions" directory: "/.github/actions/cache/" schedule: interval: "daily" + time: "06:00" + timezone: "America/New_York" open-pull-requests-limit: 1024 - package-ecosystem: "github-actions" directory: "/.github/actions/upload-coverage/" schedule: interval: "daily" + time: "06:00" + timezone: "America/New_York" open-pull-requests-limit: 1024 - package-ecosystem: "github-actions" directory: "/.github/actions/wycheproof/" schedule: interval: "daily" + time: "06:00" + timezone: "America/New_York" open-pull-requests-limit: 1024 - package-ecosystem: cargo directory: "/src/rust/" schedule: interval: daily + time: "06:00" + timezone: "America/New_York" allow: # Also update indirect dependencies - dependency-type: all @@ -35,6 +45,8 @@ updates: directory: "/" schedule: interval: daily + time: "06:00" + timezone: "America/New_York" allow: # Also update indirect dependencies - dependency-type: all @@ -44,6 +56,8 @@ updates: directory: "/.github/requirements/" schedule: interval: daily + time: "06:00" + timezone: "America/New_York" allow: # Also update indirect dependencies - dependency-type: all From 466d41ce72c49408ec8b30170b4fde91256b7780 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 22 Aug 2023 10:05:13 -0400 Subject: [PATCH 0369/1014] Remove FAQ that's no longer up to date (#9484) I don't think this is the right error message, and it hasn't been for a while --- docs/faq.rst | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index ac7f4152c731..f66cfba867d0 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -97,17 +97,6 @@ as secure as possible while retaining the advantages of OpenSSL, so we've chosen to rewrite non-cryptographic operations (such as ASN.1 parsing) in a high performance memory safe language: Rust. -Installing ``cryptography`` produces a ``fatal error: 'openssl/opensslv.h' file not found`` error -------------------------------------------------------------------------------------------------- - -``cryptography`` provides wheels which include a statically linked copy of -OpenSSL. If you see this error it is likely because your copy of ``pip`` is too -old to find our wheel files. Upgrade your ``pip`` with ``pip install -U pip`` -and then try to install ``cryptography`` again. - -Users on unusual CPU architectures will need to compile ``cryptography`` -themselves. Please view our :doc:`/installation` documentation. - ``cryptography`` raised an ``InternalError`` and I'm not sure what to do? ------------------------------------------------------------------------- From f2a6efd39bb2ebc318f0a2c5c1e66bd3e990b83d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 23 Aug 2023 00:04:26 -0400 Subject: [PATCH 0370/1014] Bump BoringSSL and/or OpenSSL in CI (#9488) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1e64dba2a8e6..39cc801dc05d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 22, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f896fbd7a94daf801446ae997d288e7f03a5d9a2"}} - # Latest commit on the OpenSSL master branch, as of Aug 21, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c2a8226cba2757b251729620aedffeed23d73623"}} + # Latest commit on the BoringSSL master branch, as of Aug 23, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e4f60679caa293c047be69f57fc48b46c7452327"}} + # Latest commit on the OpenSSL master branch, as of Aug 23, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "617cab094f0f0d4e71f8b9da5663be8ab06cba92"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 2879af1e81232deaa45ba9ec8ead64b4abecfe08 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 23 Aug 2023 02:00:00 -0400 Subject: [PATCH 0371/1014] Bump setuptools-rust version in build-requirements (#9487) --- .github/requirements/build-requirements.txt | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 9381a3e5b5a0..971a6f9807df 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -78,10 +78,14 @@ semantic-version==2.10.0 \ --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 # via setuptools-rust -setuptools-rust==1.6.0 \ - --hash=sha256:c86e734deac330597998bfbc08da45187e6b27837e23bd91eadb320732392262 \ - --hash=sha256:e28ae09fb7167c44ab34434eb49279307d611547cb56cb9789955cdb54a1aed9 - # via -r build-requirements.in +setuptools-rust==1.7.0 \ + --hash=sha256:071099885949132a2180d16abf907b60837e74b4085047ba7e9c0f5b365310c1 \ + --hash=sha256:c7100999948235a38ae7e555fe199aa66c253dc384b125f5d85473bf81eae3a3 + # via -r build-requirements.in +tomli==2.0.1 \ + --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ + --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f + # via setuptools-rust typing-extensions==4.7.1 \ --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 From afc06e28f2c858fa7132be1e5a1918295989adb8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 23 Aug 2023 10:32:16 -0400 Subject: [PATCH 0372/1014] Migrate a bit more logic to pyproject.toml (#9489) --- pyproject.toml | 9 ++++++++- setup.py | 30 ++---------------------------- 2 files changed, 10 insertions(+), 29 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 21d17b508557..1287f6486292 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ requires = [ "wheel", # Must be kept in sync with `project.dependencies` "cffi>=1.12; platform_python_implementation != 'PyPy'", - "setuptools-rust>=0.11.4", + "setuptools-rust>=1.7.0", ] build-backend = "setuptools.build_meta" @@ -81,6 +81,13 @@ docstest = ["pyenchant >=1.6.11", "twine >=1.12.0", "sphinxcontrib-spelling >=4 sdist = ["build"] pep8test = ["black", "ruff", "mypy", "check-sdist"] +[[tool.setuptools-rust.ext-modules]] +target = "cryptography.hazmat.bindings._rust" +path = "src/rust/Cargo.toml" +py-limited-api = true +rust-version = ">=1.63.0" + + [tool.black] line-length = 79 target-version = ["py37"] diff --git a/setup.py b/setup.py index 60b7b713ba7b..ef3c7ca6bd85 100644 --- a/setup.py +++ b/setup.py @@ -14,23 +14,6 @@ from setuptools import setup -try: - from setuptools_rust import RustExtension -except ImportError: - print( - """ - =============================DEBUG ASSISTANCE========================== - If you are seeing an error here please try the following to - successfully install cryptography: - - Upgrade to the latest pip and try again. This will fix errors for most - users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip - =============================DEBUG ASSISTANCE========================== - """ - ) - raise - - # distutils emits this warning if you pass `setup()` an unknown option. This # is what happens if you somehow run this file without `cffi` installed: # `cffi_modules` is an unknown option. @@ -47,17 +30,8 @@ raise RuntimeError("cryptography is not compatible with PyPy3 < 7.3.10") try: - # See pyproject.toml for most of the config metadata. - setup( - rust_extensions=[ - RustExtension( - "cryptography.hazmat.bindings._rust", - "src/rust/Cargo.toml", - py_limited_api=True, - rust_version=">=1.63.0", - ) - ], - ) + # See pyproject.toml for the config metadata. + setup() except: # Note: This is a bare exception that re-raises so that we don't interfere # with anything the installation machinery might want to do. Because we From a139e0c918e4e1096a82a335218e6ade3ec39eee Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 24 Aug 2023 00:18:04 +0000 Subject: [PATCH 0373/1014] Bump BoringSSL and/or OpenSSL in CI (#9491) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 39cc801dc05d..daa7906e6e77 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Aug 23, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e4f60679caa293c047be69f57fc48b46c7452327"}} - # Latest commit on the OpenSSL master branch, as of Aug 23, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "617cab094f0f0d4e71f8b9da5663be8ab06cba92"}} + # Latest commit on the OpenSSL master branch, as of Aug 24, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "27315a978e280a20c7f3ea0bfe05f6c186137625"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 65ed65e5952d9d448809f47b6307eef57ee99ce4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Aug 2023 06:42:58 -0400 Subject: [PATCH 0374/1014] Bump sphinx from 7.2.2 to 7.2.3 (#9492) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.2.2 to 7.2.3. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.2.2...v7.2.3) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5ba5b0c86262..31a0aaccef26 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -144,7 +144,7 @@ six==1.16.0 # via bleach snowballstemmer==2.2.0 # via sphinx -sphinx==7.2.2 +sphinx==7.2.3 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From d422c90b5b4cc3f23a5f594477c3f98b41d3d91f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 24 Aug 2023 11:05:25 +0000 Subject: [PATCH 0375/1014] Bump pem from 3.0.1 to 3.0.2 in /src/rust (#9493) Bumps [pem](https://github.com/jcreekmore/pem-rs) from 3.0.1 to 3.0.2. - [Changelog](https://github.com/jcreekmore/pem-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/jcreekmore/pem-rs/compare/v3.0.1...v3.0.2) --- updated-dependencies: - dependency-name: pem dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 901835b993ae..6adfb9819269 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -222,9 +222,9 @@ dependencies = [ [[package]] name = "pem" -version = "3.0.1" +version = "3.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed3127afbfc30b4cad60c34aeb741fb562a808642b81142bcf4afb73142da960" +checksum = "3163d2912b7c3b52d651a055f2c7eec9ba5cd22d26ef75b8dd3a59980b185923" dependencies = [ "base64", ] From b549ca82512817a020d797508bf7bab6acba6912 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 24 Aug 2023 19:32:33 -0400 Subject: [PATCH 0376/1014] Build PDF version of docs (#9494) --- .readthedocs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.readthedocs.yml b/.readthedocs.yml index 95b3c4f46e7c..40d9cc7ae84f 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -7,6 +7,9 @@ sphinx: # https://github.com/pyca/cryptography/issues/5863#issuecomment-817828152 builder: dirhtml +formats: + - pdf + build: # readdocs master now includes a rust toolchain os: "ubuntu-22.04" From 2e48c513d141d5eab95d20274c73066aa7f0d54b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 25 Aug 2023 00:20:02 +0000 Subject: [PATCH 0377/1014] Bump BoringSSL and/or OpenSSL in CI (#9495) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index daa7906e6e77..024e4264cf76 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 23, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e4f60679caa293c047be69f57fc48b46c7452327"}} - # Latest commit on the OpenSSL master branch, as of Aug 24, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "27315a978e280a20c7f3ea0bfe05f6c186137625"}} + # Latest commit on the BoringSSL master branch, as of Aug 25, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "50e30518df5022a86309d20d8c7471ed4c2f5a7e"}} + # Latest commit on the OpenSSL master branch, as of Aug 25, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e2972982c64f3f1ac10b3ebe1086d99ec67631bd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 48aa105f0243263b47aa041d61a3a01d00272c79 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 25 Aug 2023 07:02:35 -0400 Subject: [PATCH 0378/1014] Bump actions/checkout from 3.5.3 to 3.6.0 (#9496) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 3.6.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/c85c95e3d7251135ab7dc9ce3241c5835cc595a9...f43a0e5ff2bd294095638e18286ca9a3d1956744) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index e943b6b00cb8..5eb8a12b7beb 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -21,12 +21,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index fccc8a150753..881e2bc06cf5 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 024e4264cf76..36b2292223b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,7 +57,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: persist-credentials: false @@ -178,7 +178,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: persist-credentials: false @@ -229,7 +229,7 @@ jobs: RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: persist-credentials: false @@ -293,7 +293,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: persist-credentials: false @@ -366,7 +366,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: persist-credentials: false @@ -409,7 +409,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 2d959ccd9e87..13f89bbc1f9b 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 6ae41538c2dd..af2578af6ce4 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -32,7 +32,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 989f428adfcb..dded7147003c 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -112,7 +112,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -200,7 +200,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -293,7 +293,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} From 6df145c8c54c7fa1cc2547d0c2d994516d2b2114 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 25 Aug 2023 11:07:20 +0000 Subject: [PATCH 0379/1014] Bump actions/checkout from 3.5.3 to 3.6.0 in /.github/actions/wycheproof (#9497) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 3.6.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/c85c95e3d7251135ab7dc9ce3241c5835cc595a9...f43a0e5ff2bd294095638e18286ca9a3d1956744) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/wycheproof/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/wycheproof/action.yml b/.github/actions/wycheproof/action.yml index 0c0a9d329a06..7d2718871921 100644 --- a/.github/actions/wycheproof/action.yml +++ b/.github/actions/wycheproof/action.yml @@ -5,7 +5,7 @@ runs: using: "composite" steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: "google/wycheproof" path: "wycheproof" From 3917aebff69d7fd8dd5b0db3fa36644f330500b6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 25 Aug 2023 21:10:16 -0400 Subject: [PATCH 0380/1014] Bump BoringSSL and/or OpenSSL in CI (#9498) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 36b2292223b3..6a659742bf65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 25, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "50e30518df5022a86309d20d8c7471ed4c2f5a7e"}} - # Latest commit on the OpenSSL master branch, as of Aug 25, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e2972982c64f3f1ac10b3ebe1086d99ec67631bd"}} + # Latest commit on the BoringSSL master branch, as of Aug 26, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "792e77c52b5a85bee15a6f644494c10d8db5f7a0"}} + # Latest commit on the OpenSSL master branch, as of Aug 26, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7a5f58b2cf0d7b2fa0451603a88c3976c657dae9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From c083140bcf0e3d796b42189cd6308de5eea4a491 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 26 Aug 2023 10:29:39 -0400 Subject: [PATCH 0381/1014] fix for latest ruff (#9500) --- src/cryptography/x509/name.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 824a13315f99..c237f8647cb7 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -346,8 +346,7 @@ def __hash__(self) -> int: def __iter__(self) -> typing.Iterator[NameAttribute]: for rdn in self._attributes: - for ava in rdn: - yield ava + yield from rdn def __len__(self) -> int: return sum(len(rdn) for rdn in self._attributes) From 3afcce0e63554d77d25585af80a1c99192828840 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 26 Aug 2023 14:56:34 +0000 Subject: [PATCH 0382/1014] Bump base64 from 0.21.2 to 0.21.3 in /src/rust (#9501) Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.21.2 to 0.21.3. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.21.2...v0.21.3) --- updated-dependencies: - dependency-name: base64 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6adfb9819269..a0beb8897552 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" -version = "0.21.2" +version = "0.21.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d" +checksum = "414dcefbc63d77c526a76b3afcf6fbb9b5e2791c19c3aa2297733208750c6e53" [[package]] name = "bitflags" From 0195f4210e93faa71354a44317dea0bbc01c01e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 26 Aug 2023 15:00:25 +0000 Subject: [PATCH 0383/1014] Bump ruff from 0.0.285 to 0.0.286 (#9502) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.285 to 0.0.286. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.285...v0.0.286) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 31a0aaccef26..99909e477b19 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.285 +ruff==0.0.286 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From faf318360ec2aa6ca923ab795fd72d2600cc7699 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 26 Aug 2023 11:05:14 -0400 Subject: [PATCH 0384/1014] Bump id from 1.0.0 to 1.1.0 in /.github/requirements (#9503) Bumps [id](https://github.com/di/id) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/di/id/releases) - [Changelog](https://github.com/di/id/blob/main/CHANGELOG.md) - [Commits](https://github.com/di/id/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: id dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d5c62bd1bad1..7a75e689ced9 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -210,9 +210,9 @@ hyperframe==6.0.1 \ --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 # via h2 -id==1.0.0 \ - --hash=sha256:8822ba0454bb8660c4fff439eadbf06236cc354dcabd7ae00d907143d92215f5 \ - --hash=sha256:d4b3e75ce0d5f38c9e467826436babe8b9bc5f78e22bae716a22a6a0add570ea +id==1.1.0 \ + --hash=sha256:726b995ffea6954ecbe3f2bb9e9d52b8502b2683b8470b13c58a429cd8e701e8 \ + --hash=sha256:a15f919fa1e847f57572748d37cf40192913a861a2669059b4cb5079bbbbbdbd # via sigstore idna==3.4 \ --hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \ From 1031dfecffaddec2a92c029470eb4ce5906bfa6d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 26 Aug 2023 11:15:43 -0400 Subject: [PATCH 0385/1014] Move more of the Rust AEAD logic into common functions (#9499) --- src/rust/src/backend/aead.rs | 57 +++++++++++++++------------- tests/hazmat/primitives/test_aead.py | 2 +- 2 files changed, 31 insertions(+), 28 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 2a6641afa371..94a9e949a53a 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -19,13 +19,36 @@ fn check_length(data: &[u8]) -> CryptographyResult<()> { Ok(()) } +enum Aad<'a> { + List(&'a pyo3::types::PyList), +} + +fn process_aad( + ctx: &mut openssl::cipher_ctx::CipherCtx, + aad: Option>, +) -> CryptographyResult<()> { + if let Some(Aad::List(ads)) = aad { + for ad in ads.iter() { + let ad = ad.extract::>()?; + check_length(ad.as_bytes())?; + ctx.cipher_update(ad.as_bytes(), None)?; + } + } + + Ok(()) +} + fn encrypt_value<'p>( py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, plaintext: &[u8], + aad: Option>, tag_len: usize, tag_first: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + check_length(plaintext)?; + process_aad(&mut ctx, aad)?; + Ok(pyo3::types::PyBytes::new_with( py, plaintext.len() + tag_len, @@ -58,7 +81,10 @@ fn decrypt_value<'p>( py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, ciphertext: &[u8], + aad: Option>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + process_aad(&mut ctx, aad)?; + Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { // AES SIV can error here if the data is invalid on decrypt let n = ctx @@ -150,26 +176,17 @@ impl AesSiv { ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let key_buf = self.key.extract::>(py)?; let data_bytes = data.as_bytes(); + let aad = associated_data.map(Aad::List); if data_bytes.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("data must not be zero length"), )); }; - check_length(data_bytes)?; - let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.encrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; - if let Some(ads) = associated_data { - for ad in ads.iter() { - let ad = ad.extract::>()?; - check_length(ad.as_bytes())?; - ctx.cipher_update(ad.as_bytes(), None)?; - } - } - - encrypt_value(py, ctx, data_bytes, 16, true) + encrypt_value(py, ctx, data_bytes, aad, 16, true) } fn decrypt<'p>( @@ -180,12 +197,7 @@ impl AesSiv { ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let key_buf = self.key.extract::>(py)?; let data_bytes = data.as_bytes(); - - if data_bytes.is_empty() { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err("data must not be zero length"), - )); - } + let aad = associated_data.map(Aad::List); let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.decrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; @@ -199,16 +211,7 @@ impl AesSiv { let (tag, ciphertext) = data_bytes.split_at(16); ctx.set_tag(tag)?; - if let Some(ads) = associated_data { - for ad in ads.iter() { - let ad = ad.extract::>()?; - check_length(ad.as_bytes())?; - - ctx.cipher_update(ad.as_bytes(), None)?; - } - } - - decrypt_value(py, ctx, ciphertext) + decrypt_value(py, ctx, ciphertext, aad) } } diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 7db9607af197..ce90f6892395 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -681,7 +681,7 @@ def test_no_empty_encryption(self): with pytest.raises(ValueError): aessiv.encrypt(b"", None) - with pytest.raises(ValueError): + with pytest.raises(InvalidTag): aessiv.decrypt(b"", None) def test_vectors(self, backend, subtests): From 92fd87f742cd0f5195891eed231921457d53ee5b Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade Date: Sat, 26 Aug 2023 14:53:09 -0600 Subject: [PATCH 0386/1014] Add Python 3.12 classifier (#9507) --- pyproject.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/pyproject.toml b/pyproject.toml index 1287f6486292..b8ba5f5e7d0d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -38,6 +38,7 @@ classifiers = [ "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", + "Programming Language :: Python :: 3.12", "Programming Language :: Python :: Implementation :: CPython", "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Security :: Cryptography", From 229f6443552d0f393ded9a49763fd33346249eb4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 27 Aug 2023 11:05:19 -0400 Subject: [PATCH 0387/1014] Update to latest pluggy (#9509) It requires python 3.8+ --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 99909e477b19..9950ae25d0c8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -93,7 +93,7 @@ platformdirs==3.10.0 # via # black # virtualenv -pluggy==1.2.0 +pluggy==1.3.0; python_version >= "3.8" # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) From 6d3bebb63de734a22434cbd584d5230d188b58ed Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 27 Aug 2023 11:09:12 -0400 Subject: [PATCH 0388/1014] Refactor AEAD code to allow reusing ctx (#9504) --- src/rust/src/backend/aead.rs | 173 +++++++++++++++++++---------------- 1 file changed, 95 insertions(+), 78 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 94a9e949a53a..9f008bfd1bc4 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -23,83 +23,109 @@ enum Aad<'a> { List(&'a pyo3::types::PyList), } -fn process_aad( - ctx: &mut openssl::cipher_ctx::CipherCtx, - aad: Option>, -) -> CryptographyResult<()> { - if let Some(Aad::List(ads)) = aad { - for ad in ads.iter() { - let ad = ad.extract::>()?; - check_length(ad.as_bytes())?; - ctx.cipher_update(ad.as_bytes(), None)?; +struct EvpCipherAead { + ctx: openssl::cipher_ctx::CipherCtx, + tag_len: usize, + tag_first: bool, +} + +impl EvpCipherAead { + fn new(ctx: openssl::cipher_ctx::CipherCtx, tag_len: usize, tag_first: bool) -> EvpCipherAead { + EvpCipherAead { + ctx, + tag_len, + tag_first, } } - Ok(()) -} + fn process_aad(&mut self, aad: Option>) -> CryptographyResult<()> { + if let Some(Aad::List(ads)) = aad { + for ad in ads.iter() { + let ad = ad.extract::>()?; + check_length(ad.as_bytes())?; + self.ctx.cipher_update(ad.as_bytes(), None)?; + } + } -fn encrypt_value<'p>( - py: pyo3::Python<'p>, - mut ctx: openssl::cipher_ctx::CipherCtx, - plaintext: &[u8], - aad: Option>, - tag_len: usize, - tag_first: bool, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { - check_length(plaintext)?; - process_aad(&mut ctx, aad)?; - - Ok(pyo3::types::PyBytes::new_with( - py, - plaintext.len() + tag_len, - |b| { - let ciphertext; - let tag; - // TODO: remove once we have a second AEAD implemented here. - assert!(tag_first); - (tag, ciphertext) = b.split_at_mut(tag_len); - - let n = ctx - .cipher_update(plaintext, Some(ciphertext)) - .map_err(CryptographyError::from)?; - assert_eq!(n, ciphertext.len()); + Ok(()) + } + + fn encrypt<'p>( + mut self, + py: pyo3::Python<'p>, + plaintext: &[u8], + aad: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + check_length(plaintext)?; + self.process_aad(aad)?; + + Ok(pyo3::types::PyBytes::new_with( + py, + plaintext.len() + self.tag_len, + |b| { + let ciphertext; + let tag; + // TODO: remove once we have a second AEAD implemented here. + assert!(self.tag_first); + (tag, ciphertext) = b.split_at_mut(self.tag_len); + + let n = self + .ctx + .cipher_update(plaintext, Some(ciphertext)) + .map_err(CryptographyError::from)?; + assert_eq!(n, ciphertext.len()); + + let mut final_block = [0]; + let n = self + .ctx + .cipher_final(&mut final_block) + .map_err(CryptographyError::from)?; + assert_eq!(n, 0); + + self.ctx.tag(tag).map_err(CryptographyError::from)?; + + Ok(()) + }, + )?) + } + + fn decrypt<'p>( + mut self, + py: pyo3::Python<'p>, + ciphertext: &[u8], + aad: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + if ciphertext.len() < self.tag_len { + return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); + } + + assert!(self.tag_first); + // RFC 5297 defines the output as IV || C, where the tag we generate + // is the "IV" and C is the ciphertext. This is the opposite of our + // other AEADs, which are Ciphertext || Tag. + let (tag, ciphertext) = ciphertext.split_at(self.tag_len); + self.ctx.set_tag(tag)?; + + self.process_aad(aad)?; + + Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { + // AES SIV can error here if the data is invalid on decrypt + let n = self + .ctx + .cipher_update(ciphertext, Some(b)) + .map_err(|_| exceptions::InvalidTag::new_err(()))?; + assert_eq!(n, b.len()); let mut final_block = [0]; - let n = ctx + let n = self + .ctx .cipher_final(&mut final_block) - .map_err(CryptographyError::from)?; + .map_err(|_| exceptions::InvalidTag::new_err(()))?; assert_eq!(n, 0); - ctx.tag(tag).map_err(CryptographyError::from)?; - Ok(()) - }, - )?) -} - -fn decrypt_value<'p>( - py: pyo3::Python<'p>, - mut ctx: openssl::cipher_ctx::CipherCtx, - ciphertext: &[u8], - aad: Option>, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { - process_aad(&mut ctx, aad)?; - - Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { - // AES SIV can error here if the data is invalid on decrypt - let n = ctx - .cipher_update(ciphertext, Some(b)) - .map_err(|_| exceptions::InvalidTag::new_err(()))?; - assert_eq!(n, b.len()); - - let mut final_block = [0]; - let n = ctx - .cipher_final(&mut final_block) - .map_err(|_| exceptions::InvalidTag::new_err(()))?; - assert_eq!(n, 0); - - Ok(()) - })?) + })?) + } } #[pyo3::prelude::pyclass( @@ -186,7 +212,7 @@ impl AesSiv { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.encrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; - encrypt_value(py, ctx, data_bytes, aad, 16, true) + EvpCipherAead::new(ctx, 16, true).encrypt(py, data_bytes, aad) } fn decrypt<'p>( @@ -202,16 +228,7 @@ impl AesSiv { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.decrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; - if data_bytes.len() < 16 { - return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); - } - // RFC 5297 defines the output as IV || C, where the tag we generate - // is the "IV" and C is the ciphertext. This is the opposite of our - // other AEADs, which are Ciphertext || Tag. - let (tag, ciphertext) = data_bytes.split_at(16); - ctx.set_tag(tag)?; - - decrypt_value(py, ctx, ciphertext, aad) + EvpCipherAead::new(ctx, 16, true).decrypt(py, data_bytes, aad) } } From 3899d8feba5a25e18bd552df74e8e92c856e92f3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 27 Aug 2023 15:13:59 +0000 Subject: [PATCH 0389/1014] Bump openssl-sys from 0.9.91 to 0.9.92 in /src/rust (#9510) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.91 to 0.9.92. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.91...openssl-sys-v0.9.92) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a0beb8897552..2f30eb58bb17 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -187,9 +187,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.91" +version = "0.9.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "866b5f16f90776b9bb8dc1e1802ac6f0513de3a7a7465867bfbc563dc737faac" +checksum = "db7e971c2c2bba161b2d2fdf37080177eff520b3bc044787c7f1f5f9e78d869b" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index b3038ecd05a6..8d096cede2dc 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -16,7 +16,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.56" -openssl-sys = "0.9.91" +openssl-sys = "0.9.92" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index c8f8bfb8e8c1..e6b9a1e3b996 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.19", features = ["abi3-py37"] } -openssl-sys = "0.9.91" +openssl-sys = "0.9.92" [build-dependencies] cc = "1.0.83" From fd5e148d2d234dc008ae1e9e0c846b13d027aa83 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 27 Aug 2023 15:28:22 +0000 Subject: [PATCH 0390/1014] Bump openssl from 0.10.56 to 0.10.57 in /src/rust (#9511) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.56 to 0.10.57. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.56...openssl-v0.10.57) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 14 ++++++++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 2f30eb58bb17..f1ab498ca6e4 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -40,6 +40,12 @@ version = "1.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" +[[package]] +name = "bitflags" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635" + [[package]] name = "cc" version = "1.0.83" @@ -161,11 +167,11 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.56" +version = "0.10.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "729b745ad4a5575dd06a3e1af1414bd330ee561c01b3899eb584baeaa8def17e" +checksum = "bac25ee399abb46215765b1cb35bc0212377e58a061560d8b29b024fd0430e7c" dependencies = [ - "bitflags", + "bitflags 2.4.0", "cfg-if", "foreign-types", "libc", @@ -319,7 +325,7 @@ version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29" dependencies = [ - "bitflags", + "bitflags 1.3.2", ] [[package]] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 8d096cede2dc..d854c8075bd6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.56" +openssl = "0.10.57" openssl-sys = "0.9.92" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 75588a2953a2..15b5163d5566 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.56" +openssl = "0.10.57" ffi = { package = "openssl-sys", version = "0.9.85" } foreign-types = "0.3" foreign-types-shared = "0.1" From cab1ee11d22d768c19268f52bb7cbe3fb99d14c6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 27 Aug 2023 11:46:24 -0400 Subject: [PATCH 0391/1014] Expirementally, try reusing ctx in AESSIV (#9505) --- src/rust/src/backend/aead.rs | 74 +++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 9f008bfd1bc4..ea583136595b 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -24,26 +24,34 @@ enum Aad<'a> { } struct EvpCipherAead { - ctx: openssl::cipher_ctx::CipherCtx, + base_ctx: openssl::cipher_ctx::CipherCtx, tag_len: usize, tag_first: bool, } impl EvpCipherAead { - fn new(ctx: openssl::cipher_ctx::CipherCtx, tag_len: usize, tag_first: bool) -> EvpCipherAead { + fn new( + base_ctx: openssl::cipher_ctx::CipherCtx, + tag_len: usize, + tag_first: bool, + ) -> EvpCipherAead { EvpCipherAead { - ctx, + base_ctx, tag_len, tag_first, } } - fn process_aad(&mut self, aad: Option>) -> CryptographyResult<()> { + fn process_aad( + &self, + ctx: &mut openssl::cipher_ctx::CipherCtx, + aad: Option>, + ) -> CryptographyResult<()> { if let Some(Aad::List(ads)) = aad { for ad in ads.iter() { let ad = ad.extract::>()?; check_length(ad.as_bytes())?; - self.ctx.cipher_update(ad.as_bytes(), None)?; + ctx.cipher_update(ad.as_bytes(), None)?; } } @@ -51,13 +59,18 @@ impl EvpCipherAead { } fn encrypt<'p>( - mut self, + &self, py: pyo3::Python<'p>, plaintext: &[u8], aad: Option>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { check_length(plaintext)?; - self.process_aad(aad)?; + + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + ctx.copy(&self.base_ctx)?; + ctx.encrypt_init(None, None, None)?; + + self.process_aad(&mut ctx, aad)?; Ok(pyo3::types::PyBytes::new_with( py, @@ -69,20 +82,18 @@ impl EvpCipherAead { assert!(self.tag_first); (tag, ciphertext) = b.split_at_mut(self.tag_len); - let n = self - .ctx + let n = ctx .cipher_update(plaintext, Some(ciphertext)) .map_err(CryptographyError::from)?; assert_eq!(n, ciphertext.len()); let mut final_block = [0]; - let n = self - .ctx + let n = ctx .cipher_final(&mut final_block) .map_err(CryptographyError::from)?; assert_eq!(n, 0); - self.ctx.tag(tag).map_err(CryptographyError::from)?; + ctx.tag(tag).map_err(CryptographyError::from)?; Ok(()) }, @@ -90,7 +101,7 @@ impl EvpCipherAead { } fn decrypt<'p>( - mut self, + &self, py: pyo3::Python<'p>, ciphertext: &[u8], aad: Option>, @@ -99,26 +110,28 @@ impl EvpCipherAead { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + ctx.copy(&self.base_ctx)?; + ctx.decrypt_init(None, None, None)?; + assert!(self.tag_first); // RFC 5297 defines the output as IV || C, where the tag we generate // is the "IV" and C is the ciphertext. This is the opposite of our // other AEADs, which are Ciphertext || Tag. let (tag, ciphertext) = ciphertext.split_at(self.tag_len); - self.ctx.set_tag(tag)?; + ctx.set_tag(tag)?; - self.process_aad(aad)?; + self.process_aad(&mut ctx, aad)?; Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { // AES SIV can error here if the data is invalid on decrypt - let n = self - .ctx + let n = ctx .cipher_update(ciphertext, Some(b)) .map_err(|_| exceptions::InvalidTag::new_err(()))?; assert_eq!(n, b.len()); let mut final_block = [0]; - let n = self - .ctx + let n = ctx .cipher_final(&mut final_block) .map_err(|_| exceptions::InvalidTag::new_err(()))?; assert_eq!(n, 0); @@ -134,8 +147,7 @@ impl EvpCipherAead { name = "AESSIV" )] struct AesSiv { - key: pyo3::Py, - cipher: openssl::cipher::Cipher, + ctx: EvpCipherAead, } #[pyo3::prelude::pymethods] @@ -177,7 +189,11 @@ impl AesSiv { } let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; - Ok(AesSiv { key, cipher }) + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + ctx.encrypt_init(Some(&cipher), Some(key_buf.as_bytes()), None)?; + Ok(AesSiv { + ctx: EvpCipherAead::new(ctx, 16, true), + }) } } @@ -200,7 +216,6 @@ impl AesSiv { data: CffiBuf<'_>, associated_data: Option<&pyo3::types::PyList>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let key_buf = self.key.extract::>(py)?; let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::List); @@ -209,10 +224,7 @@ impl AesSiv { pyo3::exceptions::PyValueError::new_err("data must not be zero length"), )); }; - let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; - ctx.encrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; - - EvpCipherAead::new(ctx, 16, true).encrypt(py, data_bytes, aad) + self.ctx.encrypt(py, data_bytes, aad) } fn decrypt<'p>( @@ -221,14 +233,8 @@ impl AesSiv { data: CffiBuf<'_>, associated_data: Option<&pyo3::types::PyList>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let key_buf = self.key.extract::>(py)?; - let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::List); - - let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; - ctx.decrypt_init(Some(&self.cipher), Some(key_buf.as_bytes()), None)?; - - EvpCipherAead::new(ctx, 16, true).decrypt(py, data_bytes, aad) + self.ctx.decrypt(py, data.as_bytes(), aad) } } From 5245fb98e41d1f5ab05077d8ef72a06f7ed42f8b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 27 Aug 2023 12:22:41 -0400 Subject: [PATCH 0392/1014] Remove setup.py (#9490) All of our configuration is now declarative --- .github/workflows/wheel-builder.yml | 1 - setup.py | 90 ----------------------------- 2 files changed, 91 deletions(-) delete mode 100644 setup.py diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index dded7147003c..439b80f461e9 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -16,7 +16,6 @@ on: paths: - .github/workflows/wheel-builder.yml - .github/requirements/** - - setup.py - pyproject.toml - vectors/pyproject.toml diff --git a/setup.py b/setup.py deleted file mode 100644 index ef3c7ca6bd85..000000000000 --- a/setup.py +++ /dev/null @@ -1,90 +0,0 @@ -#!/usr/bin/env python - -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -import os -import platform -import re -import shutil -import subprocess -import sys -import warnings - -from setuptools import setup - -# distutils emits this warning if you pass `setup()` an unknown option. This -# is what happens if you somehow run this file without `cffi` installed: -# `cffi_modules` is an unknown option. -warnings.filterwarnings("error", message="Unknown distribution option") - -base_dir = os.path.dirname(__file__) -src_dir = os.path.join(base_dir, "src") - -# When executing the setup.py, we need to be able to import ourselves, this -# means that we need to add the src/ directory to the sys.path. -sys.path.insert(0, src_dir) - -if hasattr(sys, "pypy_version_info") and sys.pypy_version_info < (7, 3, 10): - raise RuntimeError("cryptography is not compatible with PyPy3 < 7.3.10") - -try: - # See pyproject.toml for the config metadata. - setup() -except: - # Note: This is a bare exception that re-raises so that we don't interfere - # with anything the installation machinery might want to do. Because we - # print this for any exception this msg can appear (e.g. in verbose logs) - # even if there's no failure. For example, SetupRequirementsError is raised - # during PEP517 building and prints this text. setuptools raises SystemExit - # when compilation fails right now, but it's possible this isn't stable - # or a public API commitment so we'll remain ultra conservative. - - import pkg_resources - - print( - """ - =============================DEBUG ASSISTANCE============================= - If you are seeing a compilation error please try the following steps to - successfully install cryptography: - 1) Upgrade to the latest pip and try again. This will fix errors for most - users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip - 2) Read https://cryptography.io/en/latest/installation/ for specific - instructions for your platform. - 3) Check our frequently asked questions for more information: - https://cryptography.io/en/latest/faq/ - 4) Ensure you have a recent Rust toolchain installed: - https://cryptography.io/en/latest/installation/#rust - """ - ) - print(f" Python: {'.'.join(str(v) for v in sys.version_info[:3])}") - print(f" platform: {platform.platform()}") - for dist in ["pip", "setuptools", "setuptools_rust"]: - try: - version = pkg_resources.get_distribution(dist).version - except pkg_resources.DistributionNotFound: - version = "n/a" - print(f" {dist}: {version}") - version = "n/a" - if shutil.which("rustc") is not None: - try: - # If for any reason `rustc --version` fails, silently ignore it - rustc_output = subprocess.run( - ["rustc", "--version"], - capture_output=True, - timeout=0.5, - encoding="utf8", - check=True, - ).stdout - version = re.sub("^rustc ", "", rustc_output.strip()) - except subprocess.SubprocessError: - pass - print(f" rustc: {version}") - - print( - """\ - =============================DEBUG ASSISTANCE============================= - """ - ) - raise From e12febe3d3fb5e6c323dd9f3556ed1744fe34fee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Aug 2023 11:02:12 +0000 Subject: [PATCH 0393/1014] Bump sphinx from 7.2.3 to 7.2.4 (#9512) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.2.3 to 7.2.4. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.2.3...v7.2.4) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9950ae25d0c8..f3bfec42ba11 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -144,7 +144,7 @@ six==1.16.0 # via bleach snowballstemmer==2.2.0 # via sphinx -sphinx==7.2.3 +sphinx==7.2.4 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 6bdf404054e3447779320e9665316c9d01f1826e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 28 Aug 2023 18:24:33 -0500 Subject: [PATCH 0394/1014] support PSS signing for CSRs (#9514) * support PSS signing for CSRs * doc fix --- CHANGELOG.rst | 7 ++ docs/x509/reference.rst | 39 +++++++- .../hazmat/bindings/_rust/x509.pyi | 1 + src/cryptography/x509/base.py | 22 ++++- src/rust/src/x509/csr.rs | 43 ++++---- tests/x509/test_x509.py | 98 +++++++++++++++++++ 6 files changed, 182 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f602278eca00..8a39465f2fee 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -11,6 +11,13 @@ Changelog * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. +* Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for + X.509 certificate signing requests with the keyword-only argument + ``rsa_padding`` on + :meth:`~cryptography.x509.CertificateSigningRequestBuilder.sign`. +* Added support for obtaining X.509 certificate signing request signature + algorithm parameters (including PSS) via + :meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`. .. _v41-0-3: diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 87ebe62f2669..3b014def579a 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -970,6 +970,27 @@ X.509 CSR (Certificate Signing Request) Object >>> csr.signature_algorithm_oid + .. attribute:: signature_algorithm_parameters + + .. versionadded:: 42.0.0 + + Returns the parameters of the signature algorithm used to sign the + certificate signing request. For RSA signatures it will return either a + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` or + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` object. + + For ECDSA signatures it will + return an :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA`. + + For EdDSA and DSA signatures it will return ``None``. + + These objects can be used to verify signatures on the signing request. + + :returns: None, + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`, + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`, or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` + .. attribute:: extensions :type: :class:`Extensions` @@ -1288,7 +1309,7 @@ X.509 CSR (Certificate Signing Request) Builder Object :returns: A new :class:`~cryptography.x509.CertificateSigningRequestBuilder`. - .. method:: sign(private_key, algorithm) + .. method:: sign(private_key, algorithm, *, rsa_padding=None) :param private_key: The private key that will be used to sign the request. When the request is @@ -1307,6 +1328,22 @@ X.509 CSR (Certificate Signing Request) Builder Object :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` otherwise. + :param rsa_padding: + + .. versionadded:: 42.0.0 + + This is a keyword-only argument. If ``private_key`` is an + ``RSAPrivateKey`` then this can be set to either + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` or + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` to sign + with those respective paddings. If this is ``None`` then RSA + keys will default to ``PKCS1v15`` padding. All other key types **must** + not pass a value other than ``None``. + + :type rsa_padding: ``None``, + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`, + or :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` + :returns: A new :class:`~cryptography.x509.CertificateSigningRequest`. diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 9be3dabe6703..4ad055f1fc7a 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -28,6 +28,7 @@ def create_x509_csr( builder: x509.CertificateSigningRequestBuilder, private_key: PrivateKeyTypes, hash_algorithm: hashes.HashAlgorithm | None, + padding: PKCS1v15 | PSS | None, ) -> x509.CertificateSigningRequest: ... def create_x509_crl( builder: x509.CertificateRevocationListBuilder, diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 051f7c350a04..9288ddc031f8 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -521,6 +521,15 @@ def signature_algorithm_oid(self) -> ObjectIdentifier: Returns the ObjectIdentifier of the signature algorithm. """ + @property + @abc.abstractmethod + def signature_algorithm_parameters( + self, + ) -> None | padding.PSS | padding.PKCS1v15 | ec.ECDSA: + """ + Returns the signature algorithm parameters. + """ + @property @abc.abstractmethod def extensions(self) -> Extensions: @@ -701,13 +710,24 @@ def sign( private_key: CertificateIssuerPrivateKeyTypes, algorithm: _AllowedHashTypes | None, backend: typing.Any = None, + *, + rsa_padding: padding.PSS | padding.PKCS1v15 | None = None, ) -> CertificateSigningRequest: """ Signs the request using the requestor's private key. """ if self._subject_name is None: raise ValueError("A CertificateSigningRequest must have a subject") - return rust_x509.create_x509_csr(self, private_key, algorithm) + + if rsa_padding is not None: + if not isinstance(rsa_padding, (padding.PSS, padding.PKCS1v15)): + raise TypeError("Padding must be PSS or PKCS1v15") + if not isinstance(private_key, rsa.RSAPrivateKey): + raise TypeError("Padding is only supported for RSA keys") + + return rust_x509.create_x509_csr( + self, private_key, algorithm, rsa_padding + ) class CertificateBuilder: diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index b6718a50385a..2ea5170e1cc9 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -97,19 +97,7 @@ impl CertificateSigningRequest { &self, py: pyo3::Python<'p>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - let sig_oids_to_hash = py - .import(pyo3::intern!(py, "cryptography.hazmat._oid"))? - .getattr(pyo3::intern!(py, "_SIG_OIDS_TO_HASH"))?; - let hash_alg = sig_oids_to_hash.get_item(self.signature_algorithm_oid(py)?); - match hash_alg { - Ok(data) => Ok(data), - Err(_) => Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(format!( - "Signature algorithm OID: {} not recognized", - self.raw.borrow_dependent().signature_alg.oid() - )), - )), - } + sign::identify_signature_hash_algorithm(py, &self.raw.borrow_dependent().signature_alg) } #[getter] @@ -117,6 +105,17 @@ impl CertificateSigningRequest { oid_to_py_oid(py, self.raw.borrow_dependent().signature_alg.oid()) } + #[getter] + fn signature_algorithm_parameters<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::PyAny> { + sign::identify_signature_algorithm_parameters( + py, + &self.raw.borrow_dependent().signature_alg, + ) + } + fn public_bytes<'p>( &self, py: pyo3::Python<'p>, @@ -292,13 +291,10 @@ fn create_x509_csr( builder: &pyo3::PyAny, private_key: &pyo3::PyAny, hash_algorithm: &pyo3::PyAny, + rsa_padding: &pyo3::PyAny, ) -> CryptographyResult { - let sigalg = x509::sign::compute_signature_algorithm( - py, - private_key, - hash_algorithm, - py.None().into_ref(py), - )?; + let sigalg = + x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; let serialization_mod = py.import(pyo3::intern!( py, "cryptography.hazmat.primitives.serialization" @@ -368,13 +364,8 @@ fn create_x509_csr( }; let tbs_bytes = asn1::write_single(&csr_info)?; - let signature = x509::sign::sign_data( - py, - private_key, - hash_algorithm, - py.None().into_ref(py), - &tbs_bytes, - )?; + let signature = + x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; let data = asn1::write_single(&Csr { csr_info, signature_alg: sigalg, diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 2698c564fc32..a70240a92a2d 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -4920,6 +4920,104 @@ def test_rsa_key_too_small(self, rsa_key_512: rsa.RSAPrivateKey, backend): with pytest.raises(ValueError): builder.sign(private_key, hashes.SHA512(), backend) + @pytest.mark.parametrize( + ("alg", "mgf_alg"), + [ + (hashes.SHA512(), hashes.SHA256()), + (hashes.SHA3_512(), hashes.SHA3_256()), + ], + ) + def test_sign_pss( + self, rsa_key_2048: rsa.RSAPrivateKey, alg, mgf_alg, backend + ): + if not backend.signature_hash_supported(alg): + pytest.skip(f"{alg} signature not supported") + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US")]) + ) + pss = padding.PSS( + mgf=padding.MGF1(mgf_alg), salt_length=alg.digest_size + ) + csr = builder.sign(rsa_key_2048, alg, rsa_padding=pss) + pk = csr.public_key() + assert isinstance(pk, rsa.RSAPublicKey) + assert isinstance(csr.signature_hash_algorithm, type(alg)) + cert_params = csr.signature_algorithm_parameters + assert isinstance(cert_params, padding.PSS) + assert cert_params._salt_length == pss._salt_length + assert isinstance(cert_params._mgf, padding.MGF1) + assert isinstance(cert_params._mgf._algorithm, type(mgf_alg)) + pk.verify( + csr.signature, + csr.tbs_certrequest_bytes, + cert_params, + alg, + ) + + @pytest.mark.parametrize( + ("padding_len", "computed_len"), + [ + (padding.PSS.MAX_LENGTH, 222), + (padding.PSS.DIGEST_LENGTH, 32), + ], + ) + def test_sign_pss_length_options( + self, + rsa_key_2048: rsa.RSAPrivateKey, + padding_len, + computed_len, + backend, + ): + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US")]) + ) + pss = padding.PSS( + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding_len + ) + csr = builder.sign(rsa_key_2048, hashes.SHA256(), rsa_padding=pss) + assert isinstance(csr.signature_algorithm_parameters, padding.PSS) + assert csr.signature_algorithm_parameters._salt_length == computed_len + + def test_sign_pss_auto_unsupported( + self, rsa_key_2048: rsa.RSAPrivateKey, backend + ): + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US")]) + ) + pss = padding.PSS( + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.AUTO + ) + with pytest.raises(TypeError): + builder.sign(rsa_key_2048, hashes.SHA256(), rsa_padding=pss) + + def test_sign_invalid_padding( + self, rsa_key_2048: rsa.RSAPrivateKey, backend + ): + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US")]) + ) + with pytest.raises(TypeError): + builder.sign( + rsa_key_2048, + hashes.SHA256(), + rsa_padding=b"notapadding", # type: ignore[arg-type] + ) + eckey = ec.generate_private_key(ec.SECP256R1()) + with pytest.raises(TypeError): + builder.sign( + eckey, hashes.SHA256(), rsa_padding=padding.PKCS1v15() + ) + + def test_sign_pss_hash_none( + self, rsa_key_2048: rsa.RSAPrivateKey, backend + ): + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US")]) + ) + pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32) + with pytest.raises(TypeError): + builder.sign(rsa_key_2048, None, rsa_padding=pss) + @pytest.mark.supported( only_if=lambda backend: backend.dsa_supported(), From 58f110d9ebbf9a50a230846824417a1f57d19dda Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 29 Aug 2023 00:17:59 +0000 Subject: [PATCH 0395/1014] Bump BoringSSL and/or OpenSSL in CI (#9515) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6a659742bf65..18037d5d7c22 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 26, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "792e77c52b5a85bee15a6f644494c10d8db5f7a0"}} - # Latest commit on the OpenSSL master branch, as of Aug 26, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7a5f58b2cf0d7b2fa0451603a88c3976c657dae9"}} + # Latest commit on the BoringSSL master branch, as of Aug 29, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "85081c6b3c0b26129893c1bff6bfa42bc3ba2d2c"}} + # Latest commit on the OpenSSL master branch, as of Aug 29, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f9caad5b95e901b87fe45cf85c9582071ca0b23"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 6fb5520b0cb44ea0e1f54c32dfb46f997edc6265 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 29 Aug 2023 08:49:46 -0400 Subject: [PATCH 0396/1014] Bump filelock, new version drops support for 3.7 (#9517) --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f3bfec42ba11..50bbcb62ce08 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ exceptiongroup==1.1.3 # via pytest execnet==2.0.2 # via pytest-xdist -filelock==3.12.2 +filelock==3.12.3; python_version >= "3.8" # via virtualenv idna==3.4 # via requests From 6e4da7ee599370779459a85cbf58918d0512ff5e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 29 Aug 2023 21:05:30 -0400 Subject: [PATCH 0397/1014] Bump BoringSSL and/or OpenSSL in CI (#9518) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18037d5d7c22..65a01ca98a1a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 29, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "85081c6b3c0b26129893c1bff6bfa42bc3ba2d2c"}} - # Latest commit on the OpenSSL master branch, as of Aug 29, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f9caad5b95e901b87fe45cf85c9582071ca0b23"}} + # Latest commit on the BoringSSL master branch, as of Aug 30, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79532afc453d5400be886ee7ba9ecb92451a573e"}} + # Latest commit on the OpenSSL master branch, as of Aug 30, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a2608e4bc430d6216bbf36f50a29278e8759103a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 71bfcbb447c6920694349c6e83ba8238a0dc4e2a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 31 Aug 2023 00:36:27 +0000 Subject: [PATCH 0398/1014] Bump BoringSSL and/or OpenSSL in CI (#9520) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65a01ca98a1a..c02d044ac6d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 30, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79532afc453d5400be886ee7ba9ecb92451a573e"}} - # Latest commit on the OpenSSL master branch, as of Aug 30, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a2608e4bc430d6216bbf36f50a29278e8759103a"}} + # Latest commit on the BoringSSL master branch, as of Aug 31, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ab45f42e8e7340df605f378ee03c4800db2709f3"}} + # Latest commit on the OpenSSL master branch, as of Aug 31, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9f5102bffc8bb3a9b02a0a5e3c1de4326622fe04"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 2a647696f862eaac227122654e3ba102f3ede9f1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Aug 2023 11:13:05 +0000 Subject: [PATCH 0399/1014] Bump virtualenv from 20.24.3 to 20.24.4 (#9521) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.3 to 20.24.4. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.3...20.24.4) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 50bbcb62ce08..441434d94444 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.4 # via # requests # twine -virtualenv==20.24.3 +virtualenv==20.24.4 # via nox webencodings==0.5.1 # via bleach From bbc12ba478e9bb7c30a56a94b454775917e8dd47 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Aug 2023 11:17:14 +0000 Subject: [PATCH 0400/1014] Bump sphinx from 7.2.4 to 7.2.5 (#9522) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.2.4 to 7.2.5. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.2.4...v7.2.5) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 441434d94444..8ee622d50f7f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -144,7 +144,7 @@ six==1.16.0 # via bleach snowballstemmer==2.2.0 # via sphinx -sphinx==7.2.4 +sphinx==7.2.5 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 5ef77db224b8a5b3f61f8f63d9904a9bc995e76f Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 31 Aug 2023 13:36:39 +0200 Subject: [PATCH 0401/1014] Add `poly1305` implementation for BoringSSL and LibreSSL (#9392) * Add poly1305 implementation for BoringSSL and LibreSSL * Move Poly1305 safe wrapper to cryptography-openssl * Simplify Poly1305 making the backend optional * Use MaybeUninit before initializing Poly1305 context * Rename Poly1305 backend field --- .../hazmat/backends/openssl/backend.py | 8 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- src/rust/cryptography-openssl/src/lib.rs | 2 + src/rust/cryptography-openssl/src/poly1305.rs | 45 ++++++ src/rust/src/backend/poly1305.rs | 147 ++++++++++++------ 5 files changed, 151 insertions(+), 53 deletions(-) create mode 100644 src/rust/cryptography-openssl/src/poly1305.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 1109d8a3fbe5..3797d1df83e3 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1256,7 +1256,13 @@ def serialize_key_and_certificates_to_pkcs12( def poly1305_supported(self) -> bool: if self._fips_enabled: return False - return self._lib.Cryptography_HAS_POLY1305 == 1 + elif ( + self._lib.CRYPTOGRAPHY_IS_BORINGSSL + or self._lib.CRYPTOGRAPHY_IS_LIBRESSL + ): + return True + else: + return self._lib.Cryptography_HAS_POLY1305 == 1 def pkcs7_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 15b5163d5566..e629b3717236 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -9,6 +9,6 @@ rust-version = "1.63.0" [dependencies] openssl = "0.10.57" -ffi = { package = "openssl-sys", version = "0.9.85" } +ffi = { package = "openssl-sys", version = "0.9.91" } foreign-types = "0.3" foreign-types-shared = "0.1" diff --git a/src/rust/cryptography-openssl/src/lib.rs b/src/rust/cryptography-openssl/src/lib.rs index 0a2b48149e0f..3ddf4adbd7f6 100644 --- a/src/rust/cryptography-openssl/src/lib.rs +++ b/src/rust/cryptography-openssl/src/lib.rs @@ -4,6 +4,8 @@ pub mod fips; pub mod hmac; +#[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] +pub mod poly1305; pub type OpenSSLResult = Result; diff --git a/src/rust/cryptography-openssl/src/poly1305.rs b/src/rust/cryptography-openssl/src/poly1305.rs new file mode 100644 index 000000000000..262062eedd3f --- /dev/null +++ b/src/rust/cryptography-openssl/src/poly1305.rs @@ -0,0 +1,45 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use std::mem::MaybeUninit; + +pub struct Poly1305State { + // The state data must be allocated in the heap so that its address does not change. This is + // because BoringSSL APIs that take a `poly1305_state*` ignore all the data before an aligned + // address. Since a stack-allocated struct would change address on every copy, BoringSSL would + // interpret each copy differently, causing unexpected behavior. + context: Box, +} + +impl Poly1305State { + pub fn new(key: &[u8]) -> Poly1305State { + assert_eq!(key.len(), 32); + let mut ctx: Box> = + Box::new(MaybeUninit::::uninit()); + + // After initializing the context, unwrap the Box> into + // a Box while keeping the same memory address. See the docstring of the + // Poly1305State struct above for the rationale. + let initialized_ctx: Box = unsafe { + ffi::CRYPTO_poly1305_init(ctx.as_mut().as_mut_ptr(), key.as_ptr()); + let raw_ctx_ptr = (*Box::into_raw(ctx)).as_mut_ptr(); + Box::from_raw(raw_ctx_ptr) + }; + + Poly1305State { + context: initialized_ctx, + } + } + + pub fn update(&mut self, data: &[u8]) -> () { + unsafe { + ffi::CRYPTO_poly1305_update(self.context.as_mut(), data.as_ptr(), data.len()); + }; + } + + pub fn finalize(&mut self, output: &mut [u8]) -> () { + assert_eq!(output.len(), 16); + unsafe { ffi::CRYPTO_poly1305_finish(self.context.as_mut(), output.as_mut_ptr()) }; + } +} diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index 17d279a4023f..66fc6239fa02 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs @@ -7,26 +7,48 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.poly1305")] -struct Poly1305 { - signer: Option>, +#[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] +struct Poly1305Boring { + context: cryptography_openssl::poly1305::Poly1305State, } -impl Poly1305 { - fn get_mut_signer(&mut self) -> CryptographyResult<&mut openssl::sign::Signer<'static>> { - if let Some(signer) = self.signer.as_mut() { - return Ok(signer); - }; - Err(already_finalized_error()) +#[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] +impl Poly1305Boring { + fn new(key: CffiBuf<'_>) -> CryptographyResult { + if key.as_bytes().len() != 32 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("A poly1305 key is 32 bytes long"), + )); + } + let ctx = cryptography_openssl::poly1305::Poly1305State::new(key.as_bytes()); + Ok(Poly1305Boring { context: ctx }) + } + + fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { + self.context.update(data.as_bytes()); + Ok(()) + } + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let result = pyo3::types::PyBytes::new_with(py, 16usize, |b| { + self.context.finalize(b.as_mut()); + Ok(()) + })?; + Ok(result) } } -#[pyo3::pymethods] -impl Poly1305 { - #[new] - fn new(key: CffiBuf<'_>) -> CryptographyResult { - #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] - { +#[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] +struct Poly1305Open { + signer: openssl::sign::Signer<'static>, +} + +#[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] +impl Poly1305Open { + fn new(key: CffiBuf<'_>) -> CryptographyResult { + if cryptography_openssl::fips::is_enabled() { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "poly1305 is not supported by this version of OpenSSL.", @@ -35,33 +57,56 @@ impl Poly1305 { )); } - #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - { - if cryptography_openssl::fips::is_enabled() { - return Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(( - "poly1305 is not supported by this version of OpenSSL.", - exceptions::Reasons::UNSUPPORTED_MAC, - )), - )); - } - - let pkey = openssl::pkey::PKey::private_key_from_raw_bytes( - key.as_bytes(), - openssl::pkey::Id::POLY1305, - ) - .map_err(|_| { + let pkey = openssl::pkey::PKey::private_key_from_raw_bytes( + key.as_bytes(), + openssl::pkey::Id::POLY1305, + ) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("A poly1305 key is 32 bytes long"))?; + + Ok(Poly1305Open { + signer: openssl::sign::Signer::new_without_digest(&pkey).map_err(|_| { pyo3::exceptions::PyValueError::new_err("A poly1305 key is 32 bytes long") - })?; - - Ok(Poly1305 { - signer: Some( - openssl::sign::Signer::new_without_digest(&pkey).map_err(|_| { - pyo3::exceptions::PyValueError::new_err("A poly1305 key is 32 bytes long") - })?, - ), - }) - } + })?, + }) + } + fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { + let buf = data.as_bytes(); + self.signer.update(buf)?; + Ok(()) + } + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let result = pyo3::types::PyBytes::new_with(py, self.signer.len()?, |b| { + let n = self.signer.sign(b).unwrap(); + assert_eq!(n, b.len()); + Ok(()) + })?; + Ok(result) + } +} + +#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.poly1305")] +struct Poly1305 { + #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] + inner: Option, + #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + inner: Option, +} + +#[pyo3::pymethods] +impl Poly1305 { + #[new] + fn new(key: CffiBuf<'_>) -> CryptographyResult { + #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] + return Ok(Poly1305 { + inner: Some(Poly1305Boring::new(key)?), + }); + #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + return Ok(Poly1305 { + inner: Some(Poly1305Open::new(key)?), + }); } #[staticmethod] @@ -88,22 +133,22 @@ impl Poly1305 { } fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { - self.get_mut_signer()?.update(data.as_bytes())?; - Ok(()) + self.inner + .as_mut() + .map_or(Err(already_finalized_error()), |b| b.update(data)) } fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let signer = self.get_mut_signer()?; - let result = pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { - let n = signer.sign(b).unwrap(); - assert_eq!(n, b.len()); - Ok(()) - })?; - self.signer = None; - Ok(result) + let res = self + .inner + .as_mut() + .map_or(Err(already_finalized_error()), |b| b.finalize(py)); + self.inner = None; + + res } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { From 12af0c46247fa68c45127df70c7489f2f4d4c4ef Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 31 Aug 2023 19:31:21 -0500 Subject: [PATCH 0402/1014] Bump BoringSSL and/or OpenSSL in CI (#9525) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c02d044ac6d0..db24c53441c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Aug 31, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ab45f42e8e7340df605f378ee03c4800db2709f3"}} - # Latest commit on the OpenSSL master branch, as of Aug 31, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9f5102bffc8bb3a9b02a0a5e3c1de4326622fe04"}} + # Latest commit on the BoringSSL master branch, as of Sep 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a3eb9ea7e787b7a787b7a6529d181d7e1fdb54e"}} + # Latest commit on the OpenSSL master branch, as of Sep 01, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "60421893a286bb9eb7fb7c2454b84af9778ffca4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 216aef828cd2cf07d1bbb9d0e6a2a2ae9cbe8385 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Sep 2023 11:12:58 +0000 Subject: [PATCH 0403/1014] Bump tibdex/github-app-token from 1.8.0 to 1.8.2 (#9526) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 1.8.2. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](https://github.com/tibdex/github-app-token/compare/b62528385c34dbc9f38e5f4225ac829252d1ea92...0d49dd721133f900ebd5e0dff2810704e8defbc6) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 881e2bc06cf5..3765894b7182 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -51,7 +51,7 @@ jobs: sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml git status if: steps.check-sha-openssl.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0 + - uses: tibdex/github-app-token@0d49dd721133f900ebd5e0dff2810704e8defbc6 # v1.8.2 id: generate-token with: app_id: ${{ secrets.BORINGBOT_APP_ID }} From f31e309a0703bb0b88cde2aaf3b252f0d6e5e6f2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 1 Sep 2023 14:15:39 -0400 Subject: [PATCH 0404/1014] Update comment (#9529) --- tests/wycheproof/test_rsa.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py index 48d20f316a1d..996b3cd52c36 100644 --- a/tests/wycheproof/test_rsa.py +++ b/tests/wycheproof/test_rsa.py @@ -19,7 +19,8 @@ "SHA-256": hashes.SHA256(), "SHA-384": hashes.SHA384(), "SHA-512": hashes.SHA512(), - # Not supported by OpenSSL for RSA signing + # Not supported by OpenSSL<3 for RSA signing. + # Enable these when we require CRYPTOGRAPHY_OPENSSL_300_OR_GREATER "SHA-512/224": None, "SHA-512/256": None, "SHA3-224": hashes.SHA3_224(), From e4d7938733cf2e4668767197e9bedc0c99160b33 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Sep 2023 21:30:44 +0000 Subject: [PATCH 0405/1014] Bump build from 0.10.0 to 1.0.0 (#9530) Bumps [build](https://github.com/pypa/build) from 0.10.0 to 1.0.0. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/0.10.0...1.0.0) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8ee622d50f7f..6d243ea1501d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ black==23.7.0 # via cryptography (pyproject.toml) bleach==6.0.0 # via readme-renderer -build==0.10.0 +build==1.0.0 # via # check-sdist # cryptography (pyproject.toml) From e5f1a7f80f4756854406c6f4d4a2b2d1ee191b8d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Sep 2023 21:34:08 +0000 Subject: [PATCH 0406/1014] Bump ruff from 0.0.286 to 0.0.287 (#9531) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.286 to 0.0.287. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.286...v0.0.287) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6d243ea1501d..aba2591f0240 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.286 +ruff==0.0.287 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 8a5b72dd2734514adac634ade620f9dbdf091de4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 2 Sep 2023 00:18:54 +0000 Subject: [PATCH 0407/1014] Bump BoringSSL and/or OpenSSL in CI (#9532) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db24c53441c3..c54f2345fae9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a3eb9ea7e787b7a787b7a6529d181d7e1fdb54e"}} - # Latest commit on the OpenSSL master branch, as of Sep 01, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "60421893a286bb9eb7fb7c2454b84af9778ffca4"}} + # Latest commit on the BoringSSL master branch, as of Sep 02, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ca49385b168f47a50e7172d82a590b218f55e4d"}} + # Latest commit on the OpenSSL master branch, as of Sep 02, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9ff816106c2b2ccbffe5c4e3619a840547088674"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 3035c855c560296280a8e0492d31d9a3c6cbce5d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 2 Sep 2023 10:44:48 -0400 Subject: [PATCH 0408/1014] Move random functions and types out of lib.rs (#9533) --- src/rust/src/error.rs | 53 ++++++++++++++- src/rust/src/lib.rs | 138 ++-------------------------------------- src/rust/src/padding.rs | 79 +++++++++++++++++++++++ 3 files changed, 137 insertions(+), 133 deletions(-) create mode 100644 src/rust/src/padding.rs diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 6699520cb397..fff5cf756937 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::{exceptions, OpenSSLError}; +use crate::exceptions; use pyo3::ToPyObject; pub enum CryptographyError { @@ -107,6 +107,57 @@ impl CryptographyError { // https://github.com/pyca/cryptography/pull/6173 pub(crate) type CryptographyResult = Result; +#[pyo3::prelude::pyfunction] +pub(crate) fn raise_openssl_error() -> crate::error::CryptographyResult<()> { + Err(openssl::error::ErrorStack::get().into()) +} + +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl")] +pub(crate) struct OpenSSLError { + e: openssl::error::Error, +} + +#[pyo3::pymethods] +impl OpenSSLError { + #[getter] + fn lib(&self) -> i32 { + self.e.library_code() + } + + #[getter] + fn reason(&self) -> i32 { + self.e.reason_code() + } + + #[getter] + fn reason_text(&self) -> &[u8] { + self.e.reason().unwrap_or("").as_bytes() + } + + fn _lib_reason_match(&self, lib: i32, reason: i32) -> bool { + self.e.library_code() == lib && self.e.reason_code() == reason + } + + fn __repr__(&self) -> pyo3::PyResult { + Ok(format!( + "", + self.e.code(), + self.e.library_code(), + self.e.reason_code(), + self.e.reason().unwrap_or("") + )) + } +} + +#[pyo3::prelude::pyfunction] +pub(crate) fn capture_error_stack(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyList> { + let errs = pyo3::types::PyList::empty(py); + for e in openssl::error::ErrorStack::get().errors() { + errs.append(pyo3::PyCell::new(py, OpenSSLError { e: e.clone() })?)?; + } + Ok(errs) +} + #[cfg(test)] mod tests { use super::CryptographyError; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 2da39a5523b9..2216eec8296a 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -10,127 +10,16 @@ mod buf; mod error; mod exceptions; pub(crate) mod oid; +mod padding; mod pkcs7; mod pool; mod x509; -/// Returns the value of the input with the most-significant-bit copied to all -/// of the bits. -fn duplicate_msb_to_all(a: u8) -> u8 { - 0u8.wrapping_sub(a >> 7) -} - -/// This returns 0xFF if a < b else 0x00, but does so in a constant time -/// fashion. -fn constant_time_lt(a: u8, b: u8) -> u8 { - // Derived from: - // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1i/include/internal/constant_time.h#L120 - duplicate_msb_to_all(a ^ ((a ^ b) | (a.wrapping_sub(b) ^ b))) -} - -#[pyo3::prelude::pyfunction] -fn check_pkcs7_padding(data: &[u8]) -> bool { - let mut mismatch = 0; - let pad_size = *data.last().unwrap(); - let len: u8 = data.len().try_into().expect("data too long"); - for (i, b) in (0..len).zip(data.iter().rev()) { - let mask = constant_time_lt(i, pad_size); - mismatch |= mask & (pad_size ^ b); - } - - // Check to make sure the pad_size was within the valid range. - mismatch |= !constant_time_lt(0, pad_size); - mismatch |= constant_time_lt(len, pad_size); - - // Make sure any bits set are copied to the lowest bit - mismatch |= mismatch >> 4; - mismatch |= mismatch >> 2; - mismatch |= mismatch >> 1; - - // Now check the low bit to see if it's set - (mismatch & 1) == 0 -} - -#[pyo3::prelude::pyfunction] -fn check_ansix923_padding(data: &[u8]) -> bool { - let mut mismatch = 0; - let pad_size = *data.last().unwrap(); - let len: u8 = data.len().try_into().expect("data too long"); - // Skip the first one with the pad size - for (i, b) in (1..len).zip(data[..data.len() - 1].iter().rev()) { - let mask = constant_time_lt(i, pad_size); - mismatch |= mask & b; - } - - // Check to make sure the pad_size was within the valid range. - mismatch |= !constant_time_lt(0, pad_size); - mismatch |= constant_time_lt(len, pad_size); - - // Make sure any bits set are copied to the lowest bit - mismatch |= mismatch >> 4; - mismatch |= mismatch >> 2; - mismatch |= mismatch >> 1; - - // Now check the low bit to see if it's set - (mismatch & 1) == 0 -} - #[pyo3::prelude::pyfunction] fn openssl_version() -> i64 { openssl::version::number() } -#[pyo3::prelude::pyfunction] -fn raise_openssl_error() -> crate::error::CryptographyResult<()> { - Err(openssl::error::ErrorStack::get().into()) -} - -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl")] -struct OpenSSLError { - e: openssl::error::Error, -} - -#[pyo3::pymethods] -impl OpenSSLError { - #[getter] - fn lib(&self) -> i32 { - self.e.library_code() - } - - #[getter] - fn reason(&self) -> i32 { - self.e.reason_code() - } - - #[getter] - fn reason_text(&self) -> &[u8] { - self.e.reason().unwrap_or("").as_bytes() - } - - fn _lib_reason_match(&self, lib: i32, reason: i32) -> bool { - self.e.library_code() == lib && self.e.reason_code() == reason - } - - fn __repr__(&self) -> pyo3::PyResult { - Ok(format!( - "", - self.e.code(), - self.e.library_code(), - self.e.reason_code(), - self.e.reason().unwrap_or("") - )) - } -} - -#[pyo3::prelude::pyfunction] -fn capture_error_stack(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyList> { - let errs = pyo3::types::PyList::empty(py); - for e in openssl::error::ErrorStack::get().errors() { - errs.append(pyo3::PyCell::new(py, OpenSSLError { e: e.clone() })?)?; - } - Ok(errs) -} - #[pyo3::prelude::pyfunction] fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() @@ -138,8 +27,8 @@ fn is_fips_enabled() -> bool { #[pyo3::prelude::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { - m.add_function(pyo3::wrap_pyfunction!(check_pkcs7_padding, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(check_ansix923_padding, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(padding::check_ansix923_padding, m)?)?; m.add_class::()?; m.add_class::()?; @@ -165,27 +54,12 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(raise_openssl_error, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(capture_error_stack, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(is_fips_enabled, m)?)?; - openssl_mod.add_class::()?; + openssl_mod.add_class::()?; crate::backend::add_to_module(openssl_mod)?; m.add_submodule(openssl_mod)?; Ok(()) } - -#[cfg(test)] -mod tests { - use super::constant_time_lt; - - #[test] - fn test_constant_time_lt() { - for a in 0..=255 { - for b in 0..=255 { - let expected = if a < b { 0xff } else { 0 }; - assert_eq!(constant_time_lt(a, b), expected); - } - } - } -} diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs new file mode 100644 index 000000000000..523fe85a5718 --- /dev/null +++ b/src/rust/src/padding.rs @@ -0,0 +1,79 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +/// Returns the value of the input with the most-significant-bit copied to all +/// of the bits. +fn duplicate_msb_to_all(a: u8) -> u8 { + 0u8.wrapping_sub(a >> 7) +} + +/// This returns 0xFF if a < b else 0x00, but does so in a constant time +/// fashion. +fn constant_time_lt(a: u8, b: u8) -> u8 { + // Derived from: + // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1i/include/internal/constant_time.h#L120 + duplicate_msb_to_all(a ^ ((a ^ b) | (a.wrapping_sub(b) ^ b))) +} + +#[pyo3::prelude::pyfunction] +pub(crate) fn check_pkcs7_padding(data: &[u8]) -> bool { + let mut mismatch = 0; + let pad_size = *data.last().unwrap(); + let len: u8 = data.len().try_into().expect("data too long"); + for (i, b) in (0..len).zip(data.iter().rev()) { + let mask = constant_time_lt(i, pad_size); + mismatch |= mask & (pad_size ^ b); + } + + // Check to make sure the pad_size was within the valid range. + mismatch |= !constant_time_lt(0, pad_size); + mismatch |= constant_time_lt(len, pad_size); + + // Make sure any bits set are copied to the lowest bit + mismatch |= mismatch >> 4; + mismatch |= mismatch >> 2; + mismatch |= mismatch >> 1; + + // Now check the low bit to see if it's set + (mismatch & 1) == 0 +} + +#[pyo3::prelude::pyfunction] +pub(crate) fn check_ansix923_padding(data: &[u8]) -> bool { + let mut mismatch = 0; + let pad_size = *data.last().unwrap(); + let len: u8 = data.len().try_into().expect("data too long"); + // Skip the first one with the pad size + for (i, b) in (1..len).zip(data[..data.len() - 1].iter().rev()) { + let mask = constant_time_lt(i, pad_size); + mismatch |= mask & b; + } + + // Check to make sure the pad_size was within the valid range. + mismatch |= !constant_time_lt(0, pad_size); + mismatch |= constant_time_lt(len, pad_size); + + // Make sure any bits set are copied to the lowest bit + mismatch |= mismatch >> 4; + mismatch |= mismatch >> 2; + mismatch |= mismatch >> 1; + + // Now check the low bit to see if it's set + (mismatch & 1) == 0 +} + +#[cfg(test)] +mod tests { + use super::constant_time_lt; + + #[test] + fn test_constant_time_lt() { + for a in 0..=255 { + for b in 0..=255 { + let expected = if a < b { 0xff } else { 0 }; + assert_eq!(constant_time_lt(a, b), expected); + } + } + } +} From d3ffff84924d4809a2b61b8830dc2f68c36261f6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 2 Sep 2023 14:19:08 -0400 Subject: [PATCH 0409/1014] Added an abstraction for more easily handling python imports in Rust (#9534) --- src/rust/src/lib.rs | 1 + src/rust/src/pkcs7.rs | 50 ++++++++------------------ src/rust/src/types.rs | 81 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 97 insertions(+), 35 deletions(-) create mode 100644 src/rust/src/types.rs diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 2216eec8296a..af85f373c578 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -13,6 +13,7 @@ pub(crate) mod oid; mod padding; mod pkcs7; mod pool; +pub(crate) mod types; mod x509; #[pyo3::prelude::pyfunction] diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index bc098a9d1367..1acbae457fb3 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -5,7 +5,7 @@ use crate::asn1::encode_der_data; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use crate::x509; +use crate::{types, x509}; use cryptography_x509::csr::Attribute; use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; @@ -77,17 +77,10 @@ fn sign_and_serialize<'p>( encoding: &'p pyo3::PyAny, options: &'p pyo3::types::PyList, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let pkcs7_options = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization.pkcs7" - ))? - .getattr(pyo3::intern!(py, "PKCS7Options"))?; - let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; - let text_mode = options.contains(pkcs7_options.getattr(pyo3::intern!(py, "Text"))?)?; + let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; let (data_with_header, data_without_header) = - if options.contains(pkcs7_options.getattr(pyo3::intern!(py, "Binary"))?)? { + if options.contains(types::PKCS7_BINARY.get(py)?)? { ( Cow::Borrowed(raw_data.as_bytes()), Cow::Borrowed(raw_data.as_bytes()), @@ -126,7 +119,7 @@ fn sign_and_serialize<'p>( .collect::>(); for (cert, py_private_key, py_hash_alg) in &py_signers { let (authenticated_attrs, signature) = if options - .contains(pkcs7_options.getattr(pyo3::intern!(py, "NoAttributes"))?)? + .contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? { ( None, @@ -165,7 +158,7 @@ fn sign_and_serialize<'p>( ])), }); - if !options.contains(pkcs7_options.getattr(pyo3::intern!(py, "NoCapabilities"))?)? { + if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { authenticated_attrs.push(Attribute { type_id: PKCS7_SMIME_CAP_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ @@ -221,13 +214,12 @@ fn sign_and_serialize<'p>( } let data_tlv_bytes; - let content = - if options.contains(pkcs7_options.getattr(pyo3::intern!(py, "DetachedSignature"))?)? { - None - } else { - data_tlv_bytes = asn1::write_single(&data_with_header.deref())?; - Some(asn1::parse_single(&data_tlv_bytes).unwrap()) - }; + let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get(py)?)? { + None + } else { + data_tlv_bytes = asn1::write_single(&data_with_header.deref())?; + Some(asn1::parse_single(&data_tlv_bytes).unwrap()) + }; let signed_data = pkcs7::SignedData { version: 1, @@ -236,7 +228,7 @@ fn sign_and_serialize<'p>( _content_type: asn1::DefinedByMarker::marker(), content: pkcs7::Content::Data(content.map(asn1::Explicit::new)), }, - certificates: if options.contains(pkcs7_options.getattr(pyo3::intern!(py, "NoCerts"))?)? { + certificates: if options.contains(types::PKCS7_NO_CERTS.get(py)?)? { None } else { Some(asn1::SetOfWriter::new(&certs)) @@ -251,26 +243,14 @@ fn sign_and_serialize<'p>( }; let ci_bytes = asn1::write_single(&content_info)?; - let encoding_class = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "Encoding"))?; - - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "SMIME"))?) { + if encoding.is(types::ENCODING_SMIME.get(py)?) { let mic_algs = digest_algs .iter() .map(|d| OIDS_TO_MIC_NAME[&d.oid()]) .collect::>() .join(","); - let smime_encode = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization.pkcs7" - ))? - .getattr(pyo3::intern!(py, "_smime_encode"))?; - Ok(smime_encode + Ok(types::SMIME_ENCODE + .get(py)? .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))? .extract()?) } else { diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs new file mode 100644 index 000000000000..48be7572863b --- /dev/null +++ b/src/rust/src/types.rs @@ -0,0 +1,81 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +pub struct LazyPyImport { + module: &'static str, + names: &'static [&'static str], + value: pyo3::once_cell::GILOnceCell, +} + +impl LazyPyImport { + pub const fn new(module: &'static str, names: &'static [&'static str]) -> LazyPyImport { + LazyPyImport { + module, + names, + value: pyo3::once_cell::GILOnceCell::new(), + } + } + + pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + self.value + .get_or_try_init(py, || { + let mut obj = py.import(self.module)?.getattr(self.names[0])?; + for name in &self.names[1..] { + obj = obj.getattr(*name)?; + } + obj.extract() + }) + .map(|p| p.as_ref(py)) + } +} + +pub static ENCODING_SMIME: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["Encoding", "SMIME"], +); + +pub static PKCS7_BINARY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["PKCS7Options", "Binary"], +); +pub static PKCS7_TEXT: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["PKCS7Options", "Text"], +); +pub static PKCS7_NO_ATTRIBUTES: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["PKCS7Options", "NoAttributes"], +); +pub static PKCS7_NO_CAPABILITIES: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["PKCS7Options", "NoCapabilities"], +); +pub static PKCS7_NO_CERTS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["PKCS7Options", "NoCerts"], +); +pub static PKCS7_DETACHED_SIGNATURE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["PKCS7Options", "DetachedSignature"], +); + +pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["_smime_encode"], +); + +#[cfg(test)] +mod tests { + use super::LazyPyImport; + + #[test] + fn test_basic() { + pyo3::prepare_freethreaded_python(); + + let v = LazyPyImport::new("foo", &["bar"]); + pyo3::Python::with_gil(|py| { + assert!(v.get(py).is_err()); + }); + } +} From 2fccb7f2c6480b66dc39884207b273028dd9fdcf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 2 Sep 2023 21:38:22 +0000 Subject: [PATCH 0410/1014] Bump pytest from 7.4.0 to 7.4.1 (#9536) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.0 to 7.4.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.4.0...7.4.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index aba2591f0240..e47092a758f5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -110,7 +110,7 @@ pygments==2.16.1 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.4.0 +pytest==7.4.1 # via # cryptography (pyproject.toml) # pytest-benchmark From d182176fbfb6f6aeb8856952d36d999c20f456ea Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 3 Sep 2023 00:17:25 +0000 Subject: [PATCH 0411/1014] Bump BoringSSL and/or OpenSSL in CI (#9537) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c54f2345fae9..9fbcb4ede6a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 02, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ca49385b168f47a50e7172d82a590b218f55e4d"}} - # Latest commit on the OpenSSL master branch, as of Sep 02, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9ff816106c2b2ccbffe5c4e3619a840547088674"}} + # Latest commit on the OpenSSL master branch, as of Sep 03, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5318c012885a5382eadbf95aa9c1d35664bca819"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From d7347fbfbe372e68cfe91f7c915eb0c7646891f7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 3 Sep 2023 20:21:39 -0400 Subject: [PATCH 0412/1014] Bump BoringSSL and/or OpenSSL in CI (#9538) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9fbcb4ede6a7..024699078a59 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 02, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ca49385b168f47a50e7172d82a590b218f55e4d"}} - # Latest commit on the OpenSSL master branch, as of Sep 03, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5318c012885a5382eadbf95aa9c1d35664bca819"}} + # Latest commit on the OpenSSL master branch, as of Sep 04, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "12d08fe3a50f28fe80ff591e05d7f8253148afb4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From c67f1b29bc762c62c18c886413fe73cf120488da Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 00:18:17 +0000 Subject: [PATCH 0413/1014] Bump BoringSSL and/or OpenSSL in CI (#9541) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 024699078a59..b7a9384ed842 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 02, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ca49385b168f47a50e7172d82a590b218f55e4d"}} - # Latest commit on the OpenSSL master branch, as of Sep 04, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "12d08fe3a50f28fe80ff591e05d7f8253148afb4"}} + # Latest commit on the OpenSSL master branch, as of Sep 05, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b12c07cfba9651ae80b7020ffe8e634f47581389"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 6cccf916f1a3d1a341d2860bce4a2893ec578ad9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 00:45:46 +0000 Subject: [PATCH 0414/1014] Bump openssl-sys from 0.9.92 to 0.9.93 in /src/rust (#9542) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.92 to 0.9.93. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.92...openssl-sys-v0.9.93) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f1ab498ca6e4..590c25a78d68 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -193,9 +193,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.92" +version = "0.9.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db7e971c2c2bba161b2d2fdf37080177eff520b3bc044787c7f1f5f9e78d869b" +checksum = "db4d56a4c0478783083cfafcc42493dd4a981d41669da64b4572a2a089b51b1d" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index d854c8075bd6..6e408e9b4355 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -16,7 +16,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.57" -openssl-sys = "0.9.92" +openssl-sys = "0.9.93" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e6b9a1e3b996..9c3f2eb86e74 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.19", features = ["abi3-py37"] } -openssl-sys = "0.9.92" +openssl-sys = "0.9.93" [build-dependencies] cc = "1.0.83" From 7c75ff0f68bcdaebb8d5a14406faa68e03c098d6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Sep 2023 22:11:25 -0400 Subject: [PATCH 0415/1014] Update ci.yml (#9527) --- .github/workflows/ci.yml | 2 +- src/rust/src/backend/ed25519.rs | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b7a9384ed842..b2470f14fa95 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.2"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 02, 2023. diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 5a51cd7d8405..4c372a938e3b 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -121,7 +121,8 @@ impl Ed25519PrivateKey { impl Ed25519PublicKey { fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? - .verify_oneshot(signature, data)?; + .verify_oneshot(signature, data) + .unwrap_or(false); if !valid { return Err(CryptographyError::from( From 7df73d37e4de62757b7c084028c83b0ea1f37212 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 5 Sep 2023 17:36:13 -0400 Subject: [PATCH 0416/1014] Continue converting Rust files to new Python import style (#9535) --- src/rust/src/asn1.rs | 12 +- src/rust/src/backend/aead.rs | 6 +- src/rust/src/backend/dh.rs | 78 ++----- src/rust/src/backend/dsa.rs | 78 +++---- src/rust/src/backend/ec.rs | 101 +++----- src/rust/src/backend/hashes.rs | 12 +- src/rust/src/backend/rsa.rs | 115 +++------- src/rust/src/backend/utils.rs | 139 ++++------- src/rust/src/buf.rs | 7 +- src/rust/src/oid.rs | 8 +- src/rust/src/types.rs | 381 ++++++++++++++++++++++++++++++- src/rust/src/x509/certificate.rs | 87 ++----- src/rust/src/x509/common.rs | 113 +++------ src/rust/src/x509/crl.rs | 81 ++----- src/rust/src/x509/csr.rs | 47 +--- src/rust/src/x509/extensions.rs | 11 +- src/rust/src/x509/ocsp_req.rs | 28 +-- src/rust/src/x509/ocsp_resp.rs | 69 ++---- src/rust/src/x509/sct.rs | 44 ++-- src/rust/src/x509/sign.rs | 177 +++----------- 20 files changed, 710 insertions(+), 884 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 93e98f091f69..5d8f2e1a95f2 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -3,6 +3,7 @@ // for complete details. use crate::error::{CryptographyError, CryptographyResult}; +use crate::types; use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; @@ -91,16 +92,9 @@ pub(crate) fn encode_der_data<'p>( data: Vec, encoding: &'p pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let encoding_class = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "Encoding"))?; - - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + if encoding.is(types::ENCODING_DER.get(py)?) { Ok(pyo3::types::PyBytes::new(py, &data)) - } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + } else if encoding.is(types::ENCODING_PEM.get(py)?) { Ok(pyo3::types::PyBytes::new( py, &pem::encode_config( diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index ea583136595b..9dc3395e7140 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -4,7 +4,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{exceptions, types}; fn check_length(data: &[u8]) -> CryptographyResult<()> { if data.len() > (i32::MAX as usize) { @@ -205,9 +205,7 @@ impl AesSiv { )); } - Ok(py - .import(pyo3::intern!(py, "os"))? - .call_method1(pyo3::intern!(py, "urandom"), (bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index cbfd0d374009..12629ecabbd0 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -5,7 +5,7 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; -use crate::x509; +use crate::{types, x509}; use cryptography_x509::common; use foreign_types_shared::ForeignTypeRef; @@ -210,22 +210,16 @@ impl DHPrivateKey { let py_pub_key = utils::bn_to_py_int(py, dh.public_key())?; let py_private_key = utils::bn_to_py_int(py, dh.private_key())?; - let dh_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dh" - ))?; - - let parameter_numbers = - dh_mod.call_method1(pyo3::intern!(py, "DHParameterNumbers"), (py_p, py_g, py_q))?; - let public_numbers = dh_mod.call_method1( - pyo3::intern!(py, "DHPublicNumbers"), - (py_pub_key, parameter_numbers), - )?; - - Ok(dh_mod.call_method1( - pyo3::intern!(py, "DHPrivateNumbers"), - (py_private_key, public_numbers), - )?) + let parameter_numbers = types::DH_PARAMETER_NUMBERS + .get(py)? + .call1((py_p, py_g, py_q))?; + let public_numbers = types::DH_PUBLIC_NUMBERS + .get(py)? + .call1((py_pub_key, parameter_numbers))?; + + Ok(types::DH_PRIVATE_NUMBERS + .get(py)? + .call1((py_private_key, public_numbers))?) } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] @@ -252,13 +246,7 @@ impl DHPrivateKey { format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let private_format_class = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "PrivateFormat"))?; - if !format.is(private_format_class.getattr(pyo3::intern!(py, "PKCS8"))?) { + if !format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH private keys support only PKCS8 serialization", @@ -292,13 +280,7 @@ impl DHPublicKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let public_format_class = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "PublicFormat"))?; - if !format.is(public_format_class.getattr(pyo3::intern!(py, "SubjectPublicKeyInfo"))?) { + if !format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH public keys support only SubjectPublicKeyInfo serialization", @@ -327,18 +309,13 @@ impl DHPublicKey { let py_pub_key = utils::bn_to_py_int(py, dh.public_key())?; - let dh_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dh" - ))?; - - let parameter_numbers = - dh_mod.call_method1(pyo3::intern!(py, "DHParameterNumbers"), (py_p, py_g, py_q))?; + let parameter_numbers = types::DH_PARAMETER_NUMBERS + .get(py)? + .call1((py_p, py_g, py_q))?; - Ok(dh_mod.call_method1( - pyo3::intern!(py, "DHPublicNumbers"), - (py_pub_key, parameter_numbers), - )?) + Ok(types::DH_PUBLIC_NUMBERS + .get(py)? + .call1((py_pub_key, parameter_numbers))?) } fn __richcmp__( @@ -377,12 +354,9 @@ impl DHParameters { .transpose()?; let py_g = utils::bn_to_py_int(py, self.dh.generator())?; - Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dh" - ))? - .call_method1(pyo3::intern!(py, "DHParameterNumbers"), (py_p, py_g, py_q))?) + Ok(types::DH_PARAMETER_NUMBERS + .get(py)? + .call1((py_p, py_g, py_q))?) } fn parameter_bytes<'p>( @@ -391,13 +365,7 @@ impl DHParameters { encoding: &'p pyo3::PyAny, format: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let parameter_format_class = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "ParameterFormat"))?; - if !format.is(parameter_format_class.getattr(pyo3::intern!(py, "PKCS3"))?) { + if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"), )); diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 7d740d281d72..aaa90f9ddcf6 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -4,7 +4,7 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{exceptions, types}; use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass( @@ -122,15 +122,9 @@ impl DsaPrivateKey { data: &pyo3::types::PyBytes, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let (data, _): (&[u8], &pyo3::PyAny) = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.utils" - ))? - .call_method1( - pyo3::intern!(py, "_calculate_digest_and_algorithm"), - (data, algorithm), - )? + let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM + .get(py)? + .call1((data, algorithm))? .extract()?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -173,22 +167,16 @@ impl DsaPrivateKey { let py_pub_key = utils::bn_to_py_int(py, dsa.pub_key())?; let py_private_key = utils::bn_to_py_int(py, dsa.priv_key())?; - let dsa_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dsa" - ))?; - - let parameter_numbers = - dsa_mod.call_method1(pyo3::intern!(py, "DSAParameterNumbers"), (py_p, py_q, py_g))?; - let public_numbers = dsa_mod.call_method1( - pyo3::intern!(py, "DSAPublicNumbers"), - (py_pub_key, parameter_numbers), - )?; - - Ok(dsa_mod.call_method1( - pyo3::intern!(py, "DSAPrivateNumbers"), - (py_private_key, public_numbers), - )?) + let parameter_numbers = types::DSA_PARAMETER_NUMBERS + .get(py)? + .call1((py_p, py_q, py_g))?; + let public_numbers = types::DSA_PUBLIC_NUMBERS + .get(py)? + .call1((py_pub_key, parameter_numbers))?; + + Ok(types::DSA_PRIVATE_NUMBERS + .get(py)? + .call1((py_private_key, public_numbers))?) } fn private_bytes<'p>( @@ -220,15 +208,9 @@ impl DsaPublicKey { data: &pyo3::types::PyBytes, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, _): (&[u8], &pyo3::PyAny) = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.utils" - ))? - .call_method1( - pyo3::intern!(py, "_calculate_digest_and_algorithm"), - (data, algorithm), - )? + let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM + .get(py)? + .call1((data, algorithm))? .extract()?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -262,17 +244,12 @@ impl DsaPublicKey { let py_pub_key = utils::bn_to_py_int(py, dsa.pub_key())?; - let dsa_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dsa" - ))?; - - let parameter_numbers = - dsa_mod.call_method1(pyo3::intern!(py, "DSAParameterNumbers"), (py_p, py_q, py_g))?; - Ok(dsa_mod.call_method1( - pyo3::intern!(py, "DSAPublicNumbers"), - (py_pub_key, parameter_numbers), - )?) + let parameter_numbers = types::DSA_PARAMETER_NUMBERS + .get(py)? + .call1((py_p, py_q, py_g))?; + Ok(types::DSA_PUBLIC_NUMBERS + .get(py)? + .call1((py_pub_key, parameter_numbers))?) } fn public_bytes<'p>( @@ -314,12 +291,9 @@ impl DsaParameters { let py_q = utils::bn_to_py_int(py, self.dsa.q())?; let py_g = utils::bn_to_py_int(py, self.dsa.g())?; - let dsa_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dsa" - ))?; - - Ok(dsa_mod.call_method1(pyo3::intern!(py, "DSAParameterNumbers"), (py_p, py_q, py_g))?) + Ok(types::DSA_PARAMETER_NUMBERS + .get(py)? + .call1((py_p, py_q, py_g))?) } } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 8057f5303b67..f0f4e5c735be 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -4,7 +4,7 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{exceptions, types}; use foreign_types_shared::ForeignTypeRef; use pyo3::basic::CompareOp; use pyo3::ToPyObject; @@ -91,12 +91,8 @@ fn py_curve_from_curve<'p>( )); } - Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "_CURVE_TYPES"))? + Ok(types::CURVE_TYPES + .get(py)? .extract::<&pyo3::types::PyDict>()? .get_item(name) .ok_or_else(|| { @@ -310,15 +306,7 @@ impl ECPrivateKey { algorithm: &pyo3::PyAny, public_key: &ECPublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let ecdh_class: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "ECDH"))? - .extract()?; - - if !algorithm.is_instance(ecdh_class)? { + if !algorithm.is_instance(types::ECDH.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported EC exchange algorithm", @@ -356,15 +344,7 @@ impl ECPrivateKey { data: &pyo3::types::PyBytes, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let ecdsa_class: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "ECDSA"))? - .extract()?; - - if !algorithm.is_instance(ecdsa_class)? { + if !algorithm.is_instance(types::ECDSA.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -373,15 +353,9 @@ impl ECPrivateKey { )); } - let (data, _): (&[u8], &pyo3::PyAny) = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.utils" - ))? - .call_method1( - pyo3::intern!(py, "_calculate_digest_and_algorithm"), - (data, algorithm.getattr(pyo3::intern!(py, "algorithm"))?), - )? + let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM + .get(py)? + .call1((data, algorithm.getattr(pyo3::intern!(py, "algorithm"))?))? .extract()?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -419,20 +393,15 @@ impl ECPrivateKey { let py_private_key = utils::bn_to_py_int(py, ec.private_key())?; - let ec_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" + let public_numbers = types::ELLIPTIC_CURVE_PUBLIC_NUMBERS.get(py)?.call1(( + py_x, + py_y, + self.curve.clone_ref(py), ))?; - let public_numbers = ec_mod.call_method1( - pyo3::intern!(py, "EllipticCurvePublicNumbers"), - (py_x, py_y, self.curve.clone_ref(py)), - )?; - - Ok(ec_mod.call_method1( - pyo3::intern!(py, "EllipticCurvePrivateNumbers"), - (py_private_key, public_numbers), - )?) + Ok(types::ELLIPTIC_CURVE_PRIVATE_NUMBERS + .get(py)? + .call1((py_private_key, public_numbers))?) } fn private_bytes<'p>( @@ -469,15 +438,7 @@ impl ECPublicKey { data: &pyo3::types::PyBytes, signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let ecdsa_class: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "ECDSA"))? - .extract()?; - - if !signature_algorithm.is_instance(ecdsa_class)? { + if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -486,18 +447,12 @@ impl ECPublicKey { )); } - let (data, _): (&[u8], &pyo3::PyAny) = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.utils" + let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM + .get(py)? + .call1(( + data, + signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, ))? - .call_method1( - pyo3::intern!(py, "_calculate_digest_and_algorithm"), - ( - data, - signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, - ), - )? .extract()?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -523,15 +478,11 @@ impl ECPublicKey { let py_x = utils::bn_to_py_int(py, &x)?; let py_y = utils::bn_to_py_int(py, &y)?; - let ec_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))?; - - Ok(ec_mod.call_method1( - pyo3::intern!(py, "EllipticCurvePublicNumbers"), - (py_x, py_y, self.curve.clone_ref(py)), - )?) + Ok(types::ELLIPTIC_CURVE_PUBLIC_NUMBERS.get(py)?.call1(( + py_x, + py_y, + self.curve.clone_ref(py), + ))?) } fn public_bytes<'p>( diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index 8da7fa53a365..f315761f26dd 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -4,7 +4,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{exceptions, types}; use std::borrow::Cow; #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.hashes")] @@ -40,10 +40,7 @@ pub(crate) fn message_digest_from_algorithm( py: pyo3::Python<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult { - let hash_algorithm_class = py - .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? - .getattr(pyo3::intern!(py, "HashAlgorithm"))?; - if !algorithm.is_instance(hash_algorithm_class)? { + if !algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err("Expected instance of hashes.HashAlgorithm."), )); @@ -109,12 +106,9 @@ impl Hash { ) -> CryptographyResult<&'p pyo3::types::PyBytes> { #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] { - let xof_class = py - .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? - .getattr(pyo3::intern!(py, "ExtendableOutputFunction"))?; let algorithm = self.algorithm.clone_ref(py); let algorithm = algorithm.as_ref(py); - if algorithm.is_instance(xof_class)? { + if algorithm.is_instance(types::EXTENDABLE_OUTPUT_FUNCTION.get(py)?)? { let ctx = self.get_mut_ctx()?; let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 70e8b4a2b420..7e068be1a552 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -4,7 +4,7 @@ use crate::backend::{hashes, utils}; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{exceptions, types}; use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass( @@ -120,20 +120,7 @@ fn setup_encryption_ctx( ctx: &mut openssl::pkey_ctx::PkeyCtx, padding: &pyo3::PyAny, ) -> CryptographyResult<()> { - let padding_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))?; - let asymmetric_padding_class = padding_mod - .getattr(pyo3::intern!(py, "AsymmetricPadding"))? - .extract()?; - let pkcs1_class = padding_mod - .getattr(pyo3::intern!(py, "PKCS1v15"))? - .extract()?; - let oaep_class = padding_mod.getattr(pyo3::intern!(py, "OAEP"))?.extract()?; - let mgf1_class = padding_mod.getattr(pyo3::intern!(py, "MGF1"))?.extract()?; - - if !padding.is_instance(asymmetric_padding_class)? { + if !padding.is_instance(types::ASYMMETRIC_PADDING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", @@ -141,12 +128,12 @@ fn setup_encryption_ctx( )); } - let padding_enum = if padding.is_instance(pkcs1_class)? { + let padding_enum = if padding.is_instance(types::PKCS1V15.get(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(oaep_class)? { + } else if padding.is_instance(types::OAEP.get(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(mgf1_class)? + .is_instance(types::MGF1.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -216,22 +203,7 @@ fn setup_signature_ctx( key_size: usize, is_signing: bool, ) -> CryptographyResult<()> { - let padding_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))?; - let asymmetric_padding_class = padding_mod.getattr(pyo3::intern!(py, "AsymmetricPadding"))?; - let pkcs1_class = padding_mod.getattr(pyo3::intern!(py, "PKCS1v15"))?; - let pss_class = padding_mod.getattr(pyo3::intern!(py, "PSS"))?.extract()?; - let max_length_class = padding_mod.getattr(pyo3::intern!(py, "_MaxLength"))?; - let digest_length_class = padding_mod.getattr(pyo3::intern!(py, "_DigestLength"))?; - let auto_class = padding_mod.getattr(pyo3::intern!(py, "_Auto"))?; - let mgf1_class = padding_mod.getattr(pyo3::intern!(py, "MGF1"))?; - let hash_algorithm_class = py - .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? - .getattr(pyo3::intern!(py, "HashAlgorithm"))?; - - if !padding.is_instance(asymmetric_padding_class)? { + if !padding.is_instance(types::ASYMMETRIC_PADDING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", @@ -239,12 +211,12 @@ fn setup_signature_ctx( )); } - let padding_enum = if padding.is_instance(pkcs1_class)? { + let padding_enum = if padding.is_instance(types::PKCS1V15.get(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(pss_class)? { + } else if padding.is_instance(types::PSS.get(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(mgf1_class)? + .is_instance(types::MGF1.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -255,7 +227,7 @@ fn setup_signature_ctx( } // PSS padding requires a hash algorithm - if !algorithm.is_instance(hash_algorithm_class)? { + if !algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of hashes.HashAlgorithm.", @@ -316,11 +288,11 @@ fn setup_signature_ctx( if padding_enum == openssl::rsa::Padding::PKCS1_PSS { let salt = padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if salt.is_instance(max_length_class)? { + if salt.is_instance(types::PADDING_MAX_LENGTH.get(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::MAXIMUM_LENGTH)?; - } else if salt.is_instance(digest_length_class)? { + } else if salt.is_instance(types::PADDING_DIGEST_LENGTH.get(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?; - } else if salt.is_instance(auto_class)? { + } else if salt.is_instance(types::PADDING_AUTO.get(py)?)? { if is_signing { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -353,15 +325,9 @@ impl RsaPrivateKey { padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::PyAny> { - let (data, algorithm): (&[u8], &pyo3::PyAny) = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.utils" - ))? - .call_method1( - pyo3::intern!(py, "_calculate_digest_and_algorithm"), - (data, algorithm), - )? + let (data, algorithm): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM + .get(py)? + .call1((data, algorithm))? .extract()?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -456,17 +422,16 @@ impl RsaPrivateKey { let py_e = utils::bn_to_py_int(py, rsa.e())?; let py_n = utils::bn_to_py_int(py, rsa.n())?; - let rsa_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.rsa" - ))?; - - let public_numbers = - rsa_mod.call_method1(pyo3::intern!(py, "RSAPublicNumbers"), (py_e, py_n))?; - Ok(rsa_mod.call_method1( - pyo3::intern!(py, "RSAPrivateNumbers"), - (py_p, py_q, py_d, py_dmp1, py_dmq1, py_iqmp, public_numbers), - )?) + let public_numbers = types::RSA_PUBLIC_NUMBERS.get(py)?.call1((py_e, py_n))?; + Ok(types::RSA_PRIVATE_NUMBERS.get(py)?.call1(( + py_p, + py_q, + py_d, + py_dmp1, + py_dmq1, + py_iqmp, + public_numbers, + ))?) } fn private_bytes<'p>( @@ -499,15 +464,9 @@ impl RsaPublicKey { padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, algorithm): (&[u8], &pyo3::PyAny) = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.utils" - ))? - .call_method1( - pyo3::intern!(py, "_calculate_digest_and_algorithm"), - (data, algorithm), - )? + let (data, algorithm): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM + .get(py)? + .call1((data, algorithm))? .extract()?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -552,14 +511,7 @@ impl RsaPublicKey { padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let prehashed_class = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.utils" - ))? - .getattr(pyo3::intern!(py, "Prehashed"))?; - - if algorithm.is_instance(prehashed_class)? { + if algorithm.is_instance(types::PREHASHED.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.", @@ -591,12 +543,7 @@ impl RsaPublicKey { let py_e = utils::bn_to_py_int(py, rsa.e())?; let py_n = utils::bn_to_py_int(py, rsa.n())?; - let rsa_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.rsa" - ))?; - - Ok(rsa_mod.call_method1(pyo3::intern!(py, "RSAPublicNumbers"), (py_e, py_n))?) + Ok(types::RSA_PUBLIC_NUMBERS.get(py)?.call1((py_e, py_n))?) } fn public_bytes<'p>( diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index a2679cddedcf..6c387cbbb1f6 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -3,6 +3,7 @@ // for complete details. use crate::error::{CryptographyError, CryptographyResult}; +use crate::types; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -48,44 +49,21 @@ pub(crate) fn pkey_private_bytes<'p>( openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let serialization_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))?; - let encoding_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "Encoding"))? - .extract()?; - let private_format_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "PrivateFormat"))? - .extract()?; - let key_serialization_encryption_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "KeySerializationEncryption"))? - .extract()?; - let no_encryption_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "NoEncryption"))? - .extract()?; - let best_available_encryption_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "BestAvailableEncryption"))? - .extract()?; - let encryption_builder_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "_KeySerializationEncryption"))? - .extract()?; - - if !encoding.is_instance(encoding_class)? { + if !encoding.is_instance(types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(private_format_class)? { + if !format.is_instance(types::PRIVATE_FORMAT.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PrivateFormat enum", ), )); } - if !encryption_algorithm.is_instance(key_serialization_encryption_class)? { + if !encryption_algorithm.is_instance(types::KEY_SERIALIZATION_ENCRYPTION.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Encryption algorithm must be a KeySerializationEncryption instance", @@ -95,12 +73,12 @@ pub(crate) fn pkey_private_bytes<'p>( #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] if raw_allowed - && (encoding.is(encoding_class.getattr(pyo3::intern!(py, "Raw"))?) - || format.is(private_format_class.getattr(pyo3::intern!(py, "Raw"))?)) + && (encoding.is(types::ENCODING_RAW.get(py)?) + || format.is(types::PRIVATE_FORMAT_RAW.get(py)?)) { - if !encoding.is(encoding_class.getattr(pyo3::intern!(py, "Raw"))?) - || !format.is(private_format_class.getattr(pyo3::intern!(py, "Raw"))?) - || !encryption_algorithm.is_instance(no_encryption_class)? + if !encoding.is(types::ENCODING_RAW.get(py)?) + || !format.is(types::PRIVATE_FORMAT_RAW.get(py)?) + || !encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "When using Raw both encoding and format must be Raw and encryption_algorithm must be NoEncryption()" @@ -110,10 +88,10 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new(py, &raw_bytes)); } - let password = if encryption_algorithm.is_instance(no_encryption_class)? { + let password = if encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? { b"" - } else if encryption_algorithm.is_instance(best_available_encryption_class)? - || (encryption_algorithm.is_instance(encryption_builder_class)? + } else if encryption_algorithm.is_instance(types::BEST_AVAILABLE_ENCRYPTION.get(py)?)? + || (encryption_algorithm.is_instance(types::ENCRYPTION_BUILDER.get(py)?)? && encryption_algorithm .getattr(pyo3::intern!(py, "_format"))? .is(format)) @@ -135,8 +113,8 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(private_format_class.getattr(pyo3::intern!(py, "PKCS8"))?) { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + if format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { + if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { pkey.private_key_to_pem_pkcs8()? } else { @@ -146,7 +124,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); - } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? } else { @@ -162,9 +140,9 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(private_format_class.getattr(pyo3::intern!(py, "TraditionalOpenSSL"))?) { + if format.is(types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { if let Ok(rsa) = pkey.rsa() { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { rsa.private_key_to_pem()? } else { @@ -174,7 +152,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); - } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -187,7 +165,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { dsa.private_key_to_pem()? } else { @@ -197,7 +175,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); - } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -210,7 +188,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { ec.private_key_to_pem()? } else { @@ -220,7 +198,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); - } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -236,17 +214,11 @@ pub(crate) fn pkey_private_bytes<'p>( } // OpenSSH + PEM - if openssh_allowed && format.is(private_format_class.getattr(pyo3::intern!(py, "OpenSSH"))?) { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { - return Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization.ssh" - ))? - .call_method1( - pyo3::intern!(py, "_serialize_ssh_private_key"), - (key_obj, password, encryption_algorithm), - )? + if openssh_allowed && format.is(types::PRIVATE_FORMAT_OPENSSH.get(py)?) { + if encoding.is(types::ENCODING_PEM.get(py)?) { + return Ok(types::SERIALIZE_SSH_PRIVATE_KEY + .get(py)? + .call1((key_obj, password, encryption_algorithm))? .extract()?); } @@ -271,25 +243,14 @@ pub(crate) fn pkey_public_bytes<'p>( openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let serialization_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))?; - let encoding_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "Encoding"))? - .extract()?; - let public_format_class: &pyo3::types::PyType = serialization_mod - .getattr(pyo3::intern!(py, "PublicFormat"))? - .extract()?; - - if !encoding.is_instance(encoding_class)? { + if !encoding.is_instance(types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(public_format_class)? { + if !format.is_instance(types::PUBLIC_FORMAT.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PublicFormat enum", @@ -299,11 +260,11 @@ pub(crate) fn pkey_public_bytes<'p>( #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] if raw_allowed - && (encoding.is(encoding_class.getattr(pyo3::intern!(py, "Raw"))?) - || format.is(public_format_class.getattr(pyo3::intern!(py, "Raw"))?)) + && (encoding.is(types::ENCODING_RAW.get(py)?) + || format.is(types::PUBLIC_FORMAT_RAW.get(py)?)) { - if !encoding.is(encoding_class.getattr(pyo3::intern!(py, "Raw"))?) - || !format.is(public_format_class.getattr(pyo3::intern!(py, "Raw"))?) + if !encoding.is(types::ENCODING_RAW.get(py)?) + || !format.is(types::PUBLIC_FORMAT_RAW.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -316,11 +277,11 @@ pub(crate) fn pkey_public_bytes<'p>( } // SubjectPublicKeyInfo + PEM/DER - if format.is(public_format_class.getattr(pyo3::intern!(py, "SubjectPublicKeyInfo"))?) { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + if format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { + if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = pkey.public_key_to_pem()?; return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); - } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = pkey.public_key_to_der()?; return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } @@ -332,13 +293,10 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(ec) = pkey.ec_key() { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "X962"))?) { - let point_form = if format - .is(public_format_class.getattr(pyo3::intern!(py, "UncompressedPoint"))?) - { + if encoding.is(types::ENCODING_X962.get(py)?) { + let point_form = if format.is(types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get(py)?) { openssl::ec::PointConversionForm::UNCOMPRESSED - } else if format.is(public_format_class.getattr(pyo3::intern!(py, "CompressedPoint"))?) - { + } else if format.is(types::PUBLIC_FORMAT_COMPRESSED_POINT.get(py)?) { openssl::ec::PointConversionForm::COMPRESSED } else { return Err(CryptographyError::from( @@ -356,11 +314,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(rsa) = pkey.rsa() { - if format.is(public_format_class.getattr(pyo3::intern!(py, "PKCS1"))?) { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "PEM"))?) { + if format.is(types::PUBLIC_FORMAT_PKCS1.get(py)?) { + if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); - } else if encoding.is(encoding_class.getattr(pyo3::intern!(py, "DER"))?) { + } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); } @@ -373,14 +331,11 @@ pub(crate) fn pkey_public_bytes<'p>( } // OpenSSH + OpenSSH - if openssh_allowed && format.is(public_format_class.getattr(pyo3::intern!(py, "OpenSSH"))?) { - if encoding.is(encoding_class.getattr(pyo3::intern!(py, "OpenSSH"))?) { - return Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization.ssh" - ))? - .call_method1(pyo3::intern!(py, "serialize_ssh_public_key"), (key_obj,))? + if openssh_allowed && format.is(types::PUBLIC_FORMAT_OPENSSH.get(py)?) { + if encoding.is(types::ENCODING_OPENSSH.get(py)?) { + return Ok(types::SERIALIZE_SSH_PUBLIC_KEY + .get(py)? + .call1((key_obj,))? .extract()?); } diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index b7afcf047da4..0a39a80f4341 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::types; use std::{ptr, slice}; pub(crate) struct CffiBuf<'p> { @@ -20,9 +21,9 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { let py = pyobj.py(); - let (bufobj, ptrval): (&pyo3::PyAny, usize) = py - .import(pyo3::intern!(py, "cryptography.utils"))? - .call_method1(pyo3::intern!(py, "_extract_buffer_length"), (pyobj,))? + let (bufobj, ptrval): (&pyo3::PyAny, usize) = types::EXTRACT_BUFFER_LENGTH + .get(py)? + .call1((pyobj,))? .extract()?; let len = bufobj.len()?; diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index fd7b17cf9183..9dbf63ed46aa 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -3,6 +3,7 @@ // for complete details. use crate::error::CryptographyResult; +use crate::types; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -30,10 +31,9 @@ impl ObjectIdentifier { slf: pyo3::PyRef<'_, Self>, py: pyo3::Python<'p>, ) -> pyo3::PyResult<&'p pyo3::PyAny> { - let oid_names = py - .import(pyo3::intern!(py, "cryptography.hazmat._oid"))? - .getattr(pyo3::intern!(py, "_OID_NAMES"))?; - oid_names.call_method1(pyo3::intern!(py, "get"), (slf, "Unknown OID")) + types::OID_NAMES + .get(py)? + .call_method1(pyo3::intern!(py, "get"), (slf, "Unknown OID")) } fn __deepcopy__(slf: pyo3::PyRef<'_, Self>, _memo: pyo3::PyObject) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 48be7572863b..09968c338c37 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -20,8 +20,8 @@ impl LazyPyImport { pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { self.value .get_or_try_init(py, || { - let mut obj = py.import(self.module)?.getattr(self.names[0])?; - for name in &self.names[1..] { + let mut obj = py.import(self.module)?.as_ref(); + for name in self.names { obj = obj.getattr(*name)?; } obj.extract() @@ -30,10 +30,229 @@ impl LazyPyImport { } } +pub static DATETIME_DATETIME: LazyPyImport = LazyPyImport::new("datetime", &["datetime"]); +pub static DATETIME_TIMEZONE_UTC: LazyPyImport = + LazyPyImport::new("datetime", &["timezone", "utc"]); +pub static IPADDRESS_IPADDRESS: LazyPyImport = LazyPyImport::new("ipaddress", &["ip_address"]); +pub static IPADDRESS_IPNETWORK: LazyPyImport = LazyPyImport::new("ipaddress", &["ip_network"]); +pub static OS_URANDOM: LazyPyImport = LazyPyImport::new("os", &["urandom"]); + +pub static DEPRECATED_IN_36: LazyPyImport = + LazyPyImport::new("cryptography.utils", &["DeprecatedIn36"]); +pub static DEPRECATED_IN_41: LazyPyImport = + LazyPyImport::new("cryptography.utils", &["DeprecatedIn41"]); + +pub static LOAD_DER_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["load_der_public_key"], +); + +pub static ENCODING: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["Encoding"], +); +pub static ENCODING_DER: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["Encoding", "DER"], +); +pub static ENCODING_OPENSSH: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["Encoding", "OpenSSH"], +); +pub static ENCODING_PEM: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["Encoding", "PEM"], +); +pub static ENCODING_RAW: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["Encoding", "Raw"], +); pub static ENCODING_SMIME: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", &["Encoding", "SMIME"], ); +pub static ENCODING_X962: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["Encoding", "X962"], +); + +pub static PRIVATE_FORMAT: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PrivateFormat"], +); +pub static PRIVATE_FORMAT_OPENSSH: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PrivateFormat", "OpenSSH"], +); +pub static PRIVATE_FORMAT_PKCS8: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PrivateFormat", "PKCS8"], +); +pub static PRIVATE_FORMAT_RAW: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PrivateFormat", "Raw"], +); +pub static PRIVATE_FORMAT_TRADITIONAL_OPENSSL: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PrivateFormat", "TraditionalOpenSSL"], +); + +pub static PUBLIC_FORMAT: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PublicFormat"], +); +pub static PUBLIC_FORMAT_COMPRESSED_POINT: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PublicFormat", "CompressedPoint"], +); +pub static PUBLIC_FORMAT_OPENSSH: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PublicFormat", "OpenSSH"], +); +pub static PUBLIC_FORMAT_PKCS1: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PublicFormat", "PKCS1"], +); +pub static PUBLIC_FORMAT_RAW: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PublicFormat", "Raw"], +); +pub static PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PublicFormat", "SubjectPublicKeyInfo"], +); +pub static PUBLIC_FORMAT_UNCOMPRESSED_POINT: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PublicFormat", "UncompressedPoint"], +); + +pub static PARAMETER_FORMAT_PKCS3: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["ParameterFormat", "PKCS3"], +); + +pub static KEY_SERIALIZATION_ENCRYPTION: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["KeySerializationEncryption"], +); +pub static NO_ENCRYPTION: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["NoEncryption"], +); +pub static BEST_AVAILABLE_ENCRYPTION: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["BestAvailableEncryption"], +); +pub static ENCRYPTION_BUILDER: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["_KeySerializationEncryption"], +); + +pub static SERIALIZE_SSH_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.ssh", + &["_serialize_ssh_private_key"], +); +pub static SERIALIZE_SSH_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.ssh", + &["serialize_ssh_public_key"], +); + +pub static SIG_OIDS_TO_HASH: LazyPyImport = + LazyPyImport::new("cryptography.hazmat._oid", &["_SIG_OIDS_TO_HASH"]); +pub static OID_NAMES: LazyPyImport = LazyPyImport::new("cryptography.hazmat._oid", &["_OID_NAMES"]); + +pub static REASON_FLAGS: LazyPyImport = LazyPyImport::new("cryptography.x509", &["ReasonFlags"]); +pub static ATTRIBUTE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Attribute"]); +pub static ATTRIBUTES: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Attributes"]); + +pub static CRL_NUMBER: LazyPyImport = LazyPyImport::new("cryptography.x509", &["CRLNumber"]); +pub static DELTA_CRL_INDICATOR: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["DeltaCRLIndicator"]); +pub static ISSUER_ALTERNATIVE_NAME: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["IssuerAlternativeName"]); +pub static AUTHORITY_INFORMATION_ACCESS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["AuthorityInformationAccess"]); +pub static ISSUING_DISTRIBUTION_POINT: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["IssuingDistributionPoint"]); +pub static FRESHEST_CRL: LazyPyImport = LazyPyImport::new("cryptography.x509", &["FreshestCRL"]); +pub static CRL_REASON: LazyPyImport = LazyPyImport::new("cryptography.x509", &["CRLReason"]); +pub static CERTIFICATE_ISSUER: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["CertificateIssuer"]); +pub static INVALIDITY_DATE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["InvalidityDate"]); +pub static OCSP_NONCE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OCSPNonce"]); +pub static OCSP_ACCEPTABLE_RESPONSES: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["OCSPAcceptableResponses"]); +pub static SIGNED_CERTIFICATE_TIMESTAMPS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["SignedCertificateTimestamps"]); +pub static PRECERT_POISON: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["PrecertPoison"]); +pub static PRECERTIFICATE_SIGNED_CERTIFICATE_TIMESTAMPS: LazyPyImport = LazyPyImport::new( + "cryptography.x509", + &["PrecertificateSignedCertificateTimestamps"], +); +pub static DISTRIBUTION_POINT: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["DistributionPoint"]); +pub static ACCESS_DESCRIPTION: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["AccessDescription"]); +pub static AUTHORITY_KEY_IDENTIFIER: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["AuthorityKeyIdentifier"]); +pub static UNRECOGNIZED_EXTENSION: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["UnrecognizedExtension"]); +pub static EXTENSION: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Extension"]); +pub static EXTENSIONS: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Extensions"]); +pub static IPADDRESS: LazyPyImport = LazyPyImport::new("cryptography.x509", &["IPAddress"]); +pub static NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Name"]); +pub static RELATIVE_DISTINGUISHED_NAME: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["RelativeDistinguishedName"]); +pub static NAME_ATTRIBUTE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["NameAttribute"]); + +pub static CRL_REASON_FLAGS: LazyPyImport = + LazyPyImport::new("cryptography.x509.extensions", &["_CRLREASONFLAGS"]); +pub static REASON_BIT_MAPPING: LazyPyImport = + LazyPyImport::new("cryptography.x509.extensions", &["_REASON_BIT_MAPPING"]); +pub static TLS_FEATURE_TYPE_TO_ENUM: LazyPyImport = LazyPyImport::new( + "cryptography.x509.extensions", + &["_TLS_FEATURE_TYPE_TO_ENUM"], +); + +pub static OCSP_RESPONSE_STATUS: LazyPyImport = + LazyPyImport::new("cryptography.x509.ocsp", &["OCSPResponseStatus"]); +pub static OCSP_CERT_STATUS: LazyPyImport = + LazyPyImport::new("cryptography.x509.ocsp", &["OCSPCertStatus"]); +pub static OCSP_CERT_STATUS_GOOD: LazyPyImport = + LazyPyImport::new("cryptography.x509.ocsp", &["OCSPCertStatus", "GOOD"]); +pub static OCSP_CERT_STATUS_UNKNOWN: LazyPyImport = + LazyPyImport::new("cryptography.x509.ocsp", &["OCSPCertStatus", "UNKNOWN"]); +pub static OCSP_RESPONDER_ENCODING_HASH: LazyPyImport = + LazyPyImport::new("cryptography.x509.ocsp", &["OCSPResponderEncoding", "HASH"]); + +pub static CERTIFICATE_TRANSPARENCY_VERSION_V1: LazyPyImport = LazyPyImport::new( + "cryptography.x509.certificate_transparency", + &["Version", "v1"], +); +pub static SIGNATURE_ALGORITHM: LazyPyImport = LazyPyImport::new( + "cryptography.x509.certificate_transparency", + &["SignatureAlgorithm"], +); +pub static LOG_ENTRY_TYPE_X509_CERTIFICATE: LazyPyImport = LazyPyImport::new( + "cryptography.x509.certificate_transparency", + &["LogEntryType", "X509_CERTIFICATE"], +); +pub static LOG_ENTRY_TYPE_PRE_CERTIFICATE: LazyPyImport = LazyPyImport::new( + "cryptography.x509.certificate_transparency", + &["LogEntryType", "PRE_CERTIFICATE"], +); + +pub static ASN1_TYPE_TO_ENUM: LazyPyImport = + LazyPyImport::new("cryptography.x509.name", &["_ASN1_TYPE_TO_ENUM"]); +pub static ASN1_TYPE_BIT_STRING: LazyPyImport = + LazyPyImport::new("cryptography.x509.name", &["_ASN1Type", "BitString"]); +pub static ASN1_TYPE_BMP_STRING: LazyPyImport = + LazyPyImport::new("cryptography.x509.name", &["_ASN1Type", "BMPString"]); +pub static ASN1_TYPE_UNIVERSAL_STRING: LazyPyImport = + LazyPyImport::new("cryptography.x509.name", &["_ASN1Type", "UniversalString"]); pub static PKCS7_BINARY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.pkcs7", @@ -65,6 +284,164 @@ pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( &["_smime_encode"], ); +pub static HASHES_MODULE: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.hashes", &[]); +pub static HASH_ALGORITHM: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["HashAlgorithm"]); +pub static EXTENDABLE_OUTPUT_FUNCTION: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.hashes", + &["ExtendableOutputFunction"], +); +pub static SHA1: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["SHA1"]); + +pub static PREHASHED: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.utils", + &["Prehashed"], +); +pub static ASYMMETRIC_PADDING: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["AsymmetricPadding"], +); +pub static PADDING_AUTO: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["_Auto"], +); +pub static PADDING_MAX_LENGTH: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["_MaxLength"], +); +pub static PADDING_DIGEST_LENGTH: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["_DigestLength"], +); +pub static PKCS1V15: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["PKCS1v15"], +); +pub static PSS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["PSS"], +); +pub static OAEP: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["OAEP"], +); +pub static MGF1: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["MGF1"], +); +pub static CALCULATE_MAX_PSS_SALT_LENGTH: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.padding", + &["calculate_max_pss_salt_length"], +); + +pub static CRL_ENTRY_REASON_ENUM_TO_CODE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.backends.openssl.decode_asn1", + &["_CRL_ENTRY_REASON_ENUM_TO_CODE"], +); +pub static CALCULATE_DIGEST_AND_ALGORITHM: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.backends.openssl.utils", + &["_calculate_digest_and_algorithm"], +); + +pub static RSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.rsa", + &["RSAPrivateKey"], +); +pub static RSA_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.rsa", + &["RSAPublicKey"], +); +pub static RSA_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.rsa", + &["RSAPublicNumbers"], +); +pub static RSA_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.rsa", + &["RSAPrivateNumbers"], +); + +pub static ELLIPTIC_CURVE_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ec", + &["EllipticCurvePrivateKey"], +); +pub static ELLIPTIC_CURVE_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ec", + &["EllipticCurvePublicKey"], +); +pub static CURVE_TYPES: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ec", + &["_CURVE_TYPES"], +); +pub static ECDSA: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.asymmetric.ec", &["ECDSA"]); +pub static ECDH: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.asymmetric.ec", &["ECDH"]); +pub static ELLIPTIC_CURVE_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ec", + &["EllipticCurvePublicNumbers"], +); +pub static ELLIPTIC_CURVE_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ec", + &["EllipticCurvePrivateNumbers"], +); + +pub static ED25519_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ed25519", + &["Ed25519PrivateKey"], +); +pub static ED25519_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ed25519", + &["Ed25519PublicKey"], +); + +pub static ED448_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ed448", + &["Ed448PrivateKey"], +); +pub static ED448_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ed448", + &["Ed448PublicKey"], +); + +pub static DH_PARAMETER_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dh", + &["DHParameterNumbers"], +); +pub static DH_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dh", + &["DHPublicNumbers"], +); +pub static DH_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dh", + &["DHPrivateNumbers"], +); + +pub static DSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dsa", + &["DSAPrivateKey"], +); +pub static DSA_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dsa", + &["DSAPublicKey"], +); +pub static DSA_PARAMETER_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dsa", + &["DSAParameterNumbers"], +); +pub static DSA_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dsa", + &["DSAPublicNumbers"], +); +pub static DSA_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.dsa", + &["DSAPrivateNumbers"], +); + +pub static EXTRACT_BUFFER_LENGTH: LazyPyImport = + LazyPyImport::new("cryptography.utils", &["_extract_buffer_length"]); + #[cfg(test)] mod tests { use super::LazyPyImport; diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 688ed07e8e68..d314386fc211 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -8,7 +8,7 @@ use crate::asn1::{ use crate::backend::hashes; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{extensions, sct, sign}; -use crate::{exceptions, x509}; +use crate::{exceptions, types, x509}; use cryptography_x509::certificate::Certificate as RawCertificate; use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; use cryptography_x509::extensions::{ @@ -81,13 +81,7 @@ impl Certificate { py, &asn1::write_single(&self.raw.borrow_dependent().tbs_cert.spki)?, ); - Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "load_der_public_key"))? - .call1((serialized,))?) + Ok(types::LOAD_DER_PUBLIC_KEY.get(py)?.call1((serialized,))?) } fn fingerprint<'p>( @@ -248,7 +242,6 @@ impl Certificate { #[getter] fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, &self.cached_extensions, @@ -256,21 +249,14 @@ impl Certificate { |ext| match ext.extn_id { oid::PRECERT_POISON_OID => { ext.value::<()>()?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "PrecertPoison"))? - .call0()?, - )) + Ok(Some(types::PRECERT_POISON.get(py)?.call0()?)) } oid::PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_OID => { let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::PreCertificate)?; Ok(Some( - x509_module - .getattr(pyo3::intern!( - py, - "PrecertificateSignedCertificateTimestamps" - ))? + types::PRECERTIFICATE_SIGNED_CERTIFICATE_TIMESTAMPS + .get(py)? .call1((scts,))?, )) } @@ -391,12 +377,10 @@ fn load_der_x509_certificate( fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyResult<()> { if bytes[0] & 0x80 != 0 { - let cryptography_warning = py - .import(pyo3::intern!(py, "cryptography.utils"))? - .getattr(pyo3::intern!(py, "DeprecatedIn36"))?; + let warning_cls = types::DEPRECATED_IN_36.get(py)?; pyo3::PyErr::warn( py, - cryptography_warning, + warning_cls, "Parsed a negative serial number, which is disallowed by RFC 5280.", 1, )?; @@ -417,12 +401,10 @@ fn warn_if_invalid_params( | AlgorithmParameters::DsaWithSha256(Some(..)) | AlgorithmParameters::DsaWithSha384(Some(..)) | AlgorithmParameters::DsaWithSha512(Some(..)) => { - let cryptography_warning = py - .import(pyo3::intern!(py, "cryptography.utils"))? - .getattr(pyo3::intern!(py, "DeprecatedIn41"))?; + let warning_cls = types::DEPRECATED_IN_41.get(py)?; pyo3::PyErr::warn( py, - cryptography_warning, + warning_cls, "The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK21+ or the latest JDK11/17 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 and https://github.com/pyca/cryptography/issues/9253 for more details.", 2, )?; @@ -441,12 +423,10 @@ fn parse_display_text( DisplayText::Utf8String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()).to_object(py)), DisplayText::VisibleString(o) => { if asn1::VisibleString::new(o.as_str()).is_none() { - let cryptography_warning = py - .import(pyo3::intern!(py, "cryptography.utils"))? - .getattr(pyo3::intern!(py, "DeprecatedIn41"))?; + let warning_cls = types::DEPRECATED_IN_41.get(py)?; pyo3::PyErr::warn( py, - cryptography_warning, + warning_cls, "Invalid ASN.1 (UTF-8 characters in a VisibleString) in the explicit text and/or notice reference of the certificate policies extension. In a future version of cryptography, an exception will be raised.", 1, )?; @@ -590,9 +570,8 @@ fn parse_distribution_point( Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, None => py.None(), }; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; - Ok(x509_module - .getattr(pyo3::intern!(py, "DistributionPoint"))? + Ok(types::DISTRIBUTION_POINT + .get(py)? .call1((full_name, relative_name, reasons, crl_issuer))? .to_object(py)) } @@ -614,9 +593,8 @@ pub(crate) fn parse_distribution_point_reasons( py: pyo3::Python<'_>, reasons: Option<&asn1::BitString<'_>>, ) -> Result { - let reason_bit_mapping = py - .import(pyo3::intern!(py, "cryptography.x509.extensions"))? - .getattr(pyo3::intern!(py, "_REASON_BIT_MAPPING"))?; + let reason_bit_mapping = types::REASON_BIT_MAPPING.get(py)?; + Ok(match reasons { Some(bs) => { let mut vec = Vec::new(); @@ -635,9 +613,7 @@ pub(crate) fn encode_distribution_point_reasons( py: pyo3::Python<'_>, py_reasons: &pyo3::PyAny, ) -> pyo3::PyResult { - let reason_flag_mapping = py - .import(pyo3::intern!(py, "cryptography.x509.extensions"))? - .getattr(pyo3::intern!(py, "_CRLREASONFLAGS"))?; + let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; let mut bits = vec![0, 0]; for py_reason in py_reasons.iter()? { @@ -657,7 +633,6 @@ pub(crate) fn parse_authority_key_identifier<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let aki = ext.value::>()?; let serial = match aki.authority_cert_serial_number { Some(biguint) => big_byte_slice_to_py_int(py, biguint.as_bytes())?.to_object(py), @@ -667,8 +642,8 @@ pub(crate) fn parse_authority_key_identifier<'p>( Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, None => py.None(), }; - Ok(x509_module - .getattr(pyo3::intern!(py, "AuthorityKeyIdentifier"))? + Ok(types::AUTHORITY_KEY_IDENTIFIER + .get(py)? .call1((aki.key_identifier, issuer, serial))?) } @@ -676,14 +651,13 @@ pub(crate) fn parse_access_descriptions( py: pyo3::Python<'_>, ext: &Extension<'_>, ) -> Result { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let ads = pyo3::types::PyList::empty(py); let parsed = ext.value::>()?; for access in parsed.unwrap_read().clone() { let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; - let ad = x509_module - .getattr(pyo3::intern!(py, "AccessDescription"))? + let ad = types::ACCESS_DESCRIPTION + .get(py)? .call1((py_oid, gn))? .to_object(py); ads.append(ad)?; @@ -716,9 +690,7 @@ pub fn parse_cert_ext<'p>( )) } oid::TLS_FEATURE_OID => { - let tls_feature_type_to_enum = py - .import(pyo3::intern!(py, "cryptography.x509.extensions"))? - .getattr(pyo3::intern!(py, "_TLS_FEATURE_TYPE_TO_ENUM"))?; + let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; let features = pyo3::types::PyList::empty(py); for feature in ext.value::>()? { @@ -898,23 +870,12 @@ fn create_x509_certificate( ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; - let serialization_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))?; - let der_encoding = serialization_mod - .getattr(pyo3::intern!(py, "Encoding"))? - .getattr(pyo3::intern!(py, "DER"))?; - let spki_format = serialization_mod - .getattr(pyo3::intern!(py, "PublicFormat"))? - .getattr(pyo3::intern!(py, "SubjectPublicKeyInfo"))?; + let der = types::ENCODING_DER.get(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; let spki_bytes = builder .getattr(pyo3::intern!(py, "_public_key"))? - .call_method1( - pyo3::intern!(py, "public_bytes"), - (der_encoding, spki_format), - )? + .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? .extract::<&[u8]>()?; let py_serial = builder diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 3c64b2f6829c..10a6a8bff50b 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -4,7 +4,7 @@ use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; -use crate::{exceptions, x509}; +use crate::{exceptions, types, x509}; use cryptography_x509::common::{Asn1ReadableOrWritable, AttributeTypeValue, RawTlv}; use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, @@ -53,18 +53,14 @@ pub(crate) fn encode_name_entry<'p>( py: pyo3::Python<'p>, py_name_entry: &'p pyo3::PyAny, ) -> CryptographyResult> { - let asn1_type = py - .import(pyo3::intern!(py, "cryptography.x509.name"))? - .getattr(pyo3::intern!(py, "_ASN1Type"))?; - let attr_type = py_name_entry.getattr(pyo3::intern!(py, "_type"))?; let tag = attr_type .getattr(pyo3::intern!(py, "value"))? .extract::()?; - let value: &[u8] = if !attr_type.is(asn1_type.getattr(pyo3::intern!(py, "BitString"))?) { - let encoding = if attr_type.is(asn1_type.getattr(pyo3::intern!(py, "BMPString"))?) { + let value: &[u8] = if !attr_type.is(types::ASN1_TYPE_BIT_STRING.get(py)?) { + let encoding = if attr_type.is(types::ASN1_TYPE_BMP_STRING.get(py)?) { "utf_16_be" - } else if attr_type.is(asn1_type.getattr(pyo3::intern!(py, "UniversalString"))?) { + } else if attr_type.is(types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { "utf_32_be" } else { "utf8" @@ -177,24 +173,19 @@ pub(crate) fn parse_name<'p>( py: pyo3::Python<'p>, name: &NameReadable<'_>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let py_rdns = pyo3::types::PyList::empty(py); for rdn in name.clone() { let py_rdn = parse_rdn(py, &rdn)?; py_rdns.append(py_rdn)?; } - Ok(x509_module.call_method1(pyo3::intern!(py, "Name"), (py_rdns,))?) + Ok(types::NAME.get(py)?.call1((py_rdns,))?) } fn parse_name_attribute( py: pyo3::Python<'_>, attribute: AttributeTypeValue<'_>, ) -> Result { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let oid = oid_to_py_oid(py, &attribute.type_id)?.to_object(py); - let tag_enum = py - .import(pyo3::intern!(py, "cryptography.x509.name"))? - .getattr(pyo3::intern!(py, "_ASN1_TYPE_TO_ENUM"))?; let tag_val = attribute .value .tag() @@ -205,7 +196,7 @@ fn parse_name_attribute( )) })? .to_object(py); - let py_tag = tag_enum.get_item(tag_val)?; + let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value Some(3) => pyo3::types::PyBytes::new(py, attribute.value.data()), @@ -226,12 +217,9 @@ fn parse_name_attribute( } }; let kwargs = [("_validate", false)].into_py_dict(py); - Ok(x509_module - .call_method( - pyo3::intern!(py, "NameAttribute"), - (oid, py_data, py_tag), - Some(kwargs), - )? + Ok(types::NAME_ATTRIBUTE + .get(py)? + .call((oid, py_data, py_tag), Some(kwargs))? .to_object(py)) } @@ -239,14 +227,14 @@ pub(crate) fn parse_rdn<'a>( py: pyo3::Python<'_>, rdn: &asn1::SetOf<'a, AttributeTypeValue<'a>>, ) -> Result { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let py_attrs = pyo3::types::PyList::empty(py); for attribute in rdn.clone() { let na = parse_name_attribute(py, attribute)?; py_attrs.append(na)?; } - Ok(x509_module - .call_method1(pyo3::intern!(py, "RelativeDistinguishedName"), (py_attrs,))? + Ok(types::RELATIVE_DISTINGUISHED_NAME + .get(py)? + .call1((py_attrs,))? .to_object(py)) } @@ -284,11 +272,8 @@ pub(crate) fn parse_general_name( .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::IPAddress(data) => { - let ip_module = py.import(pyo3::intern!(py, "ipaddress"))?; if data.len() == 4 || data.len() == 16 { - let addr = ip_module - .call_method1(pyo3::intern!(py, "ip_address"), (data,))? - .to_object(py); + let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; x509_module .call_method1(pyo3::intern!(py, "IPAddress"), (addr,))? .to_object(py) @@ -331,8 +316,6 @@ fn create_ip_network( py: pyo3::Python<'_>, data: &[u8], ) -> Result { - let ip_module = py.import(pyo3::intern!(py, "ipaddress"))?; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let prefix = match data.len() { 8 => { let num = u32::from_be_bytes(data[4..].try_into().unwrap()); @@ -346,22 +329,17 @@ fn create_ip_network( format!("Invalid IPNetwork, must be 8 bytes for IPv4 and 32 bytes for IPv6. Found length: {}", data.len()), ))), }; - let base = ip_module.call_method1( - "ip_address", - (pyo3::types::PyBytes::new(py, &data[..data.len() / 2]),), - )?; + let base = types::IPADDRESS_IPADDRESS + .get(py)? + .call1((pyo3::types::PyBytes::new(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", base.getattr(pyo3::intern!(py, "exploded"))? .extract::<&str>()?, prefix? ); - let addr = ip_module - .call_method1(pyo3::intern!(py, "ip_network"), (net,))? - .to_object(py); - Ok(x509_module - .call_method1(pyo3::intern!(py, "IPAddress"), (addr,))? - .to_object(py)) + let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; + Ok(types::IPADDRESS.get(py)?.call1((addr,))?.to_object(py)) } fn ipv4_netmask(num: u32) -> Result { @@ -404,27 +382,23 @@ pub(crate) fn parse_and_cache_extensions< } }; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let exts = pyo3::types::PyList::empty(py); for raw_ext in extensions.iter() { let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; let extn_value = match parse_ext(&raw_ext)? { Some(e) => e, - None => x509_module.call_method1( - pyo3::intern!(py, "UnrecognizedExtension"), - (oid_obj, raw_ext.extn_value), - )?, + None => types::UNRECOGNIZED_EXTENSION + .get(py)? + .call1((oid_obj, raw_ext.extn_value))?, }; - let ext_obj = x509_module.call_method1( - pyo3::intern!(py, "Extension"), - (oid_obj, raw_ext.critical, extn_value), - )?; + let ext_obj = + types::EXTENSION + .get(py)? + .call1((oid_obj, raw_ext.critical, extn_value))?; exts.append(ext_obj)?; } - Ok(x509_module - .call_method1(pyo3::intern!(py, "Extensions"), (exts,))? - .to_object(py)) + Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) }) .map(|p| p.clone_ref(py)) } @@ -441,18 +415,13 @@ pub(crate) fn encode_extensions< py_exts: &'p pyo3::PyAny, encode_ext: F, ) -> pyo3::PyResult>> { - let unrecognized_extension_type: &pyo3::types::PyType = py - .import(pyo3::intern!(py, "cryptography.x509"))? - .getattr(pyo3::intern!(py, "UnrecognizedExtension"))? - .extract()?; - let mut exts = vec![]; for py_ext in py_exts.iter()? { let py_ext = py_ext?; let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; - if ext_val.is_instance(unrecognized_extension_type)? { + if ext_val.is_instance(types::UNRECOGNIZED_EXTENSION.get(py)?)? { exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, @@ -511,17 +480,14 @@ pub(crate) fn datetime_to_py<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, ) -> pyo3::PyResult<&'p pyo3::PyAny> { - let datetime_module = py.import(pyo3::intern!(py, "datetime"))?; - datetime_module - .getattr(pyo3::intern!(py, "datetime"))? - .call1(( - dt.year(), - dt.month(), - dt.day(), - dt.hour(), - dt.minute(), - dt.second(), - )) + types::DATETIME_DATETIME.get(py)?.call1(( + dt.year(), + dt.month(), + dt.day(), + dt.hour(), + dt.minute(), + dt.second(), + )) } pub(crate) fn py_to_datetime( @@ -540,15 +506,12 @@ pub(crate) fn py_to_datetime( } pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult { - let datetime_module = py.import(pyo3::intern!(py, "datetime"))?; - let utc = datetime_module - .getattr(pyo3::intern!(py, "timezone"))? - .getattr(pyo3::intern!(py, "utc"))?; + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; py_to_datetime( py, - datetime_module - .getattr(pyo3::intern!(py, "datetime"))? + types::DATETIME_DATETIME + .get(py)? .call_method1(pyo3::intern!(py, "now"), (utc,))?, ) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index d1535b31b6cb..e9035b665da7 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -8,7 +8,7 @@ use crate::asn1::{ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, extensions, sign}; -use crate::{exceptions, x509}; +use crate::{exceptions, types, x509}; use cryptography_x509::extensions::{Extension, IssuerAlternativeName}; use cryptography_x509::{ common, @@ -199,11 +199,7 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> pyo3::PyResult<&'p pyo3::PyAny> { let oid = self.signature_algorithm_oid(py)?; - let oid_module = py.import(pyo3::intern!(py, "cryptography.hazmat._oid"))?; - match oid_module - .getattr(pyo3::intern!(py, "_SIG_OIDS_TO_HASH"))? - .get_item(oid) - { + match types::SIG_OIDS_TO_HASH.get(py)?.get_item(oid) { Ok(v) => Ok(v), Err(_) => Err(exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -272,7 +268,6 @@ impl CertificateRevocationList { fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let tbs_cert_list = &self.owned.borrow_dependent().tbs_cert_list; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, &self.cached_extensions, @@ -281,36 +276,24 @@ impl CertificateRevocationList { oid::CRL_NUMBER_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "CRLNumber"))? - .call1((pynum,))?, - )) + Ok(Some(types::CRL_NUMBER.get(py)?.call1((pynum,))?)) } oid::DELTA_CRL_INDICATOR_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "DeltaCRLIndicator"))? - .call1((pynum,))?, - )) + Ok(Some(types::DELTA_CRL_INDICATOR.get(py)?.call1((pynum,))?)) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "IssuerAlternativeName"))? - .call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, )) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = certificate::parse_access_descriptions(py, ext)?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "AuthorityInformationAccess"))? - .call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -330,27 +313,19 @@ impl CertificateRevocationList { } else { py.None() }; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "IssuingDistributionPoint"))? - .call1(( - full_name, - relative_name, - idp.only_contains_user_certs, - idp.only_contains_ca_certs, - py_reasons, - idp.indirect_crl, - idp.only_contains_attribute_certs, - ))?, - )) + Ok(Some(types::ISSUING_DISTRIBUTION_POINT.get(py)?.call1(( + full_name, + relative_name, + idp.only_contains_user_certs, + idp.only_contains_ca_certs, + py_reasons, + idp.indirect_crl, + idp.only_contains_attribute_certs, + ))?)) } oid::FRESHEST_CRL_OID => { let dp = certificate::parse_distribution_points(py, ext)?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "FreshestCRL"))? - .call1((dp,))?, - )) + Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) } _ => Ok(None), }, @@ -529,7 +504,6 @@ pub(crate) fn parse_crl_reason_flags<'p>( py: pyo3::Python<'p>, reason: &crl::CRLReason, ) -> CryptographyResult<&'p pyo3::PyAny> { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let flag_name = match reason.value() { 0 => "unspecified", 1 => "key_compromise", @@ -550,42 +524,27 @@ pub(crate) fn parse_crl_reason_flags<'p>( )) } }; - Ok(x509_module - .getattr(pyo3::intern!(py, "ReasonFlags"))? - .getattr(flag_name)?) + Ok(types::REASON_FLAGS.get(py)?.getattr(flag_name)?) } pub fn parse_crl_entry_ext<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, ) -> CryptographyResult> { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; match ext.extn_id { oid::CRL_REASON_OID => { let flags = parse_crl_reason_flags(py, &ext.value::()?)?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "CRLReason"))? - .call1((flags,))?, - )) + Ok(Some(types::CRL_REASON.get(py)?.call1((flags,))?)) } oid::CERTIFICATE_ISSUER_OID => { let gn_seq = ext.value::>>()?; let gns = x509::parse_general_names(py, &gn_seq)?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "CertificateIssuer"))? - .call1((gns,))?, - )) + Ok(Some(types::CERTIFICATE_ISSUER.get(py)?.call1((gns,))?)) } oid::INVALIDITY_DATE_OID => { let time = ext.value::()?; let py_dt = x509::datetime_to_py(py, time.as_datetime())?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "InvalidityDate"))? - .call1((py_dt,))?, - )) + Ok(Some(types::INVALIDITY_DATE.get(py)?.call1((py_dt,))?)) } _ => Ok(None), } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 2ea5170e1cc9..cab13b7a1033 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -5,7 +5,7 @@ use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sign}; -use crate::{exceptions, x509}; +use crate::{exceptions, types, x509}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; @@ -61,13 +61,7 @@ impl CertificateSigningRequest { py, &asn1::write_single(&self.raw.borrow_dependent().csr_info.spki)?, ); - Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "load_der_public_key"))? - .call1((serialized,))?) + Ok(types::LOAD_DER_PUBLIC_KEY.get(py)?.call1((serialized,))?) } #[getter] @@ -131,15 +125,10 @@ impl CertificateSigningRequest { py: pyo3::Python<'p>, oid: &pyo3::PyAny, ) -> pyo3::PyResult<&'p pyo3::PyAny> { - let cryptography_warning = py - .import(pyo3::intern!(py, "cryptography.utils"))? - .getattr(pyo3::intern!(py, "DeprecatedIn36"))?; - pyo3::PyErr::warn( - py, - cryptography_warning, - "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid.", - 1, - )?; + let warning_cls = types::DEPRECATED_IN_36.get(py)?; + let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; + pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; + let rust_oid = py_oid_to_oid(oid)?; for attribute in self .raw @@ -200,13 +189,10 @@ impl CertificateSigningRequest { "Long-form tags are not supported in CSR attribute values", )) })?; - let pyattr = py - .import(pyo3::intern!(py, "cryptography.x509"))? - .call_method1(pyo3::intern!(py, "Attribute"), (oid, serialized, tag))?; + let pyattr = types::ATTRIBUTE.get(py)?.call1((oid, serialized, tag))?; pyattrs.append(pyattr)?; } - py.import(pyo3::intern!(py, "cryptography.x509"))? - .call_method1(pyo3::intern!(py, "Attributes"), (pyattrs,)) + types::ATTRIBUTES.get(py)?.call1((pyattrs,)) } #[getter] @@ -295,23 +281,12 @@ fn create_x509_csr( ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; - let serialization_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))?; - let der_encoding = serialization_mod - .getattr(pyo3::intern!(py, "Encoding"))? - .getattr(pyo3::intern!(py, "DER"))?; - let spki_format = serialization_mod - .getattr(pyo3::intern!(py, "PublicFormat"))? - .getattr(pyo3::intern!(py, "SubjectPublicKeyInfo"))?; + let der = types::ENCODING_DER.get(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; let spki_bytes = private_key .call_method0(pyo3::intern!(py, "public_key"))? - .call_method1( - pyo3::intern!(py, "public_bytes"), - (der_encoding, spki_format), - )? + .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? .extract::<&[u8]>()?; let mut attrs = vec![]; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index dcf28833f17f..94dfe8fe8ac2 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -4,8 +4,8 @@ use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; -use crate::x509; use crate::x509::{certificate, sct}; +use crate::{types, x509}; use cryptography_x509::{common, crl, extensions, oid}; fn encode_general_subtrees<'a>( @@ -462,13 +462,8 @@ pub(crate) fn encode_extension( Ok(Some(der)) } &oid::CRL_REASON_OID => { - let value = ext - .py() - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.decode_asn1" - ))? - .getattr(pyo3::intern!(py, "_CRL_ENTRY_REASON_ENUM_TO_CODE"))? + let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE + .get(ext.py())? .get_item(ext.getattr(pyo3::intern!(py, "reason"))?)? .extract::()?; Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 38704613fa9e..97547097d09e 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -5,7 +5,7 @@ use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{extensions, ocsp}; -use crate::{exceptions, x509}; +use crate::{exceptions, types, x509}; use cryptography_x509::{ common, ocsp_req::{self, OCSPRequest as RawOCSPRequest}, @@ -89,9 +89,8 @@ impl OCSPRequest { ) -> Result<&'p pyo3::PyAny, CryptographyError> { let cert_id = self.cert_id(); - let hashes = py.import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))?; match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(hashes.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -114,7 +113,6 @@ impl OCSPRequest { fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let tbs_request = &self.raw.borrow_dependent().tbs_request; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, &self.cached_extensions, @@ -129,9 +127,7 @@ impl OCSPRequest { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some( - x509_module.call_method1(pyo3::intern!(py, "OCSPNonce"), (nonce,))?, - )) + Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; @@ -140,10 +136,11 @@ impl OCSPRequest { py_oids.append(oid_to_py_oid(py, &oid)?)?; } - Ok(Some(x509_module.call_method1( - pyo3::intern!(py, "OCSPAcceptableResponses"), - (py_oids,), - )?)) + Ok(Some( + types::OCSP_ACCEPTABLE_RESPONSES + .get(py)? + .call1((py_oids,))?, + )) } _ => Ok(None), } @@ -156,14 +153,7 @@ impl OCSPRequest { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let der = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "Encoding"))? - .getattr(pyo3::intern!(py, "DER"))?; - if !encoding.is(der) { + if !encoding.is(types::ENCODING_DER.get(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e6e8f77851fe..679dff6e6e09 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -5,7 +5,7 @@ use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, crl, extensions, ocsp, py_to_datetime, sct}; -use crate::{exceptions, x509}; +use crate::{exceptions, types, x509}; use cryptography_x509::ocsp_resp::SingleResponse; use cryptography_x509::{ common, @@ -138,9 +138,7 @@ impl OCSPResponse { assert_eq!(status, UNAUTHORIZED_RESPONSE); "UNAUTHORIZED" }; - py.import(pyo3::intern!(py, "cryptography.x509.ocsp"))? - .getattr(pyo3::intern!(py, "OCSPResponseStatus"))? - .getattr(attr) + types::OCSP_RESPONSE_STATUS.get(py)?.getattr(attr) } #[getter] @@ -182,10 +180,9 @@ impl OCSPResponse { &self, py: pyo3::Python<'p>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - let sig_oids_to_hash = py - .import(pyo3::intern!(py, "cryptography.hazmat._oid"))? - .getattr(pyo3::intern!(py, "_SIG_OIDS_TO_HASH"))?; - let hash_alg = sig_oids_to_hash.get_item(self.signature_algorithm_oid(py)?); + let hash_alg = types::SIG_OIDS_TO_HASH + .get(py)? + .get_item(self.signature_algorithm_oid(py)?); match hash_alg { Ok(data) => Ok(data), Err(_) => { @@ -333,7 +330,6 @@ impl OCSPResponse { .get() .tbs_response_data; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, &self.cached_extensions, @@ -348,9 +344,7 @@ impl OCSPResponse { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some( - x509_module.call_method1(pyo3::intern!(py, "OCSPNonce"), (nonce,))?, - )) + Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) } _ => Ok(None), } @@ -371,7 +365,6 @@ impl OCSPResponse { .get(), )?; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; x509::parse_and_cache_extensions( py, &self.cached_single_extensions, @@ -381,8 +374,8 @@ impl OCSPResponse { let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::Certificate)?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "SignedCertificateTimestamps"))? + types::SIGNED_CERTIFICATE_TIMESTAMPS + .get(py)? .call1((scts,))?, )) } @@ -396,14 +389,7 @@ impl OCSPResponse { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let der = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.serialization" - ))? - .getattr(pyo3::intern!(py, "Encoding"))? - .getattr(pyo3::intern!(py, "DER"))?; - if !encoding.is(der) { + if !encoding.is(types::ENCODING_DER.get(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) @@ -476,18 +462,15 @@ fn singleresp_py_certificate_status<'p>( ocsp_resp::CertStatus::Revoked(_) => pyo3::intern!(py, "REVOKED"), ocsp_resp::CertStatus::Unknown(_) => pyo3::intern!(py, "UNKNOWN"), }; - py.import(pyo3::intern!(py, "cryptography.x509.ocsp"))? - .getattr(pyo3::intern!(py, "OCSPCertStatus"))? - .getattr(attr) + types::OCSP_CERT_STATUS.get(py)?.getattr(attr) } fn singleresp_py_hash_algorithm<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, ) -> Result<&'p pyo3::PyAny, CryptographyError> { - let hashes = py.import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))?; match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&resp.cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(hashes.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -560,8 +543,6 @@ fn create_ocsp_response( let borrowed_cert; let py_certs: Option>>; let response_bytes = if response_status == SUCCESSFUL_RESPONSE { - let ocsp_mod = py.import(pyo3::intern!(py, "cryptography.x509.ocsp"))?; - let py_single_resp = builder.getattr(pyo3::intern!(py, "_response"))?; py_cert = py_single_resp .getattr(pyo3::intern!(py, "_cert"))? @@ -578,27 +559,17 @@ fn create_ocsp_response( .extract()?; let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; - let cert_status = if py_cert_status.is(ocsp_mod - .getattr(pyo3::intern!(py, "OCSPCertStatus"))? - .getattr(pyo3::intern!(py, "GOOD"))?) - { + let cert_status = if py_cert_status.is(types::OCSP_CERT_STATUS_GOOD.get(py)?) { ocsp_resp::CertStatus::Good(()) - } else if py_cert_status.is(ocsp_mod - .getattr(pyo3::intern!(py, "OCSPCertStatus"))? - .getattr(pyo3::intern!(py, "UNKNOWN"))?) - { + } else if py_cert_status.is(types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { ocsp_resp::CertStatus::Unknown(()) } else { let revocation_reason = if !py_single_resp .getattr(pyo3::intern!(py, "_revocation_reason"))? .is_none() { - let value = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.backends.openssl.decode_asn1" - ))? - .getattr(pyo3::intern!(py, "_CRL_ENTRY_REASON_ENUM_TO_CODE"))? + let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE + .get(py)? .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? .extract::()?; Some(asn1::Enumerated::new(value)) @@ -639,14 +610,8 @@ fn create_ocsp_response( }]; borrowed_cert = responder_cert.borrow(); - let responder_id = if responder_encoding.is(ocsp_mod - .getattr(pyo3::intern!(py, "OCSPResponderEncoding"))? - .getattr(pyo3::intern!(py, "HASH"))?) - { - let sha1 = py - .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? - .getattr(pyo3::intern!(py, "SHA1"))? - .call0()?; + let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { + let sha1 = types::SHA1.get(py)?.call0()?; ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, sha1, diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 22eaed817e57..173364cd2a10 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -3,6 +3,7 @@ // for complete details. use crate::error::CryptographyError; +use crate::types; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; use std::collections::hash_map::DefaultHasher; @@ -164,12 +165,7 @@ impl Sct { #[getter] fn version<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - py.import(pyo3::intern!( - py, - "cryptography.x509.certificate_transparency" - ))? - .getattr(pyo3::intern!(py, "Version"))? - .getattr(pyo3::intern!(py, "v1")) + types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get(py) } #[getter] @@ -179,10 +175,8 @@ impl Sct { #[getter] fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let datetime_class = py - .import(pyo3::intern!(py, "datetime"))? - .getattr(pyo3::intern!(py, "datetime"))?; - datetime_class + types::DATETIME_DATETIME + .get(py)? .call_method1( pyo3::intern!(py, "utcfromtimestamp"), (self.timestamp / 1000,), @@ -196,17 +190,10 @@ impl Sct { #[getter] fn entry_type<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let et_class = py - .import(pyo3::intern!( - py, - "cryptography.x509.certificate_transparency" - ))? - .getattr(pyo3::intern!(py, "LogEntryType"))?; - let attr_name = match self.entry_type { - LogEntryType::Certificate => "X509_CERTIFICATE", - LogEntryType::PreCertificate => "PRE_CERTIFICATE", - }; - et_class.getattr(attr_name) + Ok(match self.entry_type { + LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get(py)?, + LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get(py)?, + }) } #[getter] @@ -214,19 +201,16 @@ impl Sct { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult<&'p pyo3::PyAny> { - let hashes_mod = py.import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))?; - hashes_mod.call_method0(self.hash_algorithm.to_attr()) + types::HASHES_MODULE + .get(py)? + .call_method0(self.hash_algorithm.to_attr()) } #[getter] fn signature_algorithm<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let sa_class = py - .import(pyo3::intern!( - py, - "cryptography.x509.certificate_transparency" - ))? - .getattr(pyo3::intern!(py, "SignatureAlgorithm"))?; - sa_class.getattr(self.signature_algorithm.to_attr()) + types::SIGNATURE_ALGORITHM + .get(py)? + .getattr(self.signature_algorithm.to_attr()) } #[getter] diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 0e3c1bc728b2..47212b555c42 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -4,7 +4,7 @@ use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{exceptions, types}; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; use std::collections::HashMap; @@ -47,51 +47,15 @@ enum HashType { } fn identify_key_type(py: pyo3::Python<'_>, private_key: &pyo3::PyAny) -> pyo3::PyResult { - let rsa_private_key: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.rsa" - ))? - .getattr(pyo3::intern!(py, "RSAPrivateKey"))? - .extract()?; - let dsa_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dsa" - ))? - .getattr(pyo3::intern!(py, "DSAPrivateKey"))? - .extract()?; - let ec_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "EllipticCurvePrivateKey"))? - .extract()?; - let ed25519_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ed25519" - ))? - .getattr(pyo3::intern!(py, "Ed25519PrivateKey"))? - .extract()?; - let ed448_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ed448" - ))? - .getattr(pyo3::intern!(py, "Ed448PrivateKey"))? - .extract()?; - - if private_key.is_instance(rsa_private_key)? { + if private_key.is_instance(types::RSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Rsa) - } else if private_key.is_instance(dsa_key_type)? { + } else if private_key.is_instance(types::DSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Dsa) - } else if private_key.is_instance(ec_key_type)? { + } else if private_key.is_instance(types::ELLIPTIC_CURVE_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ec) - } else if private_key.is_instance(ed25519_key_type)? { + } else if private_key.is_instance(types::ED25519_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ed25519) - } else if private_key.is_instance(ed448_key_type)? { + } else if private_key.is_instance(types::ED448_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -108,11 +72,7 @@ fn identify_hash_type( return Ok(HashType::None); } - let hash_algorithm_type: &pyo3::types::PyType = py - .import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))? - .getattr(pyo3::intern!(py, "HashAlgorithm"))? - .extract()?; - if !hash_algorithm.is_instance(hash_algorithm_type)? { + if !hash_algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { return Err(pyo3::exceptions::PyTypeError::new_err( "Algorithm must be a registered hash algorithm.", )); @@ -143,23 +103,17 @@ fn compute_pss_salt_length<'p>( hash_algorithm: &'p pyo3::PyAny, rsa_padding: &'p pyo3::PyAny, ) -> pyo3::PyResult { - let padding_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))?; - let maxlen = padding_mod.getattr(pyo3::intern!(py, "_MaxLength"))?; - let digestlen = padding_mod.getattr(pyo3::intern!(py, "_DigestLength"))?; let py_saltlen = rsa_padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if py_saltlen.is_instance(maxlen)? { - padding_mod - .getattr(pyo3::intern!(py, "calculate_max_pss_salt_length"))? + if py_saltlen.is_instance(types::PADDING_MAX_LENGTH.get(py)?)? { + types::CALCULATE_MAX_PSS_SALT_LENGTH + .get(py)? .call1((private_key, hash_algorithm))? .extract::() - } else if py_saltlen.is_instance(digestlen)? { + } else if py_saltlen.is_instance(types::PADDING_DIGEST_LENGTH.get(py)?)? { hash_algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::() - } else if py_saltlen.is_instance(py.get_type::())? { + } else if py_saltlen.is_instance_of::() { py_saltlen.extract::() } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -177,16 +131,9 @@ pub(crate) fn compute_signature_algorithm<'p>( let key_type = identify_key_type(py, private_key)?; let hash_type = identify_hash_type(py, hash_algorithm)?; - let pss_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))? - .getattr(pyo3::intern!(py, "PSS"))? - .extract()?; // If this is RSA-PSS we need to compute the signature algorithm from the // parameters provided in rsa_padding. - if !rsa_padding.is_none() && rsa_padding.is_instance(pss_type)? { + if !rsa_padding.is_none() && rsa_padding.is_instance(types::PSS.get(py)?)? { let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?; let hash_algorithm_id = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -340,25 +287,13 @@ pub(crate) fn sign_data<'p>( private_key.call_method1(pyo3::intern!(py, "sign"), (data,))? } KeyType::Ec => { - let ec_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))?; - let ecdsa = ec_mod - .getattr(pyo3::intern!(py, "ECDSA"))? - .call1((hash_algorithm,))?; + let ecdsa = types::ECDSA.get(py)?.call1((hash_algorithm,))?; private_key.call_method1(pyo3::intern!(py, "sign"), (data, ecdsa))? } KeyType::Rsa => { let mut padding = rsa_padding; if padding.is_none() { - let padding_mod = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))?; - padding = padding_mod - .getattr(pyo3::intern!(py, "PKCS1v15"))? - .call0()?; + padding = types::PKCS1V15.get(py)?.call0()?; } private_key.call_method1(pyo3::intern!(py, "sign"), (data, padding, hash_algorithm))? } @@ -417,51 +352,15 @@ pub(crate) fn identify_public_key_type( py: pyo3::Python<'_>, public_key: &pyo3::PyAny, ) -> pyo3::PyResult { - let rsa_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.rsa" - ))? - .getattr(pyo3::intern!(py, "RSAPublicKey"))? - .extract()?; - let dsa_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.dsa" - ))? - .getattr(pyo3::intern!(py, "DSAPublicKey"))? - .extract()?; - let ec_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "EllipticCurvePublicKey"))? - .extract()?; - let ed25519_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ed25519" - ))? - .getattr(pyo3::intern!(py, "Ed25519PublicKey"))? - .extract()?; - let ed448_key_type: &pyo3::types::PyType = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ed448" - ))? - .getattr(pyo3::intern!(py, "Ed448PublicKey"))? - .extract()?; - - if public_key.is_instance(rsa_key_type)? { + if public_key.is_instance(types::RSA_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Rsa) - } else if public_key.is_instance(dsa_key_type)? { + } else if public_key.is_instance(types::DSA_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Dsa) - } else if public_key.is_instance(ec_key_type)? { + } else if public_key.is_instance(types::ELLIPTIC_CURVE_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ec) - } else if public_key.is_instance(ed25519_key_type)? { + } else if public_key.is_instance(types::ED25519_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ed25519) - } else if public_key.is_instance(ed448_key_type)? { + } else if public_key.is_instance(types::ED448_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -525,9 +424,8 @@ fn hash_oid_py_hash( py: pyo3::Python<'_>, oid: asn1::ObjectIdentifier, ) -> CryptographyResult<&pyo3::PyAny> { - let hashes = py.import(pyo3::intern!(py, "cryptography.hazmat.primitives.hashes"))?; match HASH_OIDS_TO_HASH.get(&oid) { - Some(alg_name) => Ok(hashes.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -541,9 +439,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, ) -> CryptographyResult<&'p pyo3::PyAny> { - let sig_oids_to_hash = py - .import(pyo3::intern!(py, "cryptography.hazmat._oid"))? - .getattr(pyo3::intern!(py, "_SIG_OIDS_TO_HASH"))?; + let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get(py)?; match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { let pss = opt_pss.as_ref().ok_or_else(|| { @@ -586,16 +482,8 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( } let py_mask_gen_hash_alg = hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; - let padding = py.import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))?; - let py_mgf = padding - .getattr(pyo3::intern!(py, "MGF1"))? - .call1((py_mask_gen_hash_alg,))?; - Ok(padding - .getattr(pyo3::intern!(py, "PSS"))? - .call1((py_mgf, pss.salt_length))?) + let py_mgf = types::MGF1.get(py)?.call1((py_mask_gen_hash_alg,))?; + Ok(types::PSS.get(py)?.call1((py_mgf, pss.salt_length))?) } common::AlgorithmParameters::RsaWithSha1(_) | common::AlgorithmParameters::RsaWithSha1Alt(_) @@ -607,14 +495,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( | common::AlgorithmParameters::RsaWithSha3_256(_) | common::AlgorithmParameters::RsaWithSha3_384(_) | common::AlgorithmParameters::RsaWithSha3_512(_) => { - let pkcs = py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.padding" - ))? - .getattr(pyo3::intern!(py, "PKCS1v15"))? - .call0()?; - Ok(pkcs) + Ok(types::PKCS1V15.get(py)?.call0()?) } common::AlgorithmParameters::EcDsaWithSha224(_) | common::AlgorithmParameters::EcDsaWithSha256(_) @@ -627,13 +508,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( let signature_hash_algorithm = identify_signature_hash_algorithm(py, signature_algorithm)?; - Ok(py - .import(pyo3::intern!( - py, - "cryptography.hazmat.primitives.asymmetric.ec" - ))? - .getattr(pyo3::intern!(py, "ECDSA"))? - .call1((signature_hash_algorithm,))?) + Ok(types::ECDSA.get(py)?.call1((signature_hash_algorithm,))?) } _ => Ok(py.None().into_ref(py)), } From da94440e590a6308b6a16996993def5501ef6a84 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 21:45:33 +0000 Subject: [PATCH 0417/1014] Bump BoringSSL and/or OpenSSL in CI (#9544) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b2470f14fa95..bbe8319d479d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 02, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ca49385b168f47a50e7172d82a590b218f55e4d"}} + # Latest commit on the BoringSSL master branch, as of Sep 05, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "fa343af32b77f5f005a651656732ae3f0b526774"}} # Latest commit on the OpenSSL master branch, as of Sep 05, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b12c07cfba9651ae80b7020ffe8e634f47581389"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e664ef78b92532bf94c7976b181d88c4abf83074"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 73cfc5012f2c3c97b4ff30f320cc0d10e1af6131 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 20:40:17 -0400 Subject: [PATCH 0418/1014] Bump BoringSSL and/or OpenSSL in CI (#9545) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bbe8319d479d..2510715bcff2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 05, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "fa343af32b77f5f005a651656732ae3f0b526774"}} - # Latest commit on the OpenSSL master branch, as of Sep 05, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e664ef78b92532bf94c7976b181d88c4abf83074"}} + # Latest commit on the OpenSSL master branch, as of Sep 06, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c1673a60e40f6dcd110d1a4ff3e11a3297ada2da"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 859539375bfb09bb79fac582cd68560dfae294d9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 5 Sep 2023 23:39:08 -0400 Subject: [PATCH 0419/1014] Complete converting Rust Python imports (#9546) * Convert src/rust/src/x509/common.rs * Convert src/rust/src/x509/certificate.rs --- src/rust/src/types.rs | 42 ++++++++++ src/rust/src/x509/certificate.rs | 138 +++++++++++-------------------- src/rust/src/x509/common.rs | 50 +++++------ 3 files changed, 110 insertions(+), 120 deletions(-) diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 09968c338c37..8bfcf905d842 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -207,6 +207,48 @@ pub static RELATIVE_DISTINGUISHED_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RelativeDistinguishedName"]); pub static NAME_ATTRIBUTE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["NameAttribute"]); +pub static NAME_CONSTRAINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["NameConstraints"]); +pub static MS_CERTIFICATE_TEMPLATE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["MSCertificateTemplate"]); +pub static CRL_DISTRIBUTION_POINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["CRLDistributionPoints"]); +pub static BASIC_CONSTRAINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["BasicConstraints"]); +pub static INHIBIT_ANY_POLICY: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["InhibitAnyPolicy"]); +pub static OCSP_NO_CHECK: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OCSPNoCheck"]); +pub static POLICY_CONSTRAINTS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["PolicyConstraints"]); +pub static CERTIFICATE_POLICIES: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["CertificatePolicies"]); +pub static SUBJECT_INFORMATION_ACCESS: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["SubjectInformationAccess"]); +pub static KEY_USAGE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["KeyUsage"]); +pub static EXTENDED_KEY_USAGE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["ExtendedKeyUsage"]); +pub static SUBJECT_KEY_IDENTIFIER: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["SubjectKeyIdentifier"]); +pub static TLS_FEATURE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["TLSFeature"]); +pub static SUBJECT_ALTERNATIVE_NAME: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["SubjectAlternativeName"]); +pub static POLICY_INFORMATION: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["PolicyInformation"]); +pub static USER_NOTICE: LazyPyImport = LazyPyImport::new("cryptography.x509", &["UserNotice"]); +pub static NOTICE_REFERENCE: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["NoticeReference"]); +pub static REGISTERED_ID: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RegisteredID"]); +pub static DIRECTORY_NAME: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["DirectoryName"]); +pub static UNIFORM_RESOURCE_IDENTIFIER: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["UniformResourceIdentifier"]); +pub static DNS_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["DNSName"]); +pub static RFC822_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RFC822Name"]); +pub static OTHER_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OtherName"]); +pub static CERTIFICATE_VERSION_V1: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["Version", "v1"]); +pub static CERTIFICATE_VERSION_V3: LazyPyImport = + LazyPyImport::new("cryptography.x509", &["Version", "v3"]); pub static CRL_REASON_FLAGS: LazyPyImport = LazyPyImport::new("cryptography.x509.extensions", &["_CRLREASONFLAGS"]); diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d314386fc211..5ebd7a24e002 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -297,14 +297,9 @@ impl Certificate { } fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, CryptographyError> { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; match version { - 0 => Ok(x509_module - .getattr(pyo3::intern!(py, "Version"))? - .get_item(pyo3::intern!(py, "v1"))?), - 2 => Ok(x509_module - .getattr(pyo3::intern!(py, "Version"))? - .get_item(pyo3::intern!(py, "v3"))?), + 0 => Ok(types::CERTIFICATE_VERSION_V1.get(py)?), + 2 => Ok(types::CERTIFICATE_VERSION_V3.get(py)?), _ => Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( format!("{} is not a valid X509 version", version), @@ -450,7 +445,6 @@ fn parse_user_notice( py: pyo3::Python<'_>, un: UserNotice<'_>, ) -> Result { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let et = match un.explicit_text { Some(data) => parse_display_text(py, data)?, None => py.None(), @@ -462,15 +456,14 @@ fn parse_user_notice( for num in data.notice_numbers.unwrap_read().clone() { numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; } - x509_module - .call_method1(pyo3::intern!(py, "NoticeReference"), (org, numbers))? + types::NOTICE_REFERENCE + .get(py)? + .call1((org, numbers))? .to_object(py) } None => py.None(), }; - Ok(x509_module - .call_method1(pyo3::intern!(py, "UserNotice"), (nr, et))? - .to_object(py)) + Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.to_object(py)) } fn parse_policy_qualifiers<'a>( @@ -512,7 +505,6 @@ fn parse_cp( ext: &Extension<'_>, ) -> Result { let cp = ext.value::>>()?; - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let certificate_policies = pyo3::types::PyList::empty(py); for policyinfo in cp { let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?.to_object(py); @@ -522,8 +514,9 @@ fn parse_cp( } None => py.None(), }; - let pi = x509_module - .call_method1(pyo3::intern!(py, "PolicyInformation"), (pi_oid, py_pqis))? + let pi = types::POLICY_INFORMATION + .get(py)? + .call1((pi_oid, py_pqis))? .to_object(py); certificate_policies.append(pi)?; } @@ -669,24 +662,19 @@ pub fn parse_cert_ext<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, ) -> CryptographyResult> { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; match ext.extn_id { oid::SUBJECT_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let sans = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "SubjectAlternativeName"))? - .call1((sans,))?, + types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?, )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "IssuerAlternativeName"))? - .call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, )) } oid::TLS_FEATURE_OID => { @@ -697,17 +685,13 @@ pub fn parse_cert_ext<'p>( let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; } - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "TLSFeature"))? - .call1((features,))?, - )) + Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?)) } oid::SUBJECT_KEY_IDENTIFIER_OID => { let identifier = ext.value::<&[u8]>()?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "SubjectKeyIdentifier"))? + types::SUBJECT_KEY_IDENTIFIER + .get(py)? .call1((identifier,))?, )) } @@ -717,101 +701,71 @@ pub fn parse_cert_ext<'p>( let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; } - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "ExtendedKeyUsage"))? - .call1((ekus,))?, - )) + Ok(Some(types::EXTENDED_KEY_USAGE.get(py)?.call1((ekus,))?)) } oid::KEY_USAGE_OID => { let kus = ext.value::>()?; - Ok(Some( - x509_module.getattr(pyo3::intern!(py, "KeyUsage"))?.call1(( - kus.digital_signature(), - kus.content_comitment(), - kus.key_encipherment(), - kus.data_encipherment(), - kus.key_agreement(), - kus.key_cert_sign(), - kus.crl_sign(), - kus.encipher_only(), - kus.decipher_only(), - ))?, - )) + Ok(Some(types::KEY_USAGE.get(py)?.call1(( + kus.digital_signature(), + kus.content_comitment(), + kus.key_encipherment(), + kus.data_encipherment(), + kus.key_agreement(), + kus.key_cert_sign(), + kus.crl_sign(), + kus.encipher_only(), + kus.decipher_only(), + ))?)) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "AuthorityInformationAccess"))? - .call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::SUBJECT_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "SubjectInformationAccess"))? - .call1((ads,))?, + types::SUBJECT_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::CERTIFICATE_POLICIES_OID => { let cp = parse_cp(py, ext)?; - Ok(Some(x509_module.call_method1( - pyo3::intern!(py, "CertificatePolicies"), - (cp,), - )?)) + Ok(Some(types::CERTIFICATE_POLICIES.get(py)?.call1((cp,))?)) } oid::POLICY_CONSTRAINTS_OID => { let pc = ext.value::()?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "PolicyConstraints"))? - .call1((pc.require_explicit_policy, pc.inhibit_policy_mapping))?, - )) + Ok(Some(types::POLICY_CONSTRAINTS.get(py)?.call1(( + pc.require_explicit_policy, + pc.inhibit_policy_mapping, + ))?)) } oid::OCSP_NO_CHECK_OID => { ext.value::<()>()?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "OCSPNoCheck"))? - .call0()?, - )) + Ok(Some(types::OCSP_NO_CHECK.get(py)?.call0()?)) } oid::INHIBIT_ANY_POLICY_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "InhibitAnyPolicy"))? - .call1((pynum,))?, - )) + Ok(Some(types::INHIBIT_ANY_POLICY.get(py)?.call1((pynum,))?)) } oid::BASIC_CONSTRAINTS_OID => { let bc = ext.value::()?; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "BasicConstraints"))? + types::BASIC_CONSTRAINTS + .get(py)? .call1((bc.ca, bc.path_length))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some(parse_authority_key_identifier(py, ext)?)), oid::CRL_DISTRIBUTION_POINTS_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "CRLDistributionPoints"))? - .call1((dp,))?, - )) + Ok(Some(types::CRL_DISTRIBUTION_POINTS.get(py)?.call1((dp,))?)) } oid::FRESHEST_CRL_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "FreshestCRL"))? - .call1((dp,))?, - )) + Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) } oid::NAME_CONSTRAINTS_OID => { let nc = ext.value::>()?; @@ -824,19 +778,19 @@ pub fn parse_cert_ext<'p>( None => py.None(), }; Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "NameConstraints"))? + types::NAME_CONSTRAINTS + .get(py)? .call1((permitted_subtrees, excluded_subtrees))?, )) } oid::MS_CERTIFICATE_TEMPLATE => { let ms_cert_tpl = ext.value::()?; let py_oid = oid_to_py_oid(py, &ms_cert_tpl.template_id)?; - Ok(Some( - x509_module - .getattr(pyo3::intern!(py, "MSCertificateTemplate"))? - .call1((py_oid, ms_cert_tpl.major_version, ms_cert_tpl.minor_version))?, - )) + Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get(py)?.call1(( + py_oid, + ms_cert_tpl.major_version, + ms_cert_tpl.minor_version, + ))?)) } _ => Ok(None), } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 10a6a8bff50b..125397c11b0d 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -108,21 +108,21 @@ pub(crate) fn encode_general_name<'a>( py: pyo3::Python<'a>, gn: &'a pyo3::PyAny, ) -> Result, CryptographyError> { - let gn_module = py.import(pyo3::intern!(py, "cryptography.x509.general_name"))?; let gn_type = gn.get_type().as_ref(); let gn_value = gn.getattr(pyo3::intern!(py, "value"))?; - if gn_type.is(gn_module.getattr(pyo3::intern!(py, "DNSName"))?) { + + if gn_type.is(types::DNS_NAME.get(py)?) { Ok(GeneralName::DNSName(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "RFC822Name"))?) { + } else if gn_type.is(types::RFC822_NAME.get(py)?) { Ok(GeneralName::RFC822Name(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "DirectoryName"))?) { + } else if gn_type.is(types::DIRECTORY_NAME.get(py)?) { let name = encode_name(py, gn_value)?; Ok(GeneralName::DirectoryName(name)) - } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "OtherName"))?) { + } else if gn_type.is(types::OTHER_NAME.get(py)?) { Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(gn.getattr(pyo3::intern!(py, "type_id"))?)?, value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { @@ -132,16 +132,16 @@ pub(crate) fn encode_general_name<'a>( )) })?, })) - } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "UniformResourceIdentifier"))?) { + } else if gn_type.is(types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) { Ok(GeneralName::UniformResourceIdentifier( UnvalidatedIA5String(gn_value.extract::<&str>()?), )) - } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "IPAddress"))?) { + } else if gn_type.is(types::IPADDRESS.get(py)?) { Ok(GeneralName::IPAddress( gn.call_method0(pyo3::intern!(py, "_packed"))? .extract::<&[u8]>()?, )) - } else if gn_type.is(gn_module.getattr(pyo3::intern!(py, "RegisteredID"))?) { + } else if gn_type.is(types::REGISTERED_ID.get(py)?) { let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) } else { @@ -242,41 +242,37 @@ pub(crate) fn parse_general_name( py: pyo3::Python<'_>, gn: GeneralName<'_>, ) -> Result { - let x509_module = py.import(pyo3::intern!(py, "cryptography.x509"))?; let py_gn = match gn { GeneralName::OtherName(data) => { let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py); - x509_module - .call_method1( - pyo3::intern!(py, "OtherName"), - (oid, data.value.full_data()), - )? + types::OTHER_NAME + .get(py)? + .call1((oid, data.value.full_data()))? .to_object(py) } - GeneralName::RFC822Name(data) => x509_module - .getattr(pyo3::intern!(py, "RFC822Name"))? + GeneralName::RFC822Name(data) => types::RFC822_NAME + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), - GeneralName::DNSName(data) => x509_module - .getattr(pyo3::intern!(py, "DNSName"))? + GeneralName::DNSName(data) => types::DNS_NAME + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DirectoryName(data) => { let py_name = parse_name(py, data.unwrap_read())?; - x509_module - .call_method1(pyo3::intern!(py, "DirectoryName"), (py_name,))? + types::DIRECTORY_NAME + .get(py)? + .call1((py_name,))? .to_object(py) } - GeneralName::UniformResourceIdentifier(data) => x509_module - .getattr(pyo3::intern!(py, "UniformResourceIdentifier"))? + GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; - x509_module - .call_method1(pyo3::intern!(py, "IPAddress"), (addr,))? - .to_object(py) + types::IPADDRESS.get(py)?.call1((addr,))?.to_object(py) } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. @@ -285,9 +281,7 @@ pub(crate) fn parse_general_name( } GeneralName::RegisteredID(data) => { let oid = oid_to_py_oid(py, &data)?.to_object(py); - x509_module - .call_method1(pyo3::intern!(py, "RegisteredID"), (oid,))? - .to_object(py) + types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py) } _ => { return Err(CryptographyError::from( From b6784c91e3077472a9b1b1dccdbcd6878534ebfe Mon Sep 17 00:00:00 2001 From: Iain Hammond Date: Wed, 6 Sep 2023 22:32:49 +0100 Subject: [PATCH 0420/1014] add X509V3_EXT_ERROR_UNKNOWN binding (#9547) --- src/_cffi_src/openssl/x509v3.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index dae98da1bf4e..5dafabc3a89c 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -41,6 +41,8 @@ } d; ...; } GENERAL_NAME; + +static const long X509V3_EXT_ERROR_UNKNOWN; """ From 1e1b31f41f2726198ac11f294c65f0c98511029f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 7 Sep 2023 00:17:26 +0000 Subject: [PATCH 0421/1014] Bump BoringSSL and/or OpenSSL in CI (#9549) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2510715bcff2..f167152e8324 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 05, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "fa343af32b77f5f005a651656732ae3f0b526774"}} - # Latest commit on the OpenSSL master branch, as of Sep 06, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c1673a60e40f6dcd110d1a4ff3e11a3297ada2da"}} + # Latest commit on the BoringSSL master branch, as of Sep 07, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "be84aeed7d21f5e5be37dee3c827175acebb6dda"}} + # Latest commit on the OpenSSL master branch, as of Sep 07, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "025535ecd11bdebd8eb28ed4f0f6b509b1b54577"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 1f36696541db60ed8591702f3b10b7d79ec8f7c1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Sep 2023 07:03:16 -0400 Subject: [PATCH 0422/1014] Bump coverage from 7.3.0 to 7.3.1 (#9555) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.0 to 7.3.1. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.3.0...7.3.1) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e47092a758f5..c6ba0417257a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -29,7 +29,7 @@ click==8.1.7 # via black colorlog==6.7.0 # via nox -coverage==7.3.0; python_version >= "3.8" +coverage==7.3.1; python_version >= "3.8" # via pytest-cov distlib==0.3.7 # via virtualenv From f90a1f5fd0db9c4943a2e407863426a4ddae643c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Sep 2023 07:09:02 -0400 Subject: [PATCH 0423/1014] Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#9552) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/0b7f8abb1508181956e8e162db84b466c27e18ce...a8a3f3ad30e3422c9c7b888a15615d19a852ae32) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f167152e8324..5f5825b6d142 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -470,14 +470,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 439b80f461e9..47d1a5a92dbd 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -152,7 +152,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}" path: cryptography-wheelhouse/ @@ -265,7 +265,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -346,7 +346,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION}}" path: cryptography-wheelhouse\ From c3cba62b99042cba655d8e620b081f1bf7cd0b6c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Sep 2023 11:10:55 +0000 Subject: [PATCH 0424/1014] Bump build from 1.0.0 to 1.0.3 (#9554) Bumps [build](https://github.com/pypa/build) from 1.0.0 to 1.0.3. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.0.0...1.0.3) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c6ba0417257a..f84305130af2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ black==23.7.0 # via cryptography (pyproject.toml) bleach==6.0.0 # via readme-renderer -build==1.0.0 +build==1.0.3 # via # check-sdist # cryptography (pyproject.toml) From 40f7b173b2e5a6ef4e8811df4ed1708cf5ded1b3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Sep 2023 11:19:20 +0000 Subject: [PATCH 0425/1014] Bump securesystemslib from 0.28.0 to 0.29.0 in /.github/requirements (#9553) Bumps [securesystemslib](https://github.com/secure-systems-lab/securesystemslib) from 0.28.0 to 0.29.0. - [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases) - [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md) - [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.28.0...v0.29.0) --- updated-dependencies: - dependency-name: securesystemslib dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7a75e689ced9..b0cd0ffdbfe4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -422,9 +422,9 @@ secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -securesystemslib==0.28.0 \ - --hash=sha256:9e6b9abe36a511d4f52c759069db8f6f650362ba82d6efc7bc7466a458b3f499 \ - --hash=sha256:a27e519247576f2a77b97fb03267d8eeb88eba715d12da64109e845616f919c6 +securesystemslib==0.29.0 \ + --hash=sha256:658ea4d41bbe6bc574758f91ba809812e08a22fddebb6ee4ea837f72591f136a \ + --hash=sha256:dcfcb70562ad76069f71da9916a3cb7bc85fbf6cd51216c741a00096cf58dc6c # via # sigstore # tuf From bff4c761f9db2413f24586f41400706941519cb6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Sep 2023 11:25:51 +0000 Subject: [PATCH 0426/1014] Bump actions/upload-artifact in /.github/actions/upload-coverage (#9550) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/0b7f8abb1508181956e8e162db84b466c27e18ce...a8a3f3ad30e3422c9c7b888a15615d19a852ae32) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 5f2a0add7799..a005d6b7462d 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: coverage-data path: | From 6b3cd7c0262b186e93945f8205be31a7c53ea479 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 7 Sep 2023 08:46:43 -0400 Subject: [PATCH 0427/1014] Test OpenSSL 3.2.0-alpha1 (#9557) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5f5825b6d142..6ef7dfa3a68d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,6 +38,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.2"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha1"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} From 52b4e77eb606605213e148e1786969e775663a1c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 7 Sep 2023 08:47:06 -0400 Subject: [PATCH 0428/1014] bump setuptools in build-requirements.txt (#9556) --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 971a6f9807df..5fd448973abd 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -96,9 +96,9 @@ wheel==0.41.2 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==68.1.2 \ - --hash=sha256:3d4dfa6d95f1b101d695a6160a7626e15583af71a5f52176efa5d39a054d475d \ - --hash=sha256:3d8083eed2d13afc9426f227b24fd1659489ec107c0e86cec2ffdde5c92e790b +setuptools==68.2.0 \ + --hash=sha256:00478ca80aeebeecb2f288d3206b0de568df5cd2b8fada1209843cc9a8d88a48 \ + --hash=sha256:af3d5949030c3f493f550876b2fd1dd5ec66689c4ee5d5344f009746f71fd5a8 # via # -r build-requirements.in # setuptools-rust From 5b5412ea1b27e7a99959ec3c2240b86c1ad3b236 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 7 Sep 2023 08:55:14 -0400 Subject: [PATCH 0429/1014] Remove long pointless indirection (#9558) --- tests/hazmat/primitives/test_rsa.py | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 578bb7886ef4..ae28f5cb3a40 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -83,15 +83,6 @@ def _check_fips_key_length(backend, private_key): pytest.skip(f"Key size not FIPS compliant: {private_key.key_size}") -def _check_rsa_private_numbers_if_serializable(key): - if isinstance(key, rsa.RSAPrivateKey): - _check_rsa_private_numbers(key.private_numbers()) - - -def test_check_rsa_private_numbers_if_serializable(): - _check_rsa_private_numbers_if_serializable("notserializable") - - def _flatten_pkcs1_examples(vectors): flattened_vectors = [] for vector in vectors: @@ -192,7 +183,7 @@ def test_generate_rsa_keys(self, backend, public_exponent, key_size): skey = rsa.generate_private_key(public_exponent, key_size, backend) assert skey.key_size == key_size - _check_rsa_private_numbers_if_serializable(skey) + _check_rsa_private_numbers(skey.private_numbers()) pkey = skey.public_key() assert isinstance(pkey.public_numbers(), rsa.RSAPublicNumbers) From 8139038bdb84c7b7092eeca32a1a3c3e3584970f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 8 Sep 2023 00:17:44 +0000 Subject: [PATCH 0430/1014] Bump BoringSSL and/or OpenSSL in CI (#9559) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ef7dfa3a68d..11a488196a71 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 07, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "be84aeed7d21f5e5be37dee3c827175acebb6dda"}} - # Latest commit on the OpenSSL master branch, as of Sep 07, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "025535ecd11bdebd8eb28ed4f0f6b509b1b54577"}} + # Latest commit on the BoringSSL master branch, as of Sep 08, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e5b6c141a19bb086481f914d4d55b35765505e6c"}} + # Latest commit on the OpenSSL master branch, as of Sep 08, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e6b6b18af3e85a6b5f0d8ea1070f7070557d6357"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From c54f88428530b09b517be5f420b5f524fc57dd36 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Sep 2023 07:42:04 -0400 Subject: [PATCH 0431/1014] Bump actions/cache from 3.3.1 to 3.3.2 (#9560) Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8...704facf57e6136b1bc63b828d79edcd491f0ee84) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11a488196a71..646483426c52 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -93,7 +93,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 id: ossl-cache timeout-minutes: 2 with: From 1a5ea26142d219b5c826972981fb6253f09d1338 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Sep 2023 07:42:23 -0400 Subject: [PATCH 0432/1014] Bump pytest from 7.4.1 to 7.4.2 (#9561) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.1 to 7.4.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.4.1...7.4.2) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f84305130af2..3884096bb1cc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -110,7 +110,7 @@ pygments==2.16.1 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.4.1 +pytest==7.4.2 # via # cryptography (pyproject.toml) # pytest-benchmark From ec384821f164e135b78453a5c0ed5dec40813009 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 8 Sep 2023 20:21:08 -0400 Subject: [PATCH 0433/1014] Bump BoringSSL and/or OpenSSL in CI (#9563) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 646483426c52..9cc7bb8180fc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 08, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e5b6c141a19bb086481f914d4d55b35765505e6c"}} - # Latest commit on the OpenSSL master branch, as of Sep 08, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e6b6b18af3e85a6b5f0d8ea1070f7070557d6357"}} + # Latest commit on the BoringSSL master branch, as of Sep 09, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3aecf1d00bf62fa40bee0c93525df52204f48d4a"}} + # Latest commit on the OpenSSL master branch, as of Sep 09, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "aff99225f946d8f538b5e0cb95fc65d5cd36b99b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 69df0bd25480daf0626b348e2b88181d21aabf2c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 8 Sep 2023 23:01:45 -0400 Subject: [PATCH 0434/1014] x509/policy: add WebPKI permitted algorithms (#9548) * cargo scaffolding Signed-off-by: William Woodruff * mod: isolate failures to just RSA encodings for now Signed-off-by: William Woodruff * policy: isolate some more Signed-off-by: William Woodruff * policy: begin fixing things Signed-off-by: William Woodruff * policy: fix RSASSA-PSS trailer field * policy: make WEBPKI_PERMITTED_ALGORITHMS public * policy: add comment with link to CA/B Forum's doc * remove as-yet unneeded dep Signed-off-by: William Woodruff * mod: break out each webpki algo into its own constant Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: Facundo Tuesca --- src/rust/Cargo.lock | 1 + .../cryptography-x509-validation/Cargo.toml | 1 + .../cryptography-x509-validation/src/lib.rs | 1 + .../src/policy/mod.rs | 184 ++++++++++++++++++ 4 files changed, 187 insertions(+) create mode 100644 src/rust/cryptography-x509-validation/src/policy/mod.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 590c25a78d68..3f2d8ab3a5b2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -111,6 +111,7 @@ version = "0.1.0" dependencies = [ "asn1", "cryptography-x509", + "once_cell", ] [[package]] diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-validation/Cargo.toml index 49c608dcbec6..e756c2e940d4 100644 --- a/src/rust/cryptography-x509-validation/Cargo.toml +++ b/src/rust/cryptography-x509-validation/Cargo.toml @@ -10,3 +10,4 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.15.5", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } +once_cell = "1" diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 212642f6d428..b7836902c942 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -5,4 +5,5 @@ #![forbid(unsafe_code)] pub mod ops; +pub mod policy; pub mod types; diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs new file mode 100644 index 000000000000..4c6262dbd1de --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -0,0 +1,184 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use std::collections::HashSet; + +use once_cell::sync::Lazy; + +use cryptography_x509::common::{ + AlgorithmIdentifier, AlgorithmParameters, RsaPssParameters, PSS_SHA256_HASH_ALG, + PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, PSS_SHA512_HASH_ALG, + PSS_SHA512_MASK_GEN_ALG, +}; + +// RSASSA‐PKCS1‐v1_5 with SHA‐256 +static RSASSA_PKCS1V15_SHA256: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::RsaWithSha256(Some(())), +}; + +// RSASSA‐PKCS1‐v1_5 with SHA‐384 +static RSASSA_PKCS1V15_SHA384: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::RsaWithSha384(Some(())), +}; + +// RSASSA‐PKCS1‐v1_5 with SHA‐512 +static RSASSA_PKCS1V15_SHA512: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::RsaWithSha512(Some(())), +}; + +// RSASSA‐PSS with SHA‐256, MGF‐1 with SHA‐256, and a salt length of 32 bytes +static RSASSA_PSS_SHA256: Lazy> = Lazy::new(|| AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::RsaPss(Some(Box::new(RsaPssParameters { + hash_algorithm: PSS_SHA256_HASH_ALG, + mask_gen_algorithm: PSS_SHA256_MASK_GEN_ALG, + salt_length: 32, + _trailer_field: 1, + }))), +}); + +// RSASSA‐PSS with SHA‐384, MGF‐1 with SHA‐384, and a salt length of 48 bytes +static RSASSA_PSS_SHA384: Lazy> = Lazy::new(|| AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::RsaPss(Some(Box::new(RsaPssParameters { + hash_algorithm: PSS_SHA384_HASH_ALG, + mask_gen_algorithm: PSS_SHA384_MASK_GEN_ALG, + salt_length: 48, + _trailer_field: 1, + }))), +}); + +// RSASSA‐PSS with SHA‐512, MGF‐1 with SHA‐512, and a salt length of 64 bytes +static RSASSA_PSS_SHA512: Lazy> = Lazy::new(|| AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::RsaPss(Some(Box::new(RsaPssParameters { + hash_algorithm: PSS_SHA512_HASH_ALG, + mask_gen_algorithm: PSS_SHA512_MASK_GEN_ALG, + salt_length: 64, + _trailer_field: 1, + }))), +}); + +// For P-256: the signature MUST use ECDSA with SHA‐256 +static ECDSA_SHA256: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::EcDsaWithSha256(None), +}; + +// For P-384: the signature MUST use ECDSA with SHA‐384 +static ECDSA_SHA384: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::EcDsaWithSha384(None), +}; + +// For P-521: the signature MUST use ECDSA with SHA‐512 +static ECDSA_SHA512: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::EcDsaWithSha512(None), +}; + +/// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.2 (pages 96-98) +/// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf +pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> = Lazy::new(|| { + HashSet::from([ + &RSASSA_PKCS1V15_SHA256, + &RSASSA_PKCS1V15_SHA384, + &RSASSA_PKCS1V15_SHA512, + &RSASSA_PSS_SHA256, + &RSASSA_PSS_SHA384, + &RSASSA_PSS_SHA512, + &ECDSA_SHA256, + &ECDSA_SHA384, + &ECDSA_SHA512, + ]) +}); + +#[cfg(test)] +mod tests { + use std::ops::Deref; + + use super::{ + ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, + RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, + WEBPKI_PERMITTED_ALGORITHMS, + }; + + #[test] + fn test_webpki_permitted_algorithms_canonical_encodings() { + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA256)); + let exp_encoding = b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00"; + assert_eq!( + asn1::write_single(&RSASSA_PKCS1V15_SHA256).unwrap(), + exp_encoding + ); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA384)); + let exp_encoding = b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0c\x05\x00"; + assert_eq!( + asn1::write_single(&RSASSA_PKCS1V15_SHA384).unwrap(), + exp_encoding + ); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA512)); + let exp_encoding = b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\r\x05\x00"; + assert_eq!( + asn1::write_single(&RSASSA_PKCS1V15_SHA512).unwrap(), + exp_encoding + ); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PSS_SHA256.deref())); + let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00\xa2\x03\x02\x01 "; + assert_eq!( + asn1::write_single(&RSASSA_PSS_SHA256.deref()).unwrap(), + exp_encoding + ); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PSS_SHA384.deref())); + let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x02\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x02\x05\x00\xa2\x03\x02\x010"; + assert_eq!( + asn1::write_single(&RSASSA_PSS_SHA384.deref()).unwrap(), + exp_encoding + ); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PSS_SHA512.deref())); + let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\xa2\x03\x02\x01@"; + assert_eq!( + asn1::write_single(&RSASSA_PSS_SHA512.deref()).unwrap(), + exp_encoding + ); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&ECDSA_SHA256)); + let exp_encoding = b"0\n\x06\x08*\x86H\xce=\x04\x03\x02"; + assert_eq!(asn1::write_single(&ECDSA_SHA256).unwrap(), exp_encoding); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&ECDSA_SHA384)); + let exp_encoding = b"0\n\x06\x08*\x86H\xce=\x04\x03\x03"; + assert_eq!(asn1::write_single(&ECDSA_SHA384).unwrap(), exp_encoding); + } + + { + assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&ECDSA_SHA512)); + let exp_encoding = b"0\n\x06\x08*\x86H\xce=\x04\x03\x04"; + assert_eq!(asn1::write_single(&ECDSA_SHA512).unwrap(), exp_encoding); + } + } +} From c1e3e8ed61c74d25020588dbeba2dc188e751569 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Sep 2023 13:24:37 +0000 Subject: [PATCH 0435/1014] Bump tibdex/github-app-token from 1.8.2 to 1.9.0 (#9564) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.2 to 1.9.0. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](https://github.com/tibdex/github-app-token/compare/0d49dd721133f900ebd5e0dff2810704e8defbc6...32691ba7c9e7063bd457bd8f2a5703138591fa58) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 3765894b7182..16978bf09ebc 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -51,7 +51,7 @@ jobs: sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml git status if: steps.check-sha-openssl.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@0d49dd721133f900ebd5e0dff2810704e8defbc6 # v1.8.2 + - uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1.9.0 id: generate-token with: app_id: ${{ secrets.BORINGBOT_APP_ID }} From b453d4b4ac7e4d1a026e23da80dd9d993a89457b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Sep 2023 13:25:15 +0000 Subject: [PATCH 0436/1014] Bump readme-renderer from 41.0 to 42.0 (#9565) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 41.0 to 42.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/41.0...42.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3884096bb1cc..5eef39975bf4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -125,7 +125,7 @@ pytest-randomly==3.15.0 # via cryptography (pyproject.toml) pytest-xdist==3.3.1 # via cryptography (pyproject.toml) -readme-renderer==41.0 +readme-renderer==42.0 # via twine requests==2.31.0 # via From 275f336c0a9a2f5f7534554db7318bef68fb053f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Sep 2023 13:28:27 +0000 Subject: [PATCH 0437/1014] Bump virtualenv from 20.24.4 to 20.24.5 (#9566) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.4 to 20.24.5. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.4...20.24.5) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5eef39975bf4..f5904b92f615 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.4 # via # requests # twine -virtualenv==20.24.4 +virtualenv==20.24.5 # via nox webencodings==0.5.1 # via bleach From ec192687d1066d0e44be5a18bf7c82a3e5e56f22 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Sep 2023 13:31:36 +0000 Subject: [PATCH 0438/1014] Bump black from 23.7.0 to 23.9.0 (#9567) Bumps [black](https://github.com/psf/black) from 23.7.0 to 23.9.0. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](https://github.com/psf/black/compare/23.7.0...23.9.0) --- updated-dependencies: - dependency-name: black dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f5904b92f615..16765349c336 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.1.1 # via nox babel==2.12.1 # via sphinx -black==23.7.0 +black==23.9.0 # via cryptography (pyproject.toml) bleach==6.0.0 # via readme-renderer From 422b1aebdc6fa025d8b929f5d62bf71fff32cd34 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Sep 2023 09:57:06 -0400 Subject: [PATCH 0439/1014] Bump readme-renderer from 41.0 to 42.0 in /.github/requirements (#9568) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 41.0 to 42.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/41.0...42.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 36 +++++++++++-------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b0cd0ffdbfe4..0277178eb4f0 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -12,10 +12,6 @@ betterproto==2.0.0b5 \ --hash=sha256:00a301c70a2db4d3cdd2b261522ae1d34972fb04b655a154d67daaaf4131102e \ --hash=sha256:d3e6115c7d5136f1d5974e565b7560273f66b43065e74218e472321ee1258f4c # via sigstore-protobuf-specs -bleach==6.0.0 \ - --hash=sha256:1a1a85c1595e07d8db14c5f09f09e6433502c51c595970edc090551f0db99414 \ - --hash=sha256:33c16e3353dbd13028ab4799a0f89a83f113405c766e9c122df8a06f5b85b3f4 - # via readme-renderer certifi==2023.7.22 \ --hash=sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082 \ --hash=sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9 @@ -326,6 +322,24 @@ multidict==6.0.4 \ --hash=sha256:fc35cb4676846ef752816d5be2193a1e8367b4c1397b74a565a9d0389c433a1d \ --hash=sha256:ff959bee35038c4624250473988b24f846cbeb2c6639de3602c073f10410ceba # via grpclib +nh3==0.2.14 \ + --hash=sha256:116c9515937f94f0057ef50ebcbcc10600860065953ba56f14473ff706371873 \ + --hash=sha256:18415df36db9b001f71a42a3a5395db79cf23d556996090d293764436e98e8ad \ + --hash=sha256:203cac86e313cf6486704d0ec620a992c8bc164c86d3a4fd3d761dd552d839b5 \ + --hash=sha256:2b0be5c792bd43d0abef8ca39dd8acb3c0611052ce466d0401d51ea0d9aa7525 \ + --hash=sha256:377aaf6a9e7c63962f367158d808c6a1344e2b4f83d071c43fbd631b75c4f0b2 \ + --hash=sha256:525846c56c2bcd376f5eaee76063ebf33cf1e620c1498b2a40107f60cfc6054e \ + --hash=sha256:5529a3bf99402c34056576d80ae5547123f1078da76aa99e8ed79e44fa67282d \ + --hash=sha256:7771d43222b639a4cd9e341f870cee336b9d886de1ad9bec8dddab22fe1de450 \ + --hash=sha256:88c753efbcdfc2644a5012938c6b9753f1c64a5723a67f0301ca43e7b85dcf0e \ + --hash=sha256:93a943cfd3e33bd03f77b97baa11990148687877b74193bf777956b67054dcc6 \ + --hash=sha256:9be2f68fb9a40d8440cbf34cbf40758aa7f6093160bfc7fb018cce8e424f0c3a \ + --hash=sha256:a0c509894fd4dccdff557068e5074999ae3b75f4c5a2d6fb5415e782e25679c4 \ + --hash=sha256:ac8056e937f264995a82bf0053ca898a1cb1c9efc7cd68fa07fe0060734df7e4 \ + --hash=sha256:aed56a86daa43966dd790ba86d4b810b219f75b4bb737461b6886ce2bde38fd6 \ + --hash=sha256:e8986f1dd3221d1e741fda0a12eaa4a273f1d80a35e31a1ffe579e7c621d069e \ + --hash=sha256:f99212a81c62b5f22f9e7c3e347aa00491114a5647e1f13bbebd79c3e5f08d75 + # via readme-renderer pkginfo==1.9.6 \ --hash=sha256:4b7a555a6d5a22169fcc9cf7bfd78d296b0361adad412a346c1226849af5e546 \ --hash=sha256:8fd5896e8718a4372f0ea9cc9d96f6417c9b986e23a4d116dda26b62cc29d046 @@ -392,9 +406,9 @@ python-dateutil==2.8.2 \ --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 # via betterproto -readme-renderer==41.0 \ - --hash=sha256:4f4b11e5893f5a5d725f592c5a343e0dc74f5f273cb3dcf8c42d9703a27073f7 \ - --hash=sha256:a38243d5b6741b700a850026e62da4bd739edc7422071e95fd5c4bb60171df86 +readme-renderer==42.0 \ + --hash=sha256:13d039515c1f24de668e2c93f2e877b9dbe6c6c32328b90a40a49d8b2b85f36d \ + --hash=sha256:2d55489f83be4992fe4454939d1a051c33edbab778e82761d060c9fc6b308cd1 # via twine requests==2.31.0 \ --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \ @@ -439,9 +453,7 @@ sigstore-protobuf-specs==0.1.0 \ six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 - # via - # bleach - # python-dateutil + # via python-dateutil tuf==2.1.0 \ --hash=sha256:ab22d1143d4d8aa20c94d243de27eedc8cd517e251ddaf4a88c10952358a13ea \ --hash=sha256:dbfe18fbdeba6d76144931db88b76e473fa40c431b60d25b455a9adbb07c2397 @@ -460,10 +472,6 @@ urllib3==2.0.4 \ # via # requests # twine -webencodings==0.5.1 \ - --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \ - --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923 - # via bleach zipp==3.16.2 \ --hash=sha256:679e51dd4403591b2d6838a48de3d283f3d188412a9782faadf845f298736ba0 \ --hash=sha256:ebc15946aa78bd63458992fc81ec3b6f7b1e92d51c35e6de1c3804e73b799147 From 0d6b94aacf6e3bb48b57c2d688704dd020893d9f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 10 Sep 2023 00:18:42 +0000 Subject: [PATCH 0440/1014] Bump BoringSSL and/or OpenSSL in CI (#9572) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9cc7bb8180fc..23f901bfec02 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 09, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3aecf1d00bf62fa40bee0c93525df52204f48d4a"}} - # Latest commit on the OpenSSL master branch, as of Sep 09, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "aff99225f946d8f538b5e0cb95fc65d5cd36b99b"}} + # Latest commit on the BoringSSL master branch, as of Sep 10, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1e3da32f3754b1b9136247ee26308cfd959cbeba"}} + # Latest commit on the OpenSSL master branch, as of Sep 10, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d2873946dfaff5537ea3d1adf3890e33a3f276ff"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 05edad65fef38317dc68345673d2db3cd73dad4b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Sep 2023 13:19:43 +0000 Subject: [PATCH 0441/1014] Bump tibdex/github-app-token from 1.9.0 to 2.0.0 (#9574) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.9.0 to 2.0.0. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](https://github.com/tibdex/github-app-token/compare/32691ba7c9e7063bd457bd8f2a5703138591fa58...0914d50df753bbc42180d982a6550f195390069f) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 16978bf09ebc..0f28798a3e7f 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -51,7 +51,7 @@ jobs: sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml git status if: steps.check-sha-openssl.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1.9.0 + - uses: tibdex/github-app-token@0914d50df753bbc42180d982a6550f195390069f # v2.0.0 id: generate-token with: app_id: ${{ secrets.BORINGBOT_APP_ID }} From 776ffed32ef4e19c9efcc9a5bce1af9872053e77 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Sep 2023 13:27:44 +0000 Subject: [PATCH 0442/1014] Bump base64 from 0.21.3 to 0.21.4 in /src/rust (#9575) Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.21.3 to 0.21.4. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.21.3...v0.21.4) --- updated-dependencies: - dependency-name: base64 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3f2d8ab3a5b2..14b3aedf0845 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" -version = "0.21.3" +version = "0.21.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "414dcefbc63d77c526a76b3afcf6fbb9b5e2791c19c3aa2297733208750c6e53" +checksum = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2" [[package]] name = "bitflags" From d3f1d95e45c63921030d3ba7f43de921680ae467 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 10 Sep 2023 11:07:09 -0400 Subject: [PATCH 0443/1014] Reduce code duplication in aead.rs (#9570) --- src/rust/src/backend/aead.rs | 41 +++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 9dc3395e7140..1259f1a28ff4 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -58,6 +58,26 @@ impl EvpCipherAead { Ok(()) } + fn process_data( + &self, + ctx: &mut openssl::cipher_ctx::CipherCtx, + data: &[u8], + out: &mut [u8], + ) -> CryptographyResult<()> { + let n = ctx + .cipher_update(data, Some(out)) + .map_err(CryptographyError::from)?; + assert_eq!(n, data.len()); + + let mut final_block = [0]; + let n = ctx + .cipher_final(&mut final_block) + .map_err(CryptographyError::from)?; + assert_eq!(n, 0); + + Ok(()) + } + fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -82,16 +102,7 @@ impl EvpCipherAead { assert!(self.tag_first); (tag, ciphertext) = b.split_at_mut(self.tag_len); - let n = ctx - .cipher_update(plaintext, Some(ciphertext)) - .map_err(CryptographyError::from)?; - assert_eq!(n, ciphertext.len()); - - let mut final_block = [0]; - let n = ctx - .cipher_final(&mut final_block) - .map_err(CryptographyError::from)?; - assert_eq!(n, 0); + self.process_data(&mut ctx, plaintext, ciphertext)?; ctx.tag(tag).map_err(CryptographyError::from)?; @@ -125,16 +136,8 @@ impl EvpCipherAead { Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { // AES SIV can error here if the data is invalid on decrypt - let n = ctx - .cipher_update(ciphertext, Some(b)) - .map_err(|_| exceptions::InvalidTag::new_err(()))?; - assert_eq!(n, b.len()); - - let mut final_block = [0]; - let n = ctx - .cipher_final(&mut final_block) + self.process_data(&mut ctx, ciphertext, b) .map_err(|_| exceptions::InvalidTag::new_err(()))?; - assert_eq!(n, 0); Ok(()) })?) From a1e4fe28c4119ae4ce55d613332cf17deeb516e3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 10 Sep 2023 11:08:33 -0400 Subject: [PATCH 0444/1014] Added nonce arg in aead.rs (#9571) Not actually used yet. --- src/rust/src/backend/aead.rs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 1259f1a28ff4..bb8fcfd1f2ae 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -83,12 +83,13 @@ impl EvpCipherAead { py: pyo3::Python<'p>, plaintext: &[u8], aad: Option>, + nonce: Option<&[u8]>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { check_length(plaintext)?; let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_ctx)?; - ctx.encrypt_init(None, None, None)?; + ctx.encrypt_init(None, None, nonce)?; self.process_aad(&mut ctx, aad)?; @@ -116,6 +117,7 @@ impl EvpCipherAead { py: pyo3::Python<'p>, ciphertext: &[u8], aad: Option>, + nonce: Option<&[u8]>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if ciphertext.len() < self.tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); @@ -123,7 +125,7 @@ impl EvpCipherAead { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_ctx)?; - ctx.decrypt_init(None, None, None)?; + ctx.decrypt_init(None, None, nonce)?; assert!(self.tag_first); // RFC 5297 defines the output as IV || C, where the tag we generate @@ -225,7 +227,7 @@ impl AesSiv { pyo3::exceptions::PyValueError::new_err("data must not be zero length"), )); }; - self.ctx.encrypt(py, data_bytes, aad) + self.ctx.encrypt(py, data_bytes, aad, None) } fn decrypt<'p>( @@ -235,7 +237,7 @@ impl AesSiv { associated_data: Option<&pyo3::types::PyList>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let aad = associated_data.map(Aad::List); - self.ctx.decrypt(py, data.as_bytes(), aad) + self.ctx.decrypt(py, data.as_bytes(), aad, None) } } From 09c80314869516d436d1a2b91ed5c1538b693acc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 10 Sep 2023 11:14:31 -0400 Subject: [PATCH 0445/1014] Enforce a requirement to have safety comments (#9573) --- .github/workflows/ci.yml | 2 +- noxfile.py | 14 +++++++++++--- src/rust/cryptography-cffi/src/lib.rs | 3 +++ src/rust/cryptography-openssl/src/fips.rs | 1 + src/rust/cryptography-openssl/src/hmac.rs | 6 ++++++ src/rust/cryptography-openssl/src/lib.rs | 2 ++ src/rust/cryptography-x509-validation/src/lib.rs | 1 + src/rust/cryptography-x509-validation/src/ops.rs | 4 ++-- src/rust/cryptography-x509-validation/src/types.rs | 2 +- src/rust/cryptography-x509/src/extensions.rs | 6 +++--- src/rust/cryptography-x509/src/lib.rs | 1 + src/rust/src/backend/dh.rs | 2 ++ src/rust/src/backend/dsa.rs | 2 ++ src/rust/src/backend/ec.rs | 2 ++ src/rust/src/backend/ed25519.rs | 2 ++ src/rust/src/backend/ed448.rs | 2 ++ src/rust/src/backend/rsa.rs | 2 ++ src/rust/src/backend/x25519.rs | 2 ++ src/rust/src/backend/x448.rs | 2 ++ src/rust/src/lib.rs | 2 +- src/rust/src/x509/crl.rs | 10 +++++++--- src/rust/src/x509/ocsp_resp.rs | 8 ++++++++ 22 files changed, 64 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 23f901bfec02..d95ff3355778 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -52,7 +52,7 @@ jobs: # potential future MSRV: # 1.64 - maturin # 1.65 - Generic associated types (GATs) - - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.63.0"} + - {VERSION: "3.11", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.64.0"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "beta"} - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "nightly"} diff --git a/noxfile.py b/noxfile.py index 490c4eb21a0e..f64827477d6a 100644 --- a/noxfile.py +++ b/noxfile.py @@ -168,6 +168,7 @@ def flake(session: nox.Session) -> None: @nox.session +@nox.session(name="rust-noclippy") def rust(session: nox.Session) -> None: prof_location = ( pathlib.Path(".") / ".rust-cov" / str(uuid.uuid4()) @@ -187,9 +188,16 @@ def rust(session: nox.Session) -> None: with session.chdir("src/rust/"): session.run("cargo", "fmt", "--all", "--", "--check", external=True) - session.run( - "cargo", "clippy", "--all", "--", "-D", "warnings", external=True - ) + if session.name != "rust-noclippy": + session.run( + "cargo", + "clippy", + "--all", + "--", + "-D", + "warnings", + external=True, + ) build_output = session.run( "cargo", diff --git a/src/rust/cryptography-cffi/src/lib.rs b/src/rust/cryptography-cffi/src/lib.rs index e263d53d8769..110341a1901e 100644 --- a/src/rust/cryptography-cffi/src/lib.rs +++ b/src/rust/cryptography-cffi/src/lib.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] + #[cfg(not(python_implementation = "PyPy"))] use pyo3::FromPyPointer; @@ -22,6 +24,7 @@ pub fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyMod pyo3::types::PyModule::import(py, "_openssl")? }; #[cfg(not(python_implementation = "PyPy"))] + // SAFETY: `PyInit__openssl` returns an owned reference. let openssl_mod = unsafe { let ptr = PyInit__openssl(); pyo3::types::PyModule::from_owned_ptr(py, ptr) diff --git a/src/rust/cryptography-openssl/src/fips.rs b/src/rust/cryptography-openssl/src/fips.rs index 29c4c789d838..9cdbd3f34648 100644 --- a/src/rust/cryptography-openssl/src/fips.rs +++ b/src/rust/cryptography-openssl/src/fips.rs @@ -18,6 +18,7 @@ pub fn is_enabled() -> bool { CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) ))] + // SAFETY: No pre-conditions unsafe { ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 } diff --git a/src/rust/cryptography-openssl/src/hmac.rs b/src/rust/cryptography-openssl/src/hmac.rs index b30de478688d..d2c14431853b 100644 --- a/src/rust/cryptography-openssl/src/hmac.rs +++ b/src/rust/cryptography-openssl/src/hmac.rs @@ -14,11 +14,14 @@ foreign_types::foreign_type! { pub struct HmacRef; } +// SAFETY: It's safe to have `&` references from multiple threads. unsafe impl Sync for Hmac {} +// SAFETY: It's safe to move the `Hmac` from one thread to another. unsafe impl Send for Hmac {} impl Hmac { pub fn new(key: &[u8], md: openssl::hash::MessageDigest) -> OpenSSLResult { + // SAFETY: All FFI conditions are handled. unsafe { let h = Hmac::from_ptr(cvt_p(ffi::HMAC_CTX_new())?); cvt(ffi::HMAC_Init_ex( @@ -37,6 +40,7 @@ impl Hmac { impl HmacRef { pub fn update(&mut self, data: &[u8]) -> OpenSSLResult<()> { + // SAFETY: All FFI conditions are handled. unsafe { cvt(ffi::HMAC_Update(self.as_ptr(), data.as_ptr(), data.len()))?; } @@ -46,6 +50,7 @@ impl HmacRef { pub fn finish(&mut self) -> OpenSSLResult { let mut buf = [0; ffi::EVP_MAX_MD_SIZE as usize]; let mut len = ffi::EVP_MAX_MD_SIZE as std::os::raw::c_uint; + // SAFETY: All FFI conditions are handled. unsafe { cvt(ffi::HMAC_Final(self.as_ptr(), buf.as_mut_ptr(), &mut len))?; } @@ -56,6 +61,7 @@ impl HmacRef { } pub fn copy(&self) -> OpenSSLResult { + // SAFETY: All FFI conditions are handled. unsafe { let h = Hmac::from_ptr(cvt_p(ffi::HMAC_CTX_new())?); cvt(ffi::HMAC_CTX_copy(h.as_ptr(), self.as_ptr()))?; diff --git a/src/rust/cryptography-openssl/src/lib.rs b/src/rust/cryptography-openssl/src/lib.rs index 3ddf4adbd7f6..7d2ab1bc7d8c 100644 --- a/src/rust/cryptography-openssl/src/lib.rs +++ b/src/rust/cryptography-openssl/src/lib.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] + pub mod fips; pub mod hmac; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index b7836902c942..a22922d0a964 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -3,6 +3,7 @@ // for complete details. #![forbid(unsafe_code)] +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] pub mod ops; pub mod policy; diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index 7cb33c0dee7f..a9c11f9c4793 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -11,9 +11,9 @@ pub trait CryptoOps { /// Extracts the public key from the given `Certificate` in /// a `Key` format known by the cryptographic backend, or `None` /// if the key is malformed. - fn public_key(&self, cert: &Certificate) -> Option; + fn public_key(&self, cert: &Certificate<'_>) -> Option; /// Verifies the signature on `Certificate` using the given /// `Key`. - fn is_signed_by(&self, cert: &Certificate, key: Self::Key) -> bool; + fn is_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> bool; } diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs index 20b42bc06f61..8872941e3f06 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs +++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -101,7 +101,7 @@ impl<'a> DNSPattern<'a> { } } - pub fn matches(&self, name: &DNSName) -> bool { + pub fn matches(&self, name: &DNSName<'_>) -> bool { match self { Self::Exact(pat) => pat == name, Self::Wildcard(pat) => match name.parent() { diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index cb24682a3b7b..142d083cdb15 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -313,7 +313,7 @@ mod tests { let der = asn1::write_single(&extensions).unwrap(); let raw = asn1::parse_single(&der).unwrap(); - let extensions: Extensions = Extensions::from_raw_extensions(Some(&raw)).ok().unwrap(); + let extensions = Extensions::from_raw_extensions(Some(&raw)).ok().unwrap(); assert!(&extensions.get_extension(&BASIC_CONSTRAINTS_OID).is_some()); assert!(&extensions @@ -337,7 +337,7 @@ mod tests { let der = asn1::write_single(&extensions).unwrap(); let parsed = asn1::parse_single(&der).unwrap(); - let extensions: Extensions = Extensions::from_raw_extensions(Some(&parsed)).ok().unwrap(); + let extensions = Extensions::from_raw_extensions(Some(&parsed)).ok().unwrap(); let extension_list: Vec<_> = extensions.iter().collect(); assert_eq!(extension_list.len(), 1); @@ -367,7 +367,7 @@ mod tests { let ku_bitstring = asn1::BitString::new(&ku_bits, 7).unwrap(); let asn1 = asn1::write_single(&ku_bitstring).unwrap(); - let ku: KeyUsage = asn1::parse_single(&asn1).unwrap(); + let ku: KeyUsage<'_> = asn1::parse_single(&asn1).unwrap(); assert!(!ku.is_zeroed()); assert!(ku.digital_signature()); assert!(ku.content_comitment()); diff --git a/src/rust/cryptography-x509/src/lib.rs b/src/rust/cryptography-x509/src/lib.rs index 548e073b13e5..c74424acfa34 100644 --- a/src/rust/cryptography-x509/src/lib.rs +++ b/src/rust/cryptography-x509/src/lib.rs @@ -3,6 +3,7 @@ // for complete details. #![forbid(unsafe_code)] +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] pub mod certificate; pub mod common; diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 12629ecabbd0..204b9ebc5b3a 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -49,6 +49,7 @@ fn generate_parameters(generator: u32, key_size: u32) -> CryptographyResult DHPrivateKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; DHPrivateKey { pkey: pkey.to_owned(), @@ -57,6 +58,7 @@ fn private_key_from_ptr(ptr: usize) -> DHPrivateKey { #[pyo3::prelude::pyfunction] fn public_key_from_ptr(ptr: usize) -> DHPublicKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; DHPublicKey { pkey: pkey.to_owned(), diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index aaa90f9ddcf6..f5606e9c4a0c 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -36,6 +36,7 @@ struct DsaParameters { #[pyo3::prelude::pyfunction] fn private_key_from_ptr(ptr: usize) -> DsaPrivateKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; DsaPrivateKey { pkey: pkey.to_owned(), @@ -44,6 +45,7 @@ fn private_key_from_ptr(ptr: usize) -> DsaPrivateKey { #[pyo3::prelude::pyfunction] fn public_key_from_ptr(ptr: usize) -> DsaPublicKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; DsaPublicKey { pkey: pkey.to_owned(), diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index f0f4e5c735be..e6cba24ecc7d 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -124,6 +124,7 @@ fn curve_supported(py: pyo3::Python<'_>, py_curve: &pyo3::PyAny) -> bool { #[pyo3::prelude::pyfunction] fn private_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; let curve = py_curve_from_curve(py, pkey.ec_key().unwrap().group())?; check_key_infinity(&pkey.ec_key().unwrap())?; @@ -135,6 +136,7 @@ fn private_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult< #[pyo3::prelude::pyfunction] fn public_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; let ec = pkey.ec_key().map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!("Unable to load EC key: {}", e)) diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 4c372a938e3b..ba90eff08b5e 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -27,6 +27,7 @@ fn generate_key() -> CryptographyResult { #[pyo3::prelude::pyfunction] fn private_key_from_ptr(ptr: usize) -> Ed25519PrivateKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; Ed25519PrivateKey { pkey: pkey.to_owned(), @@ -35,6 +36,7 @@ fn private_key_from_ptr(ptr: usize) -> Ed25519PrivateKey { #[pyo3::prelude::pyfunction] fn public_key_from_ptr(ptr: usize) -> Ed25519PublicKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; Ed25519PublicKey { pkey: pkey.to_owned(), diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 0706e4a95f74..2c54226eb405 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -27,6 +27,7 @@ fn generate_key() -> CryptographyResult { #[pyo3::prelude::pyfunction] fn private_key_from_ptr(ptr: usize) -> Ed448PrivateKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; Ed448PrivateKey { pkey: pkey.to_owned(), @@ -35,6 +36,7 @@ fn private_key_from_ptr(ptr: usize) -> Ed448PrivateKey { #[pyo3::prelude::pyfunction] fn public_key_from_ptr(ptr: usize) -> Ed448PublicKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; Ed448PublicKey { pkey: pkey.to_owned(), diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 7e068be1a552..5460cb3a1578 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -42,6 +42,7 @@ fn private_key_from_ptr( ptr: usize, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; if !unsafe_skip_rsa_key_validation { check_rsa_private_key(&pkey.rsa().unwrap())?; @@ -53,6 +54,7 @@ fn private_key_from_ptr( #[pyo3::prelude::pyfunction] fn public_key_from_ptr(ptr: usize) -> RsaPublicKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; RsaPublicKey { pkey: pkey.to_owned(), diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 6b34842a6f3c..ec89a758a2b1 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -26,6 +26,7 @@ fn generate_key() -> CryptographyResult { #[pyo3::prelude::pyfunction] fn private_key_from_ptr(ptr: usize) -> X25519PrivateKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; X25519PrivateKey { pkey: pkey.to_owned(), @@ -34,6 +35,7 @@ fn private_key_from_ptr(ptr: usize) -> X25519PrivateKey { #[pyo3::prelude::pyfunction] fn public_key_from_ptr(ptr: usize) -> X25519PublicKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; X25519PublicKey { pkey: pkey.to_owned(), diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 65f3249ef160..9e6f4fd0d301 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -26,6 +26,7 @@ fn generate_key() -> CryptographyResult { #[pyo3::prelude::pyfunction] fn private_key_from_ptr(ptr: usize) -> X448PrivateKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; X448PrivateKey { pkey: pkey.to_owned(), @@ -34,6 +35,7 @@ fn private_key_from_ptr(ptr: usize) -> X448PrivateKey { #[pyo3::prelude::pyfunction] fn public_key_from_ptr(ptr: usize) -> X448PublicKey { + // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; X448PublicKey { pkey: pkey.to_owned(), diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index af85f373c578..c245649f985e 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -#![deny(rust_2018_idioms)] +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] mod asn1; mod backend; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index e9035b665da7..fddc4b286617 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -412,6 +412,10 @@ fn try_map_arc_data_mut_crl_iterator( ) -> Result, E>, ) -> Result { OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_owner()), |inner_it| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) }) } @@ -455,9 +459,9 @@ self_cell::self_cell!( impl Clone for OwnedRevokedCertificate { fn clone(&self) -> OwnedRevokedCertificate { - // This is safe because `Arc::clone` ensures the data is alive, but - // Rust doesn't understand the lifetime relationship it produces. - // Open-coded implementation of the API discussed in + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in // https://github.com/joshua-maros/ouroboros/issues/38 OwnedRevokedCertificate::new(Arc::clone(self.borrow_owner()), |_| unsafe { std::mem::transmute(self.borrow_dependent().clone()) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 679dff6e6e09..f4251089d69a 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -412,6 +412,10 @@ fn map_arc_data_ocsp_response( ) -> certificate::OwnedCertificate { certificate::OwnedCertificate::new(it.borrow_owner().clone_ref(py), |inner_it| { it.with_dependent(|_, value| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 f(inner_it.as_bytes(py), unsafe { std::mem::transmute(value) }) }) }) @@ -424,6 +428,10 @@ fn try_map_arc_data_mut_ocsp_response_iterator( ) -> Result, E>, ) -> Result { OwnedSingleResponse::try_new(Arc::clone(it.borrow_owner()), |inner_it| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) }) } From dd02171a30c5d1e4e825053042091aea830adf66 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 11 Sep 2023 00:17:26 +0000 Subject: [PATCH 0446/1014] Bump BoringSSL and/or OpenSSL in CI (#9576) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d95ff3355778..776f176d8614 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 10, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1e3da32f3754b1b9136247ee26308cfd959cbeba"}} - # Latest commit on the OpenSSL master branch, as of Sep 10, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d2873946dfaff5537ea3d1adf3890e33a3f276ff"}} + # Latest commit on the OpenSSL master branch, as of Sep 11, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c499cbc3239e3ac93fa5acf85cec7ea7df116518"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 029399c8ef3a3844c143d2436e979fe84e612310 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Sep 2023 07:02:52 -0400 Subject: [PATCH 0447/1014] Bump black from 23.9.0 to 23.9.1 (#9579) Bumps [black](https://github.com/psf/black) from 23.9.0 to 23.9.1. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](https://github.com/psf/black/compare/23.9.0...23.9.1) --- updated-dependencies: - dependency-name: black dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 16765349c336..56036d131dac 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.1.1 # via nox babel==2.12.1 # via sphinx -black==23.9.0 +black==23.9.1 # via cryptography (pyproject.toml) bleach==6.0.0 # via readme-renderer From da21e9670b3a03db95086634c1eb4b4a69e5c8c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?McCoy=20Pati=C3=B1o?= <39780829+mccoyp@users.noreply.github.com> Date: Mon, 11 Sep 2023 16:58:01 -0700 Subject: [PATCH 0448/1014] Add algorithm/MGF properties to asymmetric paddings (#9582) * Add properties * Update documentation * Add tests * Line length; Expose MGF class * Remove unnecessary flags --- CHANGELOG.rst | 4 +++ docs/hazmat/primitives/asymmetric/rsa.rst | 29 +++++++++++++++++++ .../hazmat/primitives/asymmetric/padding.py | 12 ++++++++ tests/hazmat/primitives/test_rsa.py | 21 ++++++++++++++ 4 files changed, 66 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8a39465f2fee..3e85f3bb540d 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -18,6 +18,10 @@ Changelog * Added support for obtaining X.509 certificate signing request signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`. +* Added `mgf` property to + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. +* Added `algorithm` and `mgf` properties to + :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`. .. _v41-0-3: diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index 23401f52793a..b8f2acacdf8f 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -317,6 +317,14 @@ Padding Pass this attribute to ``salt_length`` to automatically determine the salt length when verifying. Raises ``ValueError`` if used when signing. + .. attribute:: mgf + + :type: :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF` + + .. versionadded:: 42.0.0 + + The padding's mask generation function (MGF). + .. class:: OAEP(mgf, algorithm, label) .. versionadded:: 0.4 @@ -335,6 +343,22 @@ Padding :param bytes label: A label to apply. This is a rarely used field and should typically be set to ``None`` or ``b""``, which are equivalent. + .. attribute:: algorithm + + :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` + + .. versionadded:: 42.0.0 + + The padding's hash algorithm. + + .. attribute:: mgf + + :type: :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF` + + .. versionadded:: 42.0.0 + + The padding's mask generation function (MGF). + .. class:: PKCS1v15() .. versionadded:: 0.3 @@ -369,6 +393,11 @@ Padding Mask generation functions ------------------------- +.. class:: MGF + + .. versionadded:: 37.0.0 + + .. class:: MGF1(algorithm) .. versionadded:: 0.3 diff --git a/src/cryptography/hazmat/primitives/asymmetric/padding.py b/src/cryptography/hazmat/primitives/asymmetric/padding.py index 61359adfa9b5..b4babf44f79b 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/padding.py +++ b/src/cryptography/hazmat/primitives/asymmetric/padding.py @@ -56,6 +56,10 @@ def __init__( self._salt_length = salt_length + @property + def mgf(self) -> MGF: + return self._mgf + class OAEP(AsymmetricPadding): name = "EME-OAEP" @@ -73,6 +77,14 @@ def __init__( self._algorithm = algorithm self._label = label + @property + def algorithm(self) -> hashes.HashAlgorithm: + return self._algorithm + + @property + def mgf(self) -> MGF: + return self._mgf + class MGF(metaclass=abc.ABCMeta): _algorithm: hashes.HashAlgorithm diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index ae28f5cb3a40..cf9fb9d689aa 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -1687,6 +1687,13 @@ def test_valid_pss_parameters_maximum(self): assert pss._mgf == mgf assert pss._salt_length == padding.PSS.MAX_LENGTH + def test_mgf_property(self): + algorithm = hashes.SHA1() + mgf = padding.MGF1(algorithm) + pss = padding.PSS(mgf=mgf, salt_length=padding.PSS.MAX_LENGTH) + assert pss.mgf == mgf + assert pss.mgf == pss._mgf + class TestMGF1: def test_invalid_hash_algorithm(self): @@ -1707,6 +1714,20 @@ def test_invalid_algorithm(self): mgf=mgf, algorithm=b"", label=None # type:ignore[arg-type] ) + def test_algorithm_property(self): + algorithm = hashes.SHA1() + mgf = padding.MGF1(algorithm) + oaep = padding.OAEP(mgf=mgf, algorithm=algorithm, label=None) + assert oaep.algorithm == algorithm + assert oaep.algorithm == oaep._algorithm + + def test_mgf_property(self): + algorithm = hashes.SHA1() + mgf = padding.MGF1(algorithm) + oaep = padding.OAEP(mgf=mgf, algorithm=algorithm, label=None) + assert oaep.mgf == mgf + assert oaep.mgf == oaep._mgf + class TestRSADecryption: @pytest.mark.supported( From ad1a92f814b477e63682d2ec25a530543d86edce Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 12 Sep 2023 00:26:15 +0000 Subject: [PATCH 0449/1014] Bump BoringSSL and/or OpenSSL in CI (#9584) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 776f176d8614..2762f223859f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 10, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1e3da32f3754b1b9136247ee26308cfd959cbeba"}} - # Latest commit on the OpenSSL master branch, as of Sep 11, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c499cbc3239e3ac93fa5acf85cec7ea7df116518"}} + # Latest commit on the OpenSSL master branch, as of Sep 12, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4ee8c1fb51687ea811fc2abf87e173c70d018bc2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 1523940558774335c158d1b47cf9eb174113dedb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 11 Sep 2023 20:49:17 -0400 Subject: [PATCH 0450/1014] last ever 1.1.1 bump in CI (#9585) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2762f223859f..4406614ea17d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,7 +32,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1v"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.10"}} - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} From 7b77e4e11c09681d48d0f1e21be6caca7fb7ab03 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Sep 2023 11:11:40 +0000 Subject: [PATCH 0451/1014] Bump ruff from 0.0.287 to 0.0.288 (#9587) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.287 to 0.0.288. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.287...v0.0.288) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 56036d131dac..c526e2908505 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.287 +ruff==0.0.288 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 8f0269b82bc5aca8df66363c3f6fdf24ceee8b1b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Sep 2023 10:05:08 -0400 Subject: [PATCH 0452/1014] Bump setuptools verison (#9588) --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 5fd448973abd..485b26606f20 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -96,9 +96,9 @@ wheel==0.41.2 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==68.2.0 \ - --hash=sha256:00478ca80aeebeecb2f288d3206b0de568df5cd2b8fada1209843cc9a8d88a48 \ - --hash=sha256:af3d5949030c3f493f550876b2fd1dd5ec66689c4ee5d5344f009746f71fd5a8 +setuptools==68.2.1 \ + --hash=sha256:56ee14884fd8d0cd015411f4a13f40b4356775a0aefd9ebc1d3bfb9a1acb32f1 \ + --hash=sha256:eff96148eb336377ab11beee0c73ed84f1709a40c0b870298b0d058828761bae # via # -r build-requirements.in # setuptools-rust From 7995dc970cf198468e02e54d0bc04769efd48698 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Sep 2023 10:10:01 -0400 Subject: [PATCH 0453/1014] added tests for invalid nonces with AESOCB decryption (#9583) --- tests/hazmat/primitives/test_aead.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index ce90f6892395..9b0607802489 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -610,6 +610,11 @@ def test_invalid_nonce_length(self, backend): with pytest.raises(ValueError): aesocb3.encrypt(b"\x00" * 16, b"hi", None) + with pytest.raises(ValueError): + aesocb3.decrypt(b"\x00" * 11, b"hi", None) + with pytest.raises(ValueError): + aesocb3.decrypt(b"\x00" * 16, b"hi", None) + def test_bad_key(self, backend): with pytest.raises(TypeError): AESOCB3(object()) # type:ignore[arg-type] From 2eaee33566410676238b0c1bf9a050a7b99d4991 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Sep 2023 10:10:32 -0400 Subject: [PATCH 0454/1014] Simplify error handling code (#9578) --- src/rust/src/backend/aead.rs | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index bb8fcfd1f2ae..a390a44b4b71 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -64,15 +64,11 @@ impl EvpCipherAead { data: &[u8], out: &mut [u8], ) -> CryptographyResult<()> { - let n = ctx - .cipher_update(data, Some(out)) - .map_err(CryptographyError::from)?; + let n = ctx.cipher_update(data, Some(out))?; assert_eq!(n, data.len()); let mut final_block = [0]; - let n = ctx - .cipher_final(&mut final_block) - .map_err(CryptographyError::from)?; + let n = ctx.cipher_final(&mut final_block)?; assert_eq!(n, 0); Ok(()) From a245028b3a067962c6194b4b2b62245bf6cc7a90 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Sep 2023 10:12:28 -0400 Subject: [PATCH 0455/1014] Use EVP_CIPHER_CTX the way OpenSSL intended. (#9577) Which is to say, don't mix up encryption and decryption ones, even though it'll sometimes work and it's not at all documented when or why it doesn't. --- src/rust/src/backend/aead.rs | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index a390a44b4b71..de330448b9e9 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -24,22 +24,30 @@ enum Aad<'a> { } struct EvpCipherAead { - base_ctx: openssl::cipher_ctx::CipherCtx, + base_encryption_ctx: openssl::cipher_ctx::CipherCtx, + base_decryption_ctx: openssl::cipher_ctx::CipherCtx, tag_len: usize, tag_first: bool, } impl EvpCipherAead { fn new( - base_ctx: openssl::cipher_ctx::CipherCtx, + cipher: &openssl::cipher::CipherRef, + key: &[u8], tag_len: usize, tag_first: bool, - ) -> EvpCipherAead { - EvpCipherAead { - base_ctx, + ) -> CryptographyResult { + let mut base_encryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; + base_encryption_ctx.encrypt_init(Some(cipher), Some(key), None)?; + let mut base_decryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; + base_decryption_ctx.decrypt_init(Some(cipher), Some(key), None)?; + + Ok(EvpCipherAead { + base_encryption_ctx, + base_decryption_ctx, tag_len, tag_first, - } + }) } fn process_aad( @@ -84,7 +92,7 @@ impl EvpCipherAead { check_length(plaintext)?; let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; - ctx.copy(&self.base_ctx)?; + ctx.copy(&self.base_encryption_ctx)?; ctx.encrypt_init(None, None, nonce)?; self.process_aad(&mut ctx, aad)?; @@ -120,7 +128,7 @@ impl EvpCipherAead { } let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; - ctx.copy(&self.base_ctx)?; + ctx.copy(&self.base_decryption_ctx)?; ctx.decrypt_init(None, None, nonce)?; assert!(self.tag_first); @@ -190,10 +198,8 @@ impl AesSiv { } let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; - let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; - ctx.encrypt_init(Some(&cipher), Some(key_buf.as_bytes()), None)?; Ok(AesSiv { - ctx: EvpCipherAead::new(ctx, 16, true), + ctx: EvpCipherAead::new(&cipher, key_buf.as_bytes(), 16, true)?, }) } } From 8c2fe360be6fb214f6232f0f415dbf6c63422aa3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 12 Sep 2023 17:06:46 -0400 Subject: [PATCH 0456/1014] x509/sct: replace another utcfromtimestamp call (#9589) Signed-off-by: William Woodruff --- src/rust/src/x509/sct.rs | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 173364cd2a10..29d3697019ce 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -4,7 +4,6 @@ use crate::error::CryptographyError; use crate::types; -use pyo3::types::IntoPyDict; use pyo3::ToPyObject; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -175,17 +174,19 @@ impl Sct { #[getter] fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + + let kwargs = pyo3::types::PyDict::new(py); + kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; + kwargs.set_item("tzinfo", None::>)?; + types::DATETIME_DATETIME .get(py)? .call_method1( - pyo3::intern!(py, "utcfromtimestamp"), - (self.timestamp / 1000,), + pyo3::intern!(py, "fromtimestamp"), + (self.timestamp / 1000, utc), )? - .call_method( - "replace", - (), - Some(vec![("microsecond", self.timestamp % 1000 * 1000)].into_py_dict(py)), - ) + .call_method("replace", (), Some(kwargs)) } #[getter] From e8168a41f19332b07ccdf5fa5f8ec901a01d51e3 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:19:25 +0000 Subject: [PATCH 0457/1014] Bump BoringSSL and/or OpenSSL in CI (#9591) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4406614ea17d..1c1fd23b5033 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 10, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1e3da32f3754b1b9136247ee26308cfd959cbeba"}} - # Latest commit on the OpenSSL master branch, as of Sep 12, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4ee8c1fb51687ea811fc2abf87e173c70d018bc2"}} + # Latest commit on the BoringSSL master branch, as of Sep 13, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ecb7e9ae5cf7e940751f0f68d212fb2b099322ef"}} + # Latest commit on the OpenSSL master branch, as of Sep 13, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "123c85864fa7fe97d8ae3a09989d410501d957a5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From ee84311c06ad5e30ba9d391eb26181b2fece6356 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Sep 2023 20:36:54 -0400 Subject: [PATCH 0458/1014] Added an additional test for AESOCB3 (#9590) This covers all three AES key lengths --- tests/hazmat/primitives/test_aead.py | 32 ++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 9b0607802489..5cf5bca546a1 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -585,6 +585,38 @@ def test_vectors_invalid(self, backend, subtests): with pytest.raises(InvalidTag): aesocb3.decrypt(nonce, ct, b"nonsense") + @pytest.mark.parametrize( + ("key_len", "expected"), + [ + (128, b"g\xe9D\xd22V\xc5\xe0\xb6\xc6\x1f\xa2/\xdf\x1e\xa2"), + (192, b"\xf6s\xf2\xc3\xe7\x17J\xae{\xae\x98l\xa9\xf2\x9e\x17"), + (256, b"\xd9\x0e\xb8\xe9\xc9w\xc8\x8by\xddy=\x7f\xfa\x16\x1c"), + ], + ) + def test_rfc7253(self, backend, key_len, expected): + # This is derived from page 18 of RFC 7253, with a tag length of + # 128 bits. + + k = AESOCB3(b"\x00" * ((key_len - 8) // 8) + b"\x80") + + c = b"" + + for i in range(0, 128): + s = b"\x00" * i + n = (3 * i + 1).to_bytes(12, "big") + c += k.encrypt(n, s, s) + n = (3 * i + 2).to_bytes(12, "big") + c += k.encrypt(n, s, b"") + n = (3 * i + 3).to_bytes(12, "big") + c += k.encrypt(n, b"", s) + + assert len(c) == 22400 + + n = (385).to_bytes(12, "big") + output = k.encrypt(n, b"", c) + + assert output == expected + @pytest.mark.parametrize( ("nonce", "data", "associated_data"), [ From 8f8dc7ed42c65b3c2a17c5b3471a29e9c8621b7b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Sep 2023 23:45:16 -0400 Subject: [PATCH 0459/1014] Mark cryptography_vectors as typed (#9592) --- vectors/cryptography_vectors/py.typed | 1 + 1 file changed, 1 insertion(+) create mode 100644 vectors/cryptography_vectors/py.typed diff --git a/vectors/cryptography_vectors/py.typed b/vectors/cryptography_vectors/py.typed new file mode 100644 index 000000000000..8b137891791f --- /dev/null +++ b/vectors/cryptography_vectors/py.typed @@ -0,0 +1 @@ + From 804b56979fc9ec3c100bfb673cf77ad817ad643e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 07:32:31 -0400 Subject: [PATCH 0460/1014] Bump libc from 0.2.147 to 0.2.148 in /src/rust (#9597) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.147 to 0.2.148. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.147...0.2.148) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 14b3aedf0845..1648908e3030 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -137,9 +137,9 @@ checksum = "bfa799dd5ed20a7e349f3b4639aa80d74549c81716d9ec4f994c9b5815598306" [[package]] name = "libc" -version = "0.2.147" +version = "0.2.148" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" +checksum = "9cdc71e17332e86d2e1d38c1f99edcb6288ee11b815fb1a4b049eaa2114d369b" [[package]] name = "lock_api" From 251223105bcb855df98fe2d787ad1a3a3027e964 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 07:33:41 -0400 Subject: [PATCH 0461/1014] Bump unicode-ident from 1.0.11 to 1.0.12 in /src/rust (#9596) Bumps [unicode-ident](https://github.com/dtolnay/unicode-ident) from 1.0.11 to 1.0.12. - [Release notes](https://github.com/dtolnay/unicode-ident/releases) - [Commits](https://github.com/dtolnay/unicode-ident/compare/1.0.11...1.0.12) --- updated-dependencies: - dependency-name: unicode-ident dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1648908e3030..18d790e9c8f1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "9d0e916b1148c8e263850e1ebcbd046f333e0683c724876bb0da63ea4373dc8a" [[package]] name = "unicode-ident" -version = "1.0.11" +version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unindent" From e1f02a3bc0625870d093eb03172a95750f46c1f7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 07:34:24 -0400 Subject: [PATCH 0462/1014] Bump Swatinem/rust-cache from 2.6.2 to 2.7.0 in /.github/actions/cache (#9595) Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.6.2 to 2.7.0. - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/e207df5d269b42b69c8bc5101da26f7d31feddb4...a95ba195448af2da9b00fb742d14ffaaf3c21f43) --- updated-dependencies: - dependency-name: Swatinem/rust-cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/cache/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index f577fbd73de3..53db3e1d2e65 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@e207df5d269b42b69c8bc5101da26f7d31feddb4 # v2.6.2 + - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 with: key: ${{ steps.normalized-key.outputs.key }} workspaces: "./src/rust/ -> target" From df0910ee020392c309673ce2b2c790e3ad2be1cd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 07:35:43 -0400 Subject: [PATCH 0463/1014] Bump ruff from 0.0.288 to 0.0.289 (#9593) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.288 to 0.0.289. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.288...v0.0.289) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c526e2908505..71efd5d5acc3 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.288 +ruff==0.0.289 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 6a723330602f0d62f065f650a7726f18884ceb27 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 13 Sep 2023 09:53:34 -0400 Subject: [PATCH 0464/1014] Bump setuptools version in build-requirements (#9598) --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 485b26606f20..50072432710b 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -96,9 +96,9 @@ wheel==0.41.2 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==68.2.1 \ - --hash=sha256:56ee14884fd8d0cd015411f4a13f40b4356775a0aefd9ebc1d3bfb9a1acb32f1 \ - --hash=sha256:eff96148eb336377ab11beee0c73ed84f1709a40c0b870298b0d058828761bae +setuptools==68.2.2 \ + --hash=sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 \ + --hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a # via # -r build-requirements.in # setuptools-rust From d167a2e2576d6961875d801b0d13b4bb312982f3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 13 Sep 2023 12:39:48 -0400 Subject: [PATCH 0465/1014] ops: use `Result<..., Self::Err>` for returns (#9599) This allows us to pass error states through, rather than swallowing them, which in turn will make these interfaces easier to reuse in a way that gets us coverage. Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/ops.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index a9c11f9c4793..faacca5c47a8 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -8,12 +8,15 @@ pub trait CryptoOps { /// A public key type for this cryptographic backend. type Key; + /// An error type for this cryptographic backend. + type Err; + /// Extracts the public key from the given `Certificate` in /// a `Key` format known by the cryptographic backend, or `None` /// if the key is malformed. - fn public_key(&self, cert: &Certificate<'_>) -> Option; + fn public_key(&self, cert: &Certificate<'_>) -> Result; /// Verifies the signature on `Certificate` using the given /// `Key`. - fn is_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> bool; + fn is_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> Result<(), Self::Err>; } From 51ea13ed3a6101d732ed805787a5b991f6b39276 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 13 Sep 2023 20:02:23 -0400 Subject: [PATCH 0466/1014] Migrate OCB3 to Rust (#9569) --- .../hazmat/backends/openssl/aead.py | 6 +- .../hazmat/bindings/_rust/openssl/aead.pyi | 17 ++ .../hazmat/primitives/ciphers/aead.py | 70 +----- src/rust/Cargo.lock | 1 + src/rust/Cargo.toml | 1 + src/rust/src/backend/aead.rs | 214 ++++++++++++++++-- 6 files changed, 212 insertions(+), 97 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py index f0162530b2f9..95c5133c1dc9 100644 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ b/src/cryptography/hazmat/backends/openssl/aead.py @@ -13,11 +13,10 @@ from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, - AESOCB3, ChaCha20Poly1305, ) - _AEADTypes = typing.Union[AESCCM, AESGCM, AESOCB3, ChaCha20Poly1305] + _AEADTypes = typing.Union[AESCCM, AESGCM, ChaCha20Poly1305] def _is_evp_aead_supported_cipher( @@ -220,7 +219,6 @@ def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, - AESOCB3, ChaCha20Poly1305, ) @@ -228,8 +226,6 @@ def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: return b"chacha20-poly1305" elif isinstance(cipher, AESCCM): return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") - elif isinstance(cipher, AESOCB3): - return f"aes-{len(cipher._key) * 8}-ocb".encode("ascii") else: assert isinstance(cipher, AESGCM) return f"aes-{len(cipher._key) * 8}-gcm".encode("ascii") diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index 08a9307127ac..981d69d13219 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -16,3 +16,20 @@ class AESSIV: data: bytes, associated_data: list[bytes] | None, ) -> bytes: ... + +class AESOCB3: + def __init__(self, key: bytes) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 0feb921dc7bd..291513d75f04 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -21,6 +21,7 @@ ] AESSIV = rust_openssl.aead.AESSIV +AESOCB3 = rust_openssl.aead.AESOCB3 class ChaCha20Poly1305: @@ -242,72 +243,3 @@ def _check_params( utils._check_byteslike("associated_data", associated_data) if len(nonce) < 8 or len(nonce) > 128: raise ValueError("Nonce must be between 8 and 128 bytes") - - -class AESOCB3: - _MAX_SIZE = 2**31 - 1 - - def __init__(self, key: bytes): - utils._check_byteslike("key", key) - if len(key) not in (16, 24, 32): - raise ValueError("AESOCB3 key must be 128, 192, or 256 bits.") - - self._key = key - - if not backend.aead_cipher_supported(self): - raise exceptions.UnsupportedAlgorithm( - "OCB3 is not supported by this version of OpenSSL", - exceptions._Reasons.UNSUPPORTED_CIPHER, - ) - - @classmethod - def generate_key(cls, bit_length: int) -> bytes: - if not isinstance(bit_length, int): - raise TypeError("bit_length must be an integer") - - if bit_length not in (128, 192, 256): - raise ValueError("bit_length must be 128, 192, or 256") - - return os.urandom(bit_length // 8) - - def encrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE: - # This is OverflowError to match what cffi would raise - raise OverflowError( - "Data or associated data too long. Max 2**31 - 1 bytes" - ) - - self._check_params(nonce, data, associated_data) - return aead._encrypt(backend, self, nonce, data, [associated_data], 16) - - def decrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - self._check_params(nonce, data, associated_data) - return aead._decrypt(backend, self, nonce, data, [associated_data], 16) - - def _check_params( - self, - nonce: bytes, - data: bytes, - associated_data: bytes, - ) -> None: - utils._check_byteslike("nonce", nonce) - utils._check_byteslike("data", data) - utils._check_byteslike("associated_data", associated_data) - if len(nonce) < 12 or len(nonce) > 15: - raise ValueError("Nonce must be between 12 and 15 bytes") diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 18d790e9c8f1..6134c6a02b72 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -86,6 +86,7 @@ version = "0.1.0" dependencies = [ "asn1", "cc", + "cfg-if", "cryptography-cffi", "cryptography-openssl", "cryptography-x509", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 6e408e9b4355..9d41d805fc16 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -9,6 +9,7 @@ rust-version = "1.63.0" [dependencies] once_cell = "1" +cfg-if = "1" pyo3 = { version = "0.19", features = ["abi3-py37"] } asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index de330448b9e9..0965b71a7005 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -20,6 +20,7 @@ fn check_length(data: &[u8]) -> CryptographyResult<()> { } enum Aad<'a> { + Single(CffiBuf<'a>), List(&'a pyo3::types::PyList), } @@ -55,12 +56,19 @@ impl EvpCipherAead { ctx: &mut openssl::cipher_ctx::CipherCtx, aad: Option>, ) -> CryptographyResult<()> { - if let Some(Aad::List(ads)) = aad { - for ad in ads.iter() { - let ad = ad.extract::>()?; + match aad { + Some(Aad::Single(ad)) => { check_length(ad.as_bytes())?; ctx.cipher_update(ad.as_bytes(), None)?; } + Some(Aad::List(ads)) => { + for ad in ads.iter() { + let ad = ad.extract::>()?; + check_length(ad.as_bytes())?; + ctx.cipher_update(ad.as_bytes(), None)?; + } + } + None => {} } Ok(()) @@ -72,12 +80,46 @@ impl EvpCipherAead { data: &[u8], out: &mut [u8], ) -> CryptographyResult<()> { - let n = ctx.cipher_update(data, Some(out))?; - assert_eq!(n, data.len()); - - let mut final_block = [0]; - let n = ctx.cipher_final(&mut final_block)?; - assert_eq!(n, 0); + let bs = ctx.block_size(); + + // For AEADs that operate as if they are streaming there's an easy + // path. For AEADs that are more like block ciphers (notably, OCB), + // this is a bit more complicated. + if bs == 1 { + let n = ctx.cipher_update(data, Some(out))?; + assert_eq!(n, data.len()); + + let mut final_block = [0]; + let n = ctx.cipher_final(&mut final_block)?; + assert_eq!(n, 0); + } else { + // Our algorithm here is: split the data into the full chunks, and + // the remaining partial chunk. Feed the full chunks into OpenSSL + // and let it write the results to `out`. Then feed the trailer + // in, allowing it to write the results to a buffer on the + // stack -- this never writes anything. Finally, finalize the AEAD + // and let it write the results to the stack buffer, then copy + // from the stack buffer over to `out`. The indirection via the + // stack buffer is required because OpenSSL uses it as scratch + // space, and `out` wouldn't be long enough. + let (initial, trailer) = data.split_at((data.len() / bs) * bs); + + let n = + // SAFETY: `initial.len()` is a precise multiple of the block + // size, which means the space required in the output is + // exactly `initial.len()`. + unsafe { ctx.cipher_update_unchecked(initial, Some(&mut out[..initial.len()]))? }; + assert_eq!(n, initial.len()); + + assert!(bs <= 16); + let mut buf = [0; 32]; + let n = ctx.cipher_update(trailer, Some(&mut buf))?; + assert_eq!(n, 0); + + let n = ctx.cipher_final(&mut buf)?; + assert_eq!(n, trailer.len()); + out[initial.len()..].copy_from_slice(&buf[..n]); + } Ok(()) } @@ -93,6 +135,9 @@ impl EvpCipherAead { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_encryption_ctx)?; + if let Some(nonce) = nonce { + ctx.set_iv_length(nonce.len())?; + } ctx.encrypt_init(None, None, nonce)?; self.process_aad(&mut ctx, aad)?; @@ -103,9 +148,11 @@ impl EvpCipherAead { |b| { let ciphertext; let tag; - // TODO: remove once we have a second AEAD implemented here. - assert!(self.tag_first); - (tag, ciphertext) = b.split_at_mut(self.tag_len); + if self.tag_first { + (tag, ciphertext) = b.split_at_mut(self.tag_len); + } else { + (ciphertext, tag) = b.split_at_mut(plaintext.len()); + } self.process_data(&mut ctx, plaintext, ciphertext)?; @@ -129,24 +176,35 @@ impl EvpCipherAead { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_decryption_ctx)?; + if let Some(nonce) = nonce { + ctx.set_iv_length(nonce.len())?; + } ctx.decrypt_init(None, None, nonce)?; - assert!(self.tag_first); - // RFC 5297 defines the output as IV || C, where the tag we generate - // is the "IV" and C is the ciphertext. This is the opposite of our - // other AEADs, which are Ciphertext || Tag. - let (tag, ciphertext) = ciphertext.split_at(self.tag_len); + let tag; + let ciphertext_data; + if self.tag_first { + // RFC 5297 defines the output as IV || C, where the tag we generate + // is the "IV" and C is the ciphertext. This is the opposite of our + // other AEADs, which are Ciphertext || Tag. + (tag, ciphertext_data) = ciphertext.split_at(self.tag_len); + } else { + (ciphertext_data, tag) = ciphertext.split_at(ciphertext.len() - self.tag_len); + } ctx.set_tag(tag)?; self.process_aad(&mut ctx, aad)?; - Ok(pyo3::types::PyBytes::new_with(py, ciphertext.len(), |b| { - // AES SIV can error here if the data is invalid on decrypt - self.process_data(&mut ctx, ciphertext, b) - .map_err(|_| exceptions::InvalidTag::new_err(()))?; + Ok(pyo3::types::PyBytes::new_with( + py, + ciphertext_data.len(), + |b| { + self.process_data(&mut ctx, ciphertext_data, b) + .map_err(|_| exceptions::InvalidTag::new_err(()))?; - Ok(()) - })?) + Ok(()) + }, + )?) } } @@ -215,6 +273,7 @@ impl AesSiv { Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } + #[pyo3(signature = (data, associated_data))] fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -232,6 +291,7 @@ impl AesSiv { self.ctx.encrypt(py, data_bytes, aad, None) } + #[pyo3(signature = (data, associated_data))] fn decrypt<'p>( &self, py: pyo3::Python<'p>, @@ -243,10 +303,118 @@ impl AesSiv { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESOCB3" +)] +struct AesOcb3 { + ctx: EvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl AesOcb3 { + #[new] + fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { + let key_buf = key.extract::>(py)?; + + cfg_if::cfg_if! { + if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-OCB3 is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } else { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-OCB3 is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + + let cipher = match key_buf.as_bytes().len() { + 16 => openssl::cipher::Cipher::aes_128_ocb(), + 24 => openssl::cipher::Cipher::aes_192_ocb(), + 32 => openssl::cipher::Cipher::aes_256_ocb(), + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AESOCB3 key must be 128, 192, or 256 bits.", + ), + )) + } + }; + + Ok(AesOcb3 { + ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?, + }) + } + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 128 && bit_length != 192 && bit_length != 256 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), + )); + } + + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + } + + #[pyo3(signature = (nonce, data, associated_data))] + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 12 || nonce_bytes.len() > 15 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 12 and 15 bytes"), + )); + } + + self.ctx + .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } + + #[pyo3(signature = (nonce, data, associated_data))] + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 12 || nonce_bytes.len() > 15 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 12 and 15 bytes"), + )); + } + + self.ctx + .decrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } +} + pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "aead")?; m.add_class::()?; + m.add_class::()?; Ok(m) } From 0b11c112bd7ab860029d4f33c391411790f32571 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 14 Sep 2023 00:19:18 +0000 Subject: [PATCH 0467/1014] Bump BoringSSL and/or OpenSSL in CI (#9600) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1c1fd23b5033..ceb16991e11a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 13, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ecb7e9ae5cf7e940751f0f68d212fb2b099322ef"}} - # Latest commit on the OpenSSL master branch, as of Sep 13, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "123c85864fa7fe97d8ae3a09989d410501d957a5"}} + # Latest commit on the OpenSSL master branch, as of Sep 14, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "df9ecd2ef3907ec0a7bf9c54d9273d5342329bf9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 50afae73cba935a24f90056c4d9ba8dd93aaee63 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Sep 2023 07:05:29 -0400 Subject: [PATCH 0468/1014] Bump sphinx from 7.2.5 to 7.2.6 (#9604) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.2.5 to 7.2.6. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.2.5...v7.2.6) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 71efd5d5acc3..04b4f8538942 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -144,7 +144,7 @@ six==1.16.0 # via bleach snowballstemmer==2.2.0 # via sphinx -sphinx==7.2.5 +sphinx==7.2.6 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 2c27bb69ada132b70fb9e2c230f8ad6d1899aff9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Sep 2023 07:06:57 -0400 Subject: [PATCH 0469/1014] Bump proc-macro2 from 1.0.66 to 1.0.67 in /src/rust (#9605) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.66 to 1.0.67. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.66...1.0.67) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6134c6a02b72..efb128ee8985 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -245,9 +245,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.66" +version = "1.0.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9" +checksum = "3d433d9f1a3e8c1263d9456598b16fec66f4acc9a74dacffd35c7bb09b3a1328" dependencies = [ "unicode-ident", ] From 7cff10421c1b45d8a223864caca24c74ebca491a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Sep 2023 11:10:51 +0000 Subject: [PATCH 0470/1014] Bump filelock from 3.12.3 to 3.12.4 (#9603) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.12.3 to 3.12.4. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.12.3...3.12.4) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 04b4f8538942..57753ac6cace 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ exceptiongroup==1.1.3 # via pytest execnet==2.0.2 # via pytest-xdist -filelock==3.12.3; python_version >= "3.8" +filelock==3.12.4; python_version >= "3.8" # via virtualenv idna==3.4 # via requests From 3e411cf9519d45cda0f2d80660d43e54ebfe7971 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 14 Sep 2023 13:36:01 -0400 Subject: [PATCH 0471/1014] verification: add PolicyBuilder API (#9601) * verification: add PolicyBuilder API Signed-off-by: William Woodruff * docs: fix the docs build Signed-off-by: William Woodruff * docs: drop doc for `webpki()` classmethod Signed-off-by: William Woodruff * docs, src, test: refactoring Signed-off-by: William Woodruff * tests: coverage Signed-off-by: William Woodruff * docs, src, tests: rename `build_server_policy` Signed-off-by: William Woodruff * Update docs/x509/verification.rst Co-authored-by: Alex Gaynor * Update docs/x509/verification.rst Co-authored-by: Alex Gaynor * verification: feedback Signed-off-by: William Woodruff * tests: fix test Signed-off-by: William Woodruff * tests: fix some more Signed-off-by: William Woodruff * Update docs/x509/verification.rst Co-authored-by: Alex Gaynor --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- docs/x509/verification.rst | 32 +++++++++++++++++++++++ src/cryptography/x509/verification.py | 37 ++++++++++++++++++++++++++- tests/x509/test_verification.py | 18 ++++++++++++- 3 files changed, 85 insertions(+), 2 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index c0d4c311e0f1..f46dd91c729b 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -21,3 +21,35 @@ chain building, etc. :param certs: A list of one or more :class:`~cryptography.x509.Certificate` instances. + +.. class:: Subject + + .. versionadded:: 42.0.0 + + Type alias: A union of all subject types supported: + :class:`cryptography.x509.general_name.DNSName`, + :class:`cryptography.x509.general_name.IPAddress`. + + +.. class:: PolicyBuilder + + .. versionadded:: 42.0.0 + + A PolicyBuilder provides a builder-style interface for constructing a + Verifier. + + .. method:: time(new_time) + + Sets the policy's verification time. + + :param new_time: The :class:`datetime.datetime` to use in the policy + + :returns: A new instance of :class:`PolicyBuilder` + + .. method:: build_server_verifier(subject) + + Builds a verifier for verifying server certificates. + + :param subject: A :class:`Subject` to use in the policy + + :raises NotImplementedError: This API is not implemented yet. diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index c622c47e2a2d..5274fab896a2 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -2,8 +2,43 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +from __future__ import annotations + +import datetime +import typing + from cryptography.hazmat.bindings._rust import x509 as rust_x509 +from cryptography.x509.general_name import DNSName, IPAddress -__all__ = ["Store"] +__all__ = ["Store", "Subject", "PolicyBuilder"] Store = rust_x509.Store + +Subject = typing.Union[DNSName, IPAddress] + + +class PolicyBuilder: + def __init__( + self, + *, + time: datetime.datetime | None = None, + ): + self._time = time + + def time(self, new_time: datetime.datetime) -> PolicyBuilder: + """ + Sets the validation time. + """ + if self._time is not None: + raise ValueError("The validation time may only be set once.") + + return PolicyBuilder( + time=new_time, + ) + + def build_server_verifier(self, subject: Subject) -> typing.NoReturn: + """ + Builds a verifier for verifying server certificates. + """ + + raise NotImplementedError diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 8e8ad3b0900d..2d8e4a16c444 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -2,12 +2,14 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import datetime import os import pytest from cryptography import x509 -from cryptography.x509.verification import Store +from cryptography.x509.general_name import DNSName +from cryptography.x509.verification import PolicyBuilder, Store from tests.x509.test_x509 import _load_cert @@ -26,3 +28,17 @@ def test_store_initializes(self): x509.load_pem_x509_certificate, ) assert Store([cert]) is not None + + +class TestPolicyBuilder: + def test_time_already_set(self): + with pytest.raises(ValueError): + PolicyBuilder().time(datetime.datetime.now()).time( + datetime.datetime.now() + ) + + def test_build_not_implemented(self): + with pytest.raises(NotImplementedError): + PolicyBuilder().time( + datetime.datetime.now() + ).build_server_verifier(DNSName("cryptography.io")) From 324eb6f8ea85f8134a659983fe42f067aa18e0c3 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 14 Sep 2023 15:50:47 -0400 Subject: [PATCH 0472/1014] rust: add PyCryptoOps (#9606) * rust: add PyCryptoOps Reimplements `verify_directly_issued_by` in terms of `PyCryptoOps`, for free coverage. Signed-off-by: William Woodruff * rust: is_signed_by -> verify_signed_by Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- src/rust/Cargo.lock | 1 + src/rust/Cargo.toml | 1 + .../cryptography-x509-validation/src/ops.rs | 2 +- src/rust/src/x509/certificate.rs | 14 +++---- src/rust/src/x509/verify.rs | 41 ++++++++++++++++++- 5 files changed, 49 insertions(+), 10 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index efb128ee8985..74419631a5cf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -90,6 +90,7 @@ dependencies = [ "cryptography-cffi", "cryptography-openssl", "cryptography-x509", + "cryptography-x509-validation", "foreign-types-shared", "once_cell", "openssl", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 9d41d805fc16..6a30b6afbf59 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -14,6 +14,7 @@ pyo3 = { version = "0.19", features = ["abi3-py37"] } asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } +cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.57" diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index faacca5c47a8..47e3f2cd07ef 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -18,5 +18,5 @@ pub trait CryptoOps { /// Verifies the signature on `Certificate` using the given /// `Key`. - fn is_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> Result<(), Self::Err>; + fn verify_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> Result<(), Self::Err>; } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 5ebd7a24e002..3ed8f55cf848 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -7,6 +7,7 @@ use crate::asn1::{ }; use crate::backend::hashes; use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::verify::PyCryptoOps; use crate::x509::{extensions, sct, sign}; use crate::{exceptions, types, x509}; use cryptography_x509::certificate::Certificate as RawCertificate; @@ -20,6 +21,7 @@ use cryptography_x509::extensions::{ }; use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; +use cryptography_x509_validation::ops::CryptoOps; use pyo3::{IntoPy, ToPyObject}; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -267,7 +269,6 @@ impl Certificate { fn verify_directly_issued_by( &self, - py: pyo3::Python<'_>, issuer: pyo3::PyRef<'_, Certificate>, ) -> CryptographyResult<()> { if self.raw.borrow_dependent().tbs_cert.signature_alg @@ -286,13 +287,10 @@ impl Certificate { ), )); }; - sign::verify_signature_with_signature_algorithm( - py, - issuer.public_key(py)?, - &self.raw.borrow_dependent().signature_alg, - self.raw.borrow_dependent().signature.as_bytes(), - &asn1::write_single(&self.raw.borrow_dependent().tbs_cert)?, - ) + + let ops = PyCryptoOps {}; + let issuer_key = ops.public_key(issuer.raw.borrow_dependent())?; + ops.verify_signed_by(self.raw.borrow_dependent(), issuer_key) } } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index aef4d6a1c3ce..a0e221660641 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -2,7 +2,46 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::x509::certificate::Certificate as PyCertificate; +use cryptography_x509::certificate::Certificate; +use cryptography_x509_validation::ops::CryptoOps; + +use crate::x509::sign; +use crate::{ + error::{CryptographyError, CryptographyResult}, + types, + x509::certificate::Certificate as PyCertificate, +}; + +pub(crate) struct PyCryptoOps {} + +impl CryptoOps for PyCryptoOps { + type Key = pyo3::Py; + type Err = CryptographyError; + + fn public_key(&self, cert: &Certificate<'_>) -> Result { + pyo3::Python::with_gil(|py| -> Result { + // This makes an unnecessary copy. It'd be nice to get rid of it. + let spki_der = pyo3::types::PyBytes::new(py, &asn1::write_single(&cert.tbs_cert.spki)?); + + Ok(types::LOAD_DER_PUBLIC_KEY + .get(py)? + .call1((spki_der,))? + .into()) + }) + } + + fn verify_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> Result<(), Self::Err> { + pyo3::Python::with_gil(|py| -> CryptographyResult<()> { + sign::verify_signature_with_signature_algorithm( + py, + key.as_ref(py), + &cert.signature_alg, + cert.signature.as_bytes(), + &asn1::write_single(&cert.tbs_cert)?, + ) + }) + } +} #[pyo3::pyclass( frozen, From f14e7f0bdae85829654795fa4ac56373de7b6daf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 15 Sep 2023 00:17:08 +0000 Subject: [PATCH 0473/1014] Bump BoringSSL and/or OpenSSL in CI (#9607) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ceb16991e11a..11d5d0a16d94 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 13, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ecb7e9ae5cf7e940751f0f68d212fb2b099322ef"}} - # Latest commit on the OpenSSL master branch, as of Sep 14, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "df9ecd2ef3907ec0a7bf9c54d9273d5342329bf9"}} + # Latest commit on the OpenSSL master branch, as of Sep 15, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fc785a554cc37dfa94710b28ced45b03006f0300"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From d35e0f8be8b18dd84db440148ae54941cc170abc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Sep 2023 16:24:16 -0400 Subject: [PATCH 0474/1014] Be clear that x509.verification is not yet covered by our policies (#9609) * Be clear that x509.verification is not yet covered by our policies * Update verification.rst --- docs/x509/verification.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index f46dd91c729b..0fbc7870ea80 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -8,7 +8,8 @@ chain building, etc. .. note:: This module is a work in progress, and does not yet contain a fully usable - X.509 path validation implementation. + X.509 path validation implementation. These APIs should be considered + experimental and not yet subject to our backwards compatibility policy. .. class:: Store(certs) From 88633f8a381c9b7983239ba89da206b6c8d7c35f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 16 Sep 2023 00:18:10 +0000 Subject: [PATCH 0475/1014] Bump BoringSSL and/or OpenSSL in CI (#9610) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11d5d0a16d94..eef11eda8cf6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 13, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ecb7e9ae5cf7e940751f0f68d212fb2b099322ef"}} - # Latest commit on the OpenSSL master branch, as of Sep 15, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fc785a554cc37dfa94710b28ced45b03006f0300"}} + # Latest commit on the OpenSSL master branch, as of Sep 16, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "388a8e731445d190a46ec27b2ff5b4bf334d526b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 73d070e8535de46f69ce53d90fc69c7c4a07a957 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 16 Sep 2023 22:56:11 +0200 Subject: [PATCH 0476/1014] Path validation: builder/verifier API skeletons (#9405) * src, tests: flatten all changes Signed-off-by: William Woodruff validation: remove Profile abstract from public APIs One step towards removing it entirely Signed-off-by: William Woodruff policy: disambiguate references Signed-off-by: William Woodruff policy: remove separate rfc5280 profile Signed-off-by: William Woodruff policy: remove profile abstraction entirely Signed-off-by: William Woodruff rust: permitted_algorithms filtering Signed-off-by: William Woodruff verify: simplify policy API substantially No more manual monomorphization. Signed-off-by: William Woodruff src, tests: remove verification code Signed-off-by: William Woodruff validation: remove more validation code Signed-off-by: William Woodruff * cryptography, rust: lintage Signed-off-by: William Woodruff * cryptography, rust: lintage, add Policy.subject API Signed-off-by: William Woodruff * src, tests: initial PolicyBuilder tests Signed-off-by: William Woodruff * verify: Policy.validation_time getter Signed-off-by: William Woodruff * push Store into rust Signed-off-by: William Woodruff * cleanup, fixup Signed-off-by: William Woodruff * tests: lintage Signed-off-by: William Woodruff * src: lintage Signed-off-by: William Woodruff * tests: fix linter warning * policy: apply the relevant parts of trail-of-forks/cryptography/pull/3 Signed-off-by: William Woodruff * policy: typo Signed-off-by: William Woodruff * fixup type hints Signed-off-by: William Woodruff * drop dep Not used, yet. Signed-off-by: William Woodruff * Revert "drop dep" This reverts commit a5154e1245e666a79838cd73784884fad6743e7f. * mod: remove permits_* bodies Will include these in a subsequent PR. Signed-off-by: William Woodruff * src: drop certificate helpers as well Not needed yet. Signed-off-by: William Woodruff * verify: remove unneeded explicit lifetimes Signed-off-by: William Woodruff * tests: builder API coverage Signed-off-by: William Woodruff * tests: more coverage Signed-off-by: William Woodruff * type hints Signed-off-by: William Woodruff * unused derives Signed-off-by: William Woodruff * validation: more coverage Signed-off-by: William Woodruff * policy: more cov Signed-off-by: William Woodruff * policy: more coverage Signed-off-by: William Woodruff * policy: add some known bad testcases Signed-off-by: William Woodruff * policy: coverage Signed-off-by: William Woodruff * validation: remove trust_store Not yet used. Signed-off-by: William Woodruff * ops: add NullOps test Signed-off-by: William Woodruff * x509: reimplement verify_directly_issued_by via CryptoOps Tests fail, but this gets the right coverage. Signed-off-by: William Woodruff * ops: use results Signed-off-by: William Woodruff * src, tests: last cov, hopefully Signed-off-by: William Woodruff * test: lintage Signed-off-by: William Woodruff * docs: fill in API docs Signed-off-by: William Woodruff * rust: uniform imports Signed-off-by: William Woodruff * minimize for MVP No configurable profile, Web PKI only. Signed-off-by: William Woodruff * verify: remove old NOTE Signed-off-by: William Woodruff * verify: remove another old NOTE Signed-off-by: William Woodruff * src, tests: fixup tests Signed-off-by: William Woodruff * docs: cleanup Signed-off-by: William Woodruff * src, tests: drop support for missing subjects As part of the MVP. Signed-off-by: William Woodruff * profile: remove old comments Signed-off-by: William Woodruff * policy: remove some verify-adjacent APIs Paring down for review. Signed-off-by: William Woodruff * policy: remove more verify-adjacent APIs Signed-off-by: William Woodruff * policy: remove some From impls Signed-off-by: William Woodruff * policy: remove rfc5280 constructor Signed-off-by: William Woodruff * docs: declutter diff Signed-off-by: William Woodruff * profile: prune even more state Signed-off-by: William Woodruff * policy: remove old TODO Signed-off-by: William Woodruff * policy: remove PolicyError For now. Signed-off-by: William Woodruff * docs: typo Signed-off-by: William Woodruff * ops: remove NullOps Signed-off-by: William Woodruff * rust: remove dev-dep, don't use import Signed-off-by: William Woodruff * rust: fix IP_ADDRESS rename Signed-off-by: William Woodruff * docs: clarify time behavior Signed-off-by: William Woodruff * rename webpki() to new() Since it doesn't actually do anything WebPKI related at the moment. Signed-off-by: William Woodruff * docs: relocate Signed-off-by: William Woodruff * verify: FixedPolicy -> PyCryptoPolicy Signed-off-by: William Woodruff * verify: simplify SubjectOwner substantially Signed-off-by: William Woodruff * verify: remove getter helper Signed-off-by: William Woodruff * verify: reloc TODO Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: Facundo Tuesca --- docs/x509/verification.rst | 38 ++++- .../hazmat/bindings/_rust/x509.pyi | 12 ++ src/cryptography/x509/__init__.py | 1 + src/cryptography/x509/verification.py | 8 +- .../src/policy/mod.rs | 36 +++++ .../cryptography-x509-validation/src/types.rs | 2 +- src/rust/src/types.rs | 2 +- src/rust/src/x509/common.rs | 6 +- src/rust/src/x509/verify.rs | 136 +++++++++++++++++- tests/x509/test_verification.py | 66 +++++++-- 10 files changed, 273 insertions(+), 34 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 0fbc7870ea80..3964e4384bc6 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -20,7 +20,7 @@ chain building, etc. OS's root of trust, from a well-known source such as a browser CA bundle, or from a small set of manually pre-trusted entities. - :param certs: A list of one or more :class:`~cryptography.x509.Certificate` + :param certs: A list of one or more :class:`cryptography.x509.Certificate` instances. .. class:: Subject @@ -31,6 +31,31 @@ chain building, etc. :class:`cryptography.x509.general_name.DNSName`, :class:`cryptography.x509.general_name.IPAddress`. +.. class:: ServerVerifier + + .. versionadded:: 42.0.0 + + A ServerVerifier verifies server certificates. + + It contains and describes various pieces of configurable path + validation logic, such as which subject to expect, how deep prospective + validation chains may go, which signature algorithms are allowed, and + so forth. + + ServerVerifier instances cannot be constructed directly; + :class:`PolicyBuilder` must be used. + + .. attribute:: subject + + :type: :class:`Subject` + + The verifier's subject. + + .. attribute:: validation_time + + :type: :class:`datetime.datetime` + + The verifier's validation time. .. class:: PolicyBuilder @@ -41,9 +66,12 @@ chain building, etc. .. method:: time(new_time) - Sets the policy's verification time. + Sets the verifier's verification time. + + If not called explicitly, this is set to :meth:`datetime.datetime.now` + when :meth:`build_server_verifier` is called. - :param new_time: The :class:`datetime.datetime` to use in the policy + :param new_time: The :class:`datetime.datetime` to use in the verifier :returns: A new instance of :class:`PolicyBuilder` @@ -51,6 +79,6 @@ chain building, etc. Builds a verifier for verifying server certificates. - :param subject: A :class:`Subject` to use in the policy + :param subject: A :class:`Subject` to use in the verifier - :raises NotImplementedError: This API is not implemented yet. + :returns: An instance of :class:`ServerVerifier` diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 4ad055f1fc7a..19b5a70b0a77 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -2,6 +2,8 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import datetime + from cryptography import x509 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15 @@ -35,6 +37,10 @@ def create_x509_crl( private_key: PrivateKeyTypes, hash_algorithm: hashes.HashAlgorithm | None, ) -> x509.CertificateRevocationList: ... +def create_server_verifier( + name: x509.verification.Subject, + time: datetime.datetime | None, +) -> x509.verification.ServerVerifier: ... class Sct: ... class Certificate: ... @@ -42,5 +48,11 @@ class RevokedCertificate: ... class CertificateRevocationList: ... class CertificateSigningRequest: ... +class ServerVerifier: + @property + def subject(self) -> x509.verification.Subject: ... + @property + def validation_time(self) -> datetime.datetime: ... + class Store: def __init__(self, certs: list[x509.Certificate]) -> None: ... diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 80c5b4dd14b5..931618aa49d1 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -171,6 +171,7 @@ __all__ = [ "certificate_transparency", + "verification", "load_pem_x509_certificate", "load_pem_x509_certificates", "load_der_x509_certificate", diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index 5274fab896a2..8fe2f3b55487 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -10,12 +10,14 @@ from cryptography.hazmat.bindings._rust import x509 as rust_x509 from cryptography.x509.general_name import DNSName, IPAddress -__all__ = ["Store", "Subject", "PolicyBuilder"] +__all__ = ["Store", "Subject", "ServerVerifier", "PolicyBuilder"] Store = rust_x509.Store Subject = typing.Union[DNSName, IPAddress] +ServerVerifier = rust_x509.ServerVerifier + class PolicyBuilder: def __init__( @@ -36,9 +38,9 @@ def time(self, new_time: datetime.datetime) -> PolicyBuilder: time=new_time, ) - def build_server_verifier(self, subject: Subject) -> typing.NoReturn: + def build_server_verifier(self, subject: Subject) -> ServerVerifier: """ Builds a verifier for verifying server certificates. """ - raise NotImplementedError + return rust_x509.create_server_verifier(subject, self._time) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 4c6262dbd1de..1ce7193d6b2c 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -12,6 +12,9 @@ use cryptography_x509::common::{ PSS_SHA512_MASK_GEN_ALG, }; +use crate::ops::CryptoOps; +use crate::types::{DNSName, IPAddress}; + // RSASSA‐PKCS1‐v1_5 with SHA‐256 static RSASSA_PKCS1V15_SHA256: AlgorithmIdentifier<'_> = AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -97,6 +100,39 @@ pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> ]) }); +/// Represents a logical certificate "subject," i.e. a principal matching +/// one of the names listed in a certificate's `subjectAltNames` extension. +pub enum Subject<'a> { + DNS(DNSName<'a>), + IP(IPAddress), +} + +/// A `Policy` describes user-configurable aspects of X.509 path validation. +pub struct Policy<'a, B: CryptoOps> { + _ops: B, + + /// A subject (i.e. DNS name or other name format) that any EE certificates + /// validated by this policy must match. + /// If `None`, the EE certificate must not contain a SAN. + pub subject: Option>, + + /// The validation time. All certificates validated by this policy must + /// be valid at this time. + pub validation_time: asn1::DateTime, +} + +impl<'a, B: CryptoOps> Policy<'a, B> { + /// Creates a new policy with the given `CryptoOps`, an optional subject, + /// and a validation time. + pub fn new(ops: B, subject: Option>, time: asn1::DateTime) -> Self { + Self { + _ops: ops, + subject, + validation_time: time, + } + } +} + #[cfg(test)] mod tests { use std::ops::Deref; diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs index 8872941e3f06..515962ad13aa 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs +++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -20,7 +20,7 @@ use std::str::FromStr; /// # use cryptography_x509_validation::types::DNSName; /// assert_eq!(DNSName::new("foo.com").unwrap(), DNSName::new("FOO.com").unwrap()); /// ``` -#[derive(Debug)] +#[derive(Clone, Debug)] pub struct DNSName<'a>(asn1::IA5String<'a>); impl<'a> DNSName<'a> { diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 8bfcf905d842..60680cd1ab14 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -201,7 +201,6 @@ pub static UNRECOGNIZED_EXTENSION: LazyPyImport = LazyPyImport::new("cryptography.x509", &["UnrecognizedExtension"]); pub static EXTENSION: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Extension"]); pub static EXTENSIONS: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Extensions"]); -pub static IPADDRESS: LazyPyImport = LazyPyImport::new("cryptography.x509", &["IPAddress"]); pub static NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["Name"]); pub static RELATIVE_DISTINGUISHED_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RelativeDistinguishedName"]); @@ -243,6 +242,7 @@ pub static DIRECTORY_NAME: LazyPyImport = pub static UNIFORM_RESOURCE_IDENTIFIER: LazyPyImport = LazyPyImport::new("cryptography.x509", &["UniformResourceIdentifier"]); pub static DNS_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["DNSName"]); +pub static IP_ADDRESS: LazyPyImport = LazyPyImport::new("cryptography.x509", &["IPAddress"]); pub static RFC822_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["RFC822Name"]); pub static OTHER_NAME: LazyPyImport = LazyPyImport::new("cryptography.x509", &["OtherName"]); pub static CERTIFICATE_VERSION_V1: LazyPyImport = diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 125397c11b0d..1e9a228edb0d 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -136,7 +136,7 @@ pub(crate) fn encode_general_name<'a>( Ok(GeneralName::UniformResourceIdentifier( UnvalidatedIA5String(gn_value.extract::<&str>()?), )) - } else if gn_type.is(types::IPADDRESS.get(py)?) { + } else if gn_type.is(types::IP_ADDRESS.get(py)?) { Ok(GeneralName::IPAddress( gn.call_method0(pyo3::intern!(py, "_packed"))? .extract::<&[u8]>()?, @@ -272,7 +272,7 @@ pub(crate) fn parse_general_name( GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; - types::IPADDRESS.get(py)?.call1((addr,))?.to_object(py) + types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py) } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. @@ -333,7 +333,7 @@ fn create_ip_network( prefix? ); let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; - Ok(types::IPADDRESS.get(py)?.call1((addr,))?.to_object(py)) + Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py)) } fn ipv4_netmask(num: u32) -> Result { diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index a0e221660641..9f440b3f1358 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -3,14 +3,17 @@ // for complete details. use cryptography_x509::certificate::Certificate; -use cryptography_x509_validation::ops::CryptoOps; +use cryptography_x509_validation::{ + ops::CryptoOps, + policy::{Policy, Subject}, + types::{DNSName, IPAddress}, +}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::types; +use crate::x509::certificate::Certificate as PyCertificate; +use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime}; use crate::x509::sign; -use crate::{ - error::{CryptographyError, CryptographyResult}, - types, - x509::certificate::Certificate as PyCertificate, -}; pub(crate) struct PyCryptoOps {} @@ -43,6 +46,125 @@ impl CryptoOps for PyCryptoOps { } } +struct PyCryptoPolicy<'a>(Policy<'a, PyCryptoOps>); + +/// This enum exists solely to provide heterogeneously typed ownership for `OwnedPolicy`. +enum SubjectOwner { + // TODO: Switch this to `Py` once Pyo3's `to_str()` preserves a + // lifetime relationship between an a `PyString` and its borrowed `&str` + // reference in all limited API builds. PyO3 can't currently do that in + // older limited API builds because it needs `PyUnicode_AsUTF8AndSize` to do + // so, which was only stabilized with 3.10. + DNSName(String), + IPAddress(pyo3::Py), +} + +self_cell::self_cell!( + struct OwnedPolicy { + owner: SubjectOwner, + + #[covariant] + dependent: PyCryptoPolicy, + } +); + +#[pyo3::pyclass( + name = "ServerVerifier", + module = "cryptography.hazmat.bindings._rust.x509" +)] +struct PyServerVerifier { + #[pyo3(get, name = "subject")] + py_subject: pyo3::Py, + policy: OwnedPolicy, +} + +impl PyServerVerifier { + fn as_policy(&self) -> &Policy<'_, PyCryptoOps> { + &self.policy.borrow_dependent().0 + } +} + +#[pyo3::pymethods] +impl PyServerVerifier { + #[getter] + fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + datetime_to_py(py, &self.as_policy().validation_time) + } +} + +fn build_subject_owner( + py: pyo3::Python<'_>, + subject: &pyo3::Py, +) -> pyo3::PyResult { + let subject = subject.as_ref(py); + + if subject.is_instance(types::DNS_NAME.get(py)?)? { + let value = subject + .getattr(pyo3::intern!(py, "value"))? + .downcast::()?; + + Ok(SubjectOwner::DNSName(value.to_str()?.to_owned())) + } else if subject.is_instance(types::IP_ADDRESS.get(py)?)? { + let value = subject + .getattr(pyo3::intern!(py, "_packed"))? + .call0()? + .downcast::()?; + + Ok(SubjectOwner::IPAddress(value.into())) + } else { + Err(pyo3::exceptions::PyTypeError::new_err( + "unsupported subject type", + )) + } +} + +fn build_subject<'a>( + py: pyo3::Python<'_>, + subject: &'a SubjectOwner, +) -> pyo3::PyResult>> { + match subject { + SubjectOwner::DNSName(dns_name) => { + let dns_name = DNSName::new(dns_name) + .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid domain name"))?; + + Ok(Some(Subject::DNS(dns_name))) + } + SubjectOwner::IPAddress(ip_addr) => { + let ip_addr = IPAddress::from_bytes(ip_addr.as_bytes(py)) + .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid IP address"))?; + + Ok(Some(Subject::IP(ip_addr))) + } + } +} + +#[pyo3::prelude::pyfunction] +fn create_server_verifier( + py: pyo3::Python<'_>, + subject: pyo3::Py, + time: Option<&pyo3::PyAny>, +) -> pyo3::PyResult { + let time = match time { + Some(time) => py_to_datetime(py, time)?, + None => datetime_now(py)?, + }; + + let subject_owner = build_subject_owner(py, &subject)?; + let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| { + let subject = build_subject(py, subject_owner)?; + Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::new( + PyCryptoOps {}, + subject, + time, + ))) + })?; + + Ok(PyServerVerifier { + py_subject: subject, + policy, + }) +} + #[pyo3::pyclass( frozen, name = "Store", @@ -64,7 +186,9 @@ impl PyStore { } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { + module.add_class::()?; module.add_class::()?; + module.add_function(pyo3::wrap_pyfunction!(create_server_verifier, module)?)?; Ok(()) } diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 2d8e4a16c444..5b0c354d8150 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -4,15 +4,65 @@ import datetime import os +from ipaddress import IPv4Address import pytest from cryptography import x509 -from cryptography.x509.general_name import DNSName +from cryptography.x509.general_name import DNSName, IPAddress from cryptography.x509.verification import PolicyBuilder, Store from tests.x509.test_x509 import _load_cert +class TestPolicyBuilder: + def test_time_already_set(self): + with pytest.raises(ValueError): + PolicyBuilder().time(datetime.datetime.now()).time( + datetime.datetime.now() + ) + + def test_ipaddress_subject(self): + policy = PolicyBuilder().build_server_verifier( + IPAddress(IPv4Address("0.0.0.0")) + ) + assert policy.subject == IPAddress(IPv4Address("0.0.0.0")) + + def test_dnsname_subject(self): + policy = PolicyBuilder().build_server_verifier( + DNSName("cryptography.io") + ) + assert policy.subject == DNSName("cryptography.io") + + def test_subject_bad_types(self): + # Subject must be a supported GeneralName type + with pytest.raises(TypeError): + PolicyBuilder().build_server_verifier( + "cryptography.io" # type: ignore[arg-type] + ) + with pytest.raises(TypeError): + PolicyBuilder().build_server_verifier( + "0.0.0.0" # type: ignore[arg-type] + ) + with pytest.raises(TypeError): + PolicyBuilder().build_server_verifier( + IPv4Address("0.0.0.0") # type: ignore[arg-type] + ) + with pytest.raises(TypeError): + PolicyBuilder().build_server_verifier( + None # type: ignore[arg-type] + ) + + def test_builder_pattern(self): + now = datetime.datetime.now().replace(microsecond=0) + + builder = PolicyBuilder() + builder = builder.time(now) + + verifier = builder.build_server_verifier(DNSName("cryptography.io")) + assert verifier.subject == DNSName("cryptography.io") + assert verifier.validation_time == now + + class TestStore: def test_store_rejects_empty_list(self): with pytest.raises(ValueError): @@ -28,17 +78,3 @@ def test_store_initializes(self): x509.load_pem_x509_certificate, ) assert Store([cert]) is not None - - -class TestPolicyBuilder: - def test_time_already_set(self): - with pytest.raises(ValueError): - PolicyBuilder().time(datetime.datetime.now()).time( - datetime.datetime.now() - ) - - def test_build_not_implemented(self): - with pytest.raises(NotImplementedError): - PolicyBuilder().time( - datetime.datetime.now() - ).build_server_verifier(DNSName("cryptography.io")) From 4694fac3b2e3ddd899942d642412ea75584514c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Sep 2023 01:52:23 +0000 Subject: [PATCH 0477/1014] Bump argcomplete from 3.1.1 to 3.1.2 (#9611) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.1.1 to 3.1.2. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.1.1...v3.1.2) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 57753ac6cace..4b21e7324ee0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.13 # via sphinx -argcomplete==3.1.1 +argcomplete==3.1.2 # via nox babel==2.12.1 # via sphinx From 873d67450721f6e92584ffb71778caddf0362061 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Sep 2023 01:53:05 +0000 Subject: [PATCH 0478/1014] Bump ruff from 0.0.289 to 0.0.290 (#9612) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.289 to 0.0.290. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.289...v0.0.290) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4b21e7324ee0..3ef89e0af1bf 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.2 # via twine -ruff==0.0.289 +ruff==0.0.290 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From d7aa76102ad8967b5c56eef89fc9d012fd0851e9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 17 Sep 2023 20:00:33 -0500 Subject: [PATCH 0479/1014] Bump BoringSSL and/or OpenSSL in CI (#9613) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eef11eda8cf6..61df14e91aee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 13, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ecb7e9ae5cf7e940751f0f68d212fb2b099322ef"}} - # Latest commit on the OpenSSL master branch, as of Sep 16, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "388a8e731445d190a46ec27b2ff5b4bf334d526b"}} + # Latest commit on the OpenSSL master branch, as of Sep 18, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "861027ffd06019baf82148837e30a992ca9b055e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 65e0d0df8698735e9ae4ff3e1a76d102671775f2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 06:23:30 -0500 Subject: [PATCH 0480/1014] Bump rich from 13.5.2 to 13.5.3 (#9614) Bumps [rich](https://github.com/Textualize/rich) from 13.5.2 to 13.5.3. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.2...v13.5.3) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3ef89e0af1bf..4af1723574ca 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.5.2 +rich==13.5.3 # via twine ruff==0.0.290 # via cryptography (pyproject.toml) From 364c6c2a1ba304a41f65b2b1539e0ab6e97c4d1c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 06:24:34 -0500 Subject: [PATCH 0481/1014] Bump rich from 13.5.2 to 13.5.3 in /.github/requirements (#9617) Bumps [rich](https://github.com/Textualize/rich) from 13.5.2 to 13.5.3. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.2...v13.5.3) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 0277178eb4f0..65b3885bbc90 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -428,9 +428,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.5.2 \ - --hash=sha256:146a90b3b6b47cac4a73c12866a499e9817426423f57c5a66949c086191a8808 \ - --hash=sha256:fb9d6c0a0f643c99eed3875b5377a184132ba9be4d61516a55273d3554d75a39 +rich==13.5.3 \ + --hash=sha256:87b43e0543149efa1253f485cd845bb7ee54df16c9617b8a893650ab84b4acb6 \ + --hash=sha256:9257b468badc3d347e146a4faa268ff229039d4c2d176ab0cffb4c4fbc73d5d9 # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ From 489228796c57cd8358af353ce48160eca102e142 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 06:25:06 -0500 Subject: [PATCH 0482/1014] Bump dtolnay/rust-toolchain (#9616) Bumps [dtolnay/rust-toolchain](https://github.com/dtolnay/rust-toolchain) from 0e66bd3e6b38ec0ad5312288c83e47c143e6b09e to 1482605bfc5719782e1267fd0c0cc350fe7646b8. - [Release notes](https://github.com/dtolnay/rust-toolchain/releases) - [Commits](https://github.com/dtolnay/rust-toolchain/compare/0e66bd3e6b38ec0ad5312288c83e47c143e6b09e...1482605bfc5719782e1267fd0c0cc350fe7646b8) --- updated-dependencies: - dependency-name: dtolnay/rust-toolchain dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61df14e91aee..f9f1840ead37 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -70,7 +70,7 @@ jobs: cache: pip cache-dependency-path: ci-constraints-requirements.txt - name: Setup rust - uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e + uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 with: toolchain: ${{ matrix.PYTHON.RUST }} components: rustfmt,clippy diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 47d1a5a92dbd..999da4eb55a8 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -228,7 +228,7 @@ jobs: name: openssl-macos-universal2 path: "../openssl-macos-universal2/" github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e + - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 with: toolchain: stable # Add the arm64 target in addition to the native arch (x86_64) @@ -310,7 +310,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} - - uses: dtolnay/rust-toolchain@0e66bd3e6b38ec0ad5312288c83e47c143e6b09e + - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 with: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} From 08b12665724129ef45057d2c650fb18a38d011a2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Sep 2023 06:55:18 -0500 Subject: [PATCH 0483/1014] latest typing extensions in 3.8 only (#9619) --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4af1723574ca..e7deda75233a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -179,7 +179,7 @@ tomli==2.0.1 # pytest twine==4.0.2 # via cryptography (pyproject.toml) -typing-extensions==4.7.1 +typing-extensions==4.8.0; python_version >= "3.8" # via mypy urllib3==2.0.4 # via From 9ccb8b37a49d348f3556cf2761f71c62093df08f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Sep 2023 06:57:21 -0500 Subject: [PATCH 0484/1014] Bump typing-extensions in build-requirements (#9620) --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 50072432710b..b646edb21b79 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -86,9 +86,9 @@ tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -typing-extensions==4.7.1 \ - --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ - --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 +typing-extensions==4.8.0 \ + --hash=sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0 \ + --hash=sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef # via setuptools-rust wheel==0.41.2 \ --hash=sha256:0c5ac5ff2afb79ac23ab82bab027a0be7b5dbcf2e54dc50efe4bf507de1f7985 \ From 8c90d9f6f69c1fdbb790f5e6c27ee7b84dd36954 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Sep 2023 07:00:26 -0500 Subject: [PATCH 0485/1014] Bump typing-extensions in publish-requirements.txt (#9621) --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 65b3885bbc90..d209e700282c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -462,9 +462,9 @@ twine==4.0.2 \ --hash=sha256:929bc3c280033347a00f847236564d1c52a3e61b1ac2516c97c48f3ceab756d8 \ --hash=sha256:9e102ef5fdd5a20661eb88fad46338806c3bd32cf1db729603fe3697b1bc83c8 # via -r publish-requirements.in -typing-extensions==4.7.1 \ - --hash=sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36 \ - --hash=sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2 +typing-extensions==4.8.0 \ + --hash=sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0 \ + --hash=sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef # via pydantic urllib3==2.0.4 \ --hash=sha256:8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11 \ From 5eb016f58d0167a47d6908c4c8ab3a6432a4344e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 00:17:52 +0000 Subject: [PATCH 0486/1014] Bump BoringSSL and/or OpenSSL in CI (#9622) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f9f1840ead37..cb0270d76362 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 13, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ecb7e9ae5cf7e940751f0f68d212fb2b099322ef"}} - # Latest commit on the OpenSSL master branch, as of Sep 18, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "861027ffd06019baf82148837e30a992ca9b055e"}} + # Latest commit on the BoringSSL master branch, as of Sep 19, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1843d660b47116207877614af53defa767be46a"}} + # Latest commit on the OpenSSL master branch, as of Sep 19, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2743594d73e65c38375c619e89ec62579e2c24a9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 72e6f9e9631e5d2b7ac3eeff4652b6392bdad69e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 07:05:45 -0400 Subject: [PATCH 0487/1014] Bump zipp from 3.16.2 to 3.17.0 in /.github/requirements (#9623) Bumps [zipp](https://github.com/jaraco/zipp) from 3.16.2 to 3.17.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.16.2...v3.17.0) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d209e700282c..5e2925ab0932 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -472,7 +472,7 @@ urllib3==2.0.4 \ # via # requests # twine -zipp==3.16.2 \ - --hash=sha256:679e51dd4403591b2d6838a48de3d283f3d188412a9782faadf845f298736ba0 \ - --hash=sha256:ebc15946aa78bd63458992fc81ec3b6f7b1e92d51c35e6de1c3804e73b799147 +zipp==3.17.0 \ + --hash=sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31 \ + --hash=sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0 # via importlib-metadata From 8d4b2612c2e2932eb6459c03e79ecb4f7fc7d37c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 07:05:57 -0400 Subject: [PATCH 0488/1014] Bump zipp from 3.16.2 to 3.17.0 (#9625) Bumps [zipp](https://github.com/jaraco/zipp) from 3.16.2 to 3.17.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.16.2...v3.17.0) --- updated-dependencies: - dependency-name: zipp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e7deda75233a..df2b72fa37af 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -189,7 +189,7 @@ virtualenv==20.24.5 # via nox webencodings==0.5.1 # via bleach -zipp==3.16.2; python_version >= "3.8" +zipp==3.17.0; python_version >= "3.8" # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: From aa0b2c98cc8abeefbb9da3d9bea1c34d374d5e9c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 07:06:30 -0400 Subject: [PATCH 0489/1014] Bump dawidd6/action-download-artifact from 2.27.0 to 2.28.0 (#9624) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 2.27.0 to 2.28.0. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/246dbf436b23d7c49e21a7ab8204ca9ecd1fe615...268677152d06ba59fcec7a7f0b5d961b6ccd7e1e) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cb0270d76362..d32b7328097b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -255,7 +255,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/wycheproof - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 + - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -314,7 +314,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 + - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index af2578af6ce4..b6429014a80b 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -41,7 +41,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 + - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 999da4eb55a8..06541ece8a56 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -219,7 +219,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 + - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0 + - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: repo: pyca/infra workflow: build-windows-openssl.yml From 699449302e4d974aaa53fd89e9a9009bf92306a8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Sep 2023 09:51:40 -0400 Subject: [PATCH 0490/1014] More CF domains making linkcheck not work (#9626) * More CF domains making linkcheck not work * Update conf.py --- docs/conf.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index 6cc82a032997..5d3b59f50473 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -197,10 +197,10 @@ r"https://info.isl.ntt.co.jp/crypt/eng/camellia/", # Inconsistent small DH params they seem incapable of fixing r"https://www.secg.org/sec1-v2.pdf", - # Incomplete cert chain - r"https://www.oscca.gov.cn", # Cloudflare returns 403s for all non-browser requests r"https://speakerdeck.com", + r"https://\w+.stackexchange.com", + r"https://stackoverflow.com", # GitHub changed how they do page renders so anchor detection # no longer works in source view r"https://github.com/.*/blob/.*#L\d+", From 9660c18e63db915f4d7127fee7f00ad1559fe337 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 19 Sep 2023 08:50:26 -0700 Subject: [PATCH 0491/1014] bump openssl versions in CI (#9628) --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d32b7328097b..2e9634d3bd96 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,15 +29,15 @@ jobs: PYTHON: - {VERSION: "3.11", NOXSESSION: "flake"} - {VERSION: "3.11", NOXSESSION: "rust"} - - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2"}} + - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.10"}} - - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.2", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.2"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.11"}} + - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha1"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} From 3a75010ee6734ee414ab4dbb9b973f2f9f025ba5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Sep 2023 12:36:14 -0400 Subject: [PATCH 0492/1014] Verify version in release script (#9631) --- release.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/release.py b/release.py index b4844a12a5e5..9fa5240625ee 100644 --- a/release.py +++ b/release.py @@ -7,6 +7,7 @@ import subprocess import click +import tomllib def run(*args: str) -> None: @@ -25,6 +26,16 @@ def release(version: str) -> None: """ ``version`` should be a string like '0.4' or '1.0'. """ + base_dir = pathlib.Path(__file__).parent + with (base_dir / "pyproject.toml").open("rb") as f: + pyproject = tomllib.load(f) + pyproject_version = pyproject["project"]["version"] + + if version != pyproject_version: + raise RuntimeError( + f"Version mismatch: pyproject.toml has {pyproject_version}" + ) + # Tag and push the tag (this will trigger the wheel builder in Actions) run("git", "tag", "-s", version, "-m", f"{version} release") run("git", "push", "--tags") From 250b943d3732700b2ae2f5a877ddf111099a8caf Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 19 Sep 2023 09:39:17 -0700 Subject: [PATCH 0493/1014] port 41.0.4 changelog to main (#9630) --- CHANGELOG.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 3e85f3bb540d..a77d17198d96 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -23,6 +23,13 @@ Changelog * Added `algorithm` and `mgf` properties to :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`. +.. _v41-0-4: + +41.0.4 - 2023-09-19 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3. + .. _v41-0-3: 41.0.3 - 2023-08-01 From 723ba3ce5d496fac3c63017adc5b82e6398e48e5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 19 Sep 2023 17:19:35 -0700 Subject: [PATCH 0494/1014] Bump BoringSSL and/or OpenSSL in CI (#9632) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2e9634d3bd96..347e5960d869 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 19, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1843d660b47116207877614af53defa767be46a"}} - # Latest commit on the OpenSSL master branch, as of Sep 19, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2743594d73e65c38375c619e89ec62579e2c24a9"}} + # Latest commit on the OpenSSL master branch, as of Sep 20, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e900942587a18cdd6e3b064d6b21c9ce36a7b640"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From ace5ebd712e2d59601e488cfd4486e39689062d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Sep 2023 07:04:13 -0400 Subject: [PATCH 0495/1014] Bump tibdex/github-app-token from 2.0.0 to 2.1.0 (#9635) Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/tibdex/github-app-token/releases) - [Commits](https://github.com/tibdex/github-app-token/compare/0914d50df753bbc42180d982a6550f195390069f...3beb63f4bd073e61482598c45c71c1019b59b73a) --- updated-dependencies: - dependency-name: tibdex/github-app-token dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 0f28798a3e7f..9a6ba2ae81bc 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -51,7 +51,7 @@ jobs: sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}\"/" .github/workflows/ci.yml git status if: steps.check-sha-openssl.outputs.COMMIT_SHA - - uses: tibdex/github-app-token@0914d50df753bbc42180d982a6550f195390069f # v2.0.0 + - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 id: generate-token with: app_id: ${{ secrets.BORINGBOT_APP_ID }} From 65b5a62c979b5ba7978e7612cf86d6af3ecde900 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Sep 2023 07:05:42 -0400 Subject: [PATCH 0496/1014] Bump urllib3 from 2.0.4 to 2.0.5 (#9634) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.4 to 2.0.5. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.4...v2.0.5) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index df2b72fa37af..cfbe6cb2e740 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -181,7 +181,7 @@ twine==4.0.2 # via cryptography (pyproject.toml) typing-extensions==4.8.0; python_version >= "3.8" # via mypy -urllib3==2.0.4 +urllib3==2.0.5 # via # requests # twine From 8c914bf211c30550507f68cfd8fb89536ce55c2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Sep 2023 07:21:04 -0400 Subject: [PATCH 0497/1014] Bump cryptography from 41.0.3 to 41.0.4 in /.github/requirements (#9636) Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.3 to 41.0.4. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/41.0.3...41.0.4) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5e2925ab0932..7bf476a3d9d4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -159,30 +159,30 @@ charset-normalizer==3.2.0 \ --hash=sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac \ --hash=sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa # via requests -cryptography==41.0.3 \ - --hash=sha256:0d09fb5356f975974dbcb595ad2d178305e5050656affb7890a1583f5e02a306 \ - --hash=sha256:23c2d778cf829f7d0ae180600b17e9fceea3c2ef8b31a99e3c694cbbf3a24b84 \ - --hash=sha256:3fb248989b6363906827284cd20cca63bb1a757e0a2864d4c1682a985e3dca47 \ - --hash=sha256:41d7aa7cdfded09b3d73a47f429c298e80796c8e825ddfadc84c8a7f12df212d \ - --hash=sha256:42cb413e01a5d36da9929baa9d70ca90d90b969269e5a12d39c1e0d475010116 \ - --hash=sha256:4c2f0d35703d61002a2bbdcf15548ebb701cfdd83cdc12471d2bae80878a4207 \ - --hash=sha256:4fd871184321100fb400d759ad0cddddf284c4b696568204d281c902fc7b0d81 \ - --hash=sha256:5259cb659aa43005eb55a0e4ff2c825ca111a0da1814202c64d28a985d33b087 \ - --hash=sha256:57a51b89f954f216a81c9d057bf1a24e2f36e764a1ca9a501a6964eb4a6800dd \ - --hash=sha256:652627a055cb52a84f8c448185922241dd5217443ca194d5739b44612c5e6507 \ - --hash=sha256:67e120e9a577c64fe1f611e53b30b3e69744e5910ff3b6e97e935aeb96005858 \ - --hash=sha256:6af1c6387c531cd364b72c28daa29232162010d952ceb7e5ca8e2827526aceae \ - --hash=sha256:6d192741113ef5e30d89dcb5b956ef4e1578f304708701b8b73d38e3e1461f34 \ - --hash=sha256:7efe8041897fe7a50863e51b77789b657a133c75c3b094e51b5e4b5cec7bf906 \ - --hash=sha256:84537453d57f55a50a5b6835622ee405816999a7113267739a1b4581f83535bd \ - --hash=sha256:8f09daa483aedea50d249ef98ed500569841d6498aa9c9f4b0531b9964658922 \ - --hash=sha256:95dd7f261bb76948b52a5330ba5202b91a26fbac13ad0e9fc8a3ac04752058c7 \ - --hash=sha256:a74fbcdb2a0d46fe00504f571a2a540532f4c188e6ccf26f1f178480117b33c4 \ - --hash=sha256:a983e441a00a9d57a4d7c91b3116a37ae602907a7618b882c8013b5762e80574 \ - --hash=sha256:ab8de0d091acbf778f74286f4989cf3d1528336af1b59f3e5d2ebca8b5fe49e1 \ - --hash=sha256:aeb57c421b34af8f9fe830e1955bf493a86a7996cc1338fe41b30047d16e962c \ - --hash=sha256:ce785cf81a7bdade534297ef9e490ddff800d956625020ab2ec2780a556c313e \ - --hash=sha256:d0d651aa754ef58d75cec6edfbd21259d93810b73f6ec246436a21b7841908de +cryptography==41.0.4 \ + --hash=sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67 \ + --hash=sha256:047c4603aeb4bbd8db2756e38f5b8bd7e94318c047cfe4efeb5d715e08b49311 \ + --hash=sha256:0d9409894f495d465fe6fda92cb70e8323e9648af912d5b9141d616df40a87b8 \ + --hash=sha256:23a25c09dfd0d9f28da2352503b23e086f8e78096b9fd585d1d14eca01613e13 \ + --hash=sha256:2ed09183922d66c4ec5fdaa59b4d14e105c084dd0febd27452de8f6f74704143 \ + --hash=sha256:35c00f637cd0b9d5b6c6bd11b6c3359194a8eba9c46d4e875a3660e3b400005f \ + --hash=sha256:37480760ae08065437e6573d14be973112c9e6dcaf5f11d00147ee74f37a3829 \ + --hash=sha256:3b224890962a2d7b57cf5eeb16ccaafba6083f7b811829f00476309bce2fe0fd \ + --hash=sha256:5a0f09cefded00e648a127048119f77bc2b2ec61e736660b5789e638f43cc397 \ + --hash=sha256:5b72205a360f3b6176485a333256b9bcd48700fc755fef51c8e7e67c4b63e3ac \ + --hash=sha256:7e53db173370dea832190870e975a1e09c86a879b613948f09eb49324218c14d \ + --hash=sha256:7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a \ + --hash=sha256:80907d3faa55dc5434a16579952ac6da800935cd98d14dbd62f6f042c7f5e839 \ + --hash=sha256:86defa8d248c3fa029da68ce61fe735432b047e32179883bdb1e79ed9bb8195e \ + --hash=sha256:8ac4f9ead4bbd0bc8ab2d318f97d85147167a488be0e08814a37eb2f439d5cf6 \ + --hash=sha256:93530900d14c37a46ce3d6c9e6fd35dbe5f5601bf6b3a5c325c7bffc030344d9 \ + --hash=sha256:9eeb77214afae972a00dee47382d2591abe77bdae166bda672fb1e24702a3860 \ + --hash=sha256:b5f4dfe950ff0479f1f00eda09c18798d4f49b98f4e2006d644b3301682ebdca \ + --hash=sha256:c3391bd8e6de35f6f1140e50aaeb3e2b3d6a9012536ca23ab0d9c35ec18c8a91 \ + --hash=sha256:c880eba5175f4307129784eca96f4e70b88e57aa3f680aeba3bab0e980b0f37d \ + --hash=sha256:cecfefa17042941f94ab54f769c8ce0fe14beff2694e9ac684176a2535bf9714 \ + --hash=sha256:e40211b4923ba5a6dc9769eab704bdb3fbb58d56c5b336d30996c24fcf12aadb \ + --hash=sha256:efc8ad4e6fc4f1752ebfb58aefece8b4e3c4cae940b0994d43649bdfce8d0d4f # via # pyopenssl # secretstorage From 326565673e433f606e4f32aa1998d742d6f66ffd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Sep 2023 07:27:01 -0400 Subject: [PATCH 0498/1014] Bump urllib3 from 2.0.4 to 2.0.5 in /.github/requirements (#9637) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.4 to 2.0.5. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.4...v2.0.5) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7bf476a3d9d4..34b88b335eef 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -466,9 +466,9 @@ typing-extensions==4.8.0 \ --hash=sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0 \ --hash=sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef # via pydantic -urllib3==2.0.4 \ - --hash=sha256:8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11 \ - --hash=sha256:de7df1803967d2c2a98e4b11bb7d6bd9210474c46e8a0401514e3a42a75ebde4 +urllib3==2.0.5 \ + --hash=sha256:13abf37382ea2ce6fb744d4dad67838eec857c9f4f57009891805e0b5e123594 \ + --hash=sha256:ef16afa8ba34a1f989db38e1dbbe0c302e4289a47856990d0682e374563ce35e # via # requests # twine From 8994305f941e42affcbb1337747c79b1d947f58b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 21 Sep 2023 00:17:36 +0000 Subject: [PATCH 0499/1014] Bump BoringSSL and/or OpenSSL in CI (#9638) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 347e5960d869..10fc168a1f65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 19, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1843d660b47116207877614af53defa767be46a"}} - # Latest commit on the OpenSSL master branch, as of Sep 20, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e900942587a18cdd6e3b064d6b21c9ce36a7b640"}} + # Latest commit on the OpenSSL master branch, as of Sep 21, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0988de278c2f861e47d63cd284992befa686e4a8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From e7482d55a51eb163ce00fa0b3b9d9f189449d186 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Sep 2023 07:13:18 -0400 Subject: [PATCH 0500/1014] Bump smallvec from 1.11.0 to 1.11.1 in /src/rust (#9641) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.11.0 to 1.11.1. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.11.0...v1.11.1) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 74419631a5cf..e30876da8b08 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -345,9 +345,9 @@ checksum = "4c309e515543e67811222dbc9e3dd7e1056279b782e1dacffe4242b718734fb6" [[package]] name = "smallvec" -version = "1.11.0" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9" +checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" [[package]] name = "syn" From cdcdc80bb9da83a9d64a2d82684af2df6da469db Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 22 Sep 2023 00:16:52 +0000 Subject: [PATCH 0501/1014] Bump BoringSSL and/or OpenSSL in CI (#9643) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 10fc168a1f65..92ba980a590c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 19, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1843d660b47116207877614af53defa767be46a"}} - # Latest commit on the OpenSSL master branch, as of Sep 21, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0988de278c2f861e47d63cd284992befa686e4a8"}} + # Latest commit on the OpenSSL master branch, as of Sep 22, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f34878d846de43a6f760e506f440b5fef85afba6"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From d0a78c0e012bc13e92c79828ed7c63fe4376dc49 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 23 Sep 2023 00:17:58 +0000 Subject: [PATCH 0502/1014] Bump BoringSSL and/or OpenSSL in CI (#9645) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 92ba980a590c..acc7162b15f6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 19, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1843d660b47116207877614af53defa767be46a"}} - # Latest commit on the OpenSSL master branch, as of Sep 22, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f34878d846de43a6f760e506f440b5fef85afba6"}} + # Latest commit on the OpenSSL master branch, as of Sep 23, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1acc3e8cc3c69187b55cc557c1bc03278ab38063"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 2ef74d767ecbcf2418a32024a346a76804decf24 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 24 Sep 2023 20:17:28 -0400 Subject: [PATCH 0503/1014] Bump BoringSSL and/or OpenSSL in CI (#9646) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index acc7162b15f6..8ea17f3e5487 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 19, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1843d660b47116207877614af53defa767be46a"}} - # Latest commit on the OpenSSL master branch, as of Sep 23, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1acc3e8cc3c69187b55cc557c1bc03278ab38063"}} + # Latest commit on the OpenSSL master branch, as of Sep 25, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "30224a248495ad604a06b8977fa3aa1cc75b9d0d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From deea9d43b54ec38c01682e73a2f6604aa636da36 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 09:05:51 +0000 Subject: [PATCH 0504/1014] Bump ruff from 0.0.290 to 0.0.291 (#9648) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.290 to 0.0.291. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.290...v0.0.291) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cfbe6cb2e740..4635dd5dc97a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.5.3 # via twine -ruff==0.0.290 +ruff==0.0.291 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From c428721f6b4c26665eefd43a0dfdd9e5fa774484 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 25 Sep 2023 12:05:45 -0400 Subject: [PATCH 0505/1014] extensions: drop unnecessary self lifetime bound (#9650) Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/extensions.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 142d083cdb15..f4deb7c8451f 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -75,7 +75,7 @@ pub struct Extension<'a> { } impl<'a> Extension<'a> { - pub fn value>(&'a self) -> asn1::ParseResult { + pub fn value>(&self) -> asn1::ParseResult { asn1::parse_single(self.extn_value) } } From 5e02bc0472bf28381877615c3ba22bd7470137a6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 25 Sep 2023 13:06:05 -0400 Subject: [PATCH 0506/1014] certificate: increase lifetime precisions (#9651) Similar to #9650: adding explicit lifetimes here prevents Rust from binding `&self` to the placeholder lifetime, which it does by default. The in turn allows the return values here to outlive `&self`. Signed-off-by: William Woodruff --- src/rust/cryptography-x509/src/certificate.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509/src/certificate.rs b/src/rust/cryptography-x509/src/certificate.rs index d5b48a537194..b91f6a1eaf08 100644 --- a/src/rust/cryptography-x509/src/certificate.rs +++ b/src/rust/cryptography-x509/src/certificate.rs @@ -16,7 +16,7 @@ pub struct Certificate<'a> { pub signature: asn1::BitString<'a>, } -impl Certificate<'_> { +impl<'a> Certificate<'a> { /// Returns the certificate's issuer. pub fn issuer(&self) -> &NameReadable<'_> { self.tbs_cert.issuer.unwrap_read() @@ -29,7 +29,7 @@ impl Certificate<'_> { /// Returns an iterable container over the certificate's extension, or /// an error if the extension set contains a duplicate extension. - pub fn extensions(&self) -> Result, DuplicateExtensionsError> { + pub fn extensions(&self) -> Result, DuplicateExtensionsError> { self.tbs_cert.extensions() } } @@ -55,8 +55,8 @@ pub struct TbsCertificate<'a> { pub raw_extensions: Option>, } -impl TbsCertificate<'_> { - pub fn extensions(&self) -> Result, DuplicateExtensionsError> { +impl<'a> TbsCertificate<'a> { + pub fn extensions(&self) -> Result, DuplicateExtensionsError> { Extensions::from_raw_extensions(self.raw_extensions.as_ref()) } } From f157db5766128ba2d57f727b8c3dfa75f4dc1d47 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Sep 2023 00:19:56 +0000 Subject: [PATCH 0507/1014] Bump BoringSSL and/or OpenSSL in CI (#9652) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ea17f3e5487..14ff658a8d8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 19, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1843d660b47116207877614af53defa767be46a"}} - # Latest commit on the OpenSSL master branch, as of Sep 25, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "30224a248495ad604a06b8977fa3aa1cc75b9d0d"}} + # Latest commit on the BoringSSL master branch, as of Sep 26, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cfcb954901e264edb9915e501de64a81732c5edd"}} + # Latest commit on the OpenSSL master branch, as of Sep 26, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "91bc783a93a2a695fe6a2f8da93cf5b5e086ba42"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From c255b00525dbbee3b3cc80fb63ca608e50536513 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 27 Sep 2023 00:23:30 +0000 Subject: [PATCH 0508/1014] Bump BoringSSL and/or OpenSSL in CI (#9656) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 14ff658a8d8e..9f8af80dd608 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 26, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cfcb954901e264edb9915e501de64a81732c5edd"}} + # Latest commit on the BoringSSL master branch, as of Sep 27, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "764e6a319ba97dc36a8523583488c315ff22c4ae"}} # Latest commit on the OpenSSL master branch, as of Sep 26, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "91bc783a93a2a695fe6a2f8da93cf5b5e086ba42"}} # Builds with various Rust versions. Includes MSRV and next From 3a392c0021a532c10219ecd9c726ec87a20509ec Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 27 Sep 2023 18:01:44 -0400 Subject: [PATCH 0509/1014] validation/policy: general name matching (#9659) * validation/policy: general name matching Signed-off-by: William Woodruff * validation/policy: replace conditions with map_or Signed-off-by: William Woodruff * validation/policy: rename `general_name_matches` Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 124 +++++++++++++++++- 1 file changed, 120 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 1ce7193d6b2c..e2fc54b710a7 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -4,6 +4,8 @@ use std::collections::HashSet; +use cryptography_x509::extensions::SubjectAlternativeName; +use cryptography_x509::name::GeneralName; use once_cell::sync::Lazy; use cryptography_x509::common::{ @@ -13,7 +15,7 @@ use cryptography_x509::common::{ }; use crate::ops::CryptoOps; -use crate::types::{DNSName, IPAddress}; +use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; // RSASSA‐PKCS1‐v1_5 with SHA‐256 static RSASSA_PKCS1V15_SHA256: AlgorithmIdentifier<'_> = AlgorithmIdentifier { @@ -107,6 +109,38 @@ pub enum Subject<'a> { IP(IPAddress), } +impl Subject<'_> { + fn subject_alt_name_matches(&self, general_name: &GeneralName<'_>) -> bool { + match (general_name, self) { + (GeneralName::DNSName(pattern), Self::DNS(name)) => { + DNSPattern::new(pattern.0).map_or(false, |p| p.matches(name)) + } + (GeneralName::IPAddress(pattern), Self::IP(name)) => { + IPRange::from_bytes(pattern).map_or(false, |p| p.matches(name)) + } + _ => false, + } + } + + /// Returns true if any of the names in the given `SubjectAlternativeName` + /// match this `Subject`. + pub fn matches(&self, san: &SubjectAlternativeName<'_>) -> bool { + san.clone().any(|gn| self.subject_alt_name_matches(&gn)) + } +} + +impl<'a> From> for Subject<'a> { + fn from(value: DNSName<'a>) -> Self { + Self::DNS(value) + } +} + +impl From for Subject<'_> { + fn from(value: IPAddress) -> Self { + Self::IP(value) + } +} + /// A `Policy` describes user-configurable aspects of X.509 path validation. pub struct Policy<'a, B: CryptoOps> { _ops: B, @@ -137,10 +171,18 @@ impl<'a, B: CryptoOps> Policy<'a, B> { mod tests { use std::ops::Deref; + use asn1::SequenceOfWriter; + use cryptography_x509::{ + extensions::SubjectAlternativeName, + name::{GeneralName, UnvalidatedIA5String}, + }; + + use crate::types::{DNSName, IPAddress}; + use super::{ - ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, - RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, - WEBPKI_PERMITTED_ALGORITHMS, + Subject, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, + RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, WEBPKI_PERMITTED_ALGORITHMS, }; #[test] @@ -217,4 +259,78 @@ mod tests { assert_eq!(asn1::write_single(&ECDSA_SHA512).unwrap(), exp_encoding); } } + + #[test] + fn test_subject_from_impls() { + assert!(matches!( + Subject::from(DNSName::new("cryptography.io").unwrap()), + Subject::DNS(_) + )); + + assert!(matches!( + Subject::from(IPAddress::from_str("1.1.1.1").unwrap()), + Subject::IP(_) + )); + } + + #[test] + fn test_subject_matches() { + let domain_sub = Subject::from(DNSName::new("test.cryptography.io").unwrap()); + let ip_sub = Subject::from(IPAddress::from_str("127.0.0.1").unwrap()); + + // Single SAN, domain wildcard. + { + let domain_gn = GeneralName::DNSName(UnvalidatedIA5String("*.cryptography.io")); + let san_der = asn1::write_single(&SequenceOfWriter::new([domain_gn])).unwrap(); + let any_cryptography_io = + asn1::parse_single::>(&san_der).unwrap(); + + assert!(domain_sub.matches(&any_cryptography_io)); + assert!(!ip_sub.matches(&any_cryptography_io)); + } + + // Single SAN, IP range. + { + // 127.0.0.1/24 + let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]); + let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap(); + let local_24 = asn1::parse_single::>(&san_der).unwrap(); + + assert!(ip_sub.matches(&local_24)); + assert!(!domain_sub.matches(&local_24)); + } + + // Multiple SANs, both domain wildcard and IP range. + { + let domain_gn = GeneralName::DNSName(UnvalidatedIA5String("*.cryptography.io")); + let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]); + let san_der = asn1::write_single(&SequenceOfWriter::new([domain_gn, ip_gn])).unwrap(); + + let any_cryptography_io_or_local_24 = + asn1::parse_single::>(&san_der).unwrap(); + + assert!(domain_sub.matches(&any_cryptography_io_or_local_24)); + assert!(ip_sub.matches(&any_cryptography_io_or_local_24)); + } + + // Single SAN, invalid domain pattern. + { + let domain_gn = GeneralName::DNSName(UnvalidatedIA5String("*es*.cryptography.io")); + let san_der = asn1::write_single(&SequenceOfWriter::new([domain_gn])).unwrap(); + let any_cryptography_io = + asn1::parse_single::>(&san_der).unwrap(); + + assert!(!domain_sub.matches(&any_cryptography_io)); + } + + // Single SAN, invalid IP range. + { + // 127.0.0.1/24 + let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 1, 255, 1, 0]); + let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap(); + let local_24 = asn1::parse_single::>(&san_der).unwrap(); + + assert!(!ip_sub.matches(&local_24)); + } + } } From 241894a4044116d89a4927d1826511652cab721d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 28 Sep 2023 00:24:57 +0000 Subject: [PATCH 0510/1014] Bump BoringSSL and/or OpenSSL in CI (#9660) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9f8af80dd608..f1768ad386ba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 27, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "764e6a319ba97dc36a8523583488c315ff22c4ae"}} - # Latest commit on the OpenSSL master branch, as of Sep 26, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "91bc783a93a2a695fe6a2f8da93cf5b5e086ba42"}} + # Latest commit on the BoringSSL master branch, as of Sep 28, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "d24a38200fef19150eef00cad35b138936c08767"}} + # Latest commit on the OpenSSL master branch, as of Sep 28, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b07107e31149bf870bc1ae17e59444859fe4e23a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 7009bd852756d90813c2d4b22d670178f69ff016 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Sep 2023 07:17:01 -0400 Subject: [PATCH 0511/1014] Bump pydantic from 1.10.12 to 1.10.13 in /.github/requirements (#9662) Bumps [pydantic](https://github.com/pydantic/pydantic) from 1.10.12 to 1.10.13. - [Release notes](https://github.com/pydantic/pydantic/releases) - [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md) - [Commits](https://github.com/pydantic/pydantic/compare/v1.10.12...v1.10.13) --- updated-dependencies: - dependency-name: pydantic dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 34b88b335eef..1c882e254423 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -348,43 +348,43 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic==1.10.12 \ - --hash=sha256:0fe8a415cea8f340e7a9af9c54fc71a649b43e8ca3cc732986116b3cb135d303 \ - --hash=sha256:1289c180abd4bd4555bb927c42ee42abc3aee02b0fb2d1223fb7c6e5bef87dbe \ - --hash=sha256:1eb2085c13bce1612da8537b2d90f549c8cbb05c67e8f22854e201bde5d98a47 \ - --hash=sha256:2031de0967c279df0d8a1c72b4ffc411ecd06bac607a212892757db7462fc494 \ - --hash=sha256:2a7bac939fa326db1ab741c9d7f44c565a1d1e80908b3797f7f81a4f86bc8d33 \ - --hash=sha256:2d5a58feb9a39f481eda4d5ca220aa8b9d4f21a41274760b9bc66bfd72595b86 \ - --hash=sha256:2f9a6fab5f82ada41d56b0602606a5506aab165ca54e52bc4545028382ef1c5d \ - --hash=sha256:2fcfb5296d7877af406ba1547dfde9943b1256d8928732267e2653c26938cd9c \ - --hash=sha256:549a8e3d81df0a85226963611950b12d2d334f214436a19537b2efed61b7639a \ - --hash=sha256:598da88dfa127b666852bef6d0d796573a8cf5009ffd62104094a4fe39599565 \ - --hash=sha256:5d1197e462e0364906cbc19681605cb7c036f2475c899b6f296104ad42b9f5fb \ - --hash=sha256:69328e15cfda2c392da4e713443c7dbffa1505bc9d566e71e55abe14c97ddc62 \ - --hash=sha256:6a9dfa722316f4acf4460afdf5d41d5246a80e249c7ff475c43a3a1e9d75cf62 \ - --hash=sha256:6b30bcb8cbfccfcf02acb8f1a261143fab622831d9c0989707e0e659f77a18e0 \ - --hash=sha256:6c076be61cd0177a8433c0adcb03475baf4ee91edf5a4e550161ad57fc90f523 \ - --hash=sha256:771735dc43cf8383959dc9b90aa281f0b6092321ca98677c5fb6125a6f56d58d \ - --hash=sha256:795e34e6cc065f8f498c89b894a3c6da294a936ee71e644e4bd44de048af1405 \ - --hash=sha256:87afda5539d5140cb8ba9e8b8c8865cb5b1463924d38490d73d3ccfd80896b3f \ - --hash=sha256:8fb2aa3ab3728d950bcc885a2e9eff6c8fc40bc0b7bb434e555c215491bcf48b \ - --hash=sha256:a1fcb59f2f355ec350073af41d927bf83a63b50e640f4dbaa01053a28b7a7718 \ - --hash=sha256:a5e7add47a5b5a40c49b3036d464e3c7802f8ae0d1e66035ea16aa5b7a3923ed \ - --hash=sha256:a73f489aebd0c2121ed974054cb2759af8a9f747de120acd2c3394cf84176ccb \ - --hash=sha256:ab26038b8375581dc832a63c948f261ae0aa21f1d34c1293469f135fa92972a5 \ - --hash=sha256:b0d191db0f92dfcb1dec210ca244fdae5cbe918c6050b342d619c09d31eea0cc \ - --hash=sha256:b749a43aa51e32839c9d71dc67eb1e4221bb04af1033a32e3923d46f9effa942 \ - --hash=sha256:b7ccf02d7eb340b216ec33e53a3a629856afe1c6e0ef91d84a4e6f2fb2ca70fe \ - --hash=sha256:ba5b2e6fe6ca2b7e013398bc7d7b170e21cce322d266ffcd57cca313e54fb246 \ - --hash=sha256:ba5c4a8552bff16c61882db58544116d021d0b31ee7c66958d14cf386a5b5350 \ - --hash=sha256:c79e6a11a07da7374f46970410b41d5e266f7f38f6a17a9c4823db80dadf4303 \ - --hash=sha256:ca48477862372ac3770969b9d75f1bf66131d386dba79506c46d75e6b48c1e09 \ - --hash=sha256:dea7adcc33d5d105896401a1f37d56b47d443a2b2605ff8a969a0ed5543f7e33 \ - --hash=sha256:e0a16d274b588767602b7646fa05af2782576a6cf1022f4ba74cbb4db66f6ca8 \ - --hash=sha256:e4129b528c6baa99a429f97ce733fff478ec955513630e61b49804b6cf9b224a \ - --hash=sha256:e5f805d2d5d0a41633651a73fa4ecdd0b3d7a49de4ec3fadf062fe16501ddbf1 \ - --hash=sha256:ef6c96b2baa2100ec91a4b428f80d8f28a3c9e53568219b6c298c1125572ebc6 \ - --hash=sha256:fdbdd1d630195689f325c9ef1a12900524dceb503b00a987663ff4f58669b93d +pydantic==1.10.13 \ + --hash=sha256:1740068fd8e2ef6eb27a20e5651df000978edce6da6803c2bef0bc74540f9548 \ + --hash=sha256:210ce042e8f6f7c01168b2d84d4c9eb2b009fe7bf572c2266e235edf14bacd80 \ + --hash=sha256:32c8b48dcd3b2ac4e78b0ba4af3a2c2eb6048cb75202f0ea7b34feb740efc340 \ + --hash=sha256:3ecea2b9d80e5333303eeb77e180b90e95eea8f765d08c3d278cd56b00345d01 \ + --hash=sha256:4b03e42ec20286f052490423682016fd80fda830d8e4119f8ab13ec7464c0132 \ + --hash=sha256:4c5370a7edaac06daee3af1c8b1192e305bc102abcbf2a92374b5bc793818599 \ + --hash=sha256:56e3ff861c3b9c6857579de282ce8baabf443f42ffba355bf070770ed63e11e1 \ + --hash=sha256:5a1f9f747851338933942db7af7b6ee8268568ef2ed86c4185c6ef4402e80ba8 \ + --hash=sha256:5e08865bc6464df8c7d61439ef4439829e3ab62ab1669cddea8dd00cd74b9ffe \ + --hash=sha256:61d9dce220447fb74f45e73d7ff3b530e25db30192ad8d425166d43c5deb6df0 \ + --hash=sha256:654db58ae399fe6434e55325a2c3e959836bd17a6f6a0b6ca8107ea0571d2e17 \ + --hash=sha256:678bcf5591b63cc917100dc50ab6caebe597ac67e8c9ccb75e698f66038ea953 \ + --hash=sha256:6cf25c1a65c27923a17b3da28a0bdb99f62ee04230c931d83e888012851f4e7f \ + --hash=sha256:75ac15385a3534d887a99c713aa3da88a30fbd6204a5cd0dc4dab3d770b9bd2f \ + --hash=sha256:75b297827b59bc229cac1a23a2f7a4ac0031068e5be0ce385be1462e7e17a35d \ + --hash=sha256:7d6f6e7305244bddb4414ba7094ce910560c907bdfa3501e9db1a7fd7eaea127 \ + --hash=sha256:84bafe2e60b5e78bc64a2941b4c071a4b7404c5c907f5f5a99b0139781e69ed8 \ + --hash=sha256:854223752ba81e3abf663d685f105c64150873cc6f5d0c01d3e3220bcff7d36f \ + --hash=sha256:8ae5dd6b721459bfa30805f4c25880e0dd78fc5b5879f9f7a692196ddcb5a580 \ + --hash=sha256:8ef467901d7a41fa0ca6db9ae3ec0021e3f657ce2c208e98cd511f3161c762c6 \ + --hash=sha256:968ac42970f57b8344ee08837b62f6ee6f53c33f603547a55571c954a4225691 \ + --hash=sha256:97cce3ae7341f7620a0ba5ef6cf043975cd9d2b81f3aa5f4ea37928269bc1b87 \ + --hash=sha256:9849f031cf8a2f0a928fe885e5a04b08006d6d41876b8bbd2fc68a18f9f2e3fd \ + --hash=sha256:9f00790179497767aae6bcdc36355792c79e7bbb20b145ff449700eb076c5f96 \ + --hash=sha256:b87326822e71bd5f313e7d3bfdc77ac3247035ac10b0c0618bd99dcf95b1e687 \ + --hash=sha256:b97c1fac8c49be29486df85968682b0afa77e1b809aff74b83081cc115e52f33 \ + --hash=sha256:bc0898c12f8e9c97f6cd44c0ed70d55749eaf783716896960b4ecce2edfd2d69 \ + --hash=sha256:c553f6a156deb868ba38a23cf0df886c63492e9257f60a79c0fd8e7173537653 \ + --hash=sha256:c636925f38b8db208e09d344c7aa4f29a86bb9947495dd6b6d376ad10334fb78 \ + --hash=sha256:c958d053453a1c4b1c2062b05cd42d9d5c8eb67537b8d5a7e3c3032943ecd261 \ + --hash=sha256:d3a3c792a58e1622667a2837512099eac62490cdfd63bd407993aaf200a4cf1f \ + --hash=sha256:e31647d85a2013d926ce60b84f9dd5300d44535a9941fe825dc349ae1f760df9 \ + --hash=sha256:e70ca129d2053fb8b728ee7d1af8e553a928d7e301a311094b8a0501adc8763d \ + --hash=sha256:efff03cc7a4f29d9009d1c96ceb1e7a70a65cfe86e89d34e4a5f2ab1e5693737 \ + --hash=sha256:f59ef915cac80275245824e9d771ee939133be38215555e9dc90c6cb148aaeb5 \ + --hash=sha256:f8e81fc5fb17dae698f52bdd1c4f18b6ca674d7068242b2aff075f588301bbb0 # via # id # sigstore From ce94de03e8feca67388529671cd366d23c966f58 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 28 Sep 2023 17:45:30 +0200 Subject: [PATCH 0512/1014] Add timezone-aware API variants for x509 (#9661) * Add timezone-aware API variants for x509 * Add documentation for timezone-aware APIs --- CHANGELOG.rst | 8 + docs/x509/reference.rst | 69 +++++++++ src/cryptography/x509/base.py | 42 ++++++ src/rust/src/x509/certificate.rs | 24 +++ src/rust/src/x509/common.rs | 17 +++ src/rust/src/x509/crl.rs | 28 ++++ src/rust/src/x509/mod.rs | 4 +- tests/x509/test_x509.py | 168 ++++++++++++++++----- tests/x509/test_x509_revokedcertbuilder.py | 3 + 9 files changed, 324 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a77d17198d96..78c24fed4702 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -22,6 +22,14 @@ Changelog :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. * Added `algorithm` and `mgf` properties to :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`. +* Added the following properties that return timezone-aware ``datetime`` objects: + :meth:`~cryptography.x509.Certificate.not_valid_before_utc`, + :meth:`~cryptography.x509.Certificate.not_valid_after_utc`, + :meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`, + :meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`, + :meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`. + These are timezone-aware variants of existing properties that return naïve + ``datetime`` objects. .. _v41-0-4: diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 3b014def579a..a7aaac5e10b3 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -376,6 +376,20 @@ X.509 Certificate Object >>> cert.not_valid_before datetime.datetime(2010, 1, 1, 8, 30) + .. attribute:: not_valid_before_utc + + .. versionadded:: 42.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the beginning of the validity + period for the certificate in UTC. This value is inclusive. + + .. doctest:: + + >>> cert.not_valid_before_utc + datetime.datetime(2010, 1, 1, 8, 30, tzinfo=datetime.timezone.utc) + .. attribute:: not_valid_after :type: :class:`datetime.datetime` @@ -388,6 +402,20 @@ X.509 Certificate Object >>> cert.not_valid_after datetime.datetime(2030, 12, 31, 8, 30) + .. attribute:: not_valid_after_utc + + .. versionadded:: 42.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the end of the validity period + for the certificate in UTC. This value is inclusive. + + .. doctest:: + + >>> cert.not_valid_after_utc + datetime.datetime(2030, 12, 31, 8, 30, tzinfo=datetime.timezone.utc) + .. attribute:: issuer .. versionadded:: 0.8 @@ -698,6 +726,20 @@ X.509 CRL (Certificate Revocation List) Object >>> crl.next_update datetime.datetime(2016, 1, 1, 0, 0) + .. attribute:: next_update_utc + + .. versionadded:: 42.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing when the next update to this + CRL is expected. + + .. doctest:: + + >>> crl.next_update_utc + datetime.datetime(2016, 1, 1, 0, 0, tzinfo=datetime.timezone.utc) + .. attribute:: last_update :type: :class:`datetime.datetime` @@ -709,6 +751,19 @@ X.509 CRL (Certificate Revocation List) Object >>> crl.last_update datetime.datetime(2015, 1, 1, 0, 0) + .. attribute:: last_update_utc + + .. versionadded:: 42.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing when this CRL was last updated. + + .. doctest:: + + >>> crl.last_update_utc + datetime.datetime(2015, 1, 1, 0, 0, tzinfo=datetime.timezone.utc) + .. attribute:: extensions :type: :class:`Extensions` @@ -1183,6 +1238,20 @@ X.509 Revoked Certificate Object >>> revoked_certificate.revocation_date datetime.datetime(2015, 1, 1, 0, 0) + .. attribute:: revocation_date_utc + + .. versionadded:: 42.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the date this certificates was + revoked. + + .. doctest:: + + >>> revoked_certificate.revocation_date_utc + datetime.datetime(2015, 1, 1, 0, 0, tzinfo=datetime.timezone.utc) + .. attribute:: extensions :type: :class:`Extensions` diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 9288ddc031f8..9195efbc6e12 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -193,6 +193,13 @@ def not_valid_before(self) -> datetime.datetime: Not before time (represented as UTC datetime) """ + @property + @abc.abstractmethod + def not_valid_before_utc(self) -> datetime.datetime: + """ + Not before time (represented as a non-naive UTC datetime) + """ + @property @abc.abstractmethod def not_valid_after(self) -> datetime.datetime: @@ -200,6 +207,13 @@ def not_valid_after(self) -> datetime.datetime: Not after time (represented as UTC datetime) """ + @property + @abc.abstractmethod + def not_valid_after_utc(self) -> datetime.datetime: + """ + Not after time (represented as a non-naive UTC datetime) + """ + @property @abc.abstractmethod def issuer(self) -> Name: @@ -315,6 +329,14 @@ def revocation_date(self) -> datetime.datetime: Returns the date of when this certificate was revoked. """ + @property + @abc.abstractmethod + def revocation_date_utc(self) -> datetime.datetime: + """ + Returns the date of when this certificate was revoked as a non-naive + UTC datetime. + """ + @property @abc.abstractmethod def extensions(self) -> Extensions: @@ -346,6 +368,10 @@ def serial_number(self) -> int: def revocation_date(self) -> datetime.datetime: return self._revocation_date + @property + def revocation_date_utc(self) -> datetime.datetime: + return self._revocation_date.replace(tzinfo=datetime.timezone.utc) + @property def extensions(self) -> Extensions: return self._extensions @@ -404,6 +430,14 @@ def next_update(self) -> datetime.datetime | None: Returns the date of next update for this CRL. """ + @property + @abc.abstractmethod + def next_update_utc(self) -> datetime.datetime | None: + """ + Returns the date of next update for this CRL as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def last_update(self) -> datetime.datetime: @@ -411,6 +445,14 @@ def last_update(self) -> datetime.datetime: Returns the date of last update for this CRL. """ + @property + @abc.abstractmethod + def last_update_utc(self) -> datetime.datetime: + """ + Returns the date of last update for this CRL as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def extensions(self) -> Extensions: diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 3ed8f55cf848..9c29416833d0 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -206,6 +206,18 @@ impl Certificate { x509::datetime_to_py(py, dt) } + #[getter] + fn not_valid_before_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let dt = &self + .raw + .borrow_dependent() + .tbs_cert + .validity + .not_before + .as_datetime(); + x509::datetime_to_py_utc(py, dt) + } + #[getter] fn not_valid_after<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { let dt = &self @@ -218,6 +230,18 @@ impl Certificate { x509::datetime_to_py(py, dt) } + #[getter] + fn not_valid_after_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let dt = &self + .raw + .borrow_dependent() + .tbs_cert + .validity + .not_after + .as_datetime(); + x509::datetime_to_py_utc(py, dt) + } + #[getter] fn signature_hash_algorithm<'p>( &self, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 1e9a228edb0d..d541a27b8fc9 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -484,6 +484,23 @@ pub(crate) fn datetime_to_py<'p>( )) } +pub(crate) fn datetime_to_py_utc<'p>( + py: pyo3::Python<'p>, + dt: &asn1::DateTime, +) -> pyo3::PyResult<&'p pyo3::PyAny> { + let timezone = types::DATETIME_TIMEZONE_UTC.get(py)?; + types::DATETIME_DATETIME.get(py)?.call1(( + dt.year(), + dt.month(), + dt.day(), + dt.hour(), + dt.minute(), + dt.second(), + 0, + timezone, + )) +} + pub(crate) fn py_to_datetime( py: pyo3::Python<'_>, val: &pyo3::PyAny, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index fddc4b286617..58d3a3e711ab 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -252,6 +252,14 @@ impl CertificateRevocationList { } } + #[getter] + fn next_update_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + match &self.owned.borrow_dependent().tbs_cert_list.next_update { + Some(t) => x509::datetime_to_py_utc(py, t.as_datetime()), + None => Ok(py.None().into_ref(py)), + } + } + #[getter] fn last_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { x509::datetime_to_py( @@ -264,6 +272,18 @@ impl CertificateRevocationList { ) } + #[getter] + fn last_update_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + x509::datetime_to_py_utc( + py, + self.owned + .borrow_dependent() + .tbs_cert_list + .this_update + .as_datetime(), + ) + } + #[getter] fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let tbs_cert_list = &self.owned.borrow_dependent().tbs_cert_list; @@ -493,6 +513,14 @@ impl RevokedCertificate { ) } + #[getter] + fn revocation_date_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + x509::datetime_to_py_utc( + py, + self.owned.borrow_dependent().revocation_date.as_datetime(), + ) + } + #[getter] fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { x509::parse_and_cache_extensions( diff --git a/src/rust/src/x509/mod.rs b/src/rust/src/x509/mod.rs index c1ce452567ca..a1503ea98592 100644 --- a/src/rust/src/x509/mod.rs +++ b/src/rust/src/x509/mod.rs @@ -15,6 +15,6 @@ pub(crate) mod sign; pub(crate) mod verify; pub(crate) use common::{ - datetime_to_py, find_in_pem, parse_and_cache_extensions, parse_general_name, - parse_general_names, parse_name, parse_rdn, py_to_datetime, + datetime_to_py, datetime_to_py_utc, find_in_pem, parse_and_cache_extensions, + parse_general_name, parse_general_names, parse_name, parse_rdn, py_to_datetime, }; diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index a70240a92a2d..5519d36c3f27 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -135,6 +135,38 @@ def _break_cert_sig(cert: x509.Certificate) -> x509.Certificate: return x509.load_pem_x509_certificate(bytes(cert_bad_sig)) +def _check_cert_times( + cert: x509.Certificate, + not_valid_before: typing.Optional[datetime.datetime], + not_valid_after: typing.Optional[datetime.datetime], +) -> None: + if not_valid_before: + assert cert.not_valid_before == not_valid_before + assert cert.not_valid_before_utc == not_valid_before.replace( + tzinfo=datetime.timezone.utc + ) + if not_valid_after: + assert cert.not_valid_after == not_valid_after + assert cert.not_valid_after_utc == not_valid_after.replace( + tzinfo=datetime.timezone.utc + ) + + +def _check_crl_times( + crl: x509.CertificateRevocationList, + last_update: datetime.datetime, + next_update: datetime.datetime, +) -> None: + assert crl.last_update == last_update + assert crl.last_update_utc == last_update.replace( + tzinfo=datetime.timezone.utc + ) + assert crl.next_update == next_update + assert crl.next_update_utc == next_update.replace( + tzinfo=datetime.timezone.utc + ) + + class TestCertificateRevocationList: def test_load_pem_crl(self, backend): crl = _load_cert( @@ -276,10 +308,14 @@ def test_update_dates(self, backend): ) assert isinstance(crl.next_update, datetime.datetime) + assert isinstance(crl.next_update_utc, datetime.datetime) assert isinstance(crl.last_update, datetime.datetime) + assert isinstance(crl.last_update_utc, datetime.datetime) assert crl.next_update.isoformat() == "2016-01-01T00:00:00" + assert crl.next_update_utc.isoformat() == "2016-01-01T00:00:00+00:00" assert crl.last_update.isoformat() == "2015-01-01T00:00:00" + assert crl.last_update_utc.isoformat() == "2015-01-01T00:00:00+00:00" def test_no_next_update(self, backend): crl = _load_cert( @@ -287,6 +323,7 @@ def test_no_next_update(self, backend): x509.load_pem_x509_crl, ) assert crl.next_update is None + assert crl.next_update_utc is None def test_unrecognized_extension(self, backend): crl = _load_cert( @@ -340,6 +377,9 @@ def test_revoked_cert_retrieval_retain_only_revoked(self, backend): x509.load_pem_x509_crl, )[11] assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0) + assert revoked.revocation_date_utc == datetime.datetime( + 2015, 1, 1, 0, 0, tzinfo=datetime.timezone.utc + ) assert revoked.serial_number == 11 def test_extensions(self, backend): @@ -444,8 +484,11 @@ def test_public_bytes_pem(self, backend): ) assert len(crl) == 0 - assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47) - assert crl.next_update == datetime.datetime(2015, 12, 28, 0, 44, 47) + _check_crl_times( + crl, + last_update=datetime.datetime(2015, 12, 20, 23, 44, 47), + next_update=datetime.datetime(2015, 12, 28, 0, 44, 47), + ) def test_public_bytes_der(self, backend): crl = _load_cert( @@ -461,8 +504,11 @@ def test_public_bytes_der(self, backend): ) assert len(crl) == 12 - assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0) - assert crl.next_update == datetime.datetime(2016, 1, 1, 0, 0, 0) + _check_crl_times( + crl, + last_update=datetime.datetime(2015, 1, 1, 0, 0, 0), + next_update=datetime.datetime(2016, 1, 1, 0, 0, 0), + ) @pytest.mark.parametrize( ("cert_path", "loader_func", "encoding"), @@ -558,10 +604,15 @@ def test_revoked_basics(self, backend): assert isinstance(rev, x509.RevokedCertificate) assert isinstance(rev.serial_number, int) assert isinstance(rev.revocation_date, datetime.datetime) + assert isinstance(rev.revocation_date_utc, datetime.datetime) assert isinstance(rev.extensions, x509.Extensions) assert rev.serial_number == i assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00" + assert ( + rev.revocation_date_utc.isoformat() + == "2015-01-01T00:00:00+00:00" + ) def test_revoked_extensions(self, backend): crl = _load_cert( @@ -1274,8 +1325,11 @@ def test_load_good_ca_cert(self, backend): x509.load_der_x509_certificate, ) - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + _check_cert_times( + cert, + not_valid_before=datetime.datetime(2010, 1, 1, 8, 30), + not_valid_after=datetime.datetime(2030, 12, 31, 8, 30), + ) assert cert.serial_number == 2 public_key = cert.public_key() assert isinstance(public_key, rsa.RSAPublicKey) @@ -1294,7 +1348,11 @@ def test_utc_pre_2000_not_before_cert(self, backend): x509.load_der_x509_certificate, ) - assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1) + _check_cert_times( + cert, + not_valid_before=datetime.datetime(1950, 1, 1, 12, 1), + not_valid_after=None, + ) def test_pre_2000_utc_not_after_cert(self, backend): cert = _load_cert( @@ -1307,18 +1365,21 @@ def test_pre_2000_utc_not_after_cert(self, backend): x509.load_der_x509_certificate, ) - assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1) + _check_cert_times( + cert, + not_valid_before=None, + not_valid_after=datetime.datetime(1999, 1, 1, 12, 1), + ) def test_post_2000_utc_cert(self, backend): cert = _load_cert( os.path.join("x509", "custom", "post2000utctime.pem"), x509.load_pem_x509_certificate, ) - assert cert.not_valid_before == datetime.datetime( - 2014, 11, 26, 21, 41, 20 - ) - assert cert.not_valid_after == datetime.datetime( - 2014, 12, 26, 21, 41, 20 + _check_cert_times( + cert, + not_valid_before=datetime.datetime(2014, 11, 26, 21, 41, 20), + not_valid_after=datetime.datetime(2014, 12, 26, 21, 41, 20), ) def test_generalized_time_not_before_cert(self, backend): @@ -1331,8 +1392,11 @@ def test_generalized_time_not_before_cert(self, backend): ), x509.load_der_x509_certificate, ) - assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + _check_cert_times( + cert, + not_valid_before=datetime.datetime(2002, 1, 1, 12, 1), + not_valid_after=datetime.datetime(2030, 12, 31, 8, 30), + ) assert cert.version is x509.Version.v3 def test_generalized_time_not_after_cert(self, backend): @@ -1345,8 +1409,11 @@ def test_generalized_time_not_after_cert(self, backend): ), x509.load_der_x509_certificate, ) - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1) + _check_cert_times( + cert, + not_valid_before=datetime.datetime(2010, 1, 1, 8, 30), + not_valid_after=datetime.datetime(2050, 1, 1, 12, 1), + ) assert cert.version is x509.Version.v3 def test_invalid_version_cert(self, backend): @@ -1486,8 +1553,11 @@ def test_public_bytes_pem(self, backend): ) # We should recover what we had to start with. - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + _check_cert_times( + cert, + not_valid_before=datetime.datetime(2010, 1, 1, 8, 30), + not_valid_after=datetime.datetime(2030, 12, 31, 8, 30), + ) assert cert.serial_number == 2 public_key = cert.public_key() assert isinstance(public_key, rsa.RSAPublicKey) @@ -1510,8 +1580,11 @@ def test_public_bytes_der(self, backend): ) # We should recover what we had to start with. - assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30) - assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30) + _check_cert_times( + cert, + not_valid_before=datetime.datetime(2010, 1, 1, 8, 30), + not_valid_after=datetime.datetime(2030, 12, 31, 8, 30), + ) assert cert.serial_number == 2 public_key = cert.public_key() assert isinstance(public_key, rsa.RSAPublicKey) @@ -2175,8 +2248,11 @@ def test_build_cert( assert cert.version is x509.Version.v3 assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after + _check_cert_times( + cert, + not_valid_before=not_valid_before, + not_valid_after=not_valid_after, + ) basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) @@ -2470,8 +2546,11 @@ def test_extreme_times( .not_valid_after(not_valid_after) ) cert = builder.sign(private_key, hashes.SHA256(), backend) - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after + _check_cert_times( + cert, + not_valid_before=not_valid_before, + not_valid_after=not_valid_after, + ) parsed = asn1.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) @@ -2923,7 +3002,9 @@ def test_aware_not_valid_after( ) cert = cert_builder.sign(private_key, hashes.SHA256(), backend) - assert cert.not_valid_after == utc_time + _check_cert_times( + cert, not_valid_before=None, not_valid_after=utc_time + ) def test_earliest_time(self, rsa_key_2048: rsa.RSAPrivateKey, backend): time = datetime.datetime(1950, 1, 1) @@ -2942,8 +3023,7 @@ def test_earliest_time(self, rsa_key_2048: rsa.RSAPrivateKey, backend): .not_valid_after(time) ) cert = cert_builder.sign(private_key, hashes.SHA256(), backend) - assert cert.not_valid_before == time - assert cert.not_valid_after == time + _check_cert_times(cert, not_valid_before=time, not_valid_after=time) parsed = asn1.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) @@ -2996,7 +3076,9 @@ def test_aware_not_valid_before( ) cert = cert_builder.sign(private_key, hashes.SHA256(), backend) - assert cert.not_valid_before == utc_time + _check_cert_times( + cert, not_valid_before=utc_time, not_valid_after=None + ) def test_invalid_not_valid_before(self): with pytest.raises(TypeError): @@ -3220,8 +3302,11 @@ def test_build_cert_with_dsa_private_key( assert cert.version is x509.Version.v3 assert cert.signature_algorithm_oid == hashalg_oid - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after + _check_cert_times( + cert, + not_valid_before=not_valid_before, + not_valid_after=not_valid_after, + ) basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) @@ -3291,8 +3376,11 @@ def test_build_cert_with_ec_private_key( assert cert.version is x509.Version.v3 assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after + _check_cert_times( + cert, + not_valid_before=not_valid_before, + not_valid_after=not_valid_after, + ) basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) @@ -3387,8 +3475,11 @@ def test_build_cert_with_ed25519(self, backend): assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey) assert cert.version is x509.Version.v3 - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after + _check_cert_times( + cert, + not_valid_before=not_valid_before, + not_valid_after=not_valid_after, + ) basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) @@ -3487,8 +3578,11 @@ def test_build_cert_with_ed448(self, backend): assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed448.Ed448PublicKey) assert cert.version is x509.Version.v3 - assert cert.not_valid_before == not_valid_before - assert cert.not_valid_after == not_valid_after + _check_cert_times( + cert, + not_valid_before=not_valid_before, + not_valid_after=not_valid_after, + ) basic_constraints = cert.extensions.get_extension_for_oid( ExtensionOID.BASIC_CONSTRAINTS ) diff --git a/tests/x509/test_x509_revokedcertbuilder.py b/tests/x509/test_x509_revokedcertbuilder.py index e0f53f856f02..230b11b7a6b2 100644 --- a/tests/x509/test_x509_revokedcertbuilder.py +++ b/tests/x509/test_x509_revokedcertbuilder.py @@ -69,6 +69,9 @@ def test_aware_revocation_date(self, backend): revoked_certificate = builder.build(backend) assert revoked_certificate.revocation_date == utc_time + assert revoked_certificate.revocation_date_utc == utc_time.replace( + tzinfo=datetime.timezone.utc + ) def test_revocation_date_invalid(self): with pytest.raises(TypeError): From c6d8bd6ab939038afdff058c3a04dea9c7475c02 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 28 Sep 2023 10:48:21 -0500 Subject: [PATCH 0513/1014] 3.2.0-alpha2 testing (#9663) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f1768ad386ba..72cf05b00e84 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha1"}} + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} From 77bcdec16e282e51cb958315cebc248d2b0ad4ee Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 28 Sep 2023 14:58:58 -0500 Subject: [PATCH 0514/1014] cffi 1.16.0 (#9665) --- .github/requirements/build-requirements.txt | 120 ++++++++---------- .github/requirements/publish-requirements.txt | 118 ++++++++--------- 2 files changed, 107 insertions(+), 131 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index b646edb21b79..beec7a1754eb 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -4,71 +4,59 @@ # # pip-compile --allow-unsafe --generate-hashes build-requirements.in # -cffi==1.15.1 ; platform_python_implementation != "PyPy" \ - --hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \ - --hash=sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef \ - --hash=sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104 \ - --hash=sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426 \ - --hash=sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405 \ - --hash=sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375 \ - --hash=sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a \ - --hash=sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e \ - --hash=sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc \ - --hash=sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf \ - --hash=sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185 \ - --hash=sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497 \ - --hash=sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3 \ - --hash=sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35 \ - --hash=sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c \ - --hash=sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83 \ - --hash=sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21 \ - --hash=sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca \ - --hash=sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984 \ - --hash=sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac \ - --hash=sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd \ - --hash=sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee \ - --hash=sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a \ - --hash=sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2 \ - --hash=sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192 \ - --hash=sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7 \ - --hash=sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585 \ - --hash=sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f \ - --hash=sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e \ - --hash=sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27 \ - --hash=sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b \ - --hash=sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e \ - --hash=sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e \ - --hash=sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d \ - --hash=sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c \ - --hash=sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415 \ - --hash=sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82 \ - --hash=sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02 \ - --hash=sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314 \ - --hash=sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325 \ - --hash=sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c \ - --hash=sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3 \ - --hash=sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914 \ - --hash=sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045 \ - --hash=sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d \ - --hash=sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9 \ - --hash=sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5 \ - --hash=sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2 \ - --hash=sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c \ - --hash=sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3 \ - --hash=sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2 \ - --hash=sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8 \ - --hash=sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d \ - --hash=sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d \ - --hash=sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9 \ - --hash=sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162 \ - --hash=sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76 \ - --hash=sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4 \ - --hash=sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e \ - --hash=sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9 \ - --hash=sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6 \ - --hash=sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b \ - --hash=sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01 \ - --hash=sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0 +cffi==1.16.0 ; platform_python_implementation != "PyPy" \ + --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ + --hash=sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a \ + --hash=sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417 \ + --hash=sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab \ + --hash=sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520 \ + --hash=sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36 \ + --hash=sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743 \ + --hash=sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8 \ + --hash=sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed \ + --hash=sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684 \ + --hash=sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56 \ + --hash=sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324 \ + --hash=sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d \ + --hash=sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235 \ + --hash=sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e \ + --hash=sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088 \ + --hash=sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000 \ + --hash=sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7 \ + --hash=sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e \ + --hash=sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673 \ + --hash=sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c \ + --hash=sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe \ + --hash=sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2 \ + --hash=sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098 \ + --hash=sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8 \ + --hash=sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a \ + --hash=sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0 \ + --hash=sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b \ + --hash=sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896 \ + --hash=sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e \ + --hash=sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9 \ + --hash=sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2 \ + --hash=sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b \ + --hash=sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6 \ + --hash=sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404 \ + --hash=sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f \ + --hash=sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0 \ + --hash=sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4 \ + --hash=sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc \ + --hash=sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936 \ + --hash=sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba \ + --hash=sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872 \ + --hash=sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb \ + --hash=sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614 \ + --hash=sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1 \ + --hash=sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d \ + --hash=sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969 \ + --hash=sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b \ + --hash=sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4 \ + --hash=sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627 \ + --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ + --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via -r build-requirements.in pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ @@ -81,7 +69,7 @@ semantic-version==2.10.0 \ setuptools-rust==1.7.0 \ --hash=sha256:071099885949132a2180d16abf907b60837e74b4085047ba7e9c0f5b365310c1 \ --hash=sha256:c7100999948235a38ae7e555fe199aa66c253dc384b125f5d85473bf81eae3a3 - # via -r build-requirements.in + # via -r build-requirements.in tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1c882e254423..5ce28eca8bd8 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -16,71 +16,59 @@ certifi==2023.7.22 \ --hash=sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082 \ --hash=sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9 # via requests -cffi==1.15.1 \ - --hash=sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5 \ - --hash=sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef \ - --hash=sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104 \ - --hash=sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426 \ - --hash=sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405 \ - --hash=sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375 \ - --hash=sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a \ - --hash=sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e \ - --hash=sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc \ - --hash=sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf \ - --hash=sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185 \ - --hash=sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497 \ - --hash=sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3 \ - --hash=sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35 \ - --hash=sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c \ - --hash=sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83 \ - --hash=sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21 \ - --hash=sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca \ - --hash=sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984 \ - --hash=sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac \ - --hash=sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd \ - --hash=sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee \ - --hash=sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a \ - --hash=sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2 \ - --hash=sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192 \ - --hash=sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7 \ - --hash=sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585 \ - --hash=sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f \ - --hash=sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e \ - --hash=sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27 \ - --hash=sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b \ - --hash=sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e \ - --hash=sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e \ - --hash=sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d \ - --hash=sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c \ - --hash=sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415 \ - --hash=sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82 \ - --hash=sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02 \ - --hash=sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314 \ - --hash=sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325 \ - --hash=sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c \ - --hash=sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3 \ - --hash=sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914 \ - --hash=sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045 \ - --hash=sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d \ - --hash=sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9 \ - --hash=sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5 \ - --hash=sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2 \ - --hash=sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c \ - --hash=sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3 \ - --hash=sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2 \ - --hash=sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8 \ - --hash=sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d \ - --hash=sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d \ - --hash=sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9 \ - --hash=sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162 \ - --hash=sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76 \ - --hash=sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4 \ - --hash=sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e \ - --hash=sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9 \ - --hash=sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6 \ - --hash=sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b \ - --hash=sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01 \ - --hash=sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0 +cffi==1.16.0 \ + --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ + --hash=sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a \ + --hash=sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417 \ + --hash=sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab \ + --hash=sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520 \ + --hash=sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36 \ + --hash=sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743 \ + --hash=sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8 \ + --hash=sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed \ + --hash=sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684 \ + --hash=sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56 \ + --hash=sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324 \ + --hash=sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d \ + --hash=sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235 \ + --hash=sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e \ + --hash=sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088 \ + --hash=sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000 \ + --hash=sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7 \ + --hash=sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e \ + --hash=sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673 \ + --hash=sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c \ + --hash=sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe \ + --hash=sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2 \ + --hash=sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098 \ + --hash=sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8 \ + --hash=sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a \ + --hash=sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0 \ + --hash=sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b \ + --hash=sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896 \ + --hash=sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e \ + --hash=sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9 \ + --hash=sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2 \ + --hash=sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b \ + --hash=sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6 \ + --hash=sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404 \ + --hash=sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f \ + --hash=sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0 \ + --hash=sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4 \ + --hash=sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc \ + --hash=sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936 \ + --hash=sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba \ + --hash=sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872 \ + --hash=sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb \ + --hash=sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614 \ + --hash=sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1 \ + --hash=sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d \ + --hash=sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969 \ + --hash=sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b \ + --hash=sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4 \ + --hash=sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627 \ + --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ + --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via cryptography charset-normalizer==3.2.0 \ --hash=sha256:04e57ab9fbf9607b77f7d057974694b4f6b142da9ed4a199859d9d4d5c63fe96 \ From 77798ec4ae1237253f2300ed61ba26b2eeecc4b4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 29 Sep 2023 00:18:09 +0000 Subject: [PATCH 0515/1014] Bump BoringSSL and/or OpenSSL in CI (#9666) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72cf05b00e84..98888a60f4b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 28, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "d24a38200fef19150eef00cad35b138936c08767"}} - # Latest commit on the OpenSSL master branch, as of Sep 28, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b07107e31149bf870bc1ae17e59444859fe4e23a"}} + # Latest commit on the OpenSSL master branch, as of Sep 29, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "219bd6ac7061c40bd24f896f8652994d62d109de"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 2dae9a72390eb4a2b6ef672b769271cc921c6e65 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Sep 2023 07:14:09 -0400 Subject: [PATCH 0516/1014] Bump sigstore from 1.1.2 to 2.0.0 in /.github/requirements (#9668) Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 1.1.2 to 2.0.0. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v1.1.2...v2.0.0) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 168 +++++++++++++----- 1 file changed, 124 insertions(+), 44 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5ce28eca8bd8..11761882a025 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -4,6 +4,10 @@ # # pip-compile --generate-hashes publish-requirements.in # +annotated-types==0.5.0 \ + --hash=sha256:47cdc3490d9ac1506ce92c7aaa76c579dc3509ff11e098fc867e5130ab7be802 \ + --hash=sha256:58da39888f92c276ad970249761ebea80ba544b77acddaa1a4d6cf78287d45fd + # via pydantic appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 @@ -336,46 +340,120 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic==1.10.13 \ - --hash=sha256:1740068fd8e2ef6eb27a20e5651df000978edce6da6803c2bef0bc74540f9548 \ - --hash=sha256:210ce042e8f6f7c01168b2d84d4c9eb2b009fe7bf572c2266e235edf14bacd80 \ - --hash=sha256:32c8b48dcd3b2ac4e78b0ba4af3a2c2eb6048cb75202f0ea7b34feb740efc340 \ - --hash=sha256:3ecea2b9d80e5333303eeb77e180b90e95eea8f765d08c3d278cd56b00345d01 \ - --hash=sha256:4b03e42ec20286f052490423682016fd80fda830d8e4119f8ab13ec7464c0132 \ - --hash=sha256:4c5370a7edaac06daee3af1c8b1192e305bc102abcbf2a92374b5bc793818599 \ - --hash=sha256:56e3ff861c3b9c6857579de282ce8baabf443f42ffba355bf070770ed63e11e1 \ - --hash=sha256:5a1f9f747851338933942db7af7b6ee8268568ef2ed86c4185c6ef4402e80ba8 \ - --hash=sha256:5e08865bc6464df8c7d61439ef4439829e3ab62ab1669cddea8dd00cd74b9ffe \ - --hash=sha256:61d9dce220447fb74f45e73d7ff3b530e25db30192ad8d425166d43c5deb6df0 \ - --hash=sha256:654db58ae399fe6434e55325a2c3e959836bd17a6f6a0b6ca8107ea0571d2e17 \ - --hash=sha256:678bcf5591b63cc917100dc50ab6caebe597ac67e8c9ccb75e698f66038ea953 \ - --hash=sha256:6cf25c1a65c27923a17b3da28a0bdb99f62ee04230c931d83e888012851f4e7f \ - --hash=sha256:75ac15385a3534d887a99c713aa3da88a30fbd6204a5cd0dc4dab3d770b9bd2f \ - --hash=sha256:75b297827b59bc229cac1a23a2f7a4ac0031068e5be0ce385be1462e7e17a35d \ - --hash=sha256:7d6f6e7305244bddb4414ba7094ce910560c907bdfa3501e9db1a7fd7eaea127 \ - --hash=sha256:84bafe2e60b5e78bc64a2941b4c071a4b7404c5c907f5f5a99b0139781e69ed8 \ - --hash=sha256:854223752ba81e3abf663d685f105c64150873cc6f5d0c01d3e3220bcff7d36f \ - --hash=sha256:8ae5dd6b721459bfa30805f4c25880e0dd78fc5b5879f9f7a692196ddcb5a580 \ - --hash=sha256:8ef467901d7a41fa0ca6db9ae3ec0021e3f657ce2c208e98cd511f3161c762c6 \ - --hash=sha256:968ac42970f57b8344ee08837b62f6ee6f53c33f603547a55571c954a4225691 \ - --hash=sha256:97cce3ae7341f7620a0ba5ef6cf043975cd9d2b81f3aa5f4ea37928269bc1b87 \ - --hash=sha256:9849f031cf8a2f0a928fe885e5a04b08006d6d41876b8bbd2fc68a18f9f2e3fd \ - --hash=sha256:9f00790179497767aae6bcdc36355792c79e7bbb20b145ff449700eb076c5f96 \ - --hash=sha256:b87326822e71bd5f313e7d3bfdc77ac3247035ac10b0c0618bd99dcf95b1e687 \ - --hash=sha256:b97c1fac8c49be29486df85968682b0afa77e1b809aff74b83081cc115e52f33 \ - --hash=sha256:bc0898c12f8e9c97f6cd44c0ed70d55749eaf783716896960b4ecce2edfd2d69 \ - --hash=sha256:c553f6a156deb868ba38a23cf0df886c63492e9257f60a79c0fd8e7173537653 \ - --hash=sha256:c636925f38b8db208e09d344c7aa4f29a86bb9947495dd6b6d376ad10334fb78 \ - --hash=sha256:c958d053453a1c4b1c2062b05cd42d9d5c8eb67537b8d5a7e3c3032943ecd261 \ - --hash=sha256:d3a3c792a58e1622667a2837512099eac62490cdfd63bd407993aaf200a4cf1f \ - --hash=sha256:e31647d85a2013d926ce60b84f9dd5300d44535a9941fe825dc349ae1f760df9 \ - --hash=sha256:e70ca129d2053fb8b728ee7d1af8e553a928d7e301a311094b8a0501adc8763d \ - --hash=sha256:efff03cc7a4f29d9009d1c96ceb1e7a70a65cfe86e89d34e4a5f2ab1e5693737 \ - --hash=sha256:f59ef915cac80275245824e9d771ee939133be38215555e9dc90c6cb148aaeb5 \ - --hash=sha256:f8e81fc5fb17dae698f52bdd1c4f18b6ca674d7068242b2aff075f588301bbb0 +pydantic==2.4.2 \ + --hash=sha256:94f336138093a5d7f426aac732dcfe7ab4eb4da243c88f891d65deb4a2556ee7 \ + --hash=sha256:bc3ddf669d234f4220e6e1c4d96b061abe0998185a8d7855c0126782b7abc8c1 # via # id # sigstore +pydantic-core==2.10.1 \ + --hash=sha256:042462d8d6ba707fd3ce9649e7bf268633a41018d6a998fb5fbacb7e928a183e \ + --hash=sha256:0523aeb76e03f753b58be33b26540880bac5aa54422e4462404c432230543f33 \ + --hash=sha256:05560ab976012bf40f25d5225a58bfa649bb897b87192a36c6fef1ab132540d7 \ + --hash=sha256:0675ba5d22de54d07bccde38997e780044dcfa9a71aac9fd7d4d7a1d2e3e65f7 \ + --hash=sha256:073d4a470b195d2b2245d0343569aac7e979d3a0dcce6c7d2af6d8a920ad0bea \ + --hash=sha256:07ec6d7d929ae9c68f716195ce15e745b3e8fa122fc67698ac6498d802ed0fa4 \ + --hash=sha256:0880e239827b4b5b3e2ce05e6b766a7414e5f5aedc4523be6b68cfbc7f61c5d0 \ + --hash=sha256:0c27f38dc4fbf07b358b2bc90edf35e82d1703e22ff2efa4af4ad5de1b3833e7 \ + --hash=sha256:0d8a8adef23d86d8eceed3e32e9cca8879c7481c183f84ed1a8edc7df073af94 \ + --hash=sha256:0e2a35baa428181cb2270a15864ec6286822d3576f2ed0f4cd7f0c1708472aff \ + --hash=sha256:0f8682dbdd2f67f8e1edddcbffcc29f60a6182b4901c367fc8c1c40d30bb0a82 \ + --hash=sha256:0fa467fd300a6f046bdb248d40cd015b21b7576c168a6bb20aa22e595c8ffcdd \ + --hash=sha256:128552af70a64660f21cb0eb4876cbdadf1a1f9d5de820fed6421fa8de07c893 \ + --hash=sha256:1396e81b83516b9d5c9e26a924fa69164156c148c717131f54f586485ac3c15e \ + --hash=sha256:149b8a07712f45b332faee1a2258d8ef1fb4a36f88c0c17cb687f205c5dc6e7d \ + --hash=sha256:14ac492c686defc8e6133e3a2d9eaf5261b3df26b8ae97450c1647286750b901 \ + --hash=sha256:14cfbb00959259e15d684505263d5a21732b31248a5dd4941f73a3be233865b9 \ + --hash=sha256:14e09ff0b8fe6e46b93d36a878f6e4a3a98ba5303c76bb8e716f4878a3bee92c \ + --hash=sha256:154ea7c52e32dce13065dbb20a4a6f0cc012b4f667ac90d648d36b12007fa9f7 \ + --hash=sha256:15d6bca84ffc966cc9976b09a18cf9543ed4d4ecbd97e7086f9ce9327ea48891 \ + --hash=sha256:1d40f55222b233e98e3921df7811c27567f0e1a4411b93d4c5c0f4ce131bc42f \ + --hash=sha256:25bd966103890ccfa028841a8f30cebcf5875eeac8c4bde4fe221364c92f0c9a \ + --hash=sha256:2cf5bb4dd67f20f3bbc1209ef572a259027c49e5ff694fa56bed62959b41e1f9 \ + --hash=sha256:2e0e2959ef5d5b8dc9ef21e1a305a21a36e254e6a34432d00c72a92fdc5ecda5 \ + --hash=sha256:320f14bd4542a04ab23747ff2c8a778bde727158b606e2661349557f0770711e \ + --hash=sha256:3625578b6010c65964d177626fde80cf60d7f2e297d56b925cb5cdeda6e9925a \ + --hash=sha256:39215d809470f4c8d1881758575b2abfb80174a9e8daf8f33b1d4379357e417c \ + --hash=sha256:3f0ac9fb8608dbc6eaf17956bf623c9119b4db7dbb511650910a82e261e6600f \ + --hash=sha256:417243bf599ba1f1fef2bb8c543ceb918676954734e2dcb82bf162ae9d7bd514 \ + --hash=sha256:420a692b547736a8d8703c39ea935ab5d8f0d2573f8f123b0a294e49a73f214b \ + --hash=sha256:443fed67d33aa85357464f297e3d26e570267d1af6fef1c21ca50921d2976302 \ + --hash=sha256:48525933fea744a3e7464c19bfede85df4aba79ce90c60b94d8b6e1eddd67096 \ + --hash=sha256:485a91abe3a07c3a8d1e082ba29254eea3e2bb13cbbd4351ea4e5a21912cc9b0 \ + --hash=sha256:4a5be350f922430997f240d25f8219f93b0c81e15f7b30b868b2fddfc2d05f27 \ + --hash=sha256:4d966c47f9dd73c2d32a809d2be529112d509321c5310ebf54076812e6ecd884 \ + --hash=sha256:524ff0ca3baea164d6d93a32c58ac79eca9f6cf713586fdc0adb66a8cdeab96a \ + --hash=sha256:53df009d1e1ba40f696f8995683e067e3967101d4bb4ea6f667931b7d4a01357 \ + --hash=sha256:5994985da903d0b8a08e4935c46ed8daf5be1cf217489e673910951dc533d430 \ + --hash=sha256:5cabb9710f09d5d2e9e2748c3e3e20d991a4c5f96ed8f1132518f54ab2967221 \ + --hash=sha256:5fdb39f67c779b183b0c853cd6b45f7db84b84e0571b3ef1c89cdb1dfc367325 \ + --hash=sha256:600d04a7b342363058b9190d4e929a8e2e715c5682a70cc37d5ded1e0dd370b4 \ + --hash=sha256:631cb7415225954fdcc2a024119101946793e5923f6c4d73a5914d27eb3d3a05 \ + --hash=sha256:63974d168b6233b4ed6a0046296803cb13c56637a7b8106564ab575926572a55 \ + --hash=sha256:64322bfa13e44c6c30c518729ef08fda6026b96d5c0be724b3c4ae4da939f875 \ + --hash=sha256:655f8f4c8d6a5963c9a0687793da37b9b681d9ad06f29438a3b2326d4e6b7970 \ + --hash=sha256:6835451b57c1b467b95ffb03a38bb75b52fb4dc2762bb1d9dbed8de31ea7d0fc \ + --hash=sha256:6db2eb9654a85ada248afa5a6db5ff1cf0f7b16043a6b070adc4a5be68c716d6 \ + --hash=sha256:7c4d1894fe112b0864c1fa75dffa045720a194b227bed12f4be7f6045b25209f \ + --hash=sha256:7eb037106f5c6b3b0b864ad226b0b7ab58157124161d48e4b30c4a43fef8bc4b \ + --hash=sha256:8282bab177a9a3081fd3d0a0175a07a1e2bfb7fcbbd949519ea0980f8a07144d \ + --hash=sha256:82f55187a5bebae7d81d35b1e9aaea5e169d44819789837cdd4720d768c55d15 \ + --hash=sha256:8572cadbf4cfa95fb4187775b5ade2eaa93511f07947b38f4cd67cf10783b118 \ + --hash=sha256:8cdbbd92154db2fec4ec973d45c565e767ddc20aa6dbaf50142676484cbff8ee \ + --hash=sha256:8f6e6aed5818c264412ac0598b581a002a9f050cb2637a84979859e70197aa9e \ + --hash=sha256:92f675fefa977625105708492850bcbc1182bfc3e997f8eecb866d1927c98ae6 \ + --hash=sha256:962ed72424bf1f72334e2f1e61b68f16c0e596f024ca7ac5daf229f7c26e4208 \ + --hash=sha256:9badf8d45171d92387410b04639d73811b785b5161ecadabf056ea14d62d4ede \ + --hash=sha256:9c120c9ce3b163b985a3b966bb701114beb1da4b0468b9b236fc754783d85aa3 \ + --hash=sha256:9f6f3e2598604956480f6c8aa24a3384dbf6509fe995d97f6ca6103bb8c2534e \ + --hash=sha256:a1254357f7e4c82e77c348dabf2d55f1d14d19d91ff025004775e70a6ef40ada \ + --hash=sha256:a1392e0638af203cee360495fd2cfdd6054711f2db5175b6e9c3c461b76f5175 \ + --hash=sha256:a1c311fd06ab3b10805abb72109f01a134019739bd3286b8ae1bc2fc4e50c07a \ + --hash=sha256:a5cb87bdc2e5f620693148b5f8f842d293cae46c5f15a1b1bf7ceeed324a740c \ + --hash=sha256:a7a7902bf75779bc12ccfc508bfb7a4c47063f748ea3de87135d433a4cca7a2f \ + --hash=sha256:aad7bd686363d1ce4ee930ad39f14e1673248373f4a9d74d2b9554f06199fb58 \ + --hash=sha256:aafdb89fdeb5fe165043896817eccd6434aee124d5ee9b354f92cd574ba5e78f \ + --hash=sha256:ae8a8843b11dc0b03b57b52793e391f0122e740de3df1474814c700d2622950a \ + --hash=sha256:b00bc4619f60c853556b35f83731bd817f989cba3e97dc792bb8c97941b8053a \ + --hash=sha256:b1f22a9ab44de5f082216270552aa54259db20189e68fc12484873d926426921 \ + --hash=sha256:b3c01c2fb081fced3bbb3da78510693dc7121bb893a1f0f5f4b48013201f362e \ + --hash=sha256:b3dcd587b69bbf54fc04ca157c2323b8911033e827fffaecf0cafa5a892a0904 \ + --hash=sha256:b4a6db486ac8e99ae696e09efc8b2b9fea67b63c8f88ba7a1a16c24a057a0776 \ + --hash=sha256:bec7dd208a4182e99c5b6c501ce0b1f49de2802448d4056091f8e630b28e9a52 \ + --hash=sha256:c0877239307b7e69d025b73774e88e86ce82f6ba6adf98f41069d5b0b78bd1bf \ + --hash=sha256:caa48fc31fc7243e50188197b5f0c4228956f97b954f76da157aae7f67269ae8 \ + --hash=sha256:cfe1090245c078720d250d19cb05d67e21a9cd7c257698ef139bc41cf6c27b4f \ + --hash=sha256:d43002441932f9a9ea5d6f9efaa2e21458221a3a4b417a14027a1d530201ef1b \ + --hash=sha256:d64728ee14e667ba27c66314b7d880b8eeb050e58ffc5fec3b7a109f8cddbd63 \ + --hash=sha256:d6495008733c7521a89422d7a68efa0a0122c99a5861f06020ef5b1f51f9ba7c \ + --hash=sha256:d8f1ebca515a03e5654f88411420fea6380fc841d1bea08effb28184e3d4899f \ + --hash=sha256:d99277877daf2efe074eae6338453a4ed54a2d93fb4678ddfe1209a0c93a2468 \ + --hash=sha256:da01bec0a26befab4898ed83b362993c844b9a607a86add78604186297eb047e \ + --hash=sha256:db9a28c063c7c00844ae42a80203eb6d2d6bbb97070cfa00194dff40e6f545ab \ + --hash=sha256:dda81e5ec82485155a19d9624cfcca9be88a405e2857354e5b089c2a982144b2 \ + --hash=sha256:e357571bb0efd65fd55f18db0a2fb0ed89d0bb1d41d906b138f088933ae618bb \ + --hash=sha256:e544246b859f17373bed915182ab841b80849ed9cf23f1f07b73b7c58baee5fb \ + --hash=sha256:e562617a45b5a9da5be4abe72b971d4f00bf8555eb29bb91ec2ef2be348cd132 \ + --hash=sha256:e570ffeb2170e116a5b17e83f19911020ac79d19c96f320cbfa1fa96b470185b \ + --hash=sha256:e6f31a17acede6a8cd1ae2d123ce04d8cca74056c9d456075f4f6f85de055607 \ + --hash=sha256:e9121b4009339b0f751955baf4543a0bfd6bc3f8188f8056b1a25a2d45099934 \ + --hash=sha256:ebedb45b9feb7258fac0a268a3f6bec0a2ea4d9558f3d6f813f02ff3a6dc6698 \ + --hash=sha256:ecaac27da855b8d73f92123e5f03612b04c5632fd0a476e469dfc47cd37d6b2e \ + --hash=sha256:ecdbde46235f3d560b18be0cb706c8e8ad1b965e5c13bbba7450c86064e96561 \ + --hash=sha256:ed550ed05540c03f0e69e6d74ad58d026de61b9eaebebbaaf8873e585cbb18de \ + --hash=sha256:eeb3d3d6b399ffe55f9a04e09e635554012f1980696d6b0aca3e6cf42a17a03b \ + --hash=sha256:ef337945bbd76cce390d1b2496ccf9f90b1c1242a3a7bc242ca4a9fc5993427a \ + --hash=sha256:f1365e032a477c1430cfe0cf2856679529a2331426f8081172c4a74186f1d595 \ + --hash=sha256:f23b55eb5464468f9e0e9a9935ce3ed2a870608d5f534025cd5536bca25b1402 \ + --hash=sha256:f2e9072d71c1f6cfc79a36d4484c82823c560e6f5599c43c1ca6b5cdbd54f881 \ + --hash=sha256:f323306d0556351735b54acbf82904fe30a27b6a7147153cbe6e19aaaa2aa429 \ + --hash=sha256:f36a3489d9e28fe4b67be9992a23029c3cec0babc3bd9afb39f49844a8c721c5 \ + --hash=sha256:f64f82cc3443149292b32387086d02a6c7fb39b8781563e0ca7b8d7d9cf72bd7 \ + --hash=sha256:f6defd966ca3b187ec6c366604e9296f585021d922e666b99c47e78738b5666c \ + --hash=sha256:f7c2b8eb9fc872e68b46eeaf835e86bccc3a58ba57d0eedc109cbb14177be531 \ + --hash=sha256:fa7db7558607afeccb33c0e4bf1c9a9a835e26599e76af6fe2fcea45904083a6 \ + --hash=sha256:fcb83175cc4936a5425dde3356f079ae03c0802bbdf8ff82c035f8a54b333521 + # via pydantic pygments==2.16.1 \ --hash=sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692 \ --hash=sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29 @@ -430,13 +508,13 @@ securesystemslib==0.29.0 \ # via # sigstore # tuf -sigstore==1.1.2 \ - --hash=sha256:1252c34b6bf0f5c0680dffe36e1961bd23da9dd77838fc8ece35bcf87a3bf6df \ - --hash=sha256:1f5d74006073a4bc1572290fb133418c25ff76c5a02fcb567c3feb238d425ab3 +sigstore==2.0.0 \ + --hash=sha256:ef342f4fd4fc03f8ca12b58462683da099e26279ff6eba8fc3ec03f86e1c42ed \ + --hash=sha256:fed5457c3be16c9dff6367dad9062260d67761a46cb1e7cf0ca8c96b96632bb7 # via -r publish-requirements.in -sigstore-protobuf-specs==0.1.0 \ - --hash=sha256:0e7766add04b5bd145181936e6fedbb2609d7e959f2740051cbca12572b277a2 \ - --hash=sha256:622b2d231613a28ed3e6660acd87818675b4e83486f49a0f0c198ac5475fcb81 +sigstore-protobuf-specs==0.2.1 \ + --hash=sha256:5add858b87fb119607fcab48cad5b880d414a1ac8dc60cf0bf63148dd89ac194 \ + --hash=sha256:ea9db15cd2fa7229d3647d0c47079f246bfb177b6a6189647224910b0a740da9 # via sigstore six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ @@ -453,7 +531,9 @@ twine==4.0.2 \ typing-extensions==4.8.0 \ --hash=sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0 \ --hash=sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef - # via pydantic + # via + # pydantic + # pydantic-core urllib3==2.0.5 \ --hash=sha256:13abf37382ea2ce6fb744d4dad67838eec857c9f4f57009891805e0b5e123594 \ --hash=sha256:ef16afa8ba34a1f989db38e1dbbe0c302e4289a47856990d0682e374563ce35e From 566fcd6c4ddc3c868c1154875537970ebb188c9f Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 29 Sep 2023 16:58:48 +0200 Subject: [PATCH 0517/1014] Deprecate naive datetime x509 APIs (#9667) * Deprecate naive datetime x509 APIs * Add missing tests for timezone-aware x509 APIs * Document the deprecation of the naive datetime APIs --- CHANGELOG.rst | 8 +++ docs/x509/reference.rst | 31 +++++++++++ src/cryptography/utils.py | 1 + src/cryptography/x509/base.py | 7 +++ src/rust/src/types.rs | 2 + src/rust/src/x509/certificate.rs | 14 +++++ src/rust/src/x509/crl.rs | 24 ++++++++- tests/x509/test_x509.py | 38 +++++++++----- tests/x509/test_x509_crlbuilder.py | 60 +++++++++++++++++----- tests/x509/test_x509_revokedcertbuilder.py | 19 +++++-- 10 files changed, 173 insertions(+), 31 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 78c24fed4702..f14f5233a554 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -30,6 +30,14 @@ Changelog :meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`. These are timezone-aware variants of existing properties that return naïve ``datetime`` objects. +* Deprecated the following properties that return naïve ``datetime`` objects: + :meth:`~cryptography.x509.Certificate.not_valid_before`, + :meth:`~cryptography.x509.Certificate.not_valid_after`, + :meth:`~cryptography.x509.RevokedCertificate.revocation_date`, + :meth:`~cryptography.x509.CertificateRevocationList.next_update`, + :meth:`~cryptography.x509.CertificateRevocationList.last_update` + in favor of the new timezone-aware variants mentioned above. + .. _v41-0-4: diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index a7aaac5e10b3..40de24983992 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -368,6 +368,13 @@ X.509 Certificate Object :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.Certificate.not_valid_before_utc`. + + A naïve datetime representing the beginning of the validity period for the certificate in UTC. This value is inclusive. @@ -394,6 +401,12 @@ X.509 Certificate Object :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.Certificate.not_valid_after_utc`. + A naïve datetime representing the end of the validity period for the certificate in UTC. This value is inclusive. @@ -718,6 +731,12 @@ X.509 CRL (Certificate Revocation List) Object :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`. + A naïve datetime representing when the next update to this CRL is expected. @@ -744,6 +763,12 @@ X.509 CRL (Certificate Revocation List) Object :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`. + A naïve datetime representing when this CRL was last updated. .. doctest:: @@ -1231,6 +1256,12 @@ X.509 Revoked Certificate Object :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`. + A naïve datetime representing the date this certificates was revoked. .. doctest:: diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index f92d226e85c8..01403fc179b3 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -24,6 +24,7 @@ class CryptographyDeprecationWarning(UserWarning): DeprecatedIn37 = CryptographyDeprecationWarning DeprecatedIn40 = CryptographyDeprecationWarning DeprecatedIn41 = CryptographyDeprecationWarning +DeprecatedIn42 = CryptographyDeprecationWarning def _check_bytes(name: str, value: bytes) -> None: diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 9195efbc6e12..5d229c7e9d77 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -8,6 +8,7 @@ import datetime import os import typing +import warnings from cryptography import utils from cryptography.hazmat.bindings._rust import x509 as rust_x509 @@ -366,6 +367,12 @@ def serial_number(self) -> int: @property def revocation_date(self) -> datetime.datetime: + warnings.warn( + "Properties that return a naïve datetime object have been " + "deprecated. Please switch to revocation_date_utc.", + utils.DeprecatedIn42, + stacklevel=2, + ) return self._revocation_date @property diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 60680cd1ab14..1e1dca93a19e 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -41,6 +41,8 @@ pub static DEPRECATED_IN_36: LazyPyImport = LazyPyImport::new("cryptography.utils", &["DeprecatedIn36"]); pub static DEPRECATED_IN_41: LazyPyImport = LazyPyImport::new("cryptography.utils", &["DeprecatedIn41"]); +pub static DEPRECATED_IN_42: LazyPyImport = + LazyPyImport::new("cryptography.utils", &["DeprecatedIn42"]); pub static LOAD_DER_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 9c29416833d0..5da224afcf88 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -196,6 +196,13 @@ impl Certificate { #[getter] fn not_valid_before<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let warning_cls = types::DEPRECATED_IN_42.get(py)?; + pyo3::PyErr::warn( + py, + warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.", + 1, + )?; let dt = &self .raw .borrow_dependent() @@ -220,6 +227,13 @@ impl Certificate { #[getter] fn not_valid_after<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let warning_cls = types::DEPRECATED_IN_42.get(py)?; + pyo3::PyErr::warn( + py, + warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.", + 1, + )?; let dt = &self .raw .borrow_dependent() diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 58d3a3e711ab..9513c3aba918 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -246,6 +246,13 @@ impl CertificateRevocationList { #[getter] fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let warning_cls = types::DEPRECATED_IN_42.get(py)?; + pyo3::PyErr::warn( + py, + warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", + 1, + )?; match &self.owned.borrow_dependent().tbs_cert_list.next_update { Some(t) => x509::datetime_to_py(py, t.as_datetime()), None => Ok(py.None().into_ref(py)), @@ -262,6 +269,13 @@ impl CertificateRevocationList { #[getter] fn last_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let warning_cls = types::DEPRECATED_IN_42.get(py)?; + pyo3::PyErr::warn( + py, + warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc.", + 1, + )?; x509::datetime_to_py( py, self.owned @@ -507,6 +521,13 @@ impl RevokedCertificate { #[getter] fn revocation_date<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + let warning_cls = types::DEPRECATED_IN_42.get(py)?; + pyo3::PyErr::warn( + py, + warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.", + 1, + )?; x509::datetime_to_py( py, self.owned.borrow_dependent().revocation_date.as_datetime(), @@ -604,7 +625,8 @@ fn create_x509_crl( let serial_number = py_revoked_cert .getattr(pyo3::intern!(py, "serial_number"))? .extract()?; - let py_revocation_date = py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date"))?; + let py_revocation_date = + py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date_utc"))?; revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?) .unwrap(), diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 5519d36c3f27..f834834165aa 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -141,12 +141,14 @@ def _check_cert_times( not_valid_after: typing.Optional[datetime.datetime], ) -> None: if not_valid_before: - assert cert.not_valid_before == not_valid_before + with pytest.warns(utils.DeprecatedIn42): + assert cert.not_valid_before == not_valid_before assert cert.not_valid_before_utc == not_valid_before.replace( tzinfo=datetime.timezone.utc ) if not_valid_after: - assert cert.not_valid_after == not_valid_after + with pytest.warns(utils.DeprecatedIn42): + assert cert.not_valid_after == not_valid_after assert cert.not_valid_after_utc == not_valid_after.replace( tzinfo=datetime.timezone.utc ) @@ -157,11 +159,13 @@ def _check_crl_times( last_update: datetime.datetime, next_update: datetime.datetime, ) -> None: - assert crl.last_update == last_update + with pytest.warns(utils.DeprecatedIn42): + assert crl.last_update == last_update + assert crl.next_update == next_update + assert crl.last_update_utc == last_update.replace( tzinfo=datetime.timezone.utc ) - assert crl.next_update == next_update assert crl.next_update_utc == next_update.replace( tzinfo=datetime.timezone.utc ) @@ -307,14 +311,15 @@ def test_update_dates(self, backend): x509.load_pem_x509_crl, ) - assert isinstance(crl.next_update, datetime.datetime) + with pytest.warns(utils.DeprecatedIn42): + assert isinstance(crl.next_update, datetime.datetime) + assert isinstance(crl.last_update, datetime.datetime) + assert crl.next_update.isoformat() == "2016-01-01T00:00:00" + assert crl.last_update.isoformat() == "2015-01-01T00:00:00" + assert isinstance(crl.next_update_utc, datetime.datetime) - assert isinstance(crl.last_update, datetime.datetime) assert isinstance(crl.last_update_utc, datetime.datetime) - - assert crl.next_update.isoformat() == "2016-01-01T00:00:00" assert crl.next_update_utc.isoformat() == "2016-01-01T00:00:00+00:00" - assert crl.last_update.isoformat() == "2015-01-01T00:00:00" assert crl.last_update_utc.isoformat() == "2015-01-01T00:00:00+00:00" def test_no_next_update(self, backend): @@ -322,7 +327,9 @@ def test_no_next_update(self, backend): os.path.join("x509", "custom", "crl_no_next_update.pem"), x509.load_pem_x509_crl, ) - assert crl.next_update is None + + with pytest.warns(utils.DeprecatedIn42): + assert crl.next_update is None assert crl.next_update_utc is None def test_unrecognized_extension(self, backend): @@ -376,7 +383,10 @@ def test_revoked_cert_retrieval_retain_only_revoked(self, backend): os.path.join("x509", "custom", "crl_all_reasons.pem"), x509.load_pem_x509_crl, )[11] - assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0) + with pytest.warns(utils.DeprecatedIn42): + assert revoked.revocation_date == datetime.datetime( + 2015, 1, 1, 0, 0 + ) assert revoked.revocation_date_utc == datetime.datetime( 2015, 1, 1, 0, 0, tzinfo=datetime.timezone.utc ) @@ -603,12 +613,14 @@ def test_revoked_basics(self, backend): for i, rev in enumerate(crl): assert isinstance(rev, x509.RevokedCertificate) assert isinstance(rev.serial_number, int) - assert isinstance(rev.revocation_date, datetime.datetime) + with pytest.warns(utils.DeprecatedIn42): + assert isinstance(rev.revocation_date, datetime.datetime) assert isinstance(rev.revocation_date_utc, datetime.datetime) assert isinstance(rev.extensions, x509.Extensions) assert rev.serial_number == i - assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00" + with pytest.warns(utils.DeprecatedIn42): + assert rev.revocation_date.isoformat() == "2015-01-01T00:00:00" assert ( rev.revocation_date_utc.isoformat() == "2015-01-01T00:00:00+00:00" diff --git a/tests/x509/test_x509_crlbuilder.py b/tests/x509/test_x509_crlbuilder.py index e7ae0a0a475e..66a13567ac61 100644 --- a/tests/x509/test_x509_crlbuilder.py +++ b/tests/x509/test_x509_crlbuilder.py @@ -7,7 +7,7 @@ import pytest -from cryptography import x509 +from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ec, ed448, ed25519, rsa @@ -65,7 +65,11 @@ def test_aware_last_update(self, rsa_key_2048: rsa.RSAPrivateKey, backend): ) crl = builder.sign(private_key, hashes.SHA256(), backend) - assert crl.last_update == utc_last + with pytest.warns(utils.DeprecatedIn42): + assert crl.last_update == utc_last + assert crl.last_update_utc == utc_last.replace( + tzinfo=datetime.timezone.utc + ) def test_last_update_invalid(self): builder = x509.CertificateRevocationListBuilder() @@ -106,7 +110,11 @@ def test_aware_next_update(self, rsa_key_2048: rsa.RSAPrivateKey, backend): ) crl = builder.sign(private_key, hashes.SHA256(), backend) - assert crl.next_update == utc_next + with pytest.warns(utils.DeprecatedIn42): + assert crl.next_update == utc_next + assert crl.next_update_utc == utc_next.replace( + tzinfo=datetime.timezone.utc + ) def test_next_update_invalid(self): builder = x509.CertificateRevocationListBuilder() @@ -217,8 +225,15 @@ def test_sign_empty_list(self, rsa_key_2048: rsa.RSAPrivateKey, backend): crl = builder.sign(private_key, hashes.SHA256(), backend) assert len(crl) == 0 - assert crl.last_update == last_update - assert crl.next_update == next_update + with pytest.warns(utils.DeprecatedIn42): + assert crl.last_update == last_update + assert crl.next_update == next_update + assert crl.last_update_utc == last_update.replace( + tzinfo=datetime.timezone.utc + ) + assert crl.next_update_utc == next_update.replace( + tzinfo=datetime.timezone.utc + ) @pytest.mark.parametrize( "extension", @@ -574,7 +589,9 @@ def test_sign_dsa_key(self, backend): == ian ) assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert crl[0].revocation_date_utc == revoked_cert0.revocation_date_utc assert len(crl[0].extensions) == 1 ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) assert ext.critical is False @@ -623,7 +640,9 @@ def test_sign_ec_key(self, backend): == ian ) assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert crl[0].revocation_date_utc == revoked_cert0.revocation_date_utc assert len(crl[0].extensions) == 1 ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) assert ext.critical is False @@ -677,7 +696,9 @@ def test_sign_ed25519_key(self, backend): == ian ) assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert crl[0].revocation_date_utc == revoked_cert0.revocation_date_utc assert len(crl[0].extensions) == 1 ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) assert ext.critical is False @@ -731,7 +752,9 @@ def test_sign_ed448_key(self, backend): == ian ) assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert crl[0].revocation_date_utc == revoked_cert0.revocation_date_utc assert len(crl[0].extensions) == 1 ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate) assert ext.critical is False @@ -839,13 +862,24 @@ def test_sign_with_revoked_certificates( crl = builder.sign(private_key, hashes.SHA256(), backend) assert len(crl) == 3 - assert crl.last_update == last_update - assert crl.next_update == next_update + with pytest.warns(utils.DeprecatedIn42): + assert crl.last_update == last_update + assert crl.next_update == next_update + assert crl.last_update_utc == last_update.replace( + tzinfo=datetime.timezone.utc + ) + assert crl.next_update_utc == next_update.replace( + tzinfo=datetime.timezone.utc + ) assert crl[0].serial_number == revoked_cert0.serial_number - assert crl[0].revocation_date == revoked_cert0.revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert crl[0].revocation_date == revoked_cert0.revocation_date + assert crl[0].revocation_date_utc == revoked_cert0.revocation_date_utc assert len(crl[0].extensions) == 0 assert crl[1].serial_number == revoked_cert1.serial_number - assert crl[1].revocation_date == revoked_cert1.revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert crl[1].revocation_date == revoked_cert1.revocation_date + assert crl[1].revocation_date_utc == revoked_cert1.revocation_date_utc assert len(crl[1].extensions) == 2 ext = crl[1].extensions.get_extension_for_class(x509.InvalidityDate) assert ext.critical is False diff --git a/tests/x509/test_x509_revokedcertbuilder.py b/tests/x509/test_x509_revokedcertbuilder.py index 230b11b7a6b2..dc439bc05eb9 100644 --- a/tests/x509/test_x509_revokedcertbuilder.py +++ b/tests/x509/test_x509_revokedcertbuilder.py @@ -7,7 +7,7 @@ import pytest -from cryptography import x509 +from cryptography import utils, x509 class TestRevokedCertificateBuilder: @@ -68,7 +68,8 @@ def test_aware_revocation_date(self, backend): ) revoked_certificate = builder.build(backend) - assert revoked_certificate.revocation_date == utc_time + with pytest.warns(utils.DeprecatedIn42): + assert revoked_certificate.revocation_date == utc_time assert revoked_certificate.revocation_date_utc == utc_time.replace( tzinfo=datetime.timezone.utc ) @@ -133,7 +134,12 @@ def test_create_revoked(self, backend): revoked_certificate = builder.build(backend) assert revoked_certificate.serial_number == serial_number - assert revoked_certificate.revocation_date == revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert revoked_certificate.revocation_date == revocation_date + assert ( + revoked_certificate.revocation_date_utc + == revocation_date.replace(tzinfo=datetime.timezone.utc) + ) assert len(revoked_certificate.extensions) == 0 @pytest.mark.parametrize( @@ -156,7 +162,12 @@ def test_add_extensions(self, backend, extension): revoked_certificate = builder.build(backend) assert revoked_certificate.serial_number == serial_number - assert revoked_certificate.revocation_date == revocation_date + with pytest.warns(utils.DeprecatedIn42): + assert revoked_certificate.revocation_date == revocation_date + assert ( + revoked_certificate.revocation_date_utc + == revocation_date.replace(tzinfo=datetime.timezone.utc) + ) assert len(revoked_certificate.extensions) == 1 ext = revoked_certificate.extensions.get_extension_for_class( type(extension) From d8a023482f3ad66e0eadab9a94642894eee30d00 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 30 Sep 2023 00:18:05 +0000 Subject: [PATCH 0518/1014] Bump BoringSSL and/or OpenSSL in CI (#9670) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 98888a60f4b5..309c31f13814 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12-dev", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 28, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "d24a38200fef19150eef00cad35b138936c08767"}} - # Latest commit on the OpenSSL master branch, as of Sep 29, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "219bd6ac7061c40bd24f896f8652994d62d109de"}} + # Latest commit on the BoringSSL master branch, as of Sep 30, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bd20800c22fc8402611b537287bd6948c3f2a5a8"}} + # Latest commit on the OpenSSL master branch, as of Sep 30, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8ed76c62b5d3214e807e684c06efd69c6471c800"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 9f9076771503fc9a1b39cc0a9559c41391f9e077 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 29 Sep 2023 21:04:03 -0400 Subject: [PATCH 0519/1014] verification: fill in policy API internals (#9642) * src, tests: flatten all changes Signed-off-by: William Woodruff validation: remove Profile abstract from public APIs One step towards removing it entirely Signed-off-by: William Woodruff policy: disambiguate references Signed-off-by: William Woodruff policy: remove separate rfc5280 profile Signed-off-by: William Woodruff policy: remove profile abstraction entirely Signed-off-by: William Woodruff rust: permitted_algorithms filtering Signed-off-by: William Woodruff verify: simplify policy API substantially No more manual monomorphization. Signed-off-by: William Woodruff src, tests: remove verification code Signed-off-by: William Woodruff validation: remove more validation code Signed-off-by: William Woodruff * cryptography, rust: lintage Signed-off-by: William Woodruff * cryptography, rust: lintage, add Policy.subject API Signed-off-by: William Woodruff * src, tests: initial PolicyBuilder tests Signed-off-by: William Woodruff * verify: Policy.validation_time getter Signed-off-by: William Woodruff * push Store into rust Signed-off-by: William Woodruff * cleanup, fixup Signed-off-by: William Woodruff * tests: lintage Signed-off-by: William Woodruff * src: lintage Signed-off-by: William Woodruff * tests: fix linter warning * policy: apply the relevant parts of trail-of-forks/cryptography/pull/3 Signed-off-by: William Woodruff * policy: typo Signed-off-by: William Woodruff * fixup type hints Signed-off-by: William Woodruff * drop dep Not used, yet. Signed-off-by: William Woodruff * Revert "drop dep" This reverts commit a5154e1245e666a79838cd73784884fad6743e7f. * mod: remove permits_* bodies Will include these in a subsequent PR. Signed-off-by: William Woodruff * src: drop certificate helpers as well Not needed yet. Signed-off-by: William Woodruff * verify: remove unneeded explicit lifetimes Signed-off-by: William Woodruff * tests: builder API coverage Signed-off-by: William Woodruff * tests: more coverage Signed-off-by: William Woodruff * type hints Signed-off-by: William Woodruff * unused derives Signed-off-by: William Woodruff * validation: more coverage Signed-off-by: William Woodruff * policy: more cov Signed-off-by: William Woodruff * policy: more coverage Signed-off-by: William Woodruff * policy: add some known bad testcases Signed-off-by: William Woodruff * policy: coverage Signed-off-by: William Woodruff * validation: remove trust_store Not yet used. Signed-off-by: William Woodruff * ops: add NullOps test Signed-off-by: William Woodruff * x509: reimplement verify_directly_issued_by via CryptoOps Tests fail, but this gets the right coverage. Signed-off-by: William Woodruff * ops: use results Signed-off-by: William Woodruff * src, tests: last cov, hopefully Signed-off-by: William Woodruff * test: lintage Signed-off-by: William Woodruff * docs: fill in API docs Signed-off-by: William Woodruff * rust: uniform imports Signed-off-by: William Woodruff * minimize for MVP No configurable profile, Web PKI only. Signed-off-by: William Woodruff * verify: remove old NOTE Signed-off-by: William Woodruff * verify: remove another old NOTE Signed-off-by: William Woodruff * src, tests: fixup tests Signed-off-by: William Woodruff * docs: cleanup Signed-off-by: William Woodruff * src, tests: drop support for missing subjects As part of the MVP. Signed-off-by: William Woodruff * profile: remove old comments Signed-off-by: William Woodruff * verification: deconflict docs Signed-off-by: William Woodruff * validation: bump pem dev-dep Signed-off-by: William Woodruff * validation: drop PolicyError Not part of these changes. Signed-off-by: William Woodruff * validation: drop Policy::rfc5280 Not needed yet; not part of MVP. Signed-off-by: William Woodruff * `Policy::webpki` -> `Policy::new` Bad merge. Signed-off-by: William Woodruff * validation/policy: remove configuration APIs Rust-only, unused, non-MVP. Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: Facundo Tuesca --- src/rust/Cargo.lock | 1 + .../cryptography-x509-validation/Cargo.toml | 3 + .../cryptography-x509-validation/src/ops.rs | 50 +++++++++++++ .../src/policy/mod.rs | 75 +++++++++++++++++-- 4 files changed, 123 insertions(+), 6 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e30876da8b08..1b6f68ddd458 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -114,6 +114,7 @@ dependencies = [ "asn1", "cryptography-x509", "once_cell", + "pem", ] [[package]] diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-validation/Cargo.toml index e756c2e940d4..3e3a815551e5 100644 --- a/src/rust/cryptography-x509-validation/Cargo.toml +++ b/src/rust/cryptography-x509-validation/Cargo.toml @@ -11,3 +11,6 @@ rust-version = "1.63.0" asn1 = { version = "0.15.5", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } once_cell = "1" + +[dev-dependencies] +pem = { version = "3", default-features = false } diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index 47e3f2cd07ef..c1565321d54a 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -20,3 +20,53 @@ pub trait CryptoOps { /// `Key`. fn verify_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> Result<(), Self::Err>; } + +#[cfg(test)] +pub(crate) mod tests { + use cryptography_x509::certificate::Certificate; + + use super::CryptoOps; + + pub(crate) struct NullOps {} + impl CryptoOps for NullOps { + type Key = (); + type Err = (); + + fn public_key(&self, _cert: &Certificate<'_>) -> Result { + Ok(()) + } + + fn verify_signed_by( + &self, + _cert: &Certificate<'_>, + _key: Self::Key, + ) -> Result<(), Self::Err> { + Ok(()) + } + } + + #[test] + fn test_nullops() { + // Arbitrary relatively small cert (v1_cert.pem from cryptography_vectors). + let v1_cert = " +-----BEGIN CERTIFICATE----- +MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV +BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz +MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM +RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF +AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO +/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE +Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ +zl9HYIMxATFyqSiD9jsx +-----END CERTIFICATE-----"; + + let pem = pem::parse(v1_cert.as_bytes()).unwrap(); + let cert = asn1::parse_single::>(pem.contents()).unwrap(); + + let ops = NullOps {}; + assert_eq!(ops.public_key(&cert), Ok(())); + assert!(ops + .verify_signed_by(&cert, ops.public_key(&cert).unwrap()) + .is_ok()); + } +} diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index e2fc54b710a7..17e7e636e71d 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -4,8 +4,7 @@ use std::collections::HashSet; -use cryptography_x509::extensions::SubjectAlternativeName; -use cryptography_x509::name::GeneralName; +use asn1::ObjectIdentifier; use once_cell::sync::Lazy; use cryptography_x509::common::{ @@ -13,6 +12,11 @@ use cryptography_x509::common::{ PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, PSS_SHA512_HASH_ALG, PSS_SHA512_MASK_GEN_ALG, }; +use cryptography_x509::extensions::SubjectAlternativeName; +use cryptography_x509::name::GeneralName; +use cryptography_x509::oid::{ + BASIC_CONSTRAINTS_OID, EKU_SERVER_AUTH_OID, KEY_USAGE_OID, SUBJECT_ALTERNATIVE_NAME_OID, +}; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; @@ -102,6 +106,11 @@ pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> ]) }); +const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] = + &[BASIC_CONSTRAINTS_OID, KEY_USAGE_OID]; +const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = + &[BASIC_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID]; + /// Represents a logical certificate "subject," i.e. a principal matching /// one of the names listed in a certificate's `subjectAltNames` extension. pub enum Subject<'a> { @@ -145,6 +154,14 @@ impl From for Subject<'_> { pub struct Policy<'a, B: CryptoOps> { _ops: B, + /// A top-level constraint on the length of paths constructed under + /// this policy. + /// + /// Note that this has different semantics from `pathLenConstraint`: + /// it controls the *overall* non-self-issued chain length, not the number + /// of non-self-issued intermediates in the chain. + pub max_chain_depth: u8, + /// A subject (i.e. DNS name or other name format) that any EE certificates /// validated by this policy must match. /// If `None`, the EE certificate must not contain a SAN. @@ -153,16 +170,42 @@ pub struct Policy<'a, B: CryptoOps> { /// The validation time. All certificates validated by this policy must /// be valid at this time. pub validation_time: asn1::DateTime, + + /// An extended key usage that must appear in EEs validated by this policy. + pub extended_key_usage: ObjectIdentifier, + + /// The set of permitted signature algorithms, identified by their + /// algorithm identifiers. + /// + /// If not `None`, all certificates validated by this policy MUST + /// have a signature algorithm in this set. + /// + /// If `None`, all signature algorithms are permitted. + pub permitted_algorithms: Option>>, + + pub critical_ca_extensions: HashSet, + pub critical_ee_extensions: HashSet, } impl<'a, B: CryptoOps> Policy<'a, B> { - /// Creates a new policy with the given `CryptoOps`, an optional subject, - /// and a validation time. + /// Create a new policy with defaults for the certificate profile defined in + /// the CA/B Forum's Basic Requirements. pub fn new(ops: B, subject: Option>, time: asn1::DateTime) -> Self { Self { _ops: ops, + max_chain_depth: 8, subject, validation_time: time, + extended_key_usage: EKU_SERVER_AUTH_OID.clone(), + permitted_algorithms: Some( + WEBPKI_PERMITTED_ALGORITHMS + .clone() + .into_iter() + .cloned() + .collect(), + ), + critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(), + critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(), } } } @@ -175,12 +218,17 @@ mod tests { use cryptography_x509::{ extensions::SubjectAlternativeName, name::{GeneralName, UnvalidatedIA5String}, + oid::EXTENDED_KEY_USAGE_OID, }; - use crate::types::{DNSName, IPAddress}; + use crate::{ + ops::tests::NullOps, + policy::{Subject, RFC5280_CRITICAL_CA_EXTENSIONS, RFC5280_CRITICAL_EE_EXTENSIONS}, + types::{DNSName, IPAddress}, + }; use super::{ - Subject, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, + Policy, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, WEBPKI_PERMITTED_ALGORITHMS, }; @@ -260,6 +308,21 @@ mod tests { } } + #[test] + fn test_policy_critical_extensions() { + let time = asn1::DateTime::new(2023, 9, 12, 1, 1, 1).unwrap(); + let policy = Policy::new(NullOps {}, None, time); + + assert_eq!( + policy.critical_ca_extensions, + RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect() + ); + assert_eq!( + policy.critical_ee_extensions, + RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect() + ); + } + #[test] fn test_subject_from_impls() { assert!(matches!( From 057241cd302271467a11dd796c41328b50460b0f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Sep 2023 14:03:21 -0400 Subject: [PATCH 0520/1014] Another sweep removing unused bindings (#9671) * Another sweep removing unused bindings * Remove unused FIPS --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/evp.py | 23 --------------- src/_cffi_src/openssl/fips.py | 28 ------------------- src/_cffi_src/openssl/pem.py | 12 -------- src/_cffi_src/openssl/rsa.py | 26 ----------------- .../hazmat/bindings/openssl/_conditional.py | 8 ------ 6 files changed, 98 deletions(-) delete mode 100644 src/_cffi_src/openssl/fips.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 361473679ece..ae8b821fe644 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -35,7 +35,6 @@ "err", "evp", "evp_aead", - "fips", "nid", "objects", "opensslv", diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 35e2110c38b6..48ad0b8e58b1 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -61,11 +61,6 @@ int EVP_PKEY_size(EVP_PKEY *); RSA *EVP_PKEY_get1_RSA(EVP_PKEY *); -int EVP_PKEY_encrypt(EVP_PKEY_CTX *, unsigned char *, size_t *, - const unsigned char *, size_t); -int EVP_PKEY_decrypt(EVP_PKEY_CTX *, unsigned char *, size_t *, - const unsigned char *, size_t); - int EVP_SignInit(EVP_MD_CTX *, const EVP_MD *); int EVP_SignUpdate(EVP_MD_CTX *, const void *, size_t); int EVP_SignFinal(EVP_MD_CTX *, unsigned char *, unsigned int *, EVP_PKEY *); @@ -76,25 +71,9 @@ EVP_PKEY *); -EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *); -void EVP_PKEY_CTX_free(EVP_PKEY_CTX *); -int EVP_PKEY_sign_init(EVP_PKEY_CTX *); -int EVP_PKEY_sign(EVP_PKEY_CTX *, unsigned char *, size_t *, - const unsigned char *, size_t); -int EVP_PKEY_verify_init(EVP_PKEY_CTX *); -int EVP_PKEY_verify(EVP_PKEY_CTX *, const unsigned char *, size_t, - const unsigned char *, size_t); -int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *); -int EVP_PKEY_verify_recover(EVP_PKEY_CTX *, unsigned char *, - size_t *, const unsigned char *, size_t); -int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *); -int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *); - int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *); int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *); -int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *); - int EVP_PKEY_id(const EVP_PKEY *); EVP_MD_CTX *EVP_MD_CTX_new(void); @@ -106,8 +85,6 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); -int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *); - int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py deleted file mode 100644 index 9e3ce9524b44..000000000000 --- a/src/_cffi_src/openssl/fips.py +++ /dev/null @@ -1,28 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#include -""" - -TYPES = """ -static const long Cryptography_HAS_FIPS; -""" - -FUNCTIONS = """ -int FIPS_mode_set(int); -int FIPS_mode(void); -""" - -CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -static const long Cryptography_HAS_FIPS = 0; -int (*FIPS_mode_set)(int) = NULL; -int (*FIPS_mode)(void) = NULL; -#else -static const long Cryptography_HAS_FIPS = 1; -#endif -""" diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py index 93c5a9955ba0..5758181284f0 100644 --- a/src/_cffi_src/openssl/pem.py +++ b/src/_cffi_src/openssl/pem.py @@ -22,12 +22,6 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *, EVP_PKEY **, pem_password_cb *, void *); -int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *, - char *, int, pem_password_cb *, void *); - -int i2d_PKCS8PrivateKey_bio(BIO *, EVP_PKEY *, const EVP_CIPHER *, - char *, int, pem_password_cb *, void *); - PKCS7 *d2i_PKCS7_bio(BIO *, PKCS7 **); EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *, EVP_PKEY **, pem_password_cb *, @@ -45,14 +39,8 @@ DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *); -int PEM_write_bio_RSAPrivateKey(BIO *, RSA *, const EVP_CIPHER *, - unsigned char *, int, - pem_password_cb *, void *); - RSA *PEM_read_bio_RSAPublicKey(BIO *, RSA **, pem_password_cb *, void *); -int PEM_write_bio_RSAPublicKey(BIO *, const RSA *); - EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *); int PEM_write_bio_PUBKEY(BIO *, EVP_PKEY *); """ diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py index 9ae7365b1ec7..89e46470de38 100644 --- a/src/_cffi_src/openssl/rsa.py +++ b/src/_cffi_src/openssl/rsa.py @@ -11,11 +11,7 @@ TYPES = """ typedef ... RSA; typedef ... BN_GENCB; -static const int RSA_PKCS1_PADDING; -static const int RSA_PKCS1_OAEP_PADDING; -static const int RSA_PKCS1_PSS_PADDING; static const int RSA_F4; -static const int RSA_PSS_SALTLEN_AUTO; static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION; """ @@ -25,32 +21,10 @@ void RSA_free(RSA *); int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *); int RSA_check_key(const RSA *); -RSA *RSAPublicKey_dup(RSA *); int RSA_print(BIO *, const RSA *, int); - -int RSA_set0_key(RSA *, BIGNUM *, BIGNUM *, BIGNUM *); -int RSA_set0_factors(RSA *, BIGNUM *, BIGNUM *); -int RSA_set0_crt_params(RSA *, BIGNUM *, BIGNUM *, BIGNUM *); -void RSA_get0_key(const RSA *, const BIGNUM **, const BIGNUM **, - const BIGNUM **); -void RSA_get0_factors(const RSA *, const BIGNUM **, const BIGNUM **); -void RSA_get0_crt_params(const RSA *, const BIGNUM **, const BIGNUM **, - const BIGNUM **); -int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *, int); -int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *, int); -int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *, EVP_MD *); -int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *, unsigned char *, int); - -int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *, EVP_MD *); """ CUSTOMIZATIONS = """ -// BoringSSL doesn't define this constant, but the value is used for -// automatic salt length computation as in OpenSSL and LibreSSL -#if !defined(RSA_PSS_SALTLEN_AUTO) -#define RSA_PSS_SALTLEN_AUTO -2 -#endif - #if defined(EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION) static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 1; #else diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 3c6d31af00ea..5cb1619af6a6 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -58,13 +58,6 @@ def cryptography_has_ed25519() -> list[str]: ] -def cryptography_has_fips() -> list[str]: - return [ - "FIPS_mode_set", - "FIPS_mode", - ] - - def cryptography_has_ssl_sigalgs() -> list[str]: return [ "SSL_CTX_set1_sigalgs_list", @@ -250,7 +243,6 @@ def cryptography_has_evp_aead() -> list[str]: ), "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_ED25519": cryptography_has_ed25519, - "Cryptography_HAS_FIPS": cryptography_has_fips, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13, From 3934d2e0944f10dfc9487fd651d03579cd619249 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Sep 2023 14:29:10 -0400 Subject: [PATCH 0521/1014] Remove unused bignum functions and bindings (#9672) --- src/_cffi_src/openssl/bignum.py | 11 --------- .../hazmat/backends/openssl/backend.py | 24 ------------------- tests/hazmat/backends/test_openssl.py | 13 ---------- 3 files changed, 48 deletions(-) diff --git a/src/_cffi_src/openssl/bignum.py b/src/_cffi_src/openssl/bignum.py index d1682ba8aaf1..4c7a9593d51c 100644 --- a/src/_cffi_src/openssl/bignum.py +++ b/src/_cffi_src/openssl/bignum.py @@ -19,7 +19,6 @@ FUNCTIONS = """ BIGNUM *BN_new(void); void BN_free(BIGNUM *); -void BN_clear_free(BIGNUM *); int BN_rand_range(BIGNUM *, const BIGNUM *); @@ -28,16 +27,6 @@ char *BN_bn2hex(const BIGNUM *); int BN_hex2bn(BIGNUM **, const char *); -int BN_bn2bin(const BIGNUM *, unsigned char *); -BIGNUM *BN_bin2bn(const unsigned char *, int, BIGNUM *); - -int BN_num_bits(const BIGNUM *); - -int BN_is_negative(const BIGNUM *); -int BN_is_odd(const BIGNUM *); - -int BN_num_bytes(const BIGNUM *); - /* The following 3 prime methods are exposed for Tribler. */ int BN_generate_prime_ex(BIGNUM *, int, int, const BIGNUM *, const BIGNUM *, BN_GENCB *); diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 3797d1df83e3..4d4aa65ec40e 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -325,30 +325,6 @@ def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: def _consume_errors(self) -> list[rust_openssl.OpenSSLError]: return rust_openssl.capture_error_stack() - def _bn_to_int(self, bn) -> int: - assert bn != self._ffi.NULL - self.openssl_assert(not self._lib.BN_is_negative(bn)) - - bn_num_bytes = self._lib.BN_num_bytes(bn) - bin_ptr = self._ffi.new("unsigned char[]", bn_num_bytes) - bin_len = self._lib.BN_bn2bin(bn, bin_ptr) - # A zero length means the BN has value 0 - self.openssl_assert(bin_len >= 0) - val = int.from_bytes(self._ffi.buffer(bin_ptr)[:bin_len], "big") - return val - - def _int_to_bn(self, num: int): - """ - Converts a python integer to a BIGNUM. The returned BIGNUM will not - be garbage collected (to support adding them to structs that take - ownership of the object). Be sure to register it for GC if it will - be discarded after use. - """ - binary = num.to_bytes(int(num.bit_length() / 8.0 + 1), "big") - bn_ptr = self._lib.BN_bin2bn(binary, len(binary), self._ffi.NULL) - self.openssl_assert(bn_ptr != self._ffi.NULL) - return bn_ptr - def generate_rsa_private_key( self, public_exponent: int, key_size: int ) -> rsa.RSAPrivateKey: diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 68f3d1a5fb24..44093e98da6b 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -150,19 +150,6 @@ def test_unknown_error_in_cipher_finalize(self): with pytest.raises(InternalError): enc.finalize() - def test_int_to_bn(self): - value = (2**4242) - 4242 - bn = backend._int_to_bn(value) - assert bn != backend._ffi.NULL - bn = backend._ffi.gc(bn, backend._lib.BN_clear_free) - - assert bn - assert backend._bn_to_int(bn) == value - - def test_bn_to_int(self): - bn = backend._int_to_bn(0) - assert backend._bn_to_int(bn) == 0 - class TestOpenSSLRSA: def test_generate_rsa_parameters_supported(self): From 98aac6587cf97a3082560d12b03e32ca0de62847 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 1 Oct 2023 12:53:37 -0400 Subject: [PATCH 0522/1014] Remove unused PKCS7 bindings (#9674) --- src/_cffi_src/openssl/pkcs7.py | 10 ---------- .../hazmat/bindings/openssl/_conditional.py | 4 ---- 2 files changed, 14 deletions(-) diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py index ef75157a80da..b656f96e7239 100644 --- a/src/_cffi_src/openssl/pkcs7.py +++ b/src/_cffi_src/openssl/pkcs7.py @@ -48,11 +48,6 @@ FUNCTIONS = """ void PKCS7_free(PKCS7 *); -int SMIME_write_PKCS7(BIO *, PKCS7 *, BIO *, int); -int PEM_write_bio_PKCS7_stream(BIO *, PKCS7 *, BIO *, int); -PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *, X509 *, EVP_PKEY *, - const EVP_MD *, int); -int PKCS7_final(PKCS7 *, BIO *, int); /* Included verify due to external consumer, see https://github.com/pyca/cryptography/issues/5433 */ int PKCS7_verify(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, @@ -74,11 +69,6 @@ #if CRYPTOGRAPHY_IS_BORINGSSL static const long Cryptography_HAS_PKCS7_FUNCS = 0; -int (*SMIME_write_PKCS7)(BIO *, PKCS7 *, BIO *, int) = NULL; -int (*PEM_write_bio_PKCS7_stream)(BIO *, PKCS7 *, BIO *, int) = NULL; -PKCS7_SIGNER_INFO *(*PKCS7_sign_add_signer)(PKCS7 *, X509 *, EVP_PKEY *, - const EVP_MD *, int) = NULL; -int (*PKCS7_final)(PKCS7 *, BIO *, int); int (*PKCS7_verify)(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, BIO *, int) = NULL; PKCS7 *(*SMIME_read_PKCS7)(BIO *, BIO **) = NULL; diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 5cb1619af6a6..6dffae404d6f 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -178,10 +178,6 @@ def cryptography_has_ssl_cookie() -> list[str]: def cryptography_has_pkcs7_funcs() -> list[str]: return [ - "SMIME_write_PKCS7", - "PEM_write_bio_PKCS7_stream", - "PKCS7_sign_add_signer", - "PKCS7_final", "PKCS7_verify", "SMIME_read_PKCS7", "PKCS7_get0_signers", From 4553a409e30d280e8f773921db8fdd71931fe230 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 1 Oct 2023 12:54:54 -0400 Subject: [PATCH 0523/1014] Remove pointless indirections (#9673) --- .../hazmat/backends/openssl/backend.py | 61 +------------------ .../hazmat/primitives/asymmetric/ec.py | 24 ++------ .../hazmat/primitives/asymmetric/rsa.py | 25 ++++---- tests/hazmat/backends/test_openssl.py | 18 ------ 4 files changed, 19 insertions(+), 109 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 4d4aa65ec40e..a909900db6a2 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -18,7 +18,7 @@ from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding -from cryptography.hazmat.primitives.asymmetric import dh, ec, rsa +from cryptography.hazmat.primitives.asymmetric import dh, ec from cryptography.hazmat.primitives.asymmetric import utils as asym_utils from cryptography.hazmat.primitives.asymmetric.padding import ( MGF1, @@ -325,12 +325,6 @@ def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: def _consume_errors(self) -> list[rust_openssl.OpenSSLError]: return rust_openssl.capture_error_stack() - def generate_rsa_private_key( - self, public_exponent: int, key_size: int - ) -> rsa.RSAPrivateKey: - rsa._verify_rsa_parameters(public_exponent, key_size) - return rust_openssl.rsa.generate_private_key(public_exponent, key_size) - def generate_rsa_parameters_supported( self, public_exponent: int, key_size: int ) -> bool: @@ -340,31 +334,6 @@ def generate_rsa_parameters_supported( and key_size >= 512 ) - def load_rsa_private_numbers( - self, - numbers: rsa.RSAPrivateNumbers, - unsafe_skip_rsa_key_validation: bool, - ) -> rsa.RSAPrivateKey: - rsa._check_private_key_components( - numbers.p, - numbers.q, - numbers.d, - numbers.dmp1, - numbers.dmq1, - numbers.iqmp, - numbers.public_numbers.e, - numbers.public_numbers.n, - ) - return rust_openssl.rsa.from_private_numbers( - numbers, unsafe_skip_rsa_key_validation - ) - - def load_rsa_public_numbers( - self, numbers: rsa.RSAPublicNumbers - ) -> rsa.RSAPublicKey: - rsa._check_public_key_components(numbers.e, numbers.n) - return rust_openssl.rsa.from_public_numbers(numbers) - def _create_evp_pkey_gc(self): evp_pkey = self._lib.EVP_PKEY_new() self.openssl_assert(evp_pkey != self._ffi.NULL) @@ -870,34 +839,6 @@ def elliptic_curve_signature_algorithm_supported( or self.hash_supported(signature_algorithm.algorithm) ) - def generate_elliptic_curve_private_key( - self, curve: ec.EllipticCurve - ) -> ec.EllipticCurvePrivateKey: - """ - Generate a new private key on the named curve. - """ - return rust_openssl.ec.generate_private_key(curve) - - def load_elliptic_curve_private_numbers( - self, numbers: ec.EllipticCurvePrivateNumbers - ) -> ec.EllipticCurvePrivateKey: - return rust_openssl.ec.from_private_numbers(numbers) - - def load_elliptic_curve_public_numbers( - self, numbers: ec.EllipticCurvePublicNumbers - ) -> ec.EllipticCurvePublicKey: - return rust_openssl.ec.from_public_numbers(numbers) - - def load_elliptic_curve_public_bytes( - self, curve: ec.EllipticCurve, point_bytes: bytes - ) -> ec.EllipticCurvePublicKey: - return rust_openssl.ec.from_public_bytes(curve, point_bytes) - - def derive_elliptic_curve_private_key( - self, private_value: int, curve: ec.EllipticCurve - ) -> ec.EllipticCurvePrivateKey: - return rust_openssl.ec.derive_private_key(private_value, curve) - def elliptic_curve_exchange_algorithm_supported( self, algorithm: ec.ECDH, curve: ec.EllipticCurve ) -> bool: diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index 90bef64e5396..661dd1dd8870 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -182,9 +182,7 @@ def from_encoded_point( if data[0] not in [0x02, 0x03, 0x04]: raise ValueError("Unsupported elliptic curve point type") - from cryptography.hazmat.backends.openssl.backend import backend - - return backend.load_elliptic_curve_public_bytes(curve, data) + return rust_openssl.ec.from_public_bytes(curve, data) @abc.abstractmethod def __eq__(self, other: object) -> bool: @@ -334,9 +332,7 @@ def algorithm( def generate_private_key( curve: EllipticCurve, backend: typing.Any = None ) -> EllipticCurvePrivateKey: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.generate_elliptic_curve_private_key(curve) + return rust_openssl.ec.generate_private_key(curve) def derive_private_key( @@ -344,8 +340,6 @@ def derive_private_key( curve: EllipticCurve, backend: typing.Any = None, ) -> EllipticCurvePrivateKey: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - if not isinstance(private_value, int): raise TypeError("private_value must be an integer type.") @@ -355,7 +349,7 @@ def derive_private_key( if not isinstance(curve, EllipticCurve): raise TypeError("curve must provide the EllipticCurve interface.") - return ossl.derive_elliptic_curve_private_key(private_value, curve) + return rust_openssl.ec.derive_private_key(private_value, curve) class EllipticCurvePublicNumbers: @@ -371,11 +365,7 @@ def __init__(self, x: int, y: int, curve: EllipticCurve): self._curve = curve def public_key(self, backend: typing.Any = None) -> EllipticCurvePublicKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_elliptic_curve_public_numbers(self) + return rust_openssl.ec.from_public_numbers(self) @property def curve(self) -> EllipticCurve: @@ -429,11 +419,7 @@ def __init__( def private_key( self, backend: typing.Any = None ) -> EllipticCurvePrivateKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_elliptic_curve_private_numbers(self) + return rust_openssl.ec.from_private_numbers(self) @property def private_value(self) -> int: diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 64b9d712258b..bb24ffbfe86a 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -136,10 +136,8 @@ def generate_private_key( key_size: int, backend: typing.Any = None, ) -> RSAPrivateKey: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - _verify_rsa_parameters(public_exponent, key_size) - return ossl.generate_rsa_private_key(public_exponent, key_size) + return rust_openssl.rsa.generate_private_key(public_exponent, key_size) def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None: @@ -368,11 +366,17 @@ def private_key( *, unsafe_skip_rsa_key_validation: bool = False, ) -> RSAPrivateKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, + _check_private_key_components( + self.p, + self.q, + self.d, + self.dmp1, + self.dmq1, + self.iqmp, + self.public_numbers.e, + self.public_numbers.n, ) - - return ossl.load_rsa_private_numbers( + return rust_openssl.rsa.from_private_numbers( self, unsafe_skip_rsa_key_validation ) @@ -421,11 +425,8 @@ def n(self) -> int: return self._n def public_key(self, backend: typing.Any = None) -> RSAPublicKey: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - return ossl.load_rsa_public_numbers(self) + _check_public_key_components(self.e, self.n) + return rust_openssl.rsa.from_public_numbers(self) def __repr__(self) -> str: return f"" diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 44093e98da6b..a47470b9a243 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -158,24 +158,6 @@ def test_generate_rsa_parameters_supported(self): assert backend.generate_rsa_parameters_supported(3, 1024) is True assert backend.generate_rsa_parameters_supported(3, 511) is False - def test_generate_bad_public_exponent(self): - with pytest.raises(ValueError): - backend.generate_rsa_private_key(public_exponent=1, key_size=2048) - - with pytest.raises(ValueError): - backend.generate_rsa_private_key(public_exponent=4, key_size=2048) - - def test_cant_generate_insecure_tiny_key(self): - with pytest.raises(ValueError): - backend.generate_rsa_private_key( - public_exponent=65537, key_size=511 - ) - - with pytest.raises(ValueError): - backend.generate_rsa_private_key( - public_exponent=65537, key_size=256 - ) - def test_rsa_padding_unsupported_pss_mgf1_hash(self): assert ( backend.rsa_padding_supported( From a2f6520b449b6a15cb4a74e80f7656673c69fd67 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 06:57:34 -0400 Subject: [PATCH 0524/1014] Bump tuf from 2.1.0 to 3.0.0 in /.github/requirements (#9675) Bumps [tuf](https://github.com/theupdateframework/python-tuf) from 2.1.0 to 3.0.0. - [Release notes](https://github.com/theupdateframework/python-tuf/releases) - [Changelog](https://github.com/theupdateframework/python-tuf/blob/develop/docs/CHANGELOG.md) - [Commits](https://github.com/theupdateframework/python-tuf/compare/v2.1.0...v3.0.0) --- updated-dependencies: - dependency-name: tuf dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 11761882a025..a46dbe5b74e8 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -520,9 +520,9 @@ six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 # via python-dateutil -tuf==2.1.0 \ - --hash=sha256:ab22d1143d4d8aa20c94d243de27eedc8cd517e251ddaf4a88c10952358a13ea \ - --hash=sha256:dbfe18fbdeba6d76144931db88b76e473fa40c431b60d25b455a9adbb07c2397 +tuf==3.0.0 \ + --hash=sha256:493f5e9dc60c6a216320a82e052f6bd6f4b12cf8dfafc90ce6de537545ccfa61 \ + --hash=sha256:e8fb94cb38f472530d591c59e87f22698355a673231f5bf50d7d1da4842c0007 # via sigstore twine==4.0.2 \ --hash=sha256:929bc3c280033347a00f847236564d1c52a3e61b1ac2516c97c48f3ceab756d8 \ From 7470417383c6ad22b90a1a82cfe7ec4e257f28e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 07:12:43 -0400 Subject: [PATCH 0525/1014] Bump rich from 13.5.3 to 13.6.0 in /.github/requirements (#9677) Bumps [rich](https://github.com/Textualize/rich) from 13.5.3 to 13.6.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.3...v13.6.0) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a46dbe5b74e8..1597aac6b2b4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -494,9 +494,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.5.3 \ - --hash=sha256:87b43e0543149efa1253f485cd845bb7ee54df16c9617b8a893650ab84b4acb6 \ - --hash=sha256:9257b468badc3d347e146a4faa268ff229039d4c2d176ab0cffb4c4fbc73d5d9 +rich==13.6.0 \ + --hash=sha256:2b38e2fe9ca72c9a00170a1a2d20c63c790d0e10ef1fe35eba76e1e7b1d7d245 \ + --hash=sha256:5c14d22737e6d5084ef4771b62d5d4363165b403455a30a1c8ca39dc7b644bef # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ From cbd59cb5b83f93400c905bc82d2877d5a505f040 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 11:18:57 +0000 Subject: [PATCH 0526/1014] Bump charset-normalizer from 3.2.0 to 3.3.0 (#9678) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.2.0...3.3.0) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4635dd5dc97a..813c056227e0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -21,7 +21,7 @@ build==1.0.3 # cryptography (pyproject.toml) certifi==2023.7.22 # via requests -charset-normalizer==3.2.0 +charset-normalizer==3.3.0 # via requests check-sdist==0.1.2 # via cryptography (pyproject.toml) From 801ee479ba40a550e38d58fc1fbee55ed0f0b05b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 11:19:08 +0000 Subject: [PATCH 0527/1014] Bump packaging from 23.1 to 23.2 (#9680) Bumps [packaging](https://github.com/pypa/packaging) from 23.1 to 23.2. - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/23.1...23.2) --- updated-dependencies: - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 813c056227e0..d168803d80ad 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -76,7 +76,7 @@ mypy-extensions==1.0.0 # mypy nox==2023.4.22 # via cryptography (pyproject.toml) -packaging==23.1 +packaging==23.2 # via # black # build From 4af88601c0669d2b0ca98b87ed186fdda24b90c4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 11:27:27 +0000 Subject: [PATCH 0528/1014] Bump rich from 13.5.3 to 13.6.0 (#9679) Bumps [rich](https://github.com/Textualize/rich) from 13.5.3 to 13.6.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.5.3...v13.6.0) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d168803d80ad..39f2f4c53ab9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -136,7 +136,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.5.3 +rich==13.6.0 # via twine ruff==0.0.291 # via cryptography (pyproject.toml) From 4166517b739558ce5efb8d8067e0b681abd36654 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 07:39:46 -0400 Subject: [PATCH 0529/1014] Bump charset-normalizer from 3.2.0 to 3.3.0 in /.github/requirements (#9676) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.2.0...3.3.0) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 167 ++++++++++-------- 1 file changed, 91 insertions(+), 76 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1597aac6b2b4..cc49a5f77c42 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -74,82 +74,97 @@ cffi==1.16.0 \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via cryptography -charset-normalizer==3.2.0 \ - --hash=sha256:04e57ab9fbf9607b77f7d057974694b4f6b142da9ed4a199859d9d4d5c63fe96 \ - --hash=sha256:09393e1b2a9461950b1c9a45d5fd251dc7c6f228acab64da1c9c0165d9c7765c \ - --hash=sha256:0b87549028f680ca955556e3bd57013ab47474c3124dc069faa0b6545b6c9710 \ - --hash=sha256:1000fba1057b92a65daec275aec30586c3de2401ccdcd41f8a5c1e2c87078706 \ - --hash=sha256:1249cbbf3d3b04902ff081ffbb33ce3377fa6e4c7356f759f3cd076cc138d020 \ - --hash=sha256:1920d4ff15ce893210c1f0c0e9d19bfbecb7983c76b33f046c13a8ffbd570252 \ - --hash=sha256:193cbc708ea3aca45e7221ae58f0fd63f933753a9bfb498a3b474878f12caaad \ - --hash=sha256:1a100c6d595a7f316f1b6f01d20815d916e75ff98c27a01ae817439ea7726329 \ - --hash=sha256:1f30b48dd7fa1474554b0b0f3fdfdd4c13b5c737a3c6284d3cdc424ec0ffff3a \ - --hash=sha256:203f0c8871d5a7987be20c72442488a0b8cfd0f43b7973771640fc593f56321f \ - --hash=sha256:246de67b99b6851627d945db38147d1b209a899311b1305dd84916f2b88526c6 \ - --hash=sha256:2dee8e57f052ef5353cf608e0b4c871aee320dd1b87d351c28764fc0ca55f9f4 \ - --hash=sha256:2efb1bd13885392adfda4614c33d3b68dee4921fd0ac1d3988f8cbb7d589e72a \ - --hash=sha256:2f4ac36d8e2b4cc1aa71df3dd84ff8efbe3bfb97ac41242fbcfc053c67434f46 \ - --hash=sha256:3170c9399da12c9dc66366e9d14da8bf7147e1e9d9ea566067bbce7bb74bd9c2 \ - --hash=sha256:3b1613dd5aee995ec6d4c69f00378bbd07614702a315a2cf6c1d21461fe17c23 \ - --hash=sha256:3bb3d25a8e6c0aedd251753a79ae98a093c7e7b471faa3aa9a93a81431987ace \ - --hash=sha256:3bb7fda7260735efe66d5107fb7e6af6a7c04c7fce9b2514e04b7a74b06bf5dd \ - --hash=sha256:41b25eaa7d15909cf3ac4c96088c1f266a9a93ec44f87f1d13d4a0e86c81b982 \ - --hash=sha256:45de3f87179c1823e6d9e32156fb14c1927fcc9aba21433f088fdfb555b77c10 \ - --hash=sha256:46fb8c61d794b78ec7134a715a3e564aafc8f6b5e338417cb19fe9f57a5a9bf2 \ - --hash=sha256:48021783bdf96e3d6de03a6e39a1171ed5bd7e8bb93fc84cc649d11490f87cea \ - --hash=sha256:4957669ef390f0e6719db3613ab3a7631e68424604a7b448f079bee145da6e09 \ - --hash=sha256:5e86d77b090dbddbe78867a0275cb4df08ea195e660f1f7f13435a4649e954e5 \ - --hash=sha256:6339d047dab2780cc6220f46306628e04d9750f02f983ddb37439ca47ced7149 \ - --hash=sha256:681eb3d7e02e3c3655d1b16059fbfb605ac464c834a0c629048a30fad2b27489 \ - --hash=sha256:6c409c0deba34f147f77efaa67b8e4bb83d2f11c8806405f76397ae5b8c0d1c9 \ - --hash=sha256:7095f6fbfaa55defb6b733cfeb14efaae7a29f0b59d8cf213be4e7ca0b857b80 \ - --hash=sha256:70c610f6cbe4b9fce272c407dd9d07e33e6bf7b4aa1b7ffb6f6ded8e634e3592 \ - --hash=sha256:72814c01533f51d68702802d74f77ea026b5ec52793c791e2da806a3844a46c3 \ - --hash=sha256:7a4826ad2bd6b07ca615c74ab91f32f6c96d08f6fcc3902ceeedaec8cdc3bcd6 \ - --hash=sha256:7c70087bfee18a42b4040bb9ec1ca15a08242cf5867c58726530bdf3945672ed \ - --hash=sha256:855eafa5d5a2034b4621c74925d89c5efef61418570e5ef9b37717d9c796419c \ - --hash=sha256:8700f06d0ce6f128de3ccdbc1acaea1ee264d2caa9ca05daaf492fde7c2a7200 \ - --hash=sha256:89f1b185a01fe560bc8ae5f619e924407efca2191b56ce749ec84982fc59a32a \ - --hash=sha256:8b2c760cfc7042b27ebdb4a43a4453bd829a5742503599144d54a032c5dc7e9e \ - --hash=sha256:8c2f5e83493748286002f9369f3e6607c565a6a90425a3a1fef5ae32a36d749d \ - --hash=sha256:8e098148dd37b4ce3baca71fb394c81dc5d9c7728c95df695d2dca218edf40e6 \ - --hash=sha256:94aea8eff76ee6d1cdacb07dd2123a68283cb5569e0250feab1240058f53b623 \ - --hash=sha256:95eb302ff792e12aba9a8b8f8474ab229a83c103d74a750ec0bd1c1eea32e669 \ - --hash=sha256:9bd9b3b31adcb054116447ea22caa61a285d92e94d710aa5ec97992ff5eb7cf3 \ - --hash=sha256:9e608aafdb55eb9f255034709e20d5a83b6d60c054df0802fa9c9883d0a937aa \ - --hash=sha256:a103b3a7069b62f5d4890ae1b8f0597618f628b286b03d4bc9195230b154bfa9 \ - --hash=sha256:a386ebe437176aab38c041de1260cd3ea459c6ce5263594399880bbc398225b2 \ - --hash=sha256:a38856a971c602f98472050165cea2cdc97709240373041b69030be15047691f \ - --hash=sha256:a401b4598e5d3f4a9a811f3daf42ee2291790c7f9d74b18d75d6e21dda98a1a1 \ - --hash=sha256:a7647ebdfb9682b7bb97e2a5e7cb6ae735b1c25008a70b906aecca294ee96cf4 \ - --hash=sha256:aaf63899c94de41fe3cf934601b0f7ccb6b428c6e4eeb80da72c58eab077b19a \ - --hash=sha256:b0dac0ff919ba34d4df1b6131f59ce95b08b9065233446be7e459f95554c0dc8 \ - --hash=sha256:baacc6aee0b2ef6f3d308e197b5d7a81c0e70b06beae1f1fcacffdbd124fe0e3 \ - --hash=sha256:bf420121d4c8dce6b889f0e8e4ec0ca34b7f40186203f06a946fa0276ba54029 \ - --hash=sha256:c04a46716adde8d927adb9457bbe39cf473e1e2c2f5d0a16ceb837e5d841ad4f \ - --hash=sha256:c0b21078a4b56965e2b12f247467b234734491897e99c1d51cee628da9786959 \ - --hash=sha256:c1c76a1743432b4b60ab3358c937a3fe1341c828ae6194108a94c69028247f22 \ - --hash=sha256:c4983bf937209c57240cff65906b18bb35e64ae872da6a0db937d7b4af845dd7 \ - --hash=sha256:c4fb39a81950ec280984b3a44f5bd12819953dc5fa3a7e6fa7a80db5ee853952 \ - --hash=sha256:c57921cda3a80d0f2b8aec7e25c8aa14479ea92b5b51b6876d975d925a2ea346 \ - --hash=sha256:c8063cf17b19661471ecbdb3df1c84f24ad2e389e326ccaf89e3fb2484d8dd7e \ - --hash=sha256:ccd16eb18a849fd8dcb23e23380e2f0a354e8daa0c984b8a732d9cfaba3a776d \ - --hash=sha256:cd6dbe0238f7743d0efe563ab46294f54f9bc8f4b9bcf57c3c666cc5bc9d1299 \ - --hash=sha256:d62e51710986674142526ab9f78663ca2b0726066ae26b78b22e0f5e571238dd \ - --hash=sha256:db901e2ac34c931d73054d9797383d0f8009991e723dab15109740a63e7f902a \ - --hash=sha256:e03b8895a6990c9ab2cdcd0f2fe44088ca1c65ae592b8f795c3294af00a461c3 \ - --hash=sha256:e1c8a2f4c69e08e89632defbfabec2feb8a8d99edc9f89ce33c4b9e36ab63037 \ - --hash=sha256:e4b749b9cc6ee664a3300bb3a273c1ca8068c46be705b6c31cf5d276f8628a94 \ - --hash=sha256:e6a5bf2cba5ae1bb80b154ed68a3cfa2fa00fde979a7f50d6598d3e17d9ac20c \ - --hash=sha256:e857a2232ba53ae940d3456f7533ce6ca98b81917d47adc3c7fd55dad8fab858 \ - --hash=sha256:ee4006268ed33370957f55bf2e6f4d263eaf4dc3cfc473d1d90baff6ed36ce4a \ - --hash=sha256:eef9df1eefada2c09a5e7a40991b9fc6ac6ef20b1372abd48d2794a316dc0449 \ - --hash=sha256:f058f6963fd82eb143c692cecdc89e075fa0828db2e5b291070485390b2f1c9c \ - --hash=sha256:f25c229a6ba38a35ae6e25ca1264621cc25d4d38dca2942a7fce0b67a4efe918 \ - --hash=sha256:f2a1d0fd4242bd8643ce6f98927cf9c04540af6efa92323e9d3124f57727bfc1 \ - --hash=sha256:f7560358a6811e52e9c4d142d497f1a6e10103d3a6881f18d04dbce3729c0e2c \ - --hash=sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac \ - --hash=sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa +charset-normalizer==3.3.0 \ + --hash=sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843 \ + --hash=sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786 \ + --hash=sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e \ + --hash=sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8 \ + --hash=sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4 \ + --hash=sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa \ + --hash=sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d \ + --hash=sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82 \ + --hash=sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7 \ + --hash=sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895 \ + --hash=sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d \ + --hash=sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a \ + --hash=sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382 \ + --hash=sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678 \ + --hash=sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b \ + --hash=sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e \ + --hash=sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741 \ + --hash=sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4 \ + --hash=sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596 \ + --hash=sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9 \ + --hash=sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69 \ + --hash=sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c \ + --hash=sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77 \ + --hash=sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13 \ + --hash=sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459 \ + --hash=sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e \ + --hash=sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7 \ + --hash=sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908 \ + --hash=sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a \ + --hash=sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f \ + --hash=sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8 \ + --hash=sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482 \ + --hash=sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d \ + --hash=sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d \ + --hash=sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545 \ + --hash=sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34 \ + --hash=sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86 \ + --hash=sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6 \ + --hash=sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe \ + --hash=sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e \ + --hash=sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc \ + --hash=sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7 \ + --hash=sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd \ + --hash=sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c \ + --hash=sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557 \ + --hash=sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a \ + --hash=sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89 \ + --hash=sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078 \ + --hash=sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e \ + --hash=sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4 \ + --hash=sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403 \ + --hash=sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0 \ + --hash=sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89 \ + --hash=sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115 \ + --hash=sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9 \ + --hash=sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05 \ + --hash=sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a \ + --hash=sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec \ + --hash=sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56 \ + --hash=sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38 \ + --hash=sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479 \ + --hash=sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c \ + --hash=sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e \ + --hash=sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd \ + --hash=sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186 \ + --hash=sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455 \ + --hash=sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c \ + --hash=sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65 \ + --hash=sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78 \ + --hash=sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287 \ + --hash=sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df \ + --hash=sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43 \ + --hash=sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1 \ + --hash=sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7 \ + --hash=sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989 \ + --hash=sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a \ + --hash=sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63 \ + --hash=sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884 \ + --hash=sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649 \ + --hash=sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810 \ + --hash=sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828 \ + --hash=sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4 \ + --hash=sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2 \ + --hash=sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd \ + --hash=sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5 \ + --hash=sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe \ + --hash=sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293 \ + --hash=sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e \ + --hash=sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e \ + --hash=sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8 # via requests cryptography==41.0.4 \ --hash=sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67 \ From 2824865f8053a154eec7bb4a2c78bcf59b784e85 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 22:19:19 +0000 Subject: [PATCH 0530/1014] Bump platformdirs from 3.10.0 to 3.11.0 (#9684) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.10.0 to 3.11.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.10.0...3.11.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 39f2f4c53ab9..ecad2788e860 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -89,7 +89,7 @@ pathspec==0.11.2 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.10.0 +platformdirs==3.11.0 # via # black # virtualenv From 2a9e4df296ca8d2a483dba8f1752c16184a86b78 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 22:19:31 +0000 Subject: [PATCH 0531/1014] Bump coverage from 7.3.1 to 7.3.2 (#9685) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.1 to 7.3.2. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.3.1...7.3.2) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ecad2788e860..ebc2a064c6dd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -29,7 +29,7 @@ click==8.1.7 # via black colorlog==6.7.0 # via nox -coverage==7.3.1; python_version >= "3.8" +coverage==7.3.2; python_version >= "3.8" # via pytest-cov distlib==0.3.7 # via virtualenv From eaa922ba65f1fcfc143c080117602f765f7a19f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 22:19:50 +0000 Subject: [PATCH 0532/1014] Bump ruff from 0.0.291 to 0.0.292 (#9686) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.291 to 0.0.292. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/BREAKING_CHANGES.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.291...v0.0.292) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ebc2a064c6dd..2e97b6a5ec86 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.6.0 # via twine -ruff==0.0.291 +ruff==0.0.292 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 2c5b3ef40dedd5bfaffe6f999c802402cdae84cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 22:20:05 +0000 Subject: [PATCH 0533/1014] Bump urllib3 from 2.0.5 to 2.0.6 (#9687) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.5 to 2.0.6. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/v2.0.5...2.0.6) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2e97b6a5ec86..7be08d60032f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -181,7 +181,7 @@ twine==4.0.2 # via cryptography (pyproject.toml) typing-extensions==4.8.0; python_version >= "3.8" # via mypy -urllib3==2.0.5 +urllib3==2.0.6 # via # requests # twine From a5f9cac9b0393ee3a6c53aa3958f78e71d2cb332 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 18:24:20 -0400 Subject: [PATCH 0534/1014] Bump actions/setup-python from 4.7.0 to 4.7.1 (#9688) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.0 to 4.7.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/61a6322f88396a6271a6ee3565807d608ecaddd1...65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 5eb8a12b7beb..eda9e5d7c3cd 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -35,7 +35,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 309c31f13814..953b42778e40 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -64,7 +64,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -241,7 +241,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 @@ -300,7 +300,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -375,7 +375,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -420,7 +420,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.11' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 13f89bbc1f9b..67774a07931c 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index b6429014a80b..666b56940bee 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -28,7 +28,7 @@ jobs: permissions: id-token: "write" steps: - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: "3.11" - name: Get publish-requirements.txt from repository diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 06541ece8a56..6ba5b072d2b3 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -215,7 +215,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -306,7 +306,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 47d96f990e9b0858e72500f3727319b1e8504e97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 18:37:39 -0400 Subject: [PATCH 0535/1014] Bump grpclib from 0.4.5 to 0.4.6 in /.github/requirements (#9690) Bumps [grpclib](https://github.com/vmagamedov/grpclib) from 0.4.5 to 0.4.6. - [Commits](https://github.com/vmagamedov/grpclib/compare/v0.4.5...v0.4.6) --- updated-dependencies: - dependency-name: grpclib dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index cc49a5f77c42..1e00c72da226 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -198,8 +198,8 @@ docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b # via readme-renderer -grpclib==0.4.5 \ - --hash=sha256:bf83ed55aca59497e168761d9555056efc54a8f865316c3b39becd007e9f9a73 +grpclib==0.4.6 \ + --hash=sha256:595d05236ca8b8f8e433f5bf6095e6354c1d8777d003ddaf5288efa9611e3fd6 # via betterproto h2==4.1.0 \ --hash=sha256:03a46bcf682256c95b5fd9e9a99c1323584c3eec6440d379b9903d709476bc6d \ From bbaefb5da3593f9615c984253b5db61d71ceb545 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Oct 2023 18:51:40 -0400 Subject: [PATCH 0536/1014] Bump urllib3 from 2.0.5 to 2.0.6 in /.github/requirements (#9689) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.5 to 2.0.6. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/v2.0.5...2.0.6) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1e00c72da226..7449628604f2 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -549,9 +549,9 @@ typing-extensions==4.8.0 \ # via # pydantic # pydantic-core -urllib3==2.0.5 \ - --hash=sha256:13abf37382ea2ce6fb744d4dad67838eec857c9f4f57009891805e0b5e123594 \ - --hash=sha256:ef16afa8ba34a1f989db38e1dbbe0c302e4289a47856990d0682e374563ce35e +urllib3==2.0.6 \ + --hash=sha256:7a7c7003b000adf9e7ca2a377c9688bbc54ed41b985789ed576570342a375cd2 \ + --hash=sha256:b19e1a85d206b56d7df1d5e683df4a7725252a964e3993648dd0fb5a1c157564 # via # requests # twine From d95e3f058d17e8031808ddf2767e34e817b6e01d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 3 Oct 2023 00:18:14 +0000 Subject: [PATCH 0537/1014] Bump BoringSSL and/or OpenSSL in CI (#9691) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 953b42778e40..f0abe5b306b6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12-dev", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 30, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bd20800c22fc8402611b537287bd6948c3f2a5a8"}} - # Latest commit on the OpenSSL master branch, as of Sep 30, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8ed76c62b5d3214e807e684c06efd69c6471c800"}} + # Latest commit on the OpenSSL master branch, as of Oct 03, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ad4af6dfca8344516bb658b1745a530635af9433"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From b72c0d78a9c679f9fb325fcaa27e214433013e0a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Oct 2023 07:00:11 -0400 Subject: [PATCH 0538/1014] Bump babel from 2.12.1 to 2.13.0 (#9692) Bumps [babel](https://github.com/python-babel/babel) from 2.12.1 to 2.13.0. - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](https://github.com/python-babel/babel/compare/v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: babel dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7be08d60032f..eebf09053200 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -9,7 +9,7 @@ alabaster==0.7.13 # via sphinx argcomplete==3.1.2 # via nox -babel==2.12.1 +babel==2.13.0 # via sphinx black==23.9.1 # via cryptography (pyproject.toml) From e947701b14cfb33fa2f7d31134c06aa395750938 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Oct 2023 07:16:06 -0400 Subject: [PATCH 0539/1014] Bump securesystemslib from 0.29.0 to 0.30.0 in /.github/requirements (#9693) Bumps [securesystemslib](https://github.com/secure-systems-lab/securesystemslib) from 0.29.0 to 0.30.0. - [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases) - [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md) - [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.29.0...v0.30.0) --- updated-dependencies: - dependency-name: securesystemslib dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7449628604f2..89e412fa1c73 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -517,9 +517,9 @@ secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -securesystemslib==0.29.0 \ - --hash=sha256:658ea4d41bbe6bc574758f91ba809812e08a22fddebb6ee4ea837f72591f136a \ - --hash=sha256:dcfcb70562ad76069f71da9916a3cb7bc85fbf6cd51216c741a00096cf58dc6c +securesystemslib==0.30.0 \ + --hash=sha256:6a769e4816921ac4059c8c149ab5f69ed7cd92859857f0e17b67a3dd7bbee866 \ + --hash=sha256:8b290de294aa0972c4ac6ecb036da24ed86e312de980c57adf1b92ad37667e43 # via # sigstore # tuf From 1380c475dbe082c94f9b464313205dbaf210c814 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 3 Oct 2023 17:04:52 -0400 Subject: [PATCH 0540/1014] Use 3.12 final in CI (#9682) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f0abe5b306b6..bdec22a170eb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,7 +43,7 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - - {VERSION: "3.12-dev", NOXSESSION: "tests"} + - {VERSION: "3.12", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Sep 30, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bd20800c22fc8402611b537287bd6948c3f2a5a8"}} # Latest commit on the OpenSSL master branch, as of Oct 03, 2023. From b3e7766b97f53214677b7e9e6a7e1932849faf03 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 4 Oct 2023 00:18:17 +0000 Subject: [PATCH 0541/1014] Bump BoringSSL and/or OpenSSL in CI (#9694) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bdec22a170eb..7fefd86e87db 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - {VERSION: "3.12", NOXSESSION: "tests"} - # Latest commit on the BoringSSL master branch, as of Sep 30, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bd20800c22fc8402611b537287bd6948c3f2a5a8"}} - # Latest commit on the OpenSSL master branch, as of Oct 03, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ad4af6dfca8344516bb658b1745a530635af9433"}} + # Latest commit on the BoringSSL master branch, as of Oct 04, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "81ed2b3f6a135449772c46980067b8d4f71f5c82"}} + # Latest commit on the OpenSSL master branch, as of Oct 04, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2b74e75331a27fc89cad9c8ea6a26c70019300b5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 3a77c154b3992d6a6760f74cc2f0ace611cc1ed0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Oct 2023 06:45:04 -0400 Subject: [PATCH 0542/1014] Bump check-sdist from 0.1.2 to 0.1.3 (#9695) Bumps [check-sdist](https://github.com/henryiii/check-sdist) from 0.1.2 to 0.1.3. - [Release notes](https://github.com/henryiii/check-sdist/releases) - [Commits](https://github.com/henryiii/check-sdist/compare/v0.1.2...v0.1.3) --- updated-dependencies: - dependency-name: check-sdist dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index eebf09053200..24826bc61276 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -23,7 +23,7 @@ certifi==2023.7.22 # via requests charset-normalizer==3.3.0 # via requests -check-sdist==0.1.2 +check-sdist==0.1.3 # via cryptography (pyproject.toml) click==8.1.7 # via black From d849cb02e659854c171db806db8e20e18ea1a3b1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 5 Oct 2023 00:18:30 +0000 Subject: [PATCH 0543/1014] Bump BoringSSL and/or OpenSSL in CI (#9696) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7fefd86e87db..0a18f630c735 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} # Latest commit on the BoringSSL master branch, as of Oct 04, 2023. - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "81ed2b3f6a135449772c46980067b8d4f71f5c82"}} - # Latest commit on the OpenSSL master branch, as of Oct 04, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2b74e75331a27fc89cad9c8ea6a26c70019300b5"}} + # Latest commit on the OpenSSL master branch, as of Oct 05, 2023. + - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11f69aa50771d50151fa24c55fd0858db30517df"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From a87d041ab72d5a890da1aa2df75bad368e2dec1b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 5 Oct 2023 08:39:31 -0400 Subject: [PATCH 0544/1014] Bump default CI job to 3.12 (#9697) --- .github/workflows/ci.yml | 47 +++++++++++++++++++------------------- docs/spelling_wordlist.txt | 1 + noxfile.py | 2 +- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a18f630c735..35e7d95fa327 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,35 +27,34 @@ jobs: fail-fast: false matrix: PYTHON: - - {VERSION: "3.11", NOXSESSION: "flake"} - - {VERSION: "3.11", NOXSESSION: "rust"} - - {VERSION: "3.11", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} + - {VERSION: "3.12", NOXSESSION: "flake"} + - {VERSION: "3.12", NOXSESSION: "rust"} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.11"}} - - {VERSION: "3.11", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - - {VERSION: "3.11", NOXSESSION: "tests-randomorder"} - - {VERSION: "3.12", NOXSESSION: "tests"} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.11"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} + - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 04, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "81ed2b3f6a135449772c46980067b8d4f71f5c82"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "81ed2b3f6a135449772c46980067b8d4f71f5c82"}} # Latest commit on the OpenSSL master branch, as of Oct 05, 2023. - - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11f69aa50771d50151fa24c55fd0858db30517df"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11f69aa50771d50151fa24c55fd0858db30517df"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin # 1.65 - Generic associated types (GATs) - - {VERSION: "3.11", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} - - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "1.64.0"} - - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "beta"} - - {VERSION: "3.11", NOXSESSION: "rust,tests", RUST: "nightly"} + - {VERSION: "3.12", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} + - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.64.0"} + - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} + - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 @@ -223,7 +222,7 @@ jobs: - {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.11", NOXSESSION: "tests"} + - {VERSION: "3.12", NOXSESSION: "tests"} exclude: # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} @@ -291,7 +290,7 @@ jobs: - {ARCH: 'x64', WINDOWS: 'win64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.11", NOXSESSION: "tests"} + - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 @@ -422,7 +421,7 @@ jobs: if: ${{ always() }} uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: - python-version: '3.11' + python-version: '3.12' cache: pip cache-dependency-path: ci-constraints-requirements.txt - run: pip install -c ci-constraints-requirements.txt coverage[toml] diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 485f452db014..60113c130caa 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -114,6 +114,7 @@ Schneier scrypt serializer Serializers +setuptools SHA Solaris Sur diff --git a/noxfile.py b/noxfile.py index f64827477d6a..472bc6cb6608 100644 --- a/noxfile.py +++ b/noxfile.py @@ -184,7 +184,7 @@ def rust(session: nox.Session) -> None: # Just install the dependencies needed for the Rust build.rs # TODO: Ideally there'd be a pip flag to install just our dependencies, # but not install us. - install(session, "cffi") + install(session, "cffi", "setuptools") with session.chdir("src/rust/"): session.run("cargo", "fmt", "--all", "--", "--check", external=True) From 5964d0358fd4ad4978427ed68aee50990176c97d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 5 Oct 2023 20:21:31 -0400 Subject: [PATCH 0545/1014] Bump BoringSSL and/or OpenSSL in CI (#9698) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 35e7d95fa327..6eb3c6548dbb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 04, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "81ed2b3f6a135449772c46980067b8d4f71f5c82"}} - # Latest commit on the OpenSSL master branch, as of Oct 05, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11f69aa50771d50151fa24c55fd0858db30517df"}} + # Latest commit on the BoringSSL master branch, as of Oct 06, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1982649e01adb75ac7dcf400920ca7064dec352"}} + # Latest commit on the OpenSSL master branch, as of Oct 06, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7ae31586a77c09d45838fff73b589b2958fbd18b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 5b12d65f528c10f90d5248325ec170d36971284e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Oct 2023 07:08:02 -0400 Subject: [PATCH 0546/1014] Bump proc-macro2 from 1.0.67 to 1.0.68 in /src/rust (#9699) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.67 to 1.0.68. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.67...1.0.68) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1b6f68ddd458..0ca28808882e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -247,9 +247,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.67" +version = "1.0.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d433d9f1a3e8c1263d9456598b16fec66f4acc9a74dacffd35c7bb09b3a1328" +checksum = "5b1106fec09662ec6dd98ccac0f81cef56984d0b49f75c92d8cbad76e20c005c" dependencies = [ "unicode-ident", ] From 4cd984e1bbce639245a8d70716eb87d89ee428e6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 6 Oct 2023 16:37:48 -0400 Subject: [PATCH 0547/1014] validation/types: add DNSConstraint, rename IPConstraint (#9700) * validation/types: add DNSConstraint, rename IPConstraint This further fleshes out the helper types for name constraint checking, as a breakout from #8873. Co-authored-by: Alex Cameron Signed-off-by: William Woodruff * types: drop unnecessary traits Signed-off-by: William Woodruff * types: don't do coverage in doctests Signed-off-by: William Woodruff * types: avoid unnecessary Vec + rev Signed-off-by: William Woodruff * types: update comment Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 5 +- .../cryptography-x509-validation/src/types.rs | 128 ++++++++++++++---- 2 files changed, 106 insertions(+), 27 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 17e7e636e71d..b9bc437901b3 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -19,7 +19,7 @@ use cryptography_x509::oid::{ }; use crate::ops::CryptoOps; -use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; +use crate::types::{DNSName, DNSPattern, IPAddress, IPConstraint}; // RSASSA‐PKCS1‐v1_5 with SHA‐256 static RSASSA_PKCS1V15_SHA256: AlgorithmIdentifier<'_> = AlgorithmIdentifier { @@ -125,7 +125,7 @@ impl Subject<'_> { DNSPattern::new(pattern.0).map_or(false, |p| p.matches(name)) } (GeneralName::IPAddress(pattern), Self::IP(name)) => { - IPRange::from_bytes(pattern).map_or(false, |p| p.matches(name)) + IPConstraint::from_bytes(pattern).map_or(false, |p| p.matches(name)) } _ => false, } @@ -218,7 +218,6 @@ mod tests { use cryptography_x509::{ extensions::SubjectAlternativeName, name::{GeneralName, UnvalidatedIA5String}, - oid::EXTENDED_KEY_USAGE_OID, }; use crate::{ diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-validation/src/types.rs index 515962ad13aa..2868c59cc3ef 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs +++ b/src/rust/cryptography-x509-validation/src/types.rs @@ -69,6 +69,12 @@ impl<'a> DNSName<'a> { None => None, } } + + /// Returns this DNS name's labels, in reversed order + /// (from top-level domain to most-specific subdomain). + fn rlabels(&self) -> impl Iterator { + self.as_str().rsplit('.') + } } impl PartialEq for DNSName<'_> { @@ -113,6 +119,48 @@ impl<'a> DNSPattern<'a> { } } +/// A `DNSConstraint` represents a DNS name constraint as defined in [RFC 5280 4.2.1.10]. +/// +/// [RFC 5280 4.2.1.10]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 +pub struct DNSConstraint<'a>(DNSName<'a>); + +impl<'a> DNSConstraint<'a> { + pub fn new(pattern: &'a str) -> Option { + DNSName::new(pattern).map(Self) + } + + /// Returns true if this `DNSConstraint` matches the given name. + /// + /// Constraint matching is defined by RFC 5280: any DNS name that can + /// be constructed by simply adding zero or more labels to the left-hand + /// side of the name satisfies the name constraint. + /// + /// ```rust + /// # use cryptography_x509_validation::types::{DNSConstraint, DNSName}; + /// let example_com = DNSName::new("example.com").unwrap(); + /// let badexample_com = DNSName::new("badexample.com").unwrap(); + /// let foo_example_com = DNSName::new("foo.example.com").unwrap(); + /// assert!(DNSConstraint::new(example_com.as_str()).unwrap().matches(&example_com)); + /// assert!(DNSConstraint::new(example_com.as_str()).unwrap().matches(&foo_example_com)); + /// assert!(!DNSConstraint::new(example_com.as_str()).unwrap().matches(&badexample_com)); + /// ``` + pub fn matches(&self, name: &DNSName<'_>) -> bool { + // NOTE: This may seem like an obtuse way to perform label matching, + // but it saves us a few allocations: doing a substring check instead + // would require us to clone each string and do case normalization. + // Note also that we check the length in advance: Rust's zip + // implementation terminates with the shorter iterator, so we need + // to first check that the candidate name is at least as long as + // the constraint it's matching against. + name.as_str().len() >= self.0.as_str().len() + && self + .0 + .rlabels() + .zip(name.rlabels()) + .all(|(a, o)| a.eq_ignore_ascii_case(o)) + } +} + #[derive(Copy, Clone, Debug, PartialEq, Eq)] pub struct IPAddress(IpAddr); @@ -206,17 +254,17 @@ impl From for IPAddress { } #[derive(Debug, PartialEq, Eq)] -pub struct IPRange { +pub struct IPConstraint { address: IPAddress, prefix: u8, } -/// An `IPRange` represents a CIDR-style address range used in a name constraints +/// An `IPConstraint` represents a CIDR-style IP address range used in a name constraints /// extension, as defined by [RFC 5280 4.2.1.10]. /// /// [RFC 5280 4.2.1.10]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 -impl IPRange { - /// Constructs an `IPRange` from a slice. The input slice must be 8 (IPv4) +impl IPConstraint { + /// Constructs an `IPConstraint` from a slice. The input slice must be 8 (IPv4) /// or 32 (IPv6) bytes long and contain two IP addresses, the first being /// a subnet and the second defining the subnet's mask. /// @@ -231,18 +279,18 @@ impl IPRange { }; let prefix = IPAddress::from_bytes(&b[slice_idx..])?.as_prefix()?; - Some(IPRange { + Some(IPConstraint { address: IPAddress::from_bytes(&b[..slice_idx])?.mask(prefix), prefix, }) } - /// Determines if the `addr` is within the `IPRange`. + /// Determines if the `addr` is within the `IPConstraint`. /// /// ```rust - /// # use cryptography_x509_validation::types::{IPAddress,IPRange}; + /// # use cryptography_x509_validation::types::{IPAddress, IPConstraint}; /// let range_bytes = b"\xc6\x33\x64\x00\xff\xff\xff\x00"; - /// let range = IPRange::from_bytes(range_bytes).unwrap(); + /// let range = IPConstraint::from_bytes(range_bytes).unwrap(); /// assert!(range.matches(&IPAddress::from_str("198.51.100.42").unwrap())); /// ``` pub fn matches(&self, addr: &IPAddress) -> bool { @@ -252,7 +300,7 @@ impl IPRange { #[cfg(test)] mod tests { - use crate::types::{DNSName, DNSPattern, IPAddress, IPRange}; + use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint}; #[test] fn test_dnsname_debug_trait() { @@ -286,6 +334,8 @@ mod tests { assert_eq!(DNSName::new("foo.bar-.example.com"), None); assert_eq!(DNSName::new(&"a".repeat(64)), None); assert_eq!(DNSName::new("⚠️"), None); + assert_eq!(DNSName::new(".foo.example"), None); + assert_eq!(DNSName::new(".example.com"), None); let long_valid_label = "a".repeat(63); let long_name = std::iter::repeat(long_valid_label) @@ -386,6 +436,36 @@ mod tests { assert!(!any_localhost.matches(&DNSName::new("localhost").unwrap())); } + #[test] + fn test_dnsconstraint_new() { + assert!(DNSConstraint::new("").is_none()); + assert!(DNSConstraint::new(".").is_none()); + assert!(DNSConstraint::new("*.").is_none()); + assert!(DNSConstraint::new("*").is_none()); + assert!(DNSConstraint::new(".example").is_none()); + assert!(DNSConstraint::new("*.example").is_none()); + assert!(DNSConstraint::new("*.example.com").is_none()); + + assert!(DNSConstraint::new("example").is_some()); + assert!(DNSConstraint::new("example.com").is_some()); + assert!(DNSConstraint::new("foo.example.com").is_some()); + } + + #[test] + fn test_dnsconstraint_matches() { + let example_com = DNSConstraint::new("example.com").unwrap(); + + // Exact domain and arbitrary subdomains match. + assert!(example_com.matches(&DNSName::new("example.com").unwrap())); + assert!(example_com.matches(&DNSName::new("foo.example.com").unwrap())); + assert!(example_com.matches(&DNSName::new("foo.bar.baz.quux.example.com").unwrap())); + + // Parent domains, distinct domains, and substring domains do not match. + assert!(!example_com.matches(&DNSName::new("com").unwrap())); + assert!(!example_com.matches(&DNSName::new("badexample.com").unwrap())); + assert!(!example_com.matches(&DNSName::new("wrong.com").unwrap())); + } + #[test] fn test_ipaddress_from_str() { assert_ne!(IPAddress::from_str("192.168.1.1"), None) @@ -442,7 +522,7 @@ mod tests { } #[test] - fn test_iprange_from_bytes() { + fn test_ipconstraint_from_bytes() { let ipv4_bad = b"\xc0\xa8\x01\x01\xff\xfe\xff\x00"; let ipv4_bad_many_bits = b"\xc0\xa8\x01\x01\xff\xfc\xff\x00"; let ipv4_bad_octet = b"\xc0\xa8\x01\x01\x00\xff\xff\xff"; @@ -458,38 +538,38 @@ mod tests { \x00\x00\x00\x00\x00\x00\x00\x00"; let bad = b"\xff\xff\xff"; - assert_eq!(IPRange::from_bytes(ipv4_bad), None); - assert_eq!(IPRange::from_bytes(ipv4_bad_many_bits), None); - assert_eq!(IPRange::from_bytes(ipv4_bad_octet), None); - assert_eq!(IPRange::from_bytes(ipv6_bad), None); - assert_ne!(IPRange::from_bytes(ipv6_good), None); - assert_eq!(IPRange::from_bytes(bad), None); + assert_eq!(IPConstraint::from_bytes(ipv4_bad), None); + assert_eq!(IPConstraint::from_bytes(ipv4_bad_many_bits), None); + assert_eq!(IPConstraint::from_bytes(ipv4_bad_octet), None); + assert_eq!(IPConstraint::from_bytes(ipv6_bad), None); + assert_ne!(IPConstraint::from_bytes(ipv6_good), None); + assert_eq!(IPConstraint::from_bytes(bad), None); // 192.168.1.1/16 let ipv4_with_extra = b"\xc0\xa8\x01\x01\xff\xff\x00\x00"; - assert_ne!(IPRange::from_bytes(ipv4_with_extra), None); + assert_ne!(IPConstraint::from_bytes(ipv4_with_extra), None); // 192.168.0.0/16 let ipv4_masked = b"\xc0\xa8\x00\x00\xff\xff\x00\x00"; assert_eq!( - IPRange::from_bytes(ipv4_with_extra), - IPRange::from_bytes(ipv4_masked) + IPConstraint::from_bytes(ipv4_with_extra), + IPConstraint::from_bytes(ipv4_masked) ); } #[test] - fn test_iprange_matches() { + fn test_ipconstraint_matches() { // 192.168.1.1/16 - let ipv4 = IPRange::from_bytes(b"\xc0\xa8\x01\x01\xff\xff\x00\x00").unwrap(); - let ipv4_32 = IPRange::from_bytes(b"\xc0\x00\x02\xde\xff\xff\xff\xff").unwrap(); - let ipv6 = IPRange::from_bytes( + let ipv4 = IPConstraint::from_bytes(b"\xc0\xa8\x01\x01\xff\xff\x00\x00").unwrap(); + let ipv4_32 = IPConstraint::from_bytes(b"\xc0\x00\x02\xde\xff\xff\xff\xff").unwrap(); + let ipv6 = IPConstraint::from_bytes( b"\x26\x00\x0d\xb8\x00\x00\x00\x00\ \x00\x00\x00\x00\x00\x00\x00\x01\ \xff\xff\xff\xff\x00\x00\x00\x00\ \x00\x00\x00\x00\x00\x00\x00\x00", ) .unwrap(); - let ipv6_128 = IPRange::from_bytes( + let ipv6_128 = IPConstraint::from_bytes( b"\x26\x00\x0d\xb8\x00\x00\x00\x00\ \x00\x00\x00\x00\xff\x00\xde\xde\ \xff\xff\xff\xff\xff\xff\xff\xff\ From c40a44caabaf18ed08d99cbf6aec48a88d3ee1b8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 7 Oct 2023 00:19:26 +0000 Subject: [PATCH 0548/1014] Bump BoringSSL and/or OpenSSL in CI (#9701) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6eb3c6548dbb..d099abe56621 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 06, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a1982649e01adb75ac7dcf400920ca7064dec352"}} - # Latest commit on the OpenSSL master branch, as of Oct 06, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7ae31586a77c09d45838fff73b589b2958fbd18b"}} + # Latest commit on the BoringSSL master branch, as of Oct 07, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6d3db84c47643271cb553593ee67362be3820874"}} + # Latest commit on the OpenSSL master branch, as of Oct 07, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "79997a919f6cf3823d04fa9b34adaaa5aadd871a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 27c62512cffbca5499e5041d35519c8f8434dc67 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 00:21:27 +0000 Subject: [PATCH 0549/1014] Bump BoringSSL and/or OpenSSL in CI (#9702) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d099abe56621..4d9c797a0db1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 07, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6d3db84c47643271cb553593ee67362be3820874"}} - # Latest commit on the OpenSSL master branch, as of Oct 07, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "79997a919f6cf3823d04fa9b34adaaa5aadd871a"}} + # Latest commit on the OpenSSL master branch, as of Oct 09, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "50b3c47b65e47a4f52ed1c47a0f248beb890193e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From b6b10c7a7e28c565741291c31c1105bef1a0be96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 07:29:35 -0400 Subject: [PATCH 0550/1014] Bump annotated-types from 0.5.0 to 0.6.0 in /.github/requirements (#9707) Bumps [annotated-types](https://github.com/annotated-types/annotated-types) from 0.5.0 to 0.6.0. - [Release notes](https://github.com/annotated-types/annotated-types/releases) - [Commits](https://github.com/annotated-types/annotated-types/compare/v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: annotated-types dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 89e412fa1c73..f72431cd9e63 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -4,9 +4,9 @@ # # pip-compile --generate-hashes publish-requirements.in # -annotated-types==0.5.0 \ - --hash=sha256:47cdc3490d9ac1506ce92c7aaa76c579dc3509ff11e098fc867e5130ab7be802 \ - --hash=sha256:58da39888f92c276ad970249761ebea80ba544b77acddaa1a4d6cf78287d45fd +annotated-types==0.6.0 \ + --hash=sha256:0641064de18ba7a25dee8f96403ebc39113d0cb953a01429249d5c7564666a43 \ + --hash=sha256:563339e807e53ffd9c267e99fc6d9ea23eb8443c08f112651963e24e22f84a5d # via pydantic appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ From 6968a21ac69628593526f35e8e4bc3e0991e4c9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 07:30:43 -0400 Subject: [PATCH 0551/1014] Bump bleach from 6.0.0 to 6.1.0 (#9706) Bumps [bleach](https://github.com/mozilla/bleach) from 6.0.0 to 6.1.0. - [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES) - [Commits](https://github.com/mozilla/bleach/compare/v6.0.0...v6.1.0) --- updated-dependencies: - dependency-name: bleach dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 24826bc61276..1ae798acf6de 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -13,7 +13,7 @@ babel==2.13.0 # via sphinx black==23.9.1 # via cryptography (pyproject.toml) -bleach==6.0.0 +bleach==6.1.0 # via readme-renderer build==1.0.3 # via From 56f91dd705c44ece645222ddd14f3854d14cae12 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 07:31:02 -0400 Subject: [PATCH 0552/1014] Bump proc-macro2 from 1.0.68 to 1.0.69 in /src/rust (#9705) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.68 to 1.0.69. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.68...1.0.69) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0ca28808882e..17967f9e51c6 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -247,9 +247,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.68" +version = "1.0.69" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b1106fec09662ec6dd98ccac0f81cef56984d0b49f75c92d8cbad76e20c005c" +checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da" dependencies = [ "unicode-ident", ] From fe31098740572bf344fb87c48d3cca5cd7a9344d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 07:31:21 -0400 Subject: [PATCH 0553/1014] Bump libc from 0.2.148 to 0.2.149 in /src/rust (#9704) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.148 to 0.2.149. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.148...0.2.149) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 17967f9e51c6..b7560418612f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -140,9 +140,9 @@ checksum = "bfa799dd5ed20a7e349f3b4639aa80d74549c81716d9ec4f994c9b5815598306" [[package]] name = "libc" -version = "0.2.148" +version = "0.2.149" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9cdc71e17332e86d2e1d38c1f99edcb6288ee11b815fb1a4b049eaa2114d369b" +checksum = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b" [[package]] name = "lock_api" From 07b1c9961d6166f9afd00916ef6f0b2f263077bc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 9 Oct 2023 10:21:14 -0400 Subject: [PATCH 0554/1014] Simplify release script (#9703) --- release.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/release.py b/release.py index 9fa5240625ee..2315a43e9df2 100644 --- a/release.py +++ b/release.py @@ -44,8 +44,7 @@ def release(version: str) -> None: def replace_version( p: pathlib.Path, variable_name: str, new_version: str ) -> None: - with p.open() as f: - content = f.read() + content = p.read_text() pattern = rf"^{variable_name}\s*=\s*.*$" match = re.search(pattern, content, re.MULTILINE) @@ -56,9 +55,7 @@ def replace_version( content[:start] + f'{variable_name} = "{new_version}"' + content[end:] ) - # Write back to file - with p.open("w") as f: - f.write(new_content) + p.write_text(new_content) @cli.command() From 6a346f9a1ef8e1fd35e7f2facee7a3202c475752 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 00:18:02 +0000 Subject: [PATCH 0555/1014] Bump BoringSSL and/or OpenSSL in CI (#9708) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4d9c797a0db1..694844bbb02e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 07, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6d3db84c47643271cb553593ee67362be3820874"}} - # Latest commit on the OpenSSL master branch, as of Oct 09, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "50b3c47b65e47a4f52ed1c47a0f248beb890193e"}} + # Latest commit on the BoringSSL master branch, as of Oct 10, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b975f12a2fa3f313b98b0dc40a9bc9e8c0667d08"}} + # Latest commit on the OpenSSL master branch, as of Oct 10, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "91895e39b10033178e662fc7427a09d7562cf8e1"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From f0d63b80d4e9e4441617bb10f79a0ecc3c72cfe1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 11 Oct 2023 00:19:32 +0000 Subject: [PATCH 0556/1014] Bump BoringSSL and/or OpenSSL in CI (#9710) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 694844bbb02e..e29d6347b554 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 10, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b975f12a2fa3f313b98b0dc40a9bc9e8c0667d08"}} - # Latest commit on the OpenSSL master branch, as of Oct 10, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "91895e39b10033178e662fc7427a09d7562cf8e1"}} + # Latest commit on the BoringSSL master branch, as of Oct 11, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "d94be4172325d0ac239ef3046d2c609aebeaf00a"}} + # Latest commit on the OpenSSL master branch, as of Oct 11, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ac0677bd2394c04632f7ad526879a866b6ed149f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From bcb2ed477cbdc21137ea3a35726bb85416266536 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Oct 2023 06:50:00 -0400 Subject: [PATCH 0557/1014] Bump mypy from 1.5.1 to 1.6.0 (#9711) Bumps [mypy](https://github.com/python/mypy) from 1.5.1 to 1.6.0. - [Commits](https://github.com/python/mypy/compare/v1.5.1...v1.6.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1ae798acf6de..2b0520cccfec 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==10.1.0 # via jaraco-classes -mypy==1.5.1 +mypy==1.6.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From dd9dd3e125a6fd3d57cb8b9b034d4b83b405c381 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 11 Oct 2023 08:29:37 -0400 Subject: [PATCH 0558/1014] Added missing type annotation (#9712) --- src/_cffi_src/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py index 8a6f9b2772a8..e942eddd4630 100644 --- a/src/_cffi_src/utils.py +++ b/src/_cffi_src/utils.py @@ -12,7 +12,7 @@ # Load the cryptography __about__ to get the current package version base_src = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) -about = {} +about: dict = {} with open(os.path.join(base_src, "cryptography", "__about__.py")) as f: exec(f.read(), about) From 40dfa188135c18672a79bf312aa90689b362ea53 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 11 Oct 2023 17:55:05 -0400 Subject: [PATCH 0559/1014] Bump to pyo3 0.20 (#9714) --- src/rust/Cargo.lock | 54 +++++++++++++-------------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/src/backend/ec.rs | 2 +- 4 files changed, 28 insertions(+), 32 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b7560418612f..de407b5edd3c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -19,7 +19,7 @@ checksum = "861af988fac460ac69a09f41e6217a8fb9178797b76fcc9478444be6a59be19c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.28", + "syn", ] [[package]] @@ -132,11 +132,17 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" +[[package]] +name = "heck" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" + [[package]] name = "indoc" -version = "1.0.9" +version = "2.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfa799dd5ed20a7e349f3b4639aa80d74549c81716d9ec4f994c9b5815598306" +checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" [[package]] name = "libc" @@ -192,7 +198,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.28", + "syn", ] [[package]] @@ -256,9 +262,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.19.2" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e681a6cfdc4adcc93b4d3cf993749a4552018ee0a9b65fc0ccfad74352c72a38" +checksum = "04e8453b658fe480c3e70c8ed4e3d3ec33eb74988bd186561b0cc66b85c3bc4b" dependencies = [ "cfg-if", "indoc", @@ -273,9 +279,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.19.2" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "076c73d0bc438f7a4ef6fdd0c3bb4732149136abd952b110ac93e4edb13a6ba5" +checksum = "a96fe70b176a89cff78f2fa7b3c930081e163d5379b4dcdf993e3ae29ca662e5" dependencies = [ "once_cell", "target-lexicon", @@ -283,9 +289,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.19.2" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e53cee42e77ebe256066ba8aa77eff722b3bb91f3419177cf4cd0f304d3284d9" +checksum = "214929900fd25e6604661ed9cf349727c8920d47deff196c4e28165a6ef2a96b" dependencies = [ "libc", "pyo3-build-config", @@ -293,25 +299,26 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.19.2" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfeb4c99597e136528c6dd7d5e3de5434d1ceaf487436a3f03b2d56b6fc9efd1" +checksum = "dac53072f717aa1bfa4db832b39de8c875b7c7af4f4a6fe93cdbf9264cf8383b" dependencies = [ "proc-macro2", "pyo3-macros-backend", "quote", - "syn 1.0.109", + "syn", ] [[package]] name = "pyo3-macros-backend" -version = "0.19.2" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "947dc12175c254889edc0c02e399476c2f652b4b9ebd123aa655c224de259536" +checksum = "7774b5a8282bd4f25f803b1f0d945120be959a36c72e08e7cd031c792fdfd424" dependencies = [ + "heck", "proc-macro2", "quote", - "syn 1.0.109", + "syn", ] [[package]] @@ -350,17 +357,6 @@ version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" -[[package]] -name = "syn" -version = "1.0.109" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" -dependencies = [ - "proc-macro2", - "quote", - "unicode-ident", -] - [[package]] name = "syn" version = "2.0.28" @@ -386,9 +382,9 @@ checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unindent" -version = "0.1.11" +version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1766d682d402817b5ac4490b3c3002d91dfa0d22812f341609f97b08757359c" +checksum = "c7de7d73e1754487cb58364ee906a499937a0dfabd86bcb980fa99ec8c8fa2ce" [[package]] name = "vcpkg" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 6a30b6afbf59..b7a366dc4ceb 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.63.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.19", features = ["abi3-py37"] } +pyo3 = { version = "0.20", features = ["abi3-py37"] } asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 9c3f2eb86e74..e0ff392ffd74 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -pyo3 = { version = "0.19", features = ["abi3-py37"] } +pyo3 = { version = "0.20", features = ["abi3-py37"] } openssl-sys = "0.9.93" [build-dependencies] diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index e6cba24ecc7d..927c39b3f5c2 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -94,7 +94,7 @@ fn py_curve_from_curve<'p>( Ok(types::CURVE_TYPES .get(py)? .extract::<&pyo3::types::PyDict>()? - .get_item(name) + .get_item(name)? .ok_or_else(|| { CryptographyError::from(exceptions::UnsupportedAlgorithm::new_err(( format!("{} is not a supported elliptic curve", name), From 519a9fe0462cd60600993be46aacf7161fd24ca7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 11 Oct 2023 20:48:04 -0400 Subject: [PATCH 0560/1014] Bump BoringSSL and/or OpenSSL in CI (#9715) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e29d6347b554..2ef85eee7070 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 11, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "d94be4172325d0ac239ef3046d2c609aebeaf00a"}} - # Latest commit on the OpenSSL master branch, as of Oct 11, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ac0677bd2394c04632f7ad526879a866b6ed149f"}} + # Latest commit on the BoringSSL master branch, as of Oct 12, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5555991d3729d4231671214f0b9ba4858a5a8a81"}} + # Latest commit on the OpenSSL master branch, as of Oct 12, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "eaee1765a49c6a8ba728e3e2d18bb67bff8aaa55"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 5963480036342fc206712c912b9fd0818588dcfc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 11 Oct 2023 21:27:31 -0400 Subject: [PATCH 0561/1014] Simplify rust code with new pyo3 0.20 features (#9716) --- src/rust/src/backend/dh.rs | 12 ++---------- src/rust/src/backend/dsa.rs | 12 ++---------- src/rust/src/backend/ec.rs | 12 ++---------- src/rust/src/backend/ed25519.rs | 12 ++---------- src/rust/src/backend/ed448.rs | 12 ++---------- src/rust/src/backend/rsa.rs | 12 ++---------- src/rust/src/backend/x25519.rs | 12 ++---------- src/rust/src/backend/x448.rs | 12 ++---------- src/rust/src/oid.rs | 14 ++------------ src/rust/src/x509/certificate.rs | 18 ++---------------- src/rust/src/x509/crl.rs | 18 ++---------------- src/rust/src/x509/csr.rs | 17 +++-------------- src/rust/src/x509/sct.rs | 14 ++------------ tests/x509/test_x509.py | 4 ++-- 14 files changed, 29 insertions(+), 152 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 204b9ebc5b3a..eb177cde44fe 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -320,16 +320,8 @@ impl DHPublicKey { .call1((py_pub_key, parameter_numbers))?) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, DHPublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index f5606e9c4a0c..fa4c9ae9d0ed 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -263,16 +263,8 @@ impl DsaPublicKey { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, DsaPublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 927c39b3f5c2..96e42f4ec3ec 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -496,16 +496,8 @@ impl ECPublicKey { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, ECPublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index ba90eff08b5e..93ea3f6e8a87 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -152,16 +152,8 @@ impl Ed25519PublicKey { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, Ed25519PublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 2c54226eb405..9950cf4b19c5 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -149,16 +149,8 @@ impl Ed448PublicKey { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, Ed448PublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 5460cb3a1578..86168e3b8d8f 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -557,16 +557,8 @@ impl RsaPublicKey { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, RsaPublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index ec89a758a2b1..8c9c93f066f6 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -140,16 +140,8 @@ impl X25519PublicKey { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, X25519PublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 9e6f4fd0d301..c466c337b222 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -139,16 +139,8 @@ impl X448PublicKey { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, X448PublicKey>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.pkey.public_eq(&other.pkey)), - pyo3::basic::CompareOp::Ne => Ok(!self.pkey.public_eq(&other.pkey)), - _ => Err(pyo3::exceptions::PyTypeError::new_err("Cannot be ordered")), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { + self.pkey.public_eq(&other.pkey) } fn __copy__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 9dbf63ed46aa..094b2c0b2110 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -54,18 +54,8 @@ impl ObjectIdentifier { )) } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, ObjectIdentifier>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.oid == other.oid), - pyo3::basic::CompareOp::Ne => Ok(self.oid != other.oid), - _ => Err(pyo3::exceptions::PyTypeError::new_err( - "ObjectIdentifiers cannot be ordered", - )), - } + fn __eq__(&self, other: pyo3::PyRef<'_, ObjectIdentifier>) -> bool { + self.oid == other.oid } fn __hash__(&self) -> u64 { diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 5da224afcf88..a7817f4be582 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -49,22 +49,8 @@ impl Certificate { hasher.finish() } - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, Certificate>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => { - Ok(self.raw.borrow_dependent() == other.raw.borrow_dependent()) - } - pyo3::basic::CompareOp::Ne => { - Ok(self.raw.borrow_dependent() != other.raw.borrow_dependent()) - } - _ => Err(pyo3::exceptions::PyTypeError::new_err( - "Certificates cannot be ordered", - )), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Certificate>) -> bool { + self.raw.borrow_dependent() == other.raw.borrow_dependent() } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 9513c3aba918..bdea230a3898 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -103,22 +103,8 @@ impl CertificateRevocationList { #[pyo3::prelude::pymethods] impl CertificateRevocationList { - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, CertificateRevocationList>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => { - Ok(self.owned.borrow_dependent() == other.owned.borrow_dependent()) - } - pyo3::basic::CompareOp::Ne => { - Ok(self.owned.borrow_dependent() != other.owned.borrow_dependent()) - } - _ => Err(pyo3::exceptions::PyTypeError::new_err( - "CRLs cannot be ordered", - )), - } + fn __eq__(&self, other: pyo3::PyRef<'_, CertificateRevocationList>) -> bool { + self.owned.borrow_dependent() == other.owned.borrow_dependent() } fn __len__(&self) -> usize { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index cab13b7a1033..6adb7abb4c3d 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -36,23 +36,12 @@ impl CertificateSigningRequest { hasher.finish() } - fn __richcmp__( + fn __eq__( &self, py: pyo3::Python<'_>, other: pyo3::PyRef<'_, CertificateSigningRequest>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => { - Ok(self.raw.borrow_owner().as_bytes(py) == other.raw.borrow_owner().as_bytes(py)) - } - pyo3::basic::CompareOp::Ne => { - Ok(self.raw.borrow_owner().as_bytes(py) != other.raw.borrow_owner().as_bytes(py)) - } - _ => Err(pyo3::exceptions::PyTypeError::new_err( - "CSRs cannot be ordered", - )), - } + ) -> bool { + self.raw.borrow_owner().as_bytes(py) == other.raw.borrow_owner().as_bytes(py) } fn public_key<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 29d3697019ce..119def248453 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -142,18 +142,8 @@ pub(crate) struct Sct { #[pyo3::prelude::pymethods] impl Sct { - fn __richcmp__( - &self, - other: pyo3::PyRef<'_, Sct>, - op: pyo3::basic::CompareOp, - ) -> pyo3::PyResult { - match op { - pyo3::basic::CompareOp::Eq => Ok(self.sct_data == other.sct_data), - pyo3::basic::CompareOp::Ne => Ok(self.sct_data != other.sct_data), - _ => Err(pyo3::exceptions::PyTypeError::new_err( - "SCTs cannot be ordered", - )), - } + fn __eq__(&self, other: pyo3::PyRef<'_, Sct>) -> bool { + self.sct_data == other.sct_data } fn __hash__(&self) -> u64 { diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index f834834165aa..08e51ba7c64b 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -1493,7 +1493,7 @@ def test_ordering_unsupported(self, backend): os.path.join("x509", "custom", "post2000utctime.pem"), x509.load_pem_x509_certificate, ) - with pytest.raises(TypeError, match="cannot be ordered"): + with pytest.raises(TypeError, match="'>' not supported"): cert > cert2 # type: ignore[operator] def test_hash(self, backend): @@ -2164,7 +2164,7 @@ def test_ordering_unsupported(self, backend): os.path.join("x509", "requests", "rsa_sha256.pem"), x509.load_pem_x509_csr, ) - with pytest.raises(TypeError, match="cannot be ordered"): + with pytest.raises(TypeError, match="'>' not supported"): csr > csr2 # type: ignore[operator] def test_hash(self, backend): From fbccf2d3e3a13cff5cad1f35645f1a7b93601bda Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Oct 2023 08:44:52 -0400 Subject: [PATCH 0562/1014] Bump syn from 2.0.28 to 2.0.38 in /src/rust (#9717) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.28 to 2.0.38. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.28...2.0.38) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index de407b5edd3c..e28689253362 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" [[package]] name = "syn" -version = "2.0.28" +version = "2.0.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04361975b3f5e348b2189d8dc55bc942f278b2d482a6a0365de5bdd62d351567" +checksum = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b" dependencies = [ "proc-macro2", "quote", From e7aeb1795239370c43976a9fb2b3d23b5e959015 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 12 Oct 2023 22:18:06 -0400 Subject: [PATCH 0563/1014] Bump BoringSSL and/or OpenSSL in CI (#9718) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2ef85eee7070..41d8516735f2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 12, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5555991d3729d4231671214f0b9ba4858a5a8a81"}} + # Latest commit on the BoringSSL master branch, as of Oct 13, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8d71d244c0debac4079beeb02b5802fde59b94bd"}} # Latest commit on the OpenSSL master branch, as of Oct 12, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "eaee1765a49c6a8ba728e3e2d18bb67bff8aaa55"}} # Builds with various Rust versions. Includes MSRV and next From 4b24343a87d185c38f5ece1ba9ccb6aa9f426554 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 13 Oct 2023 20:39:01 -0400 Subject: [PATCH 0564/1014] Bump BoringSSL and/or OpenSSL in CI (#9720) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 41d8516735f2..f3ba973837a1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 13, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8d71d244c0debac4079beeb02b5802fde59b94bd"}} - # Latest commit on the OpenSSL master branch, as of Oct 12, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "eaee1765a49c6a8ba728e3e2d18bb67bff8aaa55"}} + # Latest commit on the OpenSSL master branch, as of Oct 14, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cd138c33d82cc889fe6a16d18806fbe939279d25"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 552d234248438350336b80bf21b74408996f6cdd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Oct 2023 07:04:41 -0400 Subject: [PATCH 0565/1014] Bump tuf from 3.0.0 to 3.1.0 in /.github/requirements (#9721) Bumps [tuf](https://github.com/theupdateframework/python-tuf) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/theupdateframework/python-tuf/releases) - [Changelog](https://github.com/theupdateframework/python-tuf/blob/develop/docs/CHANGELOG.md) - [Commits](https://github.com/theupdateframework/python-tuf/compare/v3.0.0...v3.1.0) --- updated-dependencies: - dependency-name: tuf dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f72431cd9e63..76172240cd23 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -535,9 +535,9 @@ six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 # via python-dateutil -tuf==3.0.0 \ - --hash=sha256:493f5e9dc60c6a216320a82e052f6bd6f4b12cf8dfafc90ce6de537545ccfa61 \ - --hash=sha256:e8fb94cb38f472530d591c59e87f22698355a673231f5bf50d7d1da4842c0007 +tuf==3.1.0 \ + --hash=sha256:3a4e9abba9d03c221842f62a9a687d51cc2b4a26c43ee7deb1ffb5fa2fb49374 \ + --hash=sha256:a8f055fbaf90d1477258c98fe29d23217e793ca0bdc5fb5a7d252ff5acecddc0 # via sigstore twine==4.0.2 \ --hash=sha256:929bc3c280033347a00f847236564d1c52a3e61b1ac2516c97c48f3ceab756d8 \ From e2739d8af0f9063d7d49992a94078f97d16997a6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 17 Oct 2023 00:19:10 +0000 Subject: [PATCH 0566/1014] Bump BoringSSL and/or OpenSSL in CI (#9723) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f3ba973837a1..0e40f607feb7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 13, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8d71d244c0debac4079beeb02b5802fde59b94bd"}} - # Latest commit on the OpenSSL master branch, as of Oct 14, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cd138c33d82cc889fe6a16d18806fbe939279d25"}} + # Latest commit on the BoringSSL master branch, as of Oct 17, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5d58c559ace6a24ea6613e412b26bd4c50668ab3"}} + # Latest commit on the OpenSSL master branch, as of Oct 17, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "143ca66cf00c88950d689a8aa0c89888052669f4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 0f3a32eb5c4c03e65375cd10f6d2cd97f45043c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Oct 2023 01:41:01 +0000 Subject: [PATCH 0567/1014] Bump ruff from 0.0.292 to 0.1.0 (#9724) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.0.292 to 0.1.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.0.292...v0.1.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2b0520cccfec..d0839352c190 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.6.0 # via twine -ruff==0.0.292 +ruff==0.1.0 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From bbcf28cebf612d6f4afb073258a515f33fbfcbc7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Oct 2023 17:32:06 -0400 Subject: [PATCH 0568/1014] Bump urllib3 from 2.0.6 to 2.0.7 (#9725) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.6...2.0.7) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d0839352c190..e4066c7d46f8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -181,7 +181,7 @@ twine==4.0.2 # via cryptography (pyproject.toml) typing-extensions==4.8.0; python_version >= "3.8" # via mypy -urllib3==2.0.6 +urllib3==2.0.7 # via # requests # twine From 46b65761d03ffa1292b1ecf222fd36e451d4d43a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Oct 2023 17:32:17 -0400 Subject: [PATCH 0569/1014] Bump urllib3 from 2.0.6 to 2.0.7 in /.github/requirements (#9726) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.6 to 2.0.7. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.6...2.0.7) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 76172240cd23..7862023812f5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -549,9 +549,9 @@ typing-extensions==4.8.0 \ # via # pydantic # pydantic-core -urllib3==2.0.6 \ - --hash=sha256:7a7c7003b000adf9e7ca2a377c9688bbc54ed41b985789ed576570342a375cd2 \ - --hash=sha256:b19e1a85d206b56d7df1d5e683df4a7725252a964e3993648dd0fb5a1c157564 +urllib3==2.0.7 \ + --hash=sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84 \ + --hash=sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e # via # requests # twine From 5278578faf07aae0c57ca90f1ec470efc1282b22 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 17 Oct 2023 20:45:56 -0400 Subject: [PATCH 0570/1014] Bump BoringSSL and/or OpenSSL in CI (#9727) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e40f607feb7..554de8dfed9f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 17, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "5d58c559ace6a24ea6613e412b26bd4c50668ab3"}} - # Latest commit on the OpenSSL master branch, as of Oct 17, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "143ca66cf00c88950d689a8aa0c89888052669f4"}} + # Latest commit on the BoringSSL master branch, as of Oct 18, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3763efb56b5282cf92d71c259576352555c1a8f8"}} + # Latest commit on the OpenSSL master branch, as of Oct 18, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "410c80dc7bf2085167553ab9fa517189eed2b3a6"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From ec87945303e07cb1ca6c797f322b770fd3c5f918 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Oct 2023 02:17:50 +0000 Subject: [PATCH 0571/1014] Bump black from 23.9.1 to 23.10.0 (#9731) Bumps [black](https://github.com/psf/black) from 23.9.1 to 23.10.0. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](https://github.com/psf/black/compare/23.9.1...23.10.0) --- updated-dependencies: - dependency-name: black dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e4066c7d46f8..31673246d5b9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.1.2 # via nox babel==2.13.0 # via sphinx -black==23.9.1 +black==23.10.0 # via cryptography (pyproject.toml) bleach==6.1.0 # via readme-renderer From cd1c6d4a8fb5992e05289ada969cbd16d40c9a99 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Oct 2023 02:18:09 +0000 Subject: [PATCH 0572/1014] Bump lock_api from 0.4.10 to 0.4.11 in /src/rust (#9733) Bumps [lock_api](https://github.com/Amanieu/parking_lot) from 0.4.10 to 0.4.11. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/lock_api-0.4.10...lock_api-0.4.11) --- updated-dependencies: - dependency-name: lock_api dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e28689253362..6a02925ce08e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -152,9 +152,9 @@ checksum = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b" [[package]] name = "lock_api" -version = "0.4.10" +version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1cc9717a20b1bb222f333e6a92fd32f7d8a18ddc5a3191a11af45dcbf4dcd16" +checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" dependencies = [ "autocfg", "scopeguard", From c388662cf3a32fd51fe1864e7a3b885c6f6f44ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Oct 2023 02:24:43 +0000 Subject: [PATCH 0573/1014] Bump parking_lot_core from 0.9.8 to 0.9.9 in /src/rust (#9730) Bumps [parking_lot_core](https://github.com/Amanieu/parking_lot) from 0.9.8 to 0.9.9. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/core-0.9.8...core-0.9.9) --- updated-dependencies: - dependency-name: parking_lot_core dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6a02925ce08e..ced8b8e53aa3 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -225,9 +225,9 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.8" +version = "0.9.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93f00c865fe7cabf650081affecd3871070f26767e7b2070a3ffae14c654b447" +checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" dependencies = [ "cfg-if", "libc", @@ -332,9 +332,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.3.5" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29" +checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" dependencies = [ "bitflags 1.3.2", ] From a31b0ef531df78d39308b5a6a3fcef53e34d97f6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Oct 2023 22:25:18 -0400 Subject: [PATCH 0574/1014] Bump sigstore from 2.0.0 to 2.0.1 in /.github/requirements (#9734) Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.0.0 to 2.0.1. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.0.0...v2.0.1) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7862023812f5..423db2b0cfaf 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -194,10 +194,18 @@ cryptography==41.0.4 \ # pyopenssl # secretstorage # sigstore +dnspython==2.4.2 \ + --hash=sha256:57c6fbaaeaaf39c891292012060beb141791735dbb4004798328fc2c467402d8 \ + --hash=sha256:8dcfae8c7460a2f84b4072e26f1c9f4101ca20c071649cb7c34e8b6a93d58984 + # via email-validator docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b # via readme-renderer +email-validator==2.0.0.post2 \ + --hash=sha256:1ff6e86044200c56ae23595695c54e9614f4a9551e0e393614f764860b3d7900 \ + --hash=sha256:2466ba57cda361fb7309fd3d5a225723c788ca4bbad32a0ebd5373b99730285c + # via pydantic grpclib==0.4.6 \ --hash=sha256:595d05236ca8b8f8e433f5bf6095e6354c1d8777d003ddaf5288efa9611e3fd6 # via betterproto @@ -220,7 +228,9 @@ id==1.1.0 \ idna==3.4 \ --hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \ --hash=sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2 - # via requests + # via + # email-validator + # requests importlib-metadata==6.8.0 \ --hash=sha256:3ebb78df84a805d7698245025b975d9d67053cd94c79245ba4b3eb694abe68bb \ --hash=sha256:dbace7892d8c0c4ac1ad096662232f831d4e64f4c4545bd53016a3e9d4654743 @@ -355,12 +365,13 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic==2.4.2 \ +pydantic[email]==2.4.2 \ --hash=sha256:94f336138093a5d7f426aac732dcfe7ab4eb4da243c88f891d65deb4a2556ee7 \ --hash=sha256:bc3ddf669d234f4220e6e1c4d96b061abe0998185a8d7855c0126782b7abc8c1 # via # id # sigstore + # sigstore-rekor-types pydantic-core==2.10.1 \ --hash=sha256:042462d8d6ba707fd3ce9649e7bf268633a41018d6a998fb5fbacb7e928a183e \ --hash=sha256:0523aeb76e03f753b58be33b26540880bac5aa54422e4462404c432230543f33 \ @@ -523,14 +534,18 @@ securesystemslib==0.30.0 \ # via # sigstore # tuf -sigstore==2.0.0 \ - --hash=sha256:ef342f4fd4fc03f8ca12b58462683da099e26279ff6eba8fc3ec03f86e1c42ed \ - --hash=sha256:fed5457c3be16c9dff6367dad9062260d67761a46cb1e7cf0ca8c96b96632bb7 +sigstore==2.0.1 \ + --hash=sha256:1ec613be4e9623e3b7992cf92be7e127c470141ecae691fdc417d2855f7b25f4 \ + --hash=sha256:78013eaa2207c054ac803b361f8722011766d243bcbfa50c6e48003df2e3ca2f # via -r publish-requirements.in sigstore-protobuf-specs==0.2.1 \ --hash=sha256:5add858b87fb119607fcab48cad5b880d414a1ac8dc60cf0bf63148dd89ac194 \ --hash=sha256:ea9db15cd2fa7229d3647d0c47079f246bfb177b6a6189647224910b0a740da9 # via sigstore +sigstore-rekor-types==0.0.11 \ + --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ + --hash=sha256:b63b4dc6dd70a3f69b236575146a18c357a3743172a03e8ceb18bbc25ef2563b + # via sigstore six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 From 7231b4b48244995b30955f7949cb2cf67ec5302b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Oct 2023 07:06:12 -0400 Subject: [PATCH 0575/1014] Bump mypy from 1.6.0 to 1.6.1 (#9735) Bumps [mypy](https://github.com/python/mypy) from 1.6.0 to 1.6.1. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 31673246d5b9..a324121bb13f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==10.1.0 # via jaraco-classes -mypy==1.6.0 +mypy==1.6.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From 4a308c0840aa313e46d8b85be085c44416f090a4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 18 Oct 2023 17:42:53 -0700 Subject: [PATCH 0576/1014] Bump BoringSSL and/or OpenSSL in CI (#9736) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 554de8dfed9f..4ce6b37e96af 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 18, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3763efb56b5282cf92d71c259576352555c1a8f8"}} - # Latest commit on the OpenSSL master branch, as of Oct 18, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "410c80dc7bf2085167553ab9fa517189eed2b3a6"}} + # Latest commit on the BoringSSL master branch, as of Oct 19, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9e6144382ca4752591910b38b71a3301d97999df"}} + # Latest commit on the OpenSSL master branch, as of Oct 19, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e62097f48c3d0b8b61ca6a061b8098b0086b3fbc"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 37dc67e5240df6663255af2221c948b84a01d03f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Oct 2023 07:15:33 -0400 Subject: [PATCH 0577/1014] Bump sigstore-protobuf-specs in /.github/requirements (#9737) Bumps [sigstore-protobuf-specs](https://github.com/sigstore/protobuf-specs) from 0.2.1 to 0.2.2. - [Release notes](https://github.com/sigstore/protobuf-specs/releases) - [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/protobuf-specs/compare/v0.2.1...release/python/v0.2.2) --- updated-dependencies: - dependency-name: sigstore-protobuf-specs dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 423db2b0cfaf..8f21df63427c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -12,9 +12,9 @@ appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 # via sigstore -betterproto==2.0.0b5 \ - --hash=sha256:00a301c70a2db4d3cdd2b261522ae1d34972fb04b655a154d67daaaf4131102e \ - --hash=sha256:d3e6115c7d5136f1d5974e565b7560273f66b43065e74218e472321ee1258f4c +betterproto==2.0.0b6 \ + --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ + --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf # via sigstore-protobuf-specs certifi==2023.7.22 \ --hash=sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082 \ @@ -538,9 +538,9 @@ sigstore==2.0.1 \ --hash=sha256:1ec613be4e9623e3b7992cf92be7e127c470141ecae691fdc417d2855f7b25f4 \ --hash=sha256:78013eaa2207c054ac803b361f8722011766d243bcbfa50c6e48003df2e3ca2f # via -r publish-requirements.in -sigstore-protobuf-specs==0.2.1 \ - --hash=sha256:5add858b87fb119607fcab48cad5b880d414a1ac8dc60cf0bf63148dd89ac194 \ - --hash=sha256:ea9db15cd2fa7229d3647d0c47079f246bfb177b6a6189647224910b0a740da9 +sigstore-protobuf-specs==0.2.2 \ + --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ + --hash=sha256:c05c1e7478a80af0c7dea9cc2d11f047826e4c029573d564137f788e11377391 # via sigstore sigstore-rekor-types==0.0.11 \ --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ From 7a6bf2254d9f85f3cc384cba0012ec33dfb81bda Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 19 Oct 2023 18:31:06 -0400 Subject: [PATCH 0578/1014] Added binding needed for pyOpenSSL (#9739) --- src/_cffi_src/openssl/x509.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index f071be3d231a..5c5d7335df7e 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -192,6 +192,9 @@ const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *); const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *); + +void X509_ALGOR_get0(const ASN1_OBJECT **, int *, const void **, + const X509_ALGOR *); """ CUSTOMIZATIONS = """ From e177413a47df597cbf193a42fb9a04dfe06c94e4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 19 Oct 2023 17:22:38 -0700 Subject: [PATCH 0579/1014] Bump BoringSSL and/or OpenSSL in CI (#9741) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4ce6b37e96af..3fc3f9baf704 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 19, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9e6144382ca4752591910b38b71a3301d97999df"}} - # Latest commit on the OpenSSL master branch, as of Oct 19, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e62097f48c3d0b8b61ca6a061b8098b0086b3fbc"}} + # Latest commit on the BoringSSL master branch, as of Oct 20, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "39d7ee9c8262d9cd3338735bf3e95649857375e5"}} + # Latest commit on the OpenSSL master branch, as of Oct 20, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "098f27f9ef8be2a418f76896ee3c824e8709fcf7"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 24fd23d15af984d6fc647358ac447ffb2c5721e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Oct 2023 07:09:03 -0400 Subject: [PATCH 0580/1014] Bump target-lexicon from 0.12.11 to 0.12.12 in /src/rust (#9742) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.11 to 0.12.12. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.11...v0.12.12) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ced8b8e53aa3..69be6c3de9ea 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -370,9 +370,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.11" +version = "0.12.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d0e916b1148c8e263850e1ebcbd046f333e0683c724876bb0da63ea4373dc8a" +checksum = "14c39fd04924ca3a864207c66fc2cd7d22d7c016007f9ce846cbb9326331930a" [[package]] name = "unicode-ident" From 2212438b5d745432c1eeb81bc2ebcd3c15dbd369 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Oct 2023 07:09:24 -0400 Subject: [PATCH 0581/1014] Bump ruff from 0.1.0 to 0.1.1 (#9743) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.0 to 0.1.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.0...v0.1.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a324121bb13f..15c48ce339a6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.6.0 # via twine -ruff==0.1.0 +ruff==0.1.1 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 35e7c91d8f04563144fe1770f84c31116bb03193 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 21 Oct 2023 00:21:03 +0000 Subject: [PATCH 0582/1014] Bump BoringSSL and/or OpenSSL in CI (#9745) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3fc3f9baf704..45f6644a2ced 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 20, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "39d7ee9c8262d9cd3338735bf3e95649857375e5"}} - # Latest commit on the OpenSSL master branch, as of Oct 20, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "098f27f9ef8be2a418f76896ee3c824e8709fcf7"}} + # Latest commit on the BoringSSL master branch, as of Oct 21, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfa8369795b7533a222a72b7a1bc928941cd66bf"}} + # Latest commit on the OpenSSL master branch, as of Oct 21, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b6eb95fa4439ea6254a5330487dabb2a499fb6c8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 57f0222d06997477c03849063c0ccabba1dc9328 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 22 Oct 2023 13:03:37 -0400 Subject: [PATCH 0583/1014] Drop support for LibreSSL 3.6.x (#9747) Per https://endoflife.date/openbsd, the OpenBSD release it corresponds to is now EOL --- .github/workflows/ci.yml | 1 - src/_cffi_src/openssl/cryptography.py | 15 --------------- src/_cffi_src/openssl/evp.py | 14 -------------- src/_cffi_src/openssl/nid.py | 6 ------ src/_cffi_src/openssl/x509v3.py | 6 +++--- .../hazmat/backends/openssl/backend.py | 4 ++-- .../hazmat/bindings/openssl/_conditional.py | 7 ------- .../hazmat/primitives/asymmetric/ed25519.py | 6 ++---- .../hazmat/primitives/asymmetric/x25519.py | 8 ++------ src/rust/build.rs | 8 ++------ src/rust/src/backend/mod.rs | 4 ---- src/rust/src/backend/utils.rs | 2 -- 12 files changed, 11 insertions(+), 70 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 45f6644a2ced..baff52c5ff16 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,7 +39,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index f5fcb04405b5..44c325749172 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -42,14 +42,6 @@ #define CRYPTOGRAPHY_IS_BORINGSSL 0 #endif -#if CRYPTOGRAPHY_IS_LIBRESSL -#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 \ - (LIBRESSL_VERSION_NUMBER < 0x3070000f) - -#else -#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 (0) -#endif - #if OPENSSL_VERSION_NUMBER < 0x10101040 #error "pyca/cryptography MUST be linked with Openssl 1.1.1d or later" #endif @@ -59,19 +51,12 @@ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \ (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL) -/* Ed25519 support is in all supported OpenSSLs as well as LibreSSL 3.7.0. */ -#define CRYPTOGRAPHY_HAS_WORKING_ED25519 \ - (!CRYPTOGRAPHY_IS_LIBRESSL || \ - (CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370)) """ TYPES = """ static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E; -static const int CRYPTOGRAPHY_HAS_WORKING_ED25519; - -static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370; static const int CRYPTOGRAPHY_IS_LIBRESSL; static const int CRYPTOGRAPHY_IS_BORINGSSL; diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 48ad0b8e58b1..7e80f36229f8 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -102,14 +102,6 @@ static const long Cryptography_HAS_SCRYPT = 1; #endif -/* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519 - conditional to remove it. OpenSSL 1.1.0 didn't have this define, but - 1.1.1 will when it is released. We can remove this in the distant - future when we drop 1.1.0 support. */ -#ifndef EVP_PKEY_X25519 -#define EVP_PKEY_X25519 NID_X25519 -#endif - /* This is tied to X448 support so we reuse the Cryptography_HAS_X448 conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove this in the distant future when we drop 1.1.0 support. */ @@ -117,12 +109,6 @@ #define EVP_PKEY_X448 NID_X448 #endif -/* This is tied to ED25519 support so we reuse the Cryptography_HAS_ED25519 - conditional to remove it. */ -#ifndef EVP_PKEY_ED25519 -#define EVP_PKEY_ED25519 0 -#endif - /* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448 conditional to remove it. */ #ifndef EVP_PKEY_ED448 diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index b35a70464ae6..0a38fe038da7 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -10,7 +10,6 @@ TYPES = """ static const int Cryptography_HAS_ED448; -static const int Cryptography_HAS_ED25519; static const int Cryptography_HAS_POLY1305; static const int NID_undef; @@ -27,11 +26,6 @@ """ CUSTOMIZATIONS = """ -#ifndef NID_ED25519 -static const long Cryptography_HAS_ED25519 = 0; -#else -static const long Cryptography_HAS_ED25519 = 1; -#endif #ifndef NID_ED448 static const long Cryptography_HAS_ED448 = 0; #else diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index 5dafabc3a89c..7f04a2cbce35 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -30,7 +30,7 @@ static const int GEN_DNS; static const int GEN_URI; -typedef struct stack_st_GENERAL_NAME GENERAL_NAMES; +typedef ... GENERAL_NAMES; /* Only include the one union element used by pyOpenSSL. */ typedef struct { @@ -56,8 +56,8 @@ void X509V3_set_ctx_nodb(X509V3_CTX *); -int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *); -GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int); +int sk_GENERAL_NAME_num(GENERAL_NAMES *); +GENERAL_NAME *sk_GENERAL_NAME_value(GENERAL_NAMES *, int); """ CUSTOMIZATIONS = """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index a909900db6a2..dd1ca9044937 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -867,7 +867,7 @@ def dh_x942_serialization_supported(self) -> bool: def x25519_supported(self) -> bool: if self._fips_enabled: return False - return not self._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 + return True def x448_supported(self) -> bool: if self._fips_enabled: @@ -880,7 +880,7 @@ def x448_supported(self) -> bool: def ed25519_supported(self) -> bool: if self._fips_enabled: return False - return self._lib.CRYPTOGRAPHY_HAS_WORKING_ED25519 + return True def ed448_supported(self) -> bool: if self._fips_enabled: diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 6dffae404d6f..ebd287b51f17 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -52,12 +52,6 @@ def cryptography_has_ed448() -> list[str]: ] -def cryptography_has_ed25519() -> list[str]: - return [ - "EVP_PKEY_ED25519", - ] - - def cryptography_has_ssl_sigalgs() -> list[str]: return [ "SSL_CTX_set1_sigalgs_list", @@ -238,7 +232,6 @@ def cryptography_has_evp_aead() -> list[str]: cryptography_has_x509_store_ctx_get_issuer ), "Cryptography_HAS_ED448": cryptography_has_ed448, - "Cryptography_HAS_ED25519": cryptography_has_ed25519, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13, diff --git a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py index c06c2c86aac6..3a26185d7dbc 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py @@ -54,8 +54,7 @@ def __eq__(self, other: object) -> bool: """ -if hasattr(rust_openssl, "ed25519"): - Ed25519PublicKey.register(rust_openssl.ed25519.Ed25519PublicKey) +Ed25519PublicKey.register(rust_openssl.ed25519.Ed25519PublicKey) class Ed25519PrivateKey(metaclass=abc.ABCMeta): @@ -114,5 +113,4 @@ def sign(self, data: bytes) -> bytes: """ -if hasattr(rust_openssl, "x25519"): - Ed25519PrivateKey.register(rust_openssl.ed25519.Ed25519PrivateKey) +Ed25519PrivateKey.register(rust_openssl.ed25519.Ed25519PrivateKey) diff --git a/src/cryptography/hazmat/primitives/asymmetric/x25519.py b/src/cryptography/hazmat/primitives/asymmetric/x25519.py index ac5e670c303f..912f8f2ca5c9 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/x25519.py +++ b/src/cryptography/hazmat/primitives/asymmetric/x25519.py @@ -48,9 +48,7 @@ def __eq__(self, other: object) -> bool: """ -# For LibreSSL -if hasattr(rust_openssl, "x25519"): - X25519PublicKey.register(rust_openssl.x25519.X25519PublicKey) +X25519PublicKey.register(rust_openssl.x25519.X25519PublicKey) class X25519PrivateKey(metaclass=abc.ABCMeta): @@ -108,6 +106,4 @@ def exchange(self, peer_public_key: X25519PublicKey) -> bytes: """ -# For LibreSSL -if hasattr(rust_openssl, "x25519"): - X25519PrivateKey.register(rust_openssl.x25519.X25519PrivateKey) +X25519PrivateKey.register(rust_openssl.x25519.X25519PrivateKey) diff --git a/src/rust/build.rs b/src/rust/build.rs index 49740fccecfb..a0b4566a753c 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -14,14 +14,10 @@ fn main() { } } - if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { - let version = u64::from_str_radix(&version, 16).unwrap(); - + if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); - if version >= 0x3_07_00_00_0 { - println!("cargo:rustc-cfg=CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER"); - } } + if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL"); } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index eb5ef8144146..4251bacfbaf3 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -6,7 +6,6 @@ pub(crate) mod aead; pub(crate) mod dh; pub(crate) mod dsa; pub(crate) mod ec; -#[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] pub(crate) mod ed25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod ed448; @@ -16,7 +15,6 @@ pub(crate) mod kdf; pub(crate) mod poly1305; pub(crate) mod rsa; pub(crate) mod utils; -#[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] pub(crate) mod x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod x448; @@ -27,12 +25,10 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; - #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] module.add_submodule(ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(ed448::create_module(module.py())?)?; - #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] module.add_submodule(x25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(x448::create_module(module.py())?)?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 6c387cbbb1f6..09dc6d67cc3e 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -71,7 +71,6 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] if raw_allowed && (encoding.is(types::ENCODING_RAW.get(py)?) || format.is(types::PRIVATE_FORMAT_RAW.get(py)?)) @@ -258,7 +257,6 @@ pub(crate) fn pkey_public_bytes<'p>( )); } - #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))] if raw_allowed && (encoding.is(types::ENCODING_RAW.get(py)?) || format.is(types::PUBLIC_FORMAT_RAW.get(py)?)) From a423a59e0c9e9a249c61447a0793406f2ed05494 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 22 Oct 2023 13:04:33 -0700 Subject: [PATCH 0584/1014] document dropping < 3.7 libre (#9748) --- CHANGELOG.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f14f5233a554..3940cb9e4e03 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,7 @@ Changelog .. note:: This version is not yet released and is under active development. +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. From a04865bdda4e4fe9094ed7b13943dbcfecd0df62 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sun, 22 Oct 2023 16:49:53 -0400 Subject: [PATCH 0585/1014] validation: add Rust-side trust store APIs (#9744) * validation: add Rust-side trust store APIs Signed-off-by: William Woodruff * remove 'static hacks Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 1 + .../cryptography-x509-validation/src/ops.rs | 22 +++++++--- .../src/trust_store.rs | 44 +++++++++++++++++++ 3 files changed, 60 insertions(+), 7 deletions(-) create mode 100644 src/rust/cryptography-x509-validation/src/trust_store.rs diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index a22922d0a964..972f357fd4c2 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -7,4 +7,5 @@ pub mod ops; pub mod policy; +pub mod trust_store; pub mod types; diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index c1565321d54a..47529cf0bc0f 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -45,10 +45,9 @@ pub(crate) mod tests { } } - #[test] - fn test_nullops() { - // Arbitrary relatively small cert (v1_cert.pem from cryptography_vectors). - let v1_cert = " + pub(crate) fn v1_cert_pem() -> pem::Pem { + pem::parse( + " -----BEGIN CERTIFICATE----- MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz @@ -58,10 +57,19 @@ AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO /Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ zl9HYIMxATFyqSiD9jsx ------END CERTIFICATE-----"; +-----END CERTIFICATE-----", + ) + .unwrap() + } - let pem = pem::parse(v1_cert.as_bytes()).unwrap(); - let cert = asn1::parse_single::>(pem.contents()).unwrap(); + pub(crate) fn cert(cert_pem: &pem::Pem) -> Certificate<'_> { + asn1::parse_single(cert_pem.contents()).unwrap() + } + + #[test] + fn test_nullops() { + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); let ops = NullOps {}; assert_eq!(ops.public_key(&cert), Ok(())); diff --git a/src/rust/cryptography-x509-validation/src/trust_store.rs b/src/rust/cryptography-x509-validation/src/trust_store.rs new file mode 100644 index 000000000000..0b2556d5337a --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/trust_store.rs @@ -0,0 +1,44 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use std::collections::HashSet; + +use cryptography_x509::certificate::Certificate; + +/// A `Store` represents the core state needed for X.509 path validation. +pub struct Store<'a>(HashSet>); + +impl<'a> Store<'a> { + /// Create a new `Store` from the given iterable certificate source. + pub fn new(trusted: impl IntoIterator>) -> Self { + Store(HashSet::from_iter(trusted)) + } + + /// Returns whether this store contains the given certificate. + pub fn contains(&self, cert: &Certificate<'a>) -> bool { + self.0.contains(cert) + } + + /// Returns an iterator over all certificates in this store. + pub fn iter(&self) -> impl Iterator> { + self.0.iter() + } +} + +#[cfg(test)] +mod tests { + use crate::ops::tests::{cert, v1_cert_pem}; + + use super::Store; + + #[test] + fn test_store() { + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); + let store = Store::new([cert.clone()]); + + assert!(store.contains(&cert)); + assert!(store.iter().collect::>() == Vec::from([&cert])); + } +} From 726794becf5f1fdb2b08e602507cfdcf214846da Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Oct 2023 07:53:36 -0400 Subject: [PATCH 0586/1014] Bump charset-normalizer from 3.3.0 to 3.3.1 in /.github/requirements (#9749) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.0...3.3.1) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 182 +++++++++--------- 1 file changed, 91 insertions(+), 91 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8f21df63427c..8a7f19711f93 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -74,97 +74,97 @@ cffi==1.16.0 \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via cryptography -charset-normalizer==3.3.0 \ - --hash=sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843 \ - --hash=sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786 \ - --hash=sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e \ - --hash=sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8 \ - --hash=sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4 \ - --hash=sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa \ - --hash=sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d \ - --hash=sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82 \ - --hash=sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7 \ - --hash=sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895 \ - --hash=sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d \ - --hash=sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a \ - --hash=sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382 \ - --hash=sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678 \ - --hash=sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b \ - --hash=sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e \ - --hash=sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741 \ - --hash=sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4 \ - --hash=sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596 \ - --hash=sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9 \ - --hash=sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69 \ - --hash=sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c \ - --hash=sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77 \ - --hash=sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13 \ - --hash=sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459 \ - --hash=sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e \ - --hash=sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7 \ - --hash=sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908 \ - --hash=sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a \ - --hash=sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f \ - --hash=sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8 \ - --hash=sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482 \ - --hash=sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d \ - --hash=sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d \ - --hash=sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545 \ - --hash=sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34 \ - --hash=sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86 \ - --hash=sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6 \ - --hash=sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe \ - --hash=sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e \ - --hash=sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc \ - --hash=sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7 \ - --hash=sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd \ - --hash=sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c \ - --hash=sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557 \ - --hash=sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a \ - --hash=sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89 \ - --hash=sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078 \ - --hash=sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e \ - --hash=sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4 \ - --hash=sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403 \ - --hash=sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0 \ - --hash=sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89 \ - --hash=sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115 \ - --hash=sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9 \ - --hash=sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05 \ - --hash=sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a \ - --hash=sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec \ - --hash=sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56 \ - --hash=sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38 \ - --hash=sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479 \ - --hash=sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c \ - --hash=sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e \ - --hash=sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd \ - --hash=sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186 \ - --hash=sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455 \ - --hash=sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c \ - --hash=sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65 \ - --hash=sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78 \ - --hash=sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287 \ - --hash=sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df \ - --hash=sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43 \ - --hash=sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1 \ - --hash=sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7 \ - --hash=sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989 \ - --hash=sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a \ - --hash=sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63 \ - --hash=sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884 \ - --hash=sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649 \ - --hash=sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810 \ - --hash=sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828 \ - --hash=sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4 \ - --hash=sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2 \ - --hash=sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd \ - --hash=sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5 \ - --hash=sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe \ - --hash=sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293 \ - --hash=sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e \ - --hash=sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e \ - --hash=sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8 +charset-normalizer==3.3.1 \ + --hash=sha256:06cf46bdff72f58645434d467bf5228080801298fbba19fe268a01b4534467f5 \ + --hash=sha256:0c8c61fb505c7dad1d251c284e712d4e0372cef3b067f7ddf82a7fa82e1e9a93 \ + --hash=sha256:10b8dd31e10f32410751b3430996f9807fc4d1587ca69772e2aa940a82ab571a \ + --hash=sha256:1171ef1fc5ab4693c5d151ae0fdad7f7349920eabbaca6271f95969fa0756c2d \ + --hash=sha256:17a866d61259c7de1bdadef418a37755050ddb4b922df8b356503234fff7932c \ + --hash=sha256:1d6bfc32a68bc0933819cfdfe45f9abc3cae3877e1d90aac7259d57e6e0f85b1 \ + --hash=sha256:1ec937546cad86d0dce5396748bf392bb7b62a9eeb8c66efac60e947697f0e58 \ + --hash=sha256:223b4d54561c01048f657fa6ce41461d5ad8ff128b9678cfe8b2ecd951e3f8a2 \ + --hash=sha256:2465aa50c9299d615d757c1c888bc6fef384b7c4aec81c05a0172b4400f98557 \ + --hash=sha256:28f512b9a33235545fbbdac6a330a510b63be278a50071a336afc1b78781b147 \ + --hash=sha256:2c092be3885a1b7899cd85ce24acedc1034199d6fca1483fa2c3a35c86e43041 \ + --hash=sha256:2c4c99f98fc3a1835af8179dcc9013f93594d0670e2fa80c83aa36346ee763d2 \ + --hash=sha256:31445f38053476a0c4e6d12b047b08ced81e2c7c712e5a1ad97bc913256f91b2 \ + --hash=sha256:31bbaba7218904d2eabecf4feec0d07469284e952a27400f23b6628439439fa7 \ + --hash=sha256:34d95638ff3613849f473afc33f65c401a89f3b9528d0d213c7037c398a51296 \ + --hash=sha256:352a88c3df0d1fa886562384b86f9a9e27563d4704ee0e9d56ec6fcd270ea690 \ + --hash=sha256:39b70a6f88eebe239fa775190796d55a33cfb6d36b9ffdd37843f7c4c1b5dc67 \ + --hash=sha256:3c66df3f41abee950d6638adc7eac4730a306b022570f71dd0bd6ba53503ab57 \ + --hash=sha256:3f70fd716855cd3b855316b226a1ac8bdb3caf4f7ea96edcccc6f484217c9597 \ + --hash=sha256:3f9bc2ce123637a60ebe819f9fccc614da1bcc05798bbbaf2dd4ec91f3e08846 \ + --hash=sha256:3fb765362688821404ad6cf86772fc54993ec11577cd5a92ac44b4c2ba52155b \ + --hash=sha256:45f053a0ece92c734d874861ffe6e3cc92150e32136dd59ab1fb070575189c97 \ + --hash=sha256:46fb9970aa5eeca547d7aa0de5d4b124a288b42eaefac677bde805013c95725c \ + --hash=sha256:4cb50a0335382aac15c31b61d8531bc9bb657cfd848b1d7158009472189f3d62 \ + --hash=sha256:4e12f8ee80aa35e746230a2af83e81bd6b52daa92a8afaef4fea4a2ce9b9f4fa \ + --hash=sha256:4f3100d86dcd03c03f7e9c3fdb23d92e32abbca07e7c13ebd7ddfbcb06f5991f \ + --hash=sha256:4f6e2a839f83a6a76854d12dbebde50e4b1afa63e27761549d006fa53e9aa80e \ + --hash=sha256:4f861d94c2a450b974b86093c6c027888627b8082f1299dfd5a4bae8e2292821 \ + --hash=sha256:501adc5eb6cd5f40a6f77fbd90e5ab915c8fd6e8c614af2db5561e16c600d6f3 \ + --hash=sha256:520b7a142d2524f999447b3a0cf95115df81c4f33003c51a6ab637cbda9d0bf4 \ + --hash=sha256:548eefad783ed787b38cb6f9a574bd8664468cc76d1538215d510a3cd41406cb \ + --hash=sha256:555fe186da0068d3354cdf4bbcbc609b0ecae4d04c921cc13e209eece7720727 \ + --hash=sha256:55602981b2dbf8184c098bc10287e8c245e351cd4fdcad050bd7199d5a8bf514 \ + --hash=sha256:58e875eb7016fd014c0eea46c6fa92b87b62c0cb31b9feae25cbbe62c919f54d \ + --hash=sha256:5a3580a4fdc4ac05f9e53c57f965e3594b2f99796231380adb2baaab96e22761 \ + --hash=sha256:5b70bab78accbc672f50e878a5b73ca692f45f5b5e25c8066d748c09405e6a55 \ + --hash=sha256:5ceca5876032362ae73b83347be8b5dbd2d1faf3358deb38c9c88776779b2e2f \ + --hash=sha256:61f1e3fb621f5420523abb71f5771a204b33c21d31e7d9d86881b2cffe92c47c \ + --hash=sha256:633968254f8d421e70f91c6ebe71ed0ab140220469cf87a9857e21c16687c034 \ + --hash=sha256:63a6f59e2d01310f754c270e4a257426fe5a591dc487f1983b3bbe793cf6bac6 \ + --hash=sha256:63accd11149c0f9a99e3bc095bbdb5a464862d77a7e309ad5938fbc8721235ae \ + --hash=sha256:6db3cfb9b4fcecb4390db154e75b49578c87a3b9979b40cdf90d7e4b945656e1 \ + --hash=sha256:71ef3b9be10070360f289aea4838c784f8b851be3ba58cf796262b57775c2f14 \ + --hash=sha256:7ae8e5142dcc7a49168f4055255dbcced01dc1714a90a21f87448dc8d90617d1 \ + --hash=sha256:7b6cefa579e1237ce198619b76eaa148b71894fb0d6bcf9024460f9bf30fd228 \ + --hash=sha256:800561453acdecedaac137bf09cd719c7a440b6800ec182f077bb8e7025fb708 \ + --hash=sha256:82ca51ff0fc5b641a2d4e1cc8c5ff108699b7a56d7f3ad6f6da9dbb6f0145b48 \ + --hash=sha256:851cf693fb3aaef71031237cd68699dded198657ec1e76a76eb8be58c03a5d1f \ + --hash=sha256:854cc74367180beb327ab9d00f964f6d91da06450b0855cbbb09187bcdb02de5 \ + --hash=sha256:87071618d3d8ec8b186d53cb6e66955ef2a0e4fa63ccd3709c0c90ac5a43520f \ + --hash=sha256:871d045d6ccc181fd863a3cd66ee8e395523ebfbc57f85f91f035f50cee8e3d4 \ + --hash=sha256:8aee051c89e13565c6bd366813c386939f8e928af93c29fda4af86d25b73d8f8 \ + --hash=sha256:8af5a8917b8af42295e86b64903156b4f110a30dca5f3b5aedea123fbd638bff \ + --hash=sha256:8ec8ef42c6cd5856a7613dcd1eaf21e5573b2185263d87d27c8edcae33b62a61 \ + --hash=sha256:91e43805ccafa0a91831f9cd5443aa34528c0c3f2cc48c4cb3d9a7721053874b \ + --hash=sha256:9505dc359edb6a330efcd2be825fdb73ee3e628d9010597aa1aee5aa63442e97 \ + --hash=sha256:985c7965f62f6f32bf432e2681173db41336a9c2611693247069288bcb0c7f8b \ + --hash=sha256:9a74041ba0bfa9bc9b9bb2cd3238a6ab3b7618e759b41bd15b5f6ad958d17605 \ + --hash=sha256:9edbe6a5bf8b56a4a84533ba2b2f489d0046e755c29616ef8830f9e7d9cf5728 \ + --hash=sha256:a15c1fe6d26e83fd2e5972425a772cca158eae58b05d4a25a4e474c221053e2d \ + --hash=sha256:a66bcdf19c1a523e41b8e9d53d0cedbfbac2e93c649a2e9502cb26c014d0980c \ + --hash=sha256:ae4070f741f8d809075ef697877fd350ecf0b7c5837ed68738607ee0a2c572cf \ + --hash=sha256:ae55d592b02c4349525b6ed8f74c692509e5adffa842e582c0f861751701a673 \ + --hash=sha256:b578cbe580e3b41ad17b1c428f382c814b32a6ce90f2d8e39e2e635d49e498d1 \ + --hash=sha256:b891a2f68e09c5ef989007fac11476ed33c5c9994449a4e2c3386529d703dc8b \ + --hash=sha256:baec8148d6b8bd5cee1ae138ba658c71f5b03e0d69d5907703e3e1df96db5e41 \ + --hash=sha256:bb06098d019766ca16fc915ecaa455c1f1cd594204e7f840cd6258237b5079a8 \ + --hash=sha256:bc791ec3fd0c4309a753f95bb6c749ef0d8ea3aea91f07ee1cf06b7b02118f2f \ + --hash=sha256:bd28b31730f0e982ace8663d108e01199098432a30a4c410d06fe08fdb9e93f4 \ + --hash=sha256:be4d9c2770044a59715eb57c1144dedea7c5d5ae80c68fb9959515037cde2008 \ + --hash=sha256:c0c72d34e7de5604df0fde3644cc079feee5e55464967d10b24b1de268deceb9 \ + --hash=sha256:c0e842112fe3f1a4ffcf64b06dc4c61a88441c2f02f373367f7b4c1aa9be2ad5 \ + --hash=sha256:c15070ebf11b8b7fd1bfff7217e9324963c82dbdf6182ff7050519e350e7ad9f \ + --hash=sha256:c2000c54c395d9e5e44c99dc7c20a64dc371f777faf8bae4919ad3e99ce5253e \ + --hash=sha256:c30187840d36d0ba2893bc3271a36a517a717f9fd383a98e2697ee890a37c273 \ + --hash=sha256:cb7cd68814308aade9d0c93c5bd2ade9f9441666f8ba5aa9c2d4b389cb5e2a45 \ + --hash=sha256:cd805513198304026bd379d1d516afbf6c3c13f4382134a2c526b8b854da1c2e \ + --hash=sha256:d0bf89afcbcf4d1bb2652f6580e5e55a840fdf87384f6063c4a4f0c95e378656 \ + --hash=sha256:d9137a876020661972ca6eec0766d81aef8a5627df628b664b234b73396e727e \ + --hash=sha256:dbd95e300367aa0827496fe75a1766d198d34385a58f97683fe6e07f89ca3e3c \ + --hash=sha256:dced27917823df984fe0c80a5c4ad75cf58df0fbfae890bc08004cd3888922a2 \ + --hash=sha256:de0b4caa1c8a21394e8ce971997614a17648f94e1cd0640fbd6b4d14cab13a72 \ + --hash=sha256:debb633f3f7856f95ad957d9b9c781f8e2c6303ef21724ec94bea2ce2fcbd056 \ + --hash=sha256:e372d7dfd154009142631de2d316adad3cc1c36c32a38b16a4751ba78da2a397 \ + --hash=sha256:ecd26be9f112c4f96718290c10f4caea6cc798459a3a76636b817a0ed7874e42 \ + --hash=sha256:edc0202099ea1d82844316604e17d2b175044f9bcb6b398aab781eba957224bd \ + --hash=sha256:f194cce575e59ffe442c10a360182a986535fd90b57f7debfaa5c845c409ecc3 \ + --hash=sha256:f5fb672c396d826ca16a022ac04c9dce74e00a1c344f6ad1a0fdc1ba1f332213 \ + --hash=sha256:f6a02a3c7950cafaadcd46a226ad9e12fc9744652cc69f9e5534f98b47f3bbcf \ + --hash=sha256:fe81b35c33772e56f4b6cf62cf4aedc1762ef7162a31e6ac7fe5e40d0149eb67 # via requests cryptography==41.0.4 \ --hash=sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67 \ From 50e08a22f94d8c0dfe1b1d1558e2c0756c0a424c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Oct 2023 07:55:13 -0400 Subject: [PATCH 0587/1014] Bump email-validator in /.github/requirements (#9750) Bumps [email-validator](https://github.com/JoshData/python-email-validator) from 2.0.0.post2 to 2.1.0.post1. - [Release notes](https://github.com/JoshData/python-email-validator/releases) - [Changelog](https://github.com/JoshData/python-email-validator/blob/main/CHANGELOG.md) - [Commits](https://github.com/JoshData/python-email-validator/commits) --- updated-dependencies: - dependency-name: email-validator dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8a7f19711f93..99df6557a999 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -202,9 +202,9 @@ docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b # via readme-renderer -email-validator==2.0.0.post2 \ - --hash=sha256:1ff6e86044200c56ae23595695c54e9614f4a9551e0e393614f764860b3d7900 \ - --hash=sha256:2466ba57cda361fb7309fd3d5a225723c788ca4bbad32a0ebd5373b99730285c +email-validator==2.1.0.post1 \ + --hash=sha256:a4b0bd1cf55f073b924258d19321b1f3aa74b4b5a71a42c305575dba920e1a44 \ + --hash=sha256:c973053efbeddfef924dc0bd93f6e77a1ea7ee0fce935aea7103c7a3d6d2d637 # via pydantic grpclib==0.4.6 \ --hash=sha256:595d05236ca8b8f8e433f5bf6095e6354c1d8777d003ddaf5288efa9611e3fd6 From 41312bf560ba4f6cb3b82336065bfd290605681a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Oct 2023 07:55:47 -0400 Subject: [PATCH 0588/1014] Bump Swatinem/rust-cache from 2.7.0 to 2.7.1 in /.github/actions/cache (#9751) Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.7.0 to 2.7.1. - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/a95ba195448af2da9b00fb742d14ffaaf3c21f43...3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8) --- updated-dependencies: - dependency-name: Swatinem/rust-cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/cache/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 53db3e1d2e65..b806abd215a2 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 + - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: key: ${{ steps.normalized-key.outputs.key }} workspaces: "./src/rust/ -> target" From 952997eb520aabfb8cfa7b8e7e4d5208a01e7d04 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Oct 2023 12:10:40 +0000 Subject: [PATCH 0589/1014] Bump charset-normalizer from 3.3.0 to 3.3.1 (#9752) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.0...3.3.1) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 15c48ce339a6..47e34b82f3c0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -21,7 +21,7 @@ build==1.0.3 # cryptography (pyproject.toml) certifi==2023.7.22 # via requests -charset-normalizer==3.3.0 +charset-normalizer==3.3.1 # via requests check-sdist==0.1.3 # via cryptography (pyproject.toml) From 724697fc848daab83332dd382b5270903ee5255a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 24 Oct 2023 00:18:21 +0000 Subject: [PATCH 0590/1014] Bump BoringSSL and/or OpenSSL in CI (#9756) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index baff52c5ff16..9c77d6bef823 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 21, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfa8369795b7533a222a72b7a1bc928941cd66bf"}} - # Latest commit on the OpenSSL master branch, as of Oct 21, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b6eb95fa4439ea6254a5330487dabb2a499fb6c8"}} + # Latest commit on the OpenSSL master branch, as of Oct 24, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fac61ea4618c83826b51aebf03cbc2bc3ac7b8c8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From b943680d4710e4b4cb5772b1f1bb69deb6673c13 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 24 Oct 2023 13:36:07 +0200 Subject: [PATCH 0591/1014] Add support for ChaCha20 in LibreSSL (#9758) --- CHANGELOG.rst | 4 +++- .../hazmat/backends/openssl/backend.py | 8 ++++++- tests/hazmat/primitives/test_chacha20.py | 21 +++++++++++++++++++ 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 3940cb9e4e03..be5ba2070299 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -38,7 +38,9 @@ Changelog :meth:`~cryptography.x509.CertificateRevocationList.next_update`, :meth:`~cryptography.x509.CertificateRevocationList.last_update` in favor of the new timezone-aware variants mentioned above. - +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` + on LibreSSL. .. _v41-0-4: diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index dd1ca9044937..733c31d47296 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -264,8 +264,14 @@ def _register_default_ciphers(self) -> None: self.register_cipher_adapter( TripleDES, ECB, GetCipherByName("des-ede3") ) + # ChaCha20 uses the Short Name "chacha20" in OpenSSL, but in LibreSSL + # it uses "chacha" self.register_cipher_adapter( - ChaCha20, type(None), GetCipherByName("chacha20") + ChaCha20, + type(None), + GetCipherByName( + "chacha" if self._lib.CRYPTOGRAPHY_IS_LIBRESSL else "chacha20" + ), ) self.register_cipher_adapter(AES, XTS, _get_xts_cipher) for mode_cls in [ECB, CBC, OFB, CFB, CTR]: diff --git a/tests/hazmat/primitives/test_chacha20.py b/tests/hazmat/primitives/test_chacha20.py index 314b0aa60666..7c52ad598d3c 100644 --- a/tests/hazmat/primitives/test_chacha20.py +++ b/tests/hazmat/primitives/test_chacha20.py @@ -69,3 +69,24 @@ def test_invalid_nonce(self): def test_invalid_key_type(self): with pytest.raises(TypeError, match="key must be bytes"): algorithms.ChaCha20("0" * 32, b"0" * 16) # type:ignore[arg-type] + + def test_partial_blocks(self, backend): + # Test that partial blocks and counter increments are handled + # correctly. Successive calls to update should return the same + # as if the entire input was passed in a single call: + # update(pt[0:n]) + update(pt[n:m]) + update(pt[m:]) == update(pt) + key = bytearray(os.urandom(32)) + nonce = bytearray(os.urandom(16)) + cipher = Cipher(algorithms.ChaCha20(key, nonce), None, backend) + pt = bytearray(os.urandom(96 * 3)) + + enc_full = cipher.encryptor() + ct_full = enc_full.update(pt) + + enc_partial = cipher.encryptor() + len_partial = len(pt) // 3 + ct_partial_1 = enc_partial.update(pt[:len_partial]) + ct_partial_2 = enc_partial.update(pt[len_partial : len_partial * 2]) + ct_partial_3 = enc_partial.update(pt[len_partial * 2 :]) + + assert ct_full == ct_partial_1 + ct_partial_2 + ct_partial_3 From 50b1813893af8424357bdc02ee119e7cad5d8669 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Oct 2023 07:36:34 -0400 Subject: [PATCH 0592/1014] Bump virtualenv from 20.24.5 to 20.24.6 (#9761) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.5 to 20.24.6. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.5...20.24.6) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 47e34b82f3c0..a35bf17b32a4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -185,7 +185,7 @@ urllib3==2.0.7 # via # requests # twine -virtualenv==20.24.5 +virtualenv==20.24.6 # via nox webencodings==0.5.1 # via bleach From ee45fde5c1e54e0c80e2f2ed9e1f4d1d282b11a8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Oct 2023 07:36:50 -0400 Subject: [PATCH 0593/1014] Bump black from 23.10.0 to 23.10.1 (#9760) Bumps [black](https://github.com/psf/black) from 23.10.0 to 23.10.1. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](https://github.com/psf/black/compare/23.10.0...23.10.1) --- updated-dependencies: - dependency-name: black dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a35bf17b32a4..9b32e6e2f6ab 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.1.2 # via nox babel==2.13.0 # via sphinx -black==23.10.0 +black==23.10.1 # via cryptography (pyproject.toml) bleach==6.1.0 # via readme-renderer From a9bac408807e588647d355372400690291294b96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Oct 2023 07:37:11 -0400 Subject: [PATCH 0594/1014] Bump base64 from 0.21.4 to 0.21.5 in /src/rust (#9759) Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.21.4 to 0.21.5. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.21.4...v0.21.5) --- updated-dependencies: - dependency-name: base64 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 69be6c3de9ea..bbd2846492cd 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" -version = "0.21.4" +version = "0.21.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2" +checksum = "35636a1494ede3b646cc98f74f8e62c773a38a659ebc777a2cf26b9b74171df9" [[package]] name = "bitflags" From ccb563dc15b53e74dfb1b4ba539eec33c883d6fc Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 24 Oct 2023 16:44:42 +0200 Subject: [PATCH 0595/1014] Fix comment on ChaCha20 backend registration (#9764) --- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 733c31d47296..52b536908dec 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -264,7 +264,7 @@ def _register_default_ciphers(self) -> None: self.register_cipher_adapter( TripleDES, ECB, GetCipherByName("des-ede3") ) - # ChaCha20 uses the Short Name "chacha20" in OpenSSL, but in LibreSSL + # ChaCha20 uses the Long Name "chacha20" in OpenSSL, but in LibreSSL # it uses "chacha" self.register_cipher_adapter( ChaCha20, From e7e420cf8f1a21cf220615e7f07fe44427a84456 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 24 Oct 2023 10:17:36 -0500 Subject: [PATCH 0596/1014] bump to latest openssl 3.0.x and 3.1.x (#9765) --- .github/workflows/ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9c77d6bef823..11b6d098c45c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,15 +29,15 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.11"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.12"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} From 54873e12ee94a459fc2bc457e9f2649f9abf34dc Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 24 Oct 2023 10:47:15 -0500 Subject: [PATCH 0597/1014] port 41.0.5 changelog to main (#9767) --- CHANGELOG.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index be5ba2070299..5bdb89901a87 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -42,6 +42,14 @@ Changelog :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` on LibreSSL. +.. _v41-0-5: + +41.0.5 - 2023-10-24 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4. +* Added a function to support an upcoming ``pyOpenSSL`` release. + .. _v41-0-4: 41.0.4 - 2023-09-19 From 0acc90d24d7fc33a0b6465a60081a930196553b7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 24 Oct 2023 21:00:05 -0400 Subject: [PATCH 0598/1014] Bump BoringSSL and/or OpenSSL in CI (#9768) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11b6d098c45c..290a83c2a37d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 21, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfa8369795b7533a222a72b7a1bc928941cd66bf"}} - # Latest commit on the OpenSSL master branch, as of Oct 24, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fac61ea4618c83826b51aebf03cbc2bc3ac7b8c8"}} + # Latest commit on the BoringSSL master branch, as of Oct 25, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "4df6f97cf9a32770b2a6ffb8da7d97845743ffb7"}} + # Latest commit on the OpenSSL master branch, as of Oct 25, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dbbdb940d421daca4a65e765b5244bde6aed3f61"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From fbc19c35c338e55a364324d41874599788021c17 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 07:04:26 -0400 Subject: [PATCH 0599/1014] Bump cryptography from 41.0.4 to 41.0.5 in /.github/requirements (#9776) Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.4 to 41.0.5. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/41.0.4...41.0.5) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 99df6557a999..7cf244cc2ed5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,30 +166,30 @@ charset-normalizer==3.3.1 \ --hash=sha256:f6a02a3c7950cafaadcd46a226ad9e12fc9744652cc69f9e5534f98b47f3bbcf \ --hash=sha256:fe81b35c33772e56f4b6cf62cf4aedc1762ef7162a31e6ac7fe5e40d0149eb67 # via requests -cryptography==41.0.4 \ - --hash=sha256:004b6ccc95943f6a9ad3142cfabcc769d7ee38a3f60fb0dddbfb431f818c3a67 \ - --hash=sha256:047c4603aeb4bbd8db2756e38f5b8bd7e94318c047cfe4efeb5d715e08b49311 \ - --hash=sha256:0d9409894f495d465fe6fda92cb70e8323e9648af912d5b9141d616df40a87b8 \ - --hash=sha256:23a25c09dfd0d9f28da2352503b23e086f8e78096b9fd585d1d14eca01613e13 \ - --hash=sha256:2ed09183922d66c4ec5fdaa59b4d14e105c084dd0febd27452de8f6f74704143 \ - --hash=sha256:35c00f637cd0b9d5b6c6bd11b6c3359194a8eba9c46d4e875a3660e3b400005f \ - --hash=sha256:37480760ae08065437e6573d14be973112c9e6dcaf5f11d00147ee74f37a3829 \ - --hash=sha256:3b224890962a2d7b57cf5eeb16ccaafba6083f7b811829f00476309bce2fe0fd \ - --hash=sha256:5a0f09cefded00e648a127048119f77bc2b2ec61e736660b5789e638f43cc397 \ - --hash=sha256:5b72205a360f3b6176485a333256b9bcd48700fc755fef51c8e7e67c4b63e3ac \ - --hash=sha256:7e53db173370dea832190870e975a1e09c86a879b613948f09eb49324218c14d \ - --hash=sha256:7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a \ - --hash=sha256:80907d3faa55dc5434a16579952ac6da800935cd98d14dbd62f6f042c7f5e839 \ - --hash=sha256:86defa8d248c3fa029da68ce61fe735432b047e32179883bdb1e79ed9bb8195e \ - --hash=sha256:8ac4f9ead4bbd0bc8ab2d318f97d85147167a488be0e08814a37eb2f439d5cf6 \ - --hash=sha256:93530900d14c37a46ce3d6c9e6fd35dbe5f5601bf6b3a5c325c7bffc030344d9 \ - --hash=sha256:9eeb77214afae972a00dee47382d2591abe77bdae166bda672fb1e24702a3860 \ - --hash=sha256:b5f4dfe950ff0479f1f00eda09c18798d4f49b98f4e2006d644b3301682ebdca \ - --hash=sha256:c3391bd8e6de35f6f1140e50aaeb3e2b3d6a9012536ca23ab0d9c35ec18c8a91 \ - --hash=sha256:c880eba5175f4307129784eca96f4e70b88e57aa3f680aeba3bab0e980b0f37d \ - --hash=sha256:cecfefa17042941f94ab54f769c8ce0fe14beff2694e9ac684176a2535bf9714 \ - --hash=sha256:e40211b4923ba5a6dc9769eab704bdb3fbb58d56c5b336d30996c24fcf12aadb \ - --hash=sha256:efc8ad4e6fc4f1752ebfb58aefece8b4e3c4cae940b0994d43649bdfce8d0d4f +cryptography==41.0.5 \ + --hash=sha256:0c327cac00f082013c7c9fb6c46b7cc9fa3c288ca702c74773968173bda421bf \ + --hash=sha256:0d2a6a598847c46e3e321a7aef8af1436f11c27f1254933746304ff014664d84 \ + --hash=sha256:227ec057cd32a41c6651701abc0328135e472ed450f47c2766f23267b792a88e \ + --hash=sha256:22892cc830d8b2c89ea60148227631bb96a7da0c1b722f2aac8824b1b7c0b6b8 \ + --hash=sha256:392cb88b597247177172e02da6b7a63deeff1937fa6fec3bbf902ebd75d97ec7 \ + --hash=sha256:3be3ca726e1572517d2bef99a818378bbcf7d7799d5372a46c79c29eb8d166c1 \ + --hash=sha256:573eb7128cbca75f9157dcde974781209463ce56b5804983e11a1c462f0f4e88 \ + --hash=sha256:580afc7b7216deeb87a098ef0674d6ee34ab55993140838b14c9b83312b37b86 \ + --hash=sha256:5a70187954ba7292c7876734183e810b728b4f3965fbe571421cb2434d279179 \ + --hash=sha256:73801ac9736741f220e20435f84ecec75ed70eda90f781a148f1bad546963d81 \ + --hash=sha256:7d208c21e47940369accfc9e85f0de7693d9a5d843c2509b3846b2db170dfd20 \ + --hash=sha256:8254962e6ba1f4d2090c44daf50a547cd5f0bf446dc658a8e5f8156cae0d8548 \ + --hash=sha256:88417bff20162f635f24f849ab182b092697922088b477a7abd6664ddd82291d \ + --hash=sha256:a48e74dad1fb349f3dc1d449ed88e0017d792997a7ad2ec9587ed17405667e6d \ + --hash=sha256:b948e09fe5fb18517d99994184854ebd50b57248736fd4c720ad540560174ec5 \ + --hash=sha256:c707f7afd813478e2019ae32a7c49cd932dd60ab2d2a93e796f68236b7e1fbf1 \ + --hash=sha256:d38e6031e113b7421db1de0c1b1f7739564a88f1684c6b89234fbf6c11b75147 \ + --hash=sha256:d3977f0e276f6f5bf245c403156673db103283266601405376f075c849a0b936 \ + --hash=sha256:da6a0ff8f1016ccc7477e6339e1d50ce5f59b88905585f77193ebd5068f1e797 \ + --hash=sha256:e270c04f4d9b5671ebcc792b3ba5d4488bf7c42c3c241a3748e2599776f29696 \ + --hash=sha256:e886098619d3815e0ad5790c973afeee2c0e6e04b4da90b88e6bd06e2a0b1b72 \ + --hash=sha256:ec3b055ff8f1dce8e6ef28f626e0972981475173d7973d63f271b29c8a2897da \ + --hash=sha256:fba1e91467c65fe64a82c689dc6cf58151158993b13eb7a7f3f4b7f395636723 # via # pyopenssl # secretstorage From 3a262f3990263682d54b77d5147ac81571d63026 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 07:04:49 -0400 Subject: [PATCH 0600/1014] Bump ruff from 0.1.1 to 0.1.2 (#9775) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.1 to 0.1.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.1...v0.1.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9b32e6e2f6ab..da13bcd6fcda 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -138,7 +138,7 @@ rfc3986==2.0.0 # via twine rich==13.6.0 # via twine -ruff==0.1.1 +ruff==0.1.2 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From f36eb59215119a2003f80535681bd241129d81f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 07:05:26 -0400 Subject: [PATCH 0601/1014] Bump babel from 2.13.0 to 2.13.1 (#9774) Bumps [babel](https://github.com/python-babel/babel) from 2.13.0 to 2.13.1. - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](https://github.com/python-babel/babel/compare/v2.13.0...v2.13.1) --- updated-dependencies: - dependency-name: babel dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index da13bcd6fcda..4f0d169a3cf0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -9,7 +9,7 @@ alabaster==0.7.13 # via sphinx argcomplete==3.1.2 # via nox -babel==2.13.0 +babel==2.13.1 # via sphinx black==23.10.1 # via cryptography (pyproject.toml) From cbfaa6cd05f22011386739e958dab18c679612cd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 07:05:44 -0400 Subject: [PATCH 0602/1014] Bump pytest from 7.4.2 to 7.4.3 (#9773) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.2 to 7.4.3. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.4.2...7.4.3) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4f0d169a3cf0..1b3b7b0173f8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -110,7 +110,7 @@ pygments==2.16.1 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.4.2 +pytest==7.4.3 # via # cryptography (pyproject.toml) # pytest-benchmark From 7a066bf9f92a9b1c6124844db96d254dd767a090 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 25 Oct 2023 11:31:24 -0400 Subject: [PATCH 0603/1014] reformat code (#9769) this matches both ruff and black style --- src/cryptography/hazmat/backends/openssl/ciphers.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index a34dcbe6ce1a..64c4690540fc 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py @@ -149,8 +149,9 @@ def update_into(self, data: bytes, buf: bytes) -> int: total_data_len = len(data) if len(buf) < (total_data_len + self._block_size_bytes - 1): raise ValueError( - "buffer must be at least {} bytes for this " - "payload".format(len(data) + self._block_size_bytes - 1) + "buffer must be at least {} bytes for this payload".format( + len(data) + self._block_size_bytes - 1 + ) ) data_processed = 0 From c687e5c4cb64272d8968ce737df3e2eb19775407 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 25 Oct 2023 11:32:48 -0400 Subject: [PATCH 0604/1014] Re-format tests/hazmat/primitives/ (#9770) this matches both ruff and black style --- tests/hazmat/primitives/test_block.py | 4 +++- tests/hazmat/primitives/test_ciphers.py | 8 ++++++-- tests/hazmat/primitives/test_dsa.py | 6 ++++-- tests/hazmat/primitives/test_ec.py | 3 ++- tests/hazmat/primitives/test_hmac.py | 4 +++- tests/hazmat/primitives/test_pkcs12.py | 16 ++++++++++++---- tests/hazmat/primitives/test_pkcs7.py | 15 +++++++++++---- tests/hazmat/primitives/test_rsa.py | 10 +++++++--- tests/hazmat/primitives/test_ssh.py | 9 ++++++--- tests/hazmat/primitives/test_x25519.py | 3 ++- 10 files changed, 56 insertions(+), 22 deletions(-) diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py index b831de176a0a..6233e197a50b 100644 --- a/tests/hazmat/primitives/test_block.py +++ b/tests/hazmat/primitives/test_block.py @@ -44,7 +44,9 @@ def test_instantiate_with_non_algorithm(self, backend): algorithm = object() with pytest.raises(TypeError): Cipher( - algorithm, mode=None, backend=backend # type: ignore[arg-type] + algorithm, # type: ignore[arg-type] + mode=None, + backend=backend, ) diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index bf3b047dec25..786992d34f3d 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -346,7 +346,9 @@ def test_update_into_auto_chunking(self, backend, monkeypatch): encryptor = c.encryptor() # Lower max chunk size so we can test chunking monkeypatch.setattr( - encryptor._ctx, "_MAX_CHUNK_SIZE", 40 # type: ignore[attr-defined] + encryptor._ctx, # type: ignore[attr-defined] + "_MAX_CHUNK_SIZE", + 40, ) buf = bytearray(527) pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes @@ -355,7 +357,9 @@ def test_update_into_auto_chunking(self, backend, monkeypatch): decryptor = c.decryptor() # Change max chunk size to verify alternate boundaries don't matter monkeypatch.setattr( - decryptor._ctx, "_MAX_CHUNK_SIZE", 73 # type: ignore[attr-defined] + decryptor._ctx, # type: ignore[attr-defined] + "_MAX_CHUNK_SIZE", + 73, ) decbuf = bytearray(527) decprocessed = decryptor.update_into(buf[:processed], decbuf) diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 936b1a80f232..c3990cd5af44 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -572,7 +572,8 @@ def test_dsa_public_numbers(self): def test_dsa_public_numbers_invalid_types(self): with pytest.raises(TypeError): dsa.DSAPublicNumbers( - y=4, parameter_numbers=None # type: ignore[arg-type] + y=4, + parameter_numbers=None, # type: ignore[arg-type] ) with pytest.raises(TypeError): @@ -606,7 +607,8 @@ def test_dsa_private_numbers_invalid_types(self): with pytest.raises(TypeError): dsa.DSAPrivateNumbers( - x=None, public_numbers=public_numbers # type: ignore[arg-type] + x=None, # type: ignore[arg-type] + public_numbers=public_numbers, ) def test_repr(self): diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index cf96bfc5182f..73bfa122858a 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -1098,7 +1098,8 @@ def test_from_encoded_point_empty_byte_string(self): def test_from_encoded_point_not_a_curve(self): with pytest.raises(TypeError): ec.EllipticCurvePublicKey.from_encoded_point( - "notacurve", b"\x04data" # type: ignore[arg-type] + "notacurve", # type: ignore[arg-type] + b"\x04data", ) def test_from_encoded_point_unsupported_encoding(self): diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 78bb26254d9b..862b8340d736 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -38,7 +38,9 @@ def test_hmac_reject_unicode(self, backend): def test_hmac_algorithm_instance(self, backend): with pytest.raises(TypeError): hmac.HMAC( - b"key", hashes.SHA1, backend=backend # type: ignore[arg-type] + b"key", + hashes.SHA1, # type: ignore[arg-type] + backend=backend, ) def test_raises_after_finalize(self, backend): diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 0cd3111bc2b7..957eea6cfd68 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -143,7 +143,9 @@ def test_load_pkcs12_key_only(self, backend): def test_non_bytes(self, backend): with pytest.raises(TypeError): load_key_and_certificates( - b"irrelevant", object(), backend # type: ignore[arg-type] + b"irrelevant", + object(), # type: ignore[arg-type] + backend, ) def test_not_a_pkcs12(self, backend): @@ -804,15 +806,21 @@ def test_certificate_repr(self, backend): def test_key_and_certificates_constructor(self, backend): with pytest.raises(TypeError): PKCS12KeyAndCertificates( - "hello", None, [] # type:ignore[arg-type] + "hello", # type:ignore[arg-type] + None, + [], ) with pytest.raises(TypeError): PKCS12KeyAndCertificates( - None, "hello", [] # type:ignore[arg-type] + None, + "hello", # type:ignore[arg-type] + [], ) with pytest.raises(TypeError): PKCS12KeyAndCertificates( - None, None, ["hello"] # type:ignore[list-item] + None, + None, + ["hello"], # type:ignore[list-item] ) def test_key_and_certificates_equality(self, backend): diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 172cf40bd6e4..a634cffe763a 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -194,14 +194,18 @@ def test_unsupported_hash_alg(self, backend): cert, key = _load_cert_key() with pytest.raises(TypeError): pkcs7.PKCS7SignatureBuilder().add_signer( - cert, key, hashes.SHA512_256() # type: ignore[arg-type] + cert, + key, + hashes.SHA512_256(), # type: ignore[arg-type] ) def test_not_a_cert(self, backend): cert, key = _load_cert_key() with pytest.raises(TypeError): pkcs7.PKCS7SignatureBuilder().add_signer( - b"notacert", key, hashes.SHA256() # type: ignore[arg-type] + b"notacert", # type: ignore[arg-type] + key, + hashes.SHA256(), ) @pytest.mark.supported( @@ -213,7 +217,9 @@ def test_unsupported_key_type(self, backend): key = ed25519.Ed25519PrivateKey.generate() with pytest.raises(TypeError): pkcs7.PKCS7SignatureBuilder().add_signer( - cert, key, hashes.SHA256() # type: ignore[arg-type] + cert, + key, # type: ignore[arg-type] + hashes.SHA256(), ) def test_sign_invalid_options(self, backend): @@ -816,5 +822,6 @@ def test_invalid_types(self): with pytest.raises(TypeError): pkcs7.serialize_certificates( - certs, "not an encoding" # type: ignore[arg-type] + certs, + "not an encoding", # type: ignore[arg-type] ) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index cf9fb9d689aa..7d8a1fd05507 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -1658,7 +1658,8 @@ class TestPSS: def test_calculate_max_pss_salt_length(self): with pytest.raises(TypeError): padding.calculate_max_pss_salt_length( - object(), hashes.SHA256() # type:ignore[arg-type] + object(), # type:ignore[arg-type] + hashes.SHA256(), ) def test_invalid_salt_length_not_integer(self): @@ -1711,7 +1712,9 @@ def test_invalid_algorithm(self): mgf = padding.MGF1(hashes.SHA1()) with pytest.raises(TypeError): padding.OAEP( - mgf=mgf, algorithm=b"", label=None # type:ignore[arg-type] + mgf=mgf, + algorithm=b"", # type:ignore[arg-type] + label=None, ) def test_algorithm_property(self): @@ -2180,7 +2183,8 @@ def test_unsupported_padding( public_key.encrypt(b"somedata", DummyAsymmetricPadding()) with pytest.raises(TypeError): public_key.encrypt( - b"somedata", padding=object() # type: ignore[arg-type] + b"somedata", + padding=object(), # type: ignore[arg-type] ) def test_unsupported_oaep_mgf( diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index 6369ba67639e..d3372566e93f 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -1501,11 +1501,13 @@ def test_add_critical_option_errors(self): builder = SSHCertificateBuilder() with pytest.raises(TypeError): builder.add_critical_option( - "not bytes", b"test" # type: ignore[arg-type] + "not bytes", # type: ignore[arg-type] + b"test", ) with pytest.raises(TypeError): builder.add_critical_option( - b"test", object() # type: ignore[arg-type] + b"test", + object(), # type: ignore[arg-type] ) builder = builder.add_critical_option(b"test", b"test") with pytest.raises(ValueError): @@ -1515,7 +1517,8 @@ def test_add_extension_errors(self): builder = SSHCertificateBuilder() with pytest.raises(TypeError): builder.add_extension( - "not bytes", b"test" # type: ignore[arg-type] + "not bytes", # type: ignore[arg-type] + b"test", ) with pytest.raises(TypeError): builder.add_extension(b"test", object()) # type: ignore[arg-type] diff --git a/tests/hazmat/primitives/test_x25519.py b/tests/hazmat/primitives/test_x25519.py index f81a14930257..b68286e1e5f0 100644 --- a/tests/hazmat/primitives/test_x25519.py +++ b/tests/hazmat/primitives/test_x25519.py @@ -100,7 +100,8 @@ def test_public_bytes_bad_args(self, backend): key = X25519PrivateKey.generate().public_key() with pytest.raises(TypeError): key.public_bytes( - None, serialization.PublicFormat.Raw # type: ignore[arg-type] + None, # type: ignore[arg-type] + serialization.PublicFormat.Raw, ) with pytest.raises(ValueError): key.public_bytes( From 6b966a9b21e26ce942072ac65998f004551a5c21 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 25 Oct 2023 12:10:42 -0400 Subject: [PATCH 0605/1014] Reformat most remaining tests (#9771) this matches both ruff and black style --- tests/test_fernet.py | 4 +++- tests/x509/test_ocsp.py | 8 ++++++-- tests/x509/test_x509.py | 11 ++++++++--- tests/x509/test_x509_crlbuilder.py | 12 +++++++++--- tests/x509/test_x509_revokedcertbuilder.py | 3 ++- 5 files changed, 28 insertions(+), 10 deletions(-) diff --git a/tests/test_fernet.py b/tests/test_fernet.py index 89908e2793b8..360b569136d8 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -198,7 +198,9 @@ def test_decrypt_at_time(self, backend): f.decrypt_at_time(token, ttl=1, current_time=102) with pytest.raises(ValueError): f.decrypt_at_time( - token, ttl=None, current_time=100 # type: ignore[arg-type] + token, + ttl=None, # type: ignore[arg-type] + current_time=100, ) def test_no_fernets(self, backend): diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index e2a62f0ca53d..94a08bc6cfaa 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -203,7 +203,10 @@ def test_add_cert_by_hash_bad_hash(self): builder = ocsp.OCSPRequestBuilder() with pytest.raises(ValueError): builder.add_certificate_by_hash( - b"0" * 20, b"0" * 20, 1, "notahash" # type:ignore[arg-type] + b"0" * 20, + b"0" * 20, + 1, + "notahash", # type:ignore[arg-type] ) with pytest.raises(ValueError): builder.add_certificate_by_hash( @@ -516,7 +519,8 @@ def test_invalid_extension(self): builder = ocsp.OCSPResponseBuilder() with pytest.raises(TypeError): builder.add_extension( - "notanextension", True # type: ignore[arg-type] + "notanextension", # type: ignore[arg-type] + True, ) def test_unsupported_extension(self): diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 08e51ba7c64b..8d40481b47c6 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -3263,7 +3263,9 @@ def test_sign_ec_with_md5(self, backend): ) with pytest.raises(UnsupportedAlgorithm): builder.sign( - private_key, hashes.MD5(), backend # type: ignore[arg-type] + private_key, + hashes.MD5(), # type: ignore[arg-type] + backend, ) @pytest.mark.supported( @@ -4300,7 +4302,9 @@ def test_sign_invalid_hash_algorithm( ) with pytest.raises(TypeError): builder.sign( - private_key, "NotAHash", backend # type: ignore[arg-type] + private_key, + "NotAHash", # type: ignore[arg-type] + backend, ) @pytest.mark.supported( @@ -5726,7 +5730,8 @@ def test_init_bitstring_not_allowed_random_oid(self): def test_init_none_value(self): with pytest.raises(TypeError): x509.NameAttribute( - NameOID.ORGANIZATION_NAME, None # type:ignore[arg-type] + NameOID.ORGANIZATION_NAME, + None, # type:ignore[arg-type] ) def test_init_bad_country_code_value(self): diff --git a/tests/x509/test_x509_crlbuilder.py b/tests/x509/test_x509_crlbuilder.py index 66a13567ac61..749c4ecb783f 100644 --- a/tests/x509/test_x509_crlbuilder.py +++ b/tests/x509/test_x509_crlbuilder.py @@ -476,7 +476,9 @@ def test_sign_with_invalid_hash( with pytest.raises(TypeError): builder.sign( - private_key, object(), backend # type: ignore[arg-type] + private_key, + object(), # type: ignore[arg-type] + backend, ) @pytest.mark.supported( @@ -781,7 +783,9 @@ def test_dsa_key_sign_md5(self, backend): with pytest.raises(UnsupportedAlgorithm): builder.sign( - private_key, hashes.MD5(), backend # type: ignore[arg-type] + private_key, + hashes.MD5(), # type: ignore[arg-type] + backend, ) def test_ec_key_sign_md5(self, backend): @@ -806,7 +810,9 @@ def test_ec_key_sign_md5(self, backend): with pytest.raises(UnsupportedAlgorithm): builder.sign( - private_key, hashes.MD5(), backend # type: ignore[arg-type] + private_key, + hashes.MD5(), # type: ignore[arg-type] + backend, ) def test_sign_with_revoked_certificates( diff --git a/tests/x509/test_x509_revokedcertbuilder.py b/tests/x509/test_x509_revokedcertbuilder.py index dc439bc05eb9..c3c063beabb4 100644 --- a/tests/x509/test_x509_revokedcertbuilder.py +++ b/tests/x509/test_x509_revokedcertbuilder.py @@ -106,7 +106,8 @@ def test_add_extension_checks_for_duplicates(self): def test_add_invalid_extension(self): with pytest.raises(TypeError): x509.RevokedCertificateBuilder().add_extension( - "notanextension", False # type: ignore[arg-type] + "notanextension", # type: ignore[arg-type] + False, ) def test_no_serial_number(self, backend): From e9dedc3dcc6a454aa6cfa65c8661db83078648bd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 25 Oct 2023 12:11:05 -0400 Subject: [PATCH 0606/1014] Reformat tests/x509/test_x509_ext.py (#9772) this matches both ruff and black style --- tests/x509/test_x509_ext.py | 60 +++++++++++++++++++++++++++---------- 1 file changed, 45 insertions(+), 15 deletions(-) diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 7d45d3308a35..7048c025d312 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -221,7 +221,8 @@ class TestUnrecognizedExtension: def test_invalid_oid(self): with pytest.raises(TypeError): x509.UnrecognizedExtension( - "notanoid", b"somedata" # type:ignore[arg-type] + "notanoid", # type:ignore[arg-type] + b"somedata", ) def test_eq(self): @@ -448,7 +449,8 @@ class TestNoticeReference: def test_notice_numbers_not_all_int(self): with pytest.raises(TypeError): x509.NoticeReference( - "org", [1, 2, "three"] # type:ignore[list-item] + "org", + [1, 2, "three"], # type:ignore[list-item] ) def test_notice_numbers_none(self): @@ -1223,7 +1225,9 @@ class TestAuthorityKeyIdentifier: def test_authority_cert_issuer_not_generalname(self): with pytest.raises(TypeError): x509.AuthorityKeyIdentifier( - b"identifier", ["notname"], 3 # type:ignore[list-item] + b"identifier", + ["notname"], # type:ignore[list-item] + 3, ) def test_authority_cert_serial_number_not_integer(self): @@ -1241,7 +1245,9 @@ def test_authority_cert_serial_number_not_integer(self): ) with pytest.raises(TypeError): x509.AuthorityKeyIdentifier( - b"identifier", [dirname], "notanint" # type:ignore[arg-type] + b"identifier", + [dirname], + "notanint", # type:ignore[arg-type] ) def test_authority_issuer_none_serial_not_none(self): @@ -1354,7 +1360,8 @@ class TestBasicConstraints: def test_ca_not_boolean(self): with pytest.raises(TypeError): x509.BasicConstraints( - ca="notbool", path_length=None # type:ignore[arg-type] + ca="notbool", # type:ignore[arg-type] + path_length=None, ) def test_path_length_not_ca(self): @@ -1364,12 +1371,14 @@ def test_path_length_not_ca(self): def test_path_length_not_int(self): with pytest.raises(TypeError): x509.BasicConstraints( - ca=True, path_length=1.1 # type:ignore[arg-type] + ca=True, + path_length=1.1, # type:ignore[arg-type] ) with pytest.raises(TypeError): x509.BasicConstraints( - ca=True, path_length="notint" # type:ignore[arg-type] + ca=True, + path_length="notint", # type:ignore[arg-type] ) def test_path_length_negative(self): @@ -2723,7 +2732,8 @@ class TestAccessDescription: def test_invalid_access_method(self): with pytest.raises(TypeError): x509.AccessDescription( - "notanoid", x509.DNSName("test") # type:ignore[arg-type] + "notanoid", # type:ignore[arg-type] + x509.DNSName("test"), ) def test_invalid_access_location(self): @@ -3910,19 +3920,30 @@ class TestDistributionPoint: def test_distribution_point_full_name_not_general_names(self): with pytest.raises(TypeError): x509.DistributionPoint( - ["notgn"], None, None, None # type:ignore[list-item] + ["notgn"], # type:ignore[list-item] + None, + None, + None, ) def test_distribution_point_relative_name_not_name(self): with pytest.raises(TypeError): x509.DistributionPoint( - None, "notname", None, None # type:ignore[arg-type] + None, + "notname", # type:ignore[arg-type] + None, + None, ) def test_distribution_point_full_and_relative_not_none(self): with pytest.raises(ValueError): x509.DistributionPoint( - "data", "notname", None, None # type:ignore[arg-type] + [x509.UniformResourceIdentifier("http://crypt.og/crl")], + x509.RelativeDistinguishedName( + [x509.NameAttribute(NameOID.TITLE, "Test")] + ), + None, + None, ) def test_no_full_name_relative_name_or_crl_issuer(self): @@ -3932,7 +3953,10 @@ def test_no_full_name_relative_name_or_crl_issuer(self): def test_crl_issuer_not_general_names(self): with pytest.raises(TypeError): x509.DistributionPoint( - None, None, None, ["notgn"] # type:ignore[list-item] + None, + None, + None, + ["notgn"], # type:ignore[list-item] ) def test_reason_not_reasonflags(self): @@ -6203,16 +6227,22 @@ class TestMSCertificateTemplate: def test_invalid_type(self): with pytest.raises(TypeError): x509.MSCertificateTemplate( - "notanoid", None, None # type:ignore[arg-type] + "notanoid", # type:ignore[arg-type] + None, + None, ) oid = x509.ObjectIdentifier("1.2.3.4") with pytest.raises(TypeError): x509.MSCertificateTemplate( - oid, "notanint", None # type:ignore[arg-type] + oid, + "notanint", # type:ignore[arg-type] + None, ) with pytest.raises(TypeError): x509.MSCertificateTemplate( - oid, None, "notanint" # type:ignore[arg-type] + oid, + None, + "notanint", # type:ignore[arg-type] ) def test_eq(self): From 9d41ee63f063d64f8298bd223987404966afe4fa Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 25 Oct 2023 16:39:20 -0500 Subject: [PATCH 0607/1014] test on sonoma on M1 (#9777) * test on sonoma on M1 * sonoma is also a word --- docs/installation.rst | 2 +- docs/spelling_wordlist.txt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/installation.rst b/docs/installation.rst index 32e2f0b295fe..d24d8062c8ad 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -19,7 +19,7 @@ operating systems. * x86-64 RHEL 8.x * x86-64 CentOS 9 Stream * x86-64 Fedora (latest) -* x86-64 and ARM64 macOS 13 Ventura +* x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma * x86-64 Ubuntu 20.04, 22.04, rolling * ARM64 Ubuntu 22.04 * x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 60113c130caa..69a5f68ea0f8 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -117,6 +117,7 @@ Serializers setuptools SHA Solaris +Sonoma Sur syscall Tanja From 6970149e3992d8a862369a3025a8f20d263d3022 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 25 Oct 2023 18:15:44 -0400 Subject: [PATCH 0608/1014] Alway use ruff format (#9778) --- ci-constraints-requirements.txt | 9 +-------- noxfile.py | 2 +- pyproject.toml | 7 ++----- 3 files changed, 4 insertions(+), 14 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1b3b7b0173f8..641533a10d80 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,8 +11,6 @@ argcomplete==3.1.2 # via nox babel==2.13.1 # via sphinx -black==23.10.1 - # via cryptography (pyproject.toml) bleach==6.1.0 # via readme-renderer build==1.0.3 @@ -26,7 +24,7 @@ charset-normalizer==3.3.1 check-sdist==0.1.3 # via cryptography (pyproject.toml) click==8.1.7 - # via black + # via cryptography (pyproject.toml) colorlog==6.7.0 # via nox coverage==7.3.2; python_version >= "3.8" @@ -72,26 +70,22 @@ mypy==1.6.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via - # black # mypy nox==2023.4.22 # via cryptography (pyproject.toml) packaging==23.2 # via - # black # build # nox # pytest # sphinx pathspec==0.11.2 # via - # black # check-sdist pkginfo==1.9.6 # via twine platformdirs==3.11.0 # via - # black # virtualenv pluggy==1.3.0; python_version >= "3.8" # via pytest @@ -170,7 +164,6 @@ sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) tomli==2.0.1 # via - # black # build # check-manifest # coverage diff --git a/noxfile.py b/noxfile.py index 472bc6cb6608..f53d026875a6 100644 --- a/noxfile.py +++ b/noxfile.py @@ -155,7 +155,7 @@ def flake(session: nox.Session) -> None: install(session, ".[pep8test,test,ssh,nox]") session.run("ruff", ".") - session.run("black", "--check", ".") + session.run("ruff", "format", "--check", ".") session.run("check-sdist") session.run( "mypy", diff --git a/pyproject.toml b/pyproject.toml index b8ba5f5e7d0d..7c6b616b1660 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -80,7 +80,8 @@ test-randomorder = ["pytest-randomly"] docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"] docstest = ["pyenchant >=1.6.11", "twine >=1.12.0", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] -pep8test = ["black", "ruff", "mypy", "check-sdist"] +# `click` included because its needed to type check `release.py` +pep8test = ["ruff", "mypy", "check-sdist", "click"] [[tool.setuptools-rust.ext-modules]] target = "cryptography.hazmat.bindings._rust" @@ -89,10 +90,6 @@ py-limited-api = true rust-version = ">=1.63.0" -[tool.black] -line-length = 79 -target-version = ["py37"] - [tool.pytest.ini_options] addopts = "-r s --capture=no --strict-markers --benchmark-disable" console_output_style = "progress-even-when-capture-no" From 8dd3f6c705663f10ab82a217b4f06c8722ab16e0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 20:34:01 -0400 Subject: [PATCH 0609/1014] Bump BoringSSL and/or OpenSSL in CI (#9779) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 290a83c2a37d..193c4d517652 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 25, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "4df6f97cf9a32770b2a6ffb8da7d97845743ffb7"}} - # Latest commit on the OpenSSL master branch, as of Oct 25, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dbbdb940d421daca4a65e765b5244bde6aed3f61"}} + # Latest commit on the BoringSSL master branch, as of Oct 26, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c38dc29860a72540eb2c4fdb8a8bfb27ef94ddf3"}} + # Latest commit on the OpenSSL master branch, as of Oct 26, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6a0ae393dd554eb718e5148696e8f437d4faae5b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 1cb847a59735e8fee40f540cfe2f154db337569f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 25 Oct 2023 20:49:20 -0400 Subject: [PATCH 0610/1014] Updates to dev docs (#9780) - Stop talking about black - Use type annotations in examples --- docs/development/submitting-patches.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/development/submitting-patches.rst b/docs/development/submitting-patches.rst index 6148419ce134..147de318e40f 100644 --- a/docs/development/submitting-patches.rst +++ b/docs/development/submitting-patches.rst @@ -19,10 +19,10 @@ Code ---- When in doubt, refer to :pep:`8` for Python code. You can check if your code -meets our automated requirements by formatting it with ``black`` and running -``ruff`` against it. If you've installed the development requirements this -will automatically use our configuration. You can also run the ``nox`` job with -``nox -e flake``. +meets our automated requirements by formatting it with ``ruff format`` and +running ``ruff`` against it. If you've installed the development requirements +this will automatically use our configuration. You can also run the ``nox`` +job with ``nox -e flake``. `Write comments as complete sentences.`_ @@ -61,12 +61,12 @@ whether the signature was valid. .. code-block:: python # This is bad. - def verify(sig): + def verify(sig: bytes) -> bool: # ... return is_valid # Good! - def verify(sig): + def verify(sig: bytes) -> None: # ... if not is_valid: raise InvalidSignature From 16a969eb9bc977358826f1b94c71710e75256866 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Thu, 26 Oct 2023 13:35:36 +1100 Subject: [PATCH 0611/1014] validation: add Rust-side certificate validation helpers (#9757) * validation: add Rust-side certificate validation helpers * rust: Add unit test for certification validation helpers * rust: Add comment explaining why we're allowing dead code * rust: Get remaining coverage for self-issued case * rust: Add test case for when we fail to retrieve public key * rust: Rename tests to be less verbose * rust: Get remaining coverage in `PublicKeyErrorOps` --- .../src/certificate.rs | 109 ++++++++++++++++++ .../cryptography-x509-validation/src/lib.rs | 1 + 2 files changed, 110 insertions(+) create mode 100644 src/rust/cryptography-x509-validation/src/certificate.rs diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs new file mode 100644 index 000000000000..8aa65a4a8ac8 --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/certificate.rs @@ -0,0 +1,109 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +//! Validation-specific certificate functionality. + +use cryptography_x509::certificate::Certificate; + +use crate::ops::CryptoOps; + +// TODO: Remove these attributes once we start using these helpers. +#[allow(dead_code)] +pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool { + cert.issuer() == cert.subject() +} + +#[allow(dead_code)] +pub(crate) fn cert_is_self_signed(cert: &Certificate<'_>, ops: &B) -> bool { + match ops.public_key(cert) { + Ok(pk) => cert_is_self_issued(cert) && ops.verify_signed_by(cert, pk).is_ok(), + Err(_) => false, + } +} + +#[cfg(test)] +mod tests { + use crate::certificate::Certificate; + use crate::ops::tests::{cert, v1_cert_pem, NullOps}; + use crate::ops::CryptoOps; + + use super::{cert_is_self_issued, cert_is_self_signed}; + + #[test] + fn test_certificate_v1() { + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); + let ops = NullOps {}; + + assert!(!cert_is_self_issued(&cert)); + assert!(!cert_is_self_signed(&cert, &ops)); + } + + fn ca_pem() -> pem::Pem { + // From vectors/cryptography_vectors/x509/custom/ca/ca.pem + pem::parse( + "-----BEGIN CERTIFICATE----- +MIIBUTCB96ADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG +A1UEAwwPY3J5cHRvZ3JhcGh5IENBMB4XDTE3MDEwMTEyMDEwMFoXDTM4MTIzMTA4 +MzAwMFowJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABBj/z7v5Obj13cPuwECLBnUGq0/N2CxS +JE4f4BBGZ7VfFblivTvPDG++Gve0oQ+0uctuhrNQ+WxRv8GC177F+QWjEzARMA8G +A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANES742XWm64tkGnz8Dn +pG6u2lHkZFQr3oaVvPcemvlbAiEA0WGGzmYx5C9UvfXIK7NEziT4pQtyESE0uRVK +Xw4nMqk= +-----END CERTIFICATE-----", + ) + .unwrap() + } + + #[test] + fn test_certificate_ca() { + let cert_pem = ca_pem(); + let cert = cert(&cert_pem); + let ops = NullOps {}; + + assert!(cert_is_self_issued(&cert)); + assert!(cert_is_self_signed(&cert, &ops)); + } + + struct PublicKeyErrorOps {} + impl CryptoOps for PublicKeyErrorOps { + type Key = (); + type Err = (); + + fn public_key(&self, _cert: &Certificate<'_>) -> Result { + // Simulate failing to retrieve a public key. + Err(()) + } + + fn verify_signed_by( + &self, + _cert: &Certificate<'_>, + _key: Self::Key, + ) -> Result<(), Self::Err> { + Ok(()) + } + } + + #[test] + fn test_certificate_public_key_error() { + let cert_pem = ca_pem(); + let cert = cert(&cert_pem); + let ops = PublicKeyErrorOps {}; + + assert!(cert_is_self_issued(&cert)); + assert!(!cert_is_self_signed(&cert, &ops)); + } + + #[test] + fn test_certificate_public_key_error_ops() { + // Just to get coverage on the `PublicKeyErrorOps` helper. + let cert_pem = ca_pem(); + let cert = cert(&cert_pem); + let ops = PublicKeyErrorOps {}; + + assert!(ops.public_key(&cert).is_err()); + assert!(ops.verify_signed_by(&cert, ()).is_ok()); + } +} diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 972f357fd4c2..db654a547540 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -5,6 +5,7 @@ #![forbid(unsafe_code)] #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +pub mod certificate; pub mod ops; pub mod policy; pub mod trust_store; From ecaf2e508dc773d9251eeb271c9f051ce0c83456 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 25 Oct 2023 23:18:58 -0400 Subject: [PATCH 0612/1014] Make X509_ALGOR opaque (#9738) --- src/_cffi_src/openssl/x509.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 5c5d7335df7e..120a23eb35e8 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -24,11 +24,7 @@ typedef ... Cryptography_STACK_OF_X509_CRL; typedef ... Cryptography_STACK_OF_X509_REVOKED; -typedef struct { - ASN1_OBJECT *algorithm; - ...; -} X509_ALGOR; - +typedef ... X509_ALGOR; typedef ... X509_ATTRIBUTE; typedef ... X509_EXTENSION; typedef ... X509_EXTENSIONS; From 5aef6fe9b789a4c83ef636abba7a6d3d8ec9a98e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 26 Oct 2023 07:20:21 -0400 Subject: [PATCH 0613/1014] Bump pyopenssl from 23.2.0 to 23.3.0 in /.github/requirements (#9782) Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 23.2.0 to 23.3.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/23.2.0...23.3.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7cf244cc2ed5..0a8068fa6d2f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -490,9 +490,9 @@ pyjwt==2.8.0 \ --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 # via sigstore -pyopenssl==23.2.0 \ - --hash=sha256:24f0dc5227396b3e831f4c7f602b950a5e9833d292c8e4a2e06b709292806ae2 \ - --hash=sha256:276f931f55a452e7dea69c7173e984eb2a4407ce413c918aa34b55f82f9b8bac +pyopenssl==23.3.0 \ + --hash=sha256:6756834481d9ed5470f4a9393455154bc92fe7a64b7bc6ee2c804e78c52099b2 \ + --hash=sha256:6b2cba5cc46e822750ec3e5a81ee12819850b11303630d575e98108a079c2b12 # via sigstore python-dateutil==2.8.2 \ --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ From b9e6ac740bec095f1ffb4c12dd61f2bbd30aa410 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 26 Oct 2023 08:54:56 -0400 Subject: [PATCH 0614/1014] Bump setuptools rust (#9784) * Bump setuptools-rust from 1.7.0 to 1.8.0 in /.github/requirements Bumps [setuptools-rust](https://github.com/PyO3/setuptools-rust) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/PyO3/setuptools-rust/releases) - [Changelog](https://github.com/PyO3/setuptools-rust/blob/main/CHANGELOG.md) - [Commits](https://github.com/PyO3/setuptools-rust/compare/v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: setuptools-rust dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Bump setuptools-rust --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index beec7a1754eb..ca671a99d910 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -66,18 +66,14 @@ semantic-version==2.10.0 \ --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 # via setuptools-rust -setuptools-rust==1.7.0 \ - --hash=sha256:071099885949132a2180d16abf907b60837e74b4085047ba7e9c0f5b365310c1 \ - --hash=sha256:c7100999948235a38ae7e555fe199aa66c253dc384b125f5d85473bf81eae3a3 +setuptools-rust==1.8.0 \ + --hash=sha256:5e02b7a80058853bf64127314f6b97d0efed11e08b94c88ca639a20976f6adc4 \ + --hash=sha256:95ec67edee2ca73233c9e75250e9d23a302aa23b4c8413dfd19c14c30d08f703 # via -r build-requirements.in tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -typing-extensions==4.8.0 \ - --hash=sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0 \ - --hash=sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef - # via setuptools-rust wheel==0.41.2 \ --hash=sha256:0c5ac5ff2afb79ac23ab82bab027a0be7b5dbcf2e54dc50efe4bf507de1f7985 \ --hash=sha256:75909db2664838d015e3d9139004ee16711748a52c8f336b52882266540215d8 From 7abf1f0ce2ac5d531ecd6e5a10bdf3aa1aa472fd Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 26 Oct 2023 10:34:55 -0500 Subject: [PATCH 0615/1014] openssl 3.2.0-beta1 (#9786) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 193c4d517652..23f2050cbb08 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-beta1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 7f4bd0b3501ef436fe1531c8c5cf0414b2191739 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 26 Oct 2023 18:45:23 -0400 Subject: [PATCH 0616/1014] Trim the PKCS7 bindings (#9787) --- src/_cffi_src/openssl/pkcs7.py | 21 +------------------ .../hazmat/bindings/openssl/_conditional.py | 1 - 2 files changed, 1 insertion(+), 21 deletions(-) diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py index b656f96e7239..cce06c6ec0c8 100644 --- a/src/_cffi_src/openssl/pkcs7.py +++ b/src/_cffi_src/openssl/pkcs7.py @@ -13,16 +13,10 @@ typedef struct { Cryptography_STACK_OF_X509 *cert; - Cryptography_STACK_OF_X509_CRL *crl; ...; } PKCS7_SIGNED; -typedef struct { - Cryptography_STACK_OF_X509 *cert; - Cryptography_STACK_OF_X509_CRL *crl; - ...; -} PKCS7_SIGN_ENVELOPE; - +typedef ... PKCS7_SIGN_ENVELOPE; typedef ... PKCS7_DIGEST; typedef ... PKCS7_ENCRYPT; typedef ... PKCS7_ENVELOPE; @@ -53,16 +47,6 @@ int PKCS7_verify(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, BIO *, int); PKCS7 *SMIME_read_PKCS7(BIO *, BIO **); -/* Included due to external consumer, see - https://github.com/pyca/pyopenssl/issues/1031 */ -Cryptography_STACK_OF_X509 *PKCS7_get0_signers(PKCS7 *, - Cryptography_STACK_OF_X509 *, - int); - -int PKCS7_type_is_signed(PKCS7 *); -int PKCS7_type_is_enveloped(PKCS7 *); -int PKCS7_type_is_signedAndEnveloped(PKCS7 *); -int PKCS7_type_is_data(PKCS7 *); """ CUSTOMIZATIONS = """ @@ -72,9 +56,6 @@ int (*PKCS7_verify)(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, BIO *, int) = NULL; PKCS7 *(*SMIME_read_PKCS7)(BIO *, BIO **) = NULL; -Cryptography_STACK_OF_X509 *(*PKCS7_get0_signers)(PKCS7 *, - Cryptography_STACK_OF_X509 *, - int) = NULL; #else static const long Cryptography_HAS_PKCS7_FUNCS = 1; #endif diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index ebd287b51f17..d40cbd8f963e 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -174,7 +174,6 @@ def cryptography_has_pkcs7_funcs() -> list[str]: return [ "PKCS7_verify", "SMIME_read_PKCS7", - "PKCS7_get0_signers", ] From 52e7fee583b5cce842af7470a3b1d9a8ebbc53b9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 27 Oct 2023 00:17:24 +0000 Subject: [PATCH 0617/1014] Bump BoringSSL and/or OpenSSL in CI (#9788) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 23f2050cbb08..129d30c0e990 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 26, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c38dc29860a72540eb2c4fdb8a8bfb27ef94ddf3"}} - # Latest commit on the OpenSSL master branch, as of Oct 26, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6a0ae393dd554eb718e5148696e8f437d4faae5b"}} + # Latest commit on the BoringSSL master branch, as of Oct 27, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3309ca66385ecb0c37f1ac1be9f88712e25aa8ec"}} + # Latest commit on the OpenSSL master branch, as of Oct 27, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "09298141592c579504966f1907a44cb95f37cc6e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 5838299787f5f72a30b8b2840baafcaaedd4cba2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Oct 2023 07:04:14 -0400 Subject: [PATCH 0618/1014] Bump ruff from 0.1.2 to 0.1.3 (#9790) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.2 to 0.1.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.2...v0.1.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 641533a10d80..2087f30e4b47 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ rfc3986==2.0.0 # via twine rich==13.6.0 # via twine -ruff==0.1.2 +ruff==0.1.3 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From bb28549247a33418374c9f40a513cf59835e915f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 27 Oct 2023 10:44:41 -0400 Subject: [PATCH 0619/1014] Avoid building ourselves in the flake job (#9789) --- noxfile.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index f53d026875a6..98ecdb619a4a 100644 --- a/noxfile.py +++ b/noxfile.py @@ -152,7 +152,21 @@ def docs_linkcheck(session: nox.Session) -> None: @nox.session def flake(session: nox.Session) -> None: - install(session, ".[pep8test,test,ssh,nox]") + # Just install the dependencies needed for these tests - basically + # `pip install .[pep8test,test,ssh,nox]`, but without installing `.` + # TODO: Ideally there'd be a pip flag to install just our dependencies, + # but not install us. + install( + session, + "ruff", + "check-sdist", + "mypy", + "bcrypt", + "click", + "pytest", + "nox", + ) + install(session, "-e", "vectors/") session.run("ruff", ".") session.run("ruff", "format", "--check", ".") From 1e190d33c404115d6b96a1c29bb5cb436df8c167 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 27 Oct 2023 14:01:32 -0400 Subject: [PATCH 0620/1014] Run check-sdist with --no-isolation (#9791) * Run check-sdist with --no-isolation This is primarily useful for quick dev-cycles locally * Update noxfile.py --- noxfile.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 98ecdb619a4a..a8b10a6fbf25 100644 --- a/noxfile.py +++ b/noxfile.py @@ -158,6 +158,9 @@ def flake(session: nox.Session) -> None: # but not install us. install( session, + "setuptools-rust", + "cffi>=1.12; platform_python_implementation != 'PyPy'", + "wheel", "ruff", "check-sdist", "mypy", @@ -170,7 +173,7 @@ def flake(session: nox.Session) -> None: session.run("ruff", ".") session.run("ruff", "format", "--check", ".") - session.run("check-sdist") + session.run("check-sdist", "--no-isolation") session.run( "mypy", "src/cryptography/", From 8cce93bb492392ea4a1cd168511b9ccaf20cb7eb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 28 Oct 2023 00:17:53 +0000 Subject: [PATCH 0621/1014] Bump BoringSSL and/or OpenSSL in CI (#9793) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 129d30c0e990..9195ff66d8cb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 27, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3309ca66385ecb0c37f1ac1be9f88712e25aa8ec"}} - # Latest commit on the OpenSSL master branch, as of Oct 27, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "09298141592c579504966f1907a44cb95f37cc6e"}} + # Latest commit on the OpenSSL master branch, as of Oct 28, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "186b3f6a016de8fcf8573be111e3d174ca20f1bc"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From ed57fbb118a26346d92af95e98e39c82dc0768b8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 27 Oct 2023 20:54:05 -0400 Subject: [PATCH 0622/1014] Simplify code with new pyo3 method (#9794) --- src/rust/src/asn1.rs | 3 +-- src/rust/src/backend/ec.rs | 5 +---- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 5d8f2e1a95f2..6bed105518d8 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -8,7 +8,6 @@ use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; -use pyo3::basic::CompareOp; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; @@ -68,7 +67,7 @@ pub(crate) fn py_uint_to_big_endian_bytes<'p>( v: &'p pyo3::types::PyLong, ) -> pyo3::PyResult<&'p [u8]> { let zero = (0).to_object(py); - if v.rich_compare(zero, CompareOp::Lt)?.is_true()? { + if v.lt(zero)? { return Err(pyo3::exceptions::PyValueError::new_err( "Negative integers are not supported", )); diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 96e42f4ec3ec..885a5cbf4dc2 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -6,7 +6,6 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; use foreign_types_shared::ForeignTypeRef; -use pyo3::basic::CompareOp; use pyo3::ToPyObject; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] @@ -214,9 +213,7 @@ fn public_key_from_numbers( let py_y = numbers.getattr(pyo3::intern!(py, "y"))?; let zero = (0).to_object(py); - if py_x.rich_compare(&zero, CompareOp::Lt)?.is_true()? - || py_y.rich_compare(&zero, CompareOp::Lt)?.is_true()? - { + if py_x.lt(&zero)? || py_y.lt(&zero)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Invalid EC key. Both x and y must be non-negative.", From 3b39f657cb2a694e8fc289958ca723af7667c755 Mon Sep 17 00:00:00 2001 From: Alex Cameron Date: Sat, 28 Oct 2023 12:44:18 +1100 Subject: [PATCH 0623/1014] validation: add Rust-side extension validation helpers (#9781) * validation: add Rust-side extension validation helpers * rust: Add unit tests for criticality and basic extension policy flow * rust: Remove validators, these can be in a separate PR * rust: Fix comment * rust: Collapse criticality unit tests * rust: Test case where maybe present validator detects incorrect criticality * rust: Remove unused `PolicyError` variants * rust: Add unit test exercising formatting of `DuplicateExtensionsError` * rust: Remove the need for printing `DuplicateExtensionsError` --- .../src/policy/extension.rs | 400 ++++++++++++++++++ .../src/policy/mod.rs | 6 + src/rust/cryptography-x509/src/extensions.rs | 2 +- 3 files changed, 407 insertions(+), 1 deletion(-) create mode 100644 src/rust/cryptography-x509-validation/src/policy/extension.rs diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs new file mode 100644 index 000000000000..06d88c4e3ad7 --- /dev/null +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -0,0 +1,400 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use asn1::ObjectIdentifier; +use cryptography_x509::{ + certificate::Certificate, + extensions::{Extension, Extensions}, +}; + +use crate::ops::CryptoOps; + +use super::{Policy, PolicyError}; + +// TODO: Remove `dead_code` attributes once we start using these helpers. + +/// Represents different criticality states for an extension. +#[allow(dead_code)] +pub(crate) enum Criticality { + /// The extension MUST be marked as critical. + Critical, + /// The extension MAY be marked as critical. + Agnostic, + /// The extension MUST NOT be marked as critical. + NonCritical, +} + +#[allow(dead_code)] +impl Criticality { + pub(crate) fn permits(&self, critical: bool) -> bool { + match (self, critical) { + (Criticality::Critical, true) => true, + (Criticality::Critical, false) => false, + (Criticality::Agnostic, _) => true, + (Criticality::NonCritical, true) => false, + (Criticality::NonCritical, false) => true, + } + } +} + +#[allow(dead_code)] +type PresentExtensionValidatorCallback = + fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), PolicyError>; + +#[allow(dead_code)] +type MaybeExtensionValidatorCallback = + fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), PolicyError>; + +/// Represents different validation states for an extension. +#[allow(dead_code)] +pub(crate) enum ExtensionValidator { + /// The extension MUST NOT be present. + NotPresent, + /// The extension MUST be present. + Present { + /// The extension's criticality. + criticality: Criticality, + /// An optional validator over the extension's inner contents, with + /// the surrounding `Policy` as context. + validator: Option>, + }, + /// The extension MAY be present; the interior validator is + /// always called if supplied, including if the extension is not present. + MaybePresent { + criticality: Criticality, + validator: Option>, + }, +} + +/// A "policy" for validating a specific X.509v3 extension, identified by +/// its OID. +#[allow(dead_code)] +pub(crate) struct ExtensionPolicy { + pub(crate) oid: asn1::ObjectIdentifier, + pub(crate) validator: ExtensionValidator, +} + +#[allow(dead_code)] +impl ExtensionPolicy { + pub(crate) fn not_present(oid: ObjectIdentifier) -> Self { + Self { + oid, + validator: ExtensionValidator::NotPresent, + } + } + + pub(crate) fn present( + oid: ObjectIdentifier, + criticality: Criticality, + validator: Option>, + ) -> Self { + Self { + oid, + validator: ExtensionValidator::Present { + criticality, + validator, + }, + } + } + + pub(crate) fn maybe_present( + oid: ObjectIdentifier, + criticality: Criticality, + validator: Option>, + ) -> Self { + Self { + oid, + validator: ExtensionValidator::MaybePresent { + criticality, + validator, + }, + } + } + + pub(crate) fn permits( + &self, + policy: &Policy<'_, B>, + cert: &Certificate<'_>, + extensions: &Extensions<'_>, + ) -> Result<(), PolicyError> { + match (&self.validator, extensions.get_extension(&self.oid)) { + // Extension MUST NOT be present and isn't; OK. + (ExtensionValidator::NotPresent, None) => Ok(()), + // Extension MUST NOT be present but is; NOT OK. + (ExtensionValidator::NotPresent, Some(_)) => Err(PolicyError::Other( + "EE certificate contains prohibited extension", + )), + // Extension MUST be present but is not; NOT OK. + (ExtensionValidator::Present { .. }, None) => Err(PolicyError::Other( + "EE certificate is missing required extension", + )), + // Extension MUST be present and is; check it. + ( + ExtensionValidator::Present { + criticality, + validator, + }, + Some(extn), + ) => { + if !criticality.permits(extn.critical) { + return Err(PolicyError::Other( + "EE certificate extension has incorrect criticality", + )); + } + + // If a custom validator is supplied, apply it. + validator.map_or(Ok(()), |v| v(policy, cert, &extn)) + } + // Extension MAY be present. + ( + ExtensionValidator::MaybePresent { + criticality, + validator, + }, + extn, + ) => { + // If the extension is present, apply our criticality check. + if extn + .as_ref() + .map_or(false, |extn| !criticality.permits(extn.critical)) + { + return Err(PolicyError::Other( + "EE certificate extension has incorrect criticality", + )); + } + + // If a custom validator is supplied, apply it. + validator.map_or(Ok(()), |v| v(policy, cert, extn.as_ref())) + } + } + } +} + +#[cfg(test)] +mod tests { + use super::{Criticality, ExtensionPolicy}; + use crate::ops::tests::{cert, v1_cert_pem, NullOps}; + use crate::ops::CryptoOps; + use crate::policy::{Policy, PolicyError}; + use asn1::{ObjectIdentifier, SimpleAsn1Writable}; + use cryptography_x509::certificate::Certificate; + use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; + use cryptography_x509::oid::BASIC_CONSTRAINTS_OID; + + #[test] + fn test_criticality_variants() { + let criticality = Criticality::Critical; + assert!(criticality.permits(true)); + assert!(!criticality.permits(false)); + + let criticality = Criticality::Agnostic; + assert!(criticality.permits(true)); + assert!(criticality.permits(false)); + + let criticality = Criticality::NonCritical; + assert!(!criticality.permits(true)); + assert!(criticality.permits(false)); + } + + fn epoch() -> asn1::DateTime { + asn1::DateTime::new(1970, 1, 1, 0, 0, 0).unwrap() + } + + fn create_encoded_extensions( + oid: ObjectIdentifier, + critical: bool, + ext: &T, + ) -> Vec { + let ext_value = asn1::write_single(&ext).unwrap(); + let exts = vec![Extension { + extn_id: oid, + critical, + extn_value: &ext_value, + }]; + let der_exts = asn1::write_single(&asn1::SequenceOfWriter::new(exts)).unwrap(); + der_exts + } + + fn create_empty_encoded_extensions() -> Vec { + let exts: Vec> = vec![]; + let der_exts = asn1::write_single(&asn1::SequenceOfWriter::new(exts)).unwrap(); + der_exts + } + + fn present_extension_validator( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + _ext: &Extension<'_>, + ) -> Result<(), PolicyError> { + Ok(()) + } + + #[test] + fn test_extension_policy_present() { + // The certificate doesn't get used for this validator, so the certificate we use isn't important. + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); + let ops = NullOps {}; + let policy = Policy::new(ops, None, epoch()); + + // Test a policy that stipulates that a given extension MUST be present. + let extension_policy = ExtensionPolicy::present( + BASIC_CONSTRAINTS_OID, + Criticality::Critical, + Some(present_extension_validator), + ); + + // Check the case where the extension is present. + let bc = BasicConstraints { + ca: true, + path_length: Some(3), + }; + let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, true, &bc); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + + // Check the case where the extension isn't present. + let der_exts: Vec = create_empty_encoded_extensions(); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + } + + fn maybe_extension_validator( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + _ext: Option<&Extension<'_>>, + ) -> Result<(), PolicyError> { + Ok(()) + } + + #[test] + fn test_extension_policy_maybe() { + // The certificate doesn't get used for this validator, so the certificate we use isn't important. + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); + let ops = NullOps {}; + let policy = Policy::new(ops, None, epoch()); + + // Test a policy that stipulates that a given extension CAN be present. + let extension_policy = ExtensionPolicy::maybe_present( + BASIC_CONSTRAINTS_OID, + Criticality::Critical, + Some(maybe_extension_validator), + ); + + // Check the case where the extension is present. + let bc = BasicConstraints { + ca: false, + path_length: Some(3), + }; + let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, true, &bc); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + + // Check the case where the extension isn't present. + let der_exts: Vec = create_empty_encoded_extensions(); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + } + + #[test] + fn test_extension_policy_not_present() { + // The certificate doesn't get used for this validator, so the certificate we use isn't important. + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); + let ops = NullOps {}; + let policy = Policy::new(ops, None, epoch()); + + // Test a policy that stipulates that a given extension MUST NOT be present. + let extension_policy = ExtensionPolicy::not_present(BASIC_CONSTRAINTS_OID); + + // Check the case where the extension is present. + let bc = BasicConstraints { + ca: false, + path_length: Some(3), + }; + let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, true, &bc); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + + // Check the case where the extension isn't present. + let der_exts: Vec = create_empty_encoded_extensions(); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + } + + #[test] + fn test_extension_policy_present_incorrect_criticality() { + // The certificate doesn't get used for this validator, so the certificate we use isn't important. + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); + let ops = NullOps {}; + let policy = Policy::new(ops, None, epoch()); + + // Test a present policy that stipulates that a given extension MUST be critical. + let extension_policy = ExtensionPolicy::present( + BASIC_CONSTRAINTS_OID, + Criticality::Critical, + Some(present_extension_validator), + ); + + // Mark the extension as non-critical despite our policy stipulating that it must be critical. + let bc = BasicConstraints { + ca: true, + path_length: Some(3), + }; + let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, false, &bc); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + } + + #[test] + fn test_extension_policy_maybe_present_incorrect_criticality() { + // The certificate doesn't get used for this validator, so the certificate we use isn't important. + let cert_pem = v1_cert_pem(); + let cert = cert(&cert_pem); + let ops = NullOps {}; + let policy = Policy::new(ops, None, epoch()); + + // Test a maybe present policy that stipulates that a given extension MUST be critical. + let extension_policy = ExtensionPolicy::maybe_present( + BASIC_CONSTRAINTS_OID, + Criticality::Critical, + Some(maybe_extension_validator), + ); + + // Mark the extension as non-critical despite our policy stipulating that it must be critical. + let bc = BasicConstraints { + ca: true, + path_length: Some(3), + }; + let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, false, &bc); + let raw_exts = asn1::parse_single(&der_exts).unwrap(); + let exts = Extensions::from_raw_extensions(Some(&raw_exts)) + .ok() + .unwrap(); + assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + } +} diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index b9bc437901b3..725020c6a2b6 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +mod extension; + use std::collections::HashSet; use asn1::ObjectIdentifier; @@ -111,6 +113,10 @@ const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] = const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = &[BASIC_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID]; +pub enum PolicyError { + Other(&'static str), +} + /// Represents a logical certificate "subject," i.e. a principal matching /// one of the names listed in a certificate's `subjectAltNames` extension. pub enum Subject<'a> { diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index f4deb7c8451f..fd7a3aaa0a3a 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -295,7 +295,7 @@ impl KeyUsage<'_> { mod tests { use crate::oid::{AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID}; - use super::{BasicConstraints, Extension, Extensions, KeyUsage}; + use super::{BasicConstraints, DuplicateExtensionsError, Extension, Extensions, KeyUsage}; #[test] fn test_get_extension() { From 06fccfc50b130a88a67a14c13b62e4349dedd06f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 29 Oct 2023 12:59:59 +0000 Subject: [PATCH 0624/1014] Bump filelock from 3.12.4 to 3.13.0 (#9796) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.12.4 to 3.13.0. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.12.4...3.13.0) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2087f30e4b47..2f059cf7bdd0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.1.3 # via pytest execnet==2.0.2 # via pytest-xdist -filelock==3.12.4; python_version >= "3.8" +filelock==3.13.0; python_version >= "3.8" # via virtualenv idna==3.4 # via requests From b9f1e3e27b10a8db541feeb366d253e3a180f4f3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 29 Oct 2023 13:30:23 -0400 Subject: [PATCH 0625/1014] Use a newer rust in RTD (#9797) * Use a newer rust in RTD Should make it a smidge faster * Update .readthedocs.yml --- .readthedocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.readthedocs.yml b/.readthedocs.yml index 40d9cc7ae84f..8a37ec36404d 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -15,7 +15,7 @@ build: os: "ubuntu-22.04" tools: python: "3.11" - rust: "1.64" + rust: "1.70" python: install: From e597ae7df8983432c71697028be5eb4029bb9aea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 07:07:51 -0400 Subject: [PATCH 0626/1014] Bump wheel from 0.41.2 to 0.41.3 in /.github/requirements (#9798) Bumps [wheel](https://github.com/pypa/wheel) from 0.41.2 to 0.41.3. - [Release notes](https://github.com/pypa/wheel/releases) - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](https://github.com/pypa/wheel/compare/0.41.2...0.41.3) --- updated-dependencies: - dependency-name: wheel dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index ca671a99d910..b9639cc4b3d2 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -74,9 +74,9 @@ tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -wheel==0.41.2 \ - --hash=sha256:0c5ac5ff2afb79ac23ab82bab027a0be7b5dbcf2e54dc50efe4bf507de1f7985 \ - --hash=sha256:75909db2664838d015e3d9139004ee16711748a52c8f336b52882266540215d8 +wheel==0.41.3 \ + --hash=sha256:488609bc63a29322326e05560731bf7bfea8e48ad646e1f5e40d366607de0942 \ + --hash=sha256:4d4987ce51a49370ea65c0bfd2234e8ce80a12780820d9dc462597a6e60d0841 # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: From 4285077336427be0dce91ad2867ced1b255f0121 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 30 Oct 2023 23:25:25 +0100 Subject: [PATCH 0627/1014] X.509: Add WebPKI SPKI AlgorithmIdentifiers (#9800) * x509: add WebPKI SPKI AlgorithmIdentifiers Signed-off-by: William Woodruff * x509: add EcParameters This allows us to encode non-namedCurve forms, which are already supported and tested for. Signed-off-by: William Woodruff * use Sequence for SpecifiedCurve Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 121 ++++++++++++++---- src/rust/cryptography-x509/src/common.rs | 22 ++++ src/rust/cryptography-x509/src/oid.rs | 7 + 3 files changed, 122 insertions(+), 28 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 725020c6a2b6..fcc2adbeb994 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -10,19 +10,53 @@ use asn1::ObjectIdentifier; use once_cell::sync::Lazy; use cryptography_x509::common::{ - AlgorithmIdentifier, AlgorithmParameters, RsaPssParameters, PSS_SHA256_HASH_ALG, + AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, PSS_SHA256_HASH_ALG, PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, PSS_SHA512_HASH_ALG, PSS_SHA512_MASK_GEN_ALG, }; use cryptography_x509::extensions::SubjectAlternativeName; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ - BASIC_CONSTRAINTS_OID, EKU_SERVER_AUTH_OID, KEY_USAGE_OID, SUBJECT_ALTERNATIVE_NAME_OID, + BASIC_CONSTRAINTS_OID, EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID, + KEY_USAGE_OID, SUBJECT_ALTERNATIVE_NAME_OID, }; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress, IPConstraint}; +// SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1. + +// RSA +static SPKI_RSA: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Rsa(Some(())), +}; + +// SECP256R1 +static SPKI_SECP256R1: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Ec(EcParameters::NamedCurve(EC_SECP256R1)), +}; + +// SECP384R1 +static SPKI_SECP384R1: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Ec(EcParameters::NamedCurve(EC_SECP384R1)), +}; + +// SECP521R1 +static SPKI_SECP521R1: AlgorithmIdentifier<'_> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Ec(EcParameters::NamedCurve(EC_SECP521R1)), +}; + +/// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.1 (page 96) +/// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf +pub static WEBPKI_PERMITTED_SPKI_ALGORITHMS: Lazy>> = + Lazy::new(|| HashSet::from([&SPKI_RSA, &SPKI_SECP256R1, &SPKI_SECP384R1, &SPKI_SECP521R1])); + +// Signature AlgorithmIdentifier constants, as defined in CA/B 7.1.3.2. + // RSASSA‐PKCS1‐v1_5 with SHA‐256 static RSASSA_PKCS1V15_SHA256: AlgorithmIdentifier<'_> = AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -94,19 +128,20 @@ static ECDSA_SHA512: AlgorithmIdentifier<'_> = AlgorithmIdentifier { /// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.2 (pages 96-98) /// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf -pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy>> = Lazy::new(|| { - HashSet::from([ - &RSASSA_PKCS1V15_SHA256, - &RSASSA_PKCS1V15_SHA384, - &RSASSA_PKCS1V15_SHA512, - &RSASSA_PSS_SHA256, - &RSASSA_PSS_SHA384, - &RSASSA_PSS_SHA512, - &ECDSA_SHA256, - &ECDSA_SHA384, - &ECDSA_SHA512, - ]) -}); +pub static WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS: Lazy>> = + Lazy::new(|| { + HashSet::from([ + &RSASSA_PKCS1V15_SHA256, + &RSASSA_PKCS1V15_SHA384, + &RSASSA_PKCS1V15_SHA512, + &RSASSA_PSS_SHA256, + &RSASSA_PSS_SHA384, + &RSASSA_PSS_SHA512, + &ECDSA_SHA256, + &ECDSA_SHA384, + &ECDSA_SHA512, + ]) + }); const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] = &[BASIC_CONSTRAINTS_OID, KEY_USAGE_OID]; @@ -204,7 +239,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), permitted_algorithms: Some( - WEBPKI_PERMITTED_ALGORITHMS + WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS .clone() .into_iter() .cloned() @@ -228,20 +263,50 @@ mod tests { use crate::{ ops::tests::NullOps, - policy::{Subject, RFC5280_CRITICAL_CA_EXTENSIONS, RFC5280_CRITICAL_EE_EXTENSIONS}, + policy::{ + Subject, RFC5280_CRITICAL_CA_EXTENSIONS, RFC5280_CRITICAL_EE_EXTENSIONS, SPKI_RSA, + SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1, WEBPKI_PERMITTED_SPKI_ALGORITHMS, + }, types::{DNSName, IPAddress}, }; use super::{ Policy, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, - RSASSA_PSS_SHA512, WEBPKI_PERMITTED_ALGORITHMS, + RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, }; #[test] - fn test_webpki_permitted_algorithms_canonical_encodings() { + fn test_webpki_permitted_spki_algorithms_canonical_encodings() { + { + assert!(WEBPKI_PERMITTED_SPKI_ALGORITHMS.contains(&SPKI_RSA)); + let exp_encoding = b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00"; + assert_eq!(asn1::write_single(&SPKI_RSA).unwrap(), exp_encoding); + } + + { + assert!(WEBPKI_PERMITTED_SPKI_ALGORITHMS.contains(&SPKI_SECP256R1)); + let exp_encoding = b"0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07"; + assert_eq!(asn1::write_single(&SPKI_SECP256R1).unwrap(), exp_encoding); + } + + { + assert!(WEBPKI_PERMITTED_SPKI_ALGORITHMS.contains(&SPKI_SECP384R1)); + let exp_encoding = b"0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00\""; + assert_eq!(asn1::write_single(&SPKI_SECP384R1).unwrap(), exp_encoding); + } + + { + assert!(WEBPKI_PERMITTED_SPKI_ALGORITHMS.contains(&SPKI_SECP521R1)); + let exp_encoding = b"0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00#"; + assert_eq!(asn1::write_single(&SPKI_SECP521R1).unwrap(), exp_encoding); + } + } + + #[test] + fn test_webpki_permitted_signature_algorithms_canonical_encodings() { { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA256)); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA256)); let exp_encoding = b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00"; assert_eq!( asn1::write_single(&RSASSA_PKCS1V15_SHA256).unwrap(), @@ -250,7 +315,7 @@ mod tests { } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA384)); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA384)); let exp_encoding = b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0c\x05\x00"; assert_eq!( asn1::write_single(&RSASSA_PKCS1V15_SHA384).unwrap(), @@ -259,7 +324,7 @@ mod tests { } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA512)); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PKCS1V15_SHA512)); let exp_encoding = b"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\r\x05\x00"; assert_eq!( asn1::write_single(&RSASSA_PKCS1V15_SHA512).unwrap(), @@ -268,7 +333,7 @@ mod tests { } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PSS_SHA256.deref())); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PSS_SHA256.deref())); let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x01\x05\x00\xa2\x03\x02\x01 "; assert_eq!( asn1::write_single(&RSASSA_PSS_SHA256.deref()).unwrap(), @@ -277,7 +342,7 @@ mod tests { } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PSS_SHA384.deref())); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PSS_SHA384.deref())); let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x02\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x02\x05\x00\xa2\x03\x02\x010"; assert_eq!( asn1::write_single(&RSASSA_PSS_SHA384.deref()).unwrap(), @@ -286,7 +351,7 @@ mod tests { } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&RSASSA_PSS_SHA512.deref())); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&RSASSA_PSS_SHA512.deref())); let exp_encoding = b"0A\x06\t*\x86H\x86\xf7\r\x01\x01\n04\xa0\x0f0\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\xa1\x1c0\x1a\x06\t*\x86H\x86\xf7\r\x01\x01\x080\r\x06\t`\x86H\x01e\x03\x04\x02\x03\x05\x00\xa2\x03\x02\x01@"; assert_eq!( asn1::write_single(&RSASSA_PSS_SHA512.deref()).unwrap(), @@ -295,19 +360,19 @@ mod tests { } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&ECDSA_SHA256)); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&ECDSA_SHA256)); let exp_encoding = b"0\n\x06\x08*\x86H\xce=\x04\x03\x02"; assert_eq!(asn1::write_single(&ECDSA_SHA256).unwrap(), exp_encoding); } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&ECDSA_SHA384)); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&ECDSA_SHA384)); let exp_encoding = b"0\n\x06\x08*\x86H\xce=\x04\x03\x03"; assert_eq!(asn1::write_single(&ECDSA_SHA384).unwrap(), exp_encoding); } { - assert!(WEBPKI_PERMITTED_ALGORITHMS.contains(&ECDSA_SHA512)); + assert!(WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS.contains(&ECDSA_SHA512)); let exp_encoding = b"0\n\x06\x08*\x86H\xce=\x04\x03\x04"; assert_eq!(asn1::write_single(&ECDSA_SHA512).unwrap(), exp_encoding); } diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index d8184d17c0b8..263d78e0d18f 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -45,6 +45,13 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::ED448_OID)] Ed448, + // These encodings are only used in SPKI AlgorithmIdentifiers. + #[defined_by(oid::EC_OID)] + Ec(EcParameters<'a>), + + #[defined_by(oid::RSA_OID)] + Rsa(Option), + // These ECDSA algorithms should have no parameters, // but Java 11 (up to at least 11.0.19) encodes them // with NULL parameters. The JDK team is looking to @@ -281,6 +288,21 @@ pub const PSS_SHA512_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm { params: PSS_SHA512_HASH_ALG, }; +// From RFC 5480 section 2.1.1: +// ECParameters ::= CHOICE { +// namedCurve OBJECT IDENTIFIER +// -- implicitCurve NULL +// -- specifiedCurve SpecifiedECDomain } +// +// Only the namedCurve form may appear in PKIX. Other forms may be found in +// other PKIs. +#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, Clone, PartialEq, Eq, Debug)] +pub enum EcParameters<'a> { + NamedCurve(asn1::ObjectIdentifier), + ImplicitCurve(asn1::Null), + SpecifiedCurve(asn1::Sequence<'a>), +} + // From RFC 4055 section 3.1: // RSASSA-PSS-params ::= SEQUENCE { // hashAlgorithm [0] HashAlgorithm DEFAULT diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index f77524418860..8d3e3543d1b5 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs @@ -45,6 +45,13 @@ pub const INHIBIT_ANY_POLICY_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, pub const ACCEPTABLE_RESPONSES_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 4); +// Public key identifiers +pub const EC_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 2, 1); +pub const EC_SECP256R1: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 3, 1, 7); +pub const EC_SECP384R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 34); +pub const EC_SECP521R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 35); +pub const RSA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 1, 1); + // Signing methods pub const ECDSA_WITH_SHA224_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 4, 3, 1); pub const ECDSA_WITH_SHA256_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 4, 3, 2); From f15b07899ede5983b5809699ba1ffe73589cecad Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 30 Oct 2023 23:50:15 +0100 Subject: [PATCH 0628/1014] validation: add permitted_public_key_algorithms (#9801) Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index fcc2adbeb994..5d1a92cc6630 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -215,6 +215,15 @@ pub struct Policy<'a, B: CryptoOps> { /// An extended key usage that must appear in EEs validated by this policy. pub extended_key_usage: ObjectIdentifier, + /// The set of permitted public key algorithms, identified by their + /// algorithm identifiers. + /// + /// If not `None`, all certificates validated by this policy MUST + /// have a public key algorithm in this set. + /// + /// If `None`, all public key algorithms are permitted. + pub permitted_public_key_algorithms: Option>>, + /// The set of permitted signature algorithms, identified by their /// algorithm identifiers. /// @@ -222,7 +231,7 @@ pub struct Policy<'a, B: CryptoOps> { /// have a signature algorithm in this set. /// /// If `None`, all signature algorithms are permitted. - pub permitted_algorithms: Option>>, + pub permitted_signature_algorithms: Option>>, pub critical_ca_extensions: HashSet, pub critical_ee_extensions: HashSet, @@ -238,7 +247,14 @@ impl<'a, B: CryptoOps> Policy<'a, B> { subject, validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), - permitted_algorithms: Some( + permitted_public_key_algorithms: Some( + WEBPKI_PERMITTED_SPKI_ALGORITHMS + .clone() + .into_iter() + .cloned() + .collect(), + ), + permitted_signature_algorithms: Some( WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS .clone() .into_iter() From e9398c1bd006bf48d5867474fdf87d9955ec0326 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 20:43:16 -0400 Subject: [PATCH 0629/1014] Bump BoringSSL and/or OpenSSL in CI (#9802) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9195ff66d8cb..2541ddd9e543 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Oct 27, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3309ca66385ecb0c37f1ac1be9f88712e25aa8ec"}} - # Latest commit on the OpenSSL master branch, as of Oct 28, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "186b3f6a016de8fcf8573be111e3d174ca20f1bc"}} + # Latest commit on the OpenSSL master branch, as of Oct 31, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "497a7810bcee48781aa12d4db870f6a565bd0592"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From aad2484707683edd5dd0a547225b4a60f55def6e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Oct 2023 07:10:51 -0400 Subject: [PATCH 0630/1014] Bump filelock from 3.13.0 to 3.13.1 (#9803) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.13.0 to 3.13.1. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.13.0...3.13.1) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2f059cf7bdd0..da11c2fde4c0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.1.3 # via pytest execnet==2.0.2 # via pytest-xdist -filelock==3.13.0; python_version >= "3.8" +filelock==3.13.1; python_version >= "3.8" # via virtualenv idna==3.4 # via requests From e828151d1e8dc2e4db8f719c03d838f883375cdc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 31 Oct 2023 07:14:20 -0400 Subject: [PATCH 0631/1014] Bump setuptools-rust from 1.8.0 to 1.8.1 in /.github/requirements (#9804) Bumps [setuptools-rust](https://github.com/PyO3/setuptools-rust) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/PyO3/setuptools-rust/releases) - [Changelog](https://github.com/PyO3/setuptools-rust/blob/main/CHANGELOG.md) - [Commits](https://github.com/PyO3/setuptools-rust/compare/v1.8.0...v1.8.1) --- updated-dependencies: - dependency-name: setuptools-rust dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index b9639cc4b3d2..02760a9d87e5 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -66,9 +66,9 @@ semantic-version==2.10.0 \ --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 # via setuptools-rust -setuptools-rust==1.8.0 \ - --hash=sha256:5e02b7a80058853bf64127314f6b97d0efed11e08b94c88ca639a20976f6adc4 \ - --hash=sha256:95ec67edee2ca73233c9e75250e9d23a302aa23b4c8413dfd19c14c30d08f703 +setuptools-rust==1.8.1 \ + --hash=sha256:94b1dd5d5308b3138d5b933c3a2b55e6d6927d1a22632e509fcea9ddd0f7e486 \ + --hash=sha256:b5324493949ccd6aa0c03890c5f6b5f02de4512e3ac1697d02e9a6c02b18aa8e # via -r build-requirements.in tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ From d643b04eb7012236e10edc6f02125fa2cf19a699 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 31 Oct 2023 15:03:35 -0400 Subject: [PATCH 0632/1014] Add top-level ServerVerifier.verify API (#9805) * Add top-level ServerVerifier.verify API This is a breakout from #8873, with just the interface/types and a `NotImplementedError` stub. Signed-off-by: William Woodruff * verification: move Store into PolicyBuilder/ServerVerifier Signed-off-by: William Woodruff * verification: docs Signed-off-by: William Woodruff * lintage Signed-off-by: William Woodruff * docs: document ServerVerifier.store Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- docs/x509/verification.rst | 14 +++++ .../hazmat/bindings/_rust/x509.pyi | 8 +++ src/cryptography/x509/verification.py | 25 ++++++-- src/rust/cryptography-x509/src/extensions.rs | 2 +- src/rust/src/x509/verify.rs | 13 +++++ tests/x509/test_verification.py | 57 +++++++++++++++---- 6 files changed, 102 insertions(+), 17 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 3964e4384bc6..2a074b945ccc 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -57,6 +57,12 @@ chain building, etc. The verifier's validation time. + .. attribute:: store + + :type: :class:`Store` + + The verifier's trust store. + .. class:: PolicyBuilder .. versionadded:: 42.0.0 @@ -75,6 +81,14 @@ chain building, etc. :returns: A new instance of :class:`PolicyBuilder` + .. method:: store(new_store) + + Sets the verifier's trust store. + + :param new_store: The :class:`Store` to use in the verifier + + :returns: A new instance of :class:`PolicyBuilder` + .. method:: build_server_verifier(subject) Builds a verifier for verifying server certificates. diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 19b5a70b0a77..c1ef852ee76e 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -39,6 +39,7 @@ def create_x509_crl( ) -> x509.CertificateRevocationList: ... def create_server_verifier( name: x509.verification.Subject, + store: Store, time: datetime.datetime | None, ) -> x509.verification.ServerVerifier: ... @@ -53,6 +54,13 @@ class ServerVerifier: def subject(self) -> x509.verification.Subject: ... @property def validation_time(self) -> datetime.datetime: ... + @property + def store(self) -> Store: ... + def verify( + self, + leaf: x509.Certificate, + intermediates: list[x509.Certificate], + ) -> list[x509.Certificate]: ... class Store: def __init__(self, certs: list[x509.Certificate]) -> None: ... diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index 8fe2f3b55487..bf200f73a724 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -24,8 +24,10 @@ def __init__( self, *, time: datetime.datetime | None = None, + store: Store | None = None, ): self._time = time + self._store = store def time(self, new_time: datetime.datetime) -> PolicyBuilder: """ @@ -34,13 +36,28 @@ def time(self, new_time: datetime.datetime) -> PolicyBuilder: if self._time is not None: raise ValueError("The validation time may only be set once.") - return PolicyBuilder( - time=new_time, - ) + return PolicyBuilder(time=new_time, store=self._store) + + def store(self, new_store: Store) -> PolicyBuilder: + """ + Sets the trust store. + """ + + if self._store is not None: + raise ValueError("The trust store may only be set once.") + + return PolicyBuilder(time=self._time, store=new_store) def build_server_verifier(self, subject: Subject) -> ServerVerifier: """ Builds a verifier for verifying server certificates. """ - return rust_x509.create_server_verifier(subject, self._time) + if self._store is None: + raise ValueError("A server verifier must have a trust store") + + return rust_x509.create_server_verifier( + subject, + self._store, + self._time, + ) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index fd7a3aaa0a3a..f4deb7c8451f 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -295,7 +295,7 @@ impl KeyUsage<'_> { mod tests { use crate::oid::{AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID}; - use super::{BasicConstraints, DuplicateExtensionsError, Extension, Extensions, KeyUsage}; + use super::{BasicConstraints, Extension, Extensions, KeyUsage}; #[test] fn test_get_extension() { diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 9f440b3f1358..992d27fbf73e 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -76,6 +76,8 @@ struct PyServerVerifier { #[pyo3(get, name = "subject")] py_subject: pyo3::Py, policy: OwnedPolicy, + #[pyo3(get)] + store: pyo3::Py, } impl PyServerVerifier { @@ -90,6 +92,15 @@ impl PyServerVerifier { fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { datetime_to_py(py, &self.as_policy().validation_time) } + + fn verify<'p>( + &self, + _py: pyo3::Python<'p>, + _leaf: &PyCertificate, + _intermediates: &'p pyo3::types::PyList, + ) -> CryptographyResult> { + Err(pyo3::exceptions::PyNotImplementedError::new_err("unimplemented").into()) + } } fn build_subject_owner( @@ -142,6 +153,7 @@ fn build_subject<'a>( fn create_server_verifier( py: pyo3::Python<'_>, subject: pyo3::Py, + store: pyo3::Py, time: Option<&pyo3::PyAny>, ) -> pyo3::PyResult { let time = match time { @@ -162,6 +174,7 @@ fn create_server_verifier( Ok(PyServerVerifier { py_subject: subject, policy, + store, }) } diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 5b0c354d8150..d5e575a4724f 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -4,6 +4,7 @@ import datetime import os +from functools import lru_cache from ipaddress import IPv4Address import pytest @@ -14,6 +15,15 @@ from tests.x509.test_x509 import _load_cert +@lru_cache(maxsize=1) +def dummy_store() -> Store: + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + ) + return Store([cert]) + + class TestPolicyBuilder: def test_time_already_set(self): with pytest.raises(ValueError): @@ -21,46 +31,61 @@ def test_time_already_set(self): datetime.datetime.now() ) + def test_store_already_set(self): + with pytest.raises(ValueError): + PolicyBuilder().store(dummy_store()).store(dummy_store()) + def test_ipaddress_subject(self): - policy = PolicyBuilder().build_server_verifier( - IPAddress(IPv4Address("0.0.0.0")) + policy = ( + PolicyBuilder() + .store(dummy_store()) + .build_server_verifier(IPAddress(IPv4Address("0.0.0.0"))) ) assert policy.subject == IPAddress(IPv4Address("0.0.0.0")) def test_dnsname_subject(self): - policy = PolicyBuilder().build_server_verifier( - DNSName("cryptography.io") + policy = ( + PolicyBuilder() + .store(dummy_store()) + .build_server_verifier(DNSName("cryptography.io")) ) assert policy.subject == DNSName("cryptography.io") def test_subject_bad_types(self): # Subject must be a supported GeneralName type with pytest.raises(TypeError): - PolicyBuilder().build_server_verifier( + PolicyBuilder().store(dummy_store()).build_server_verifier( "cryptography.io" # type: ignore[arg-type] ) with pytest.raises(TypeError): - PolicyBuilder().build_server_verifier( + PolicyBuilder().store(dummy_store()).build_server_verifier( "0.0.0.0" # type: ignore[arg-type] ) with pytest.raises(TypeError): - PolicyBuilder().build_server_verifier( + PolicyBuilder().store(dummy_store()).build_server_verifier( IPv4Address("0.0.0.0") # type: ignore[arg-type] ) with pytest.raises(TypeError): - PolicyBuilder().build_server_verifier( - None # type: ignore[arg-type] - ) + PolicyBuilder().store(dummy_store()).build_server_verifier(None) # type: ignore[arg-type] def test_builder_pattern(self): now = datetime.datetime.now().replace(microsecond=0) + store = dummy_store() builder = PolicyBuilder() builder = builder.time(now) + builder = builder.store(store) verifier = builder.build_server_verifier(DNSName("cryptography.io")) assert verifier.subject == DNSName("cryptography.io") assert verifier.validation_time == now + assert verifier.store == store + + def test_build_server_verifier_missing_store(self): + with pytest.raises( + ValueError, match="A server verifier must have a trust store" + ): + PolicyBuilder().build_server_verifier(DNSName("cryptography.io")) class TestStore: @@ -72,9 +97,17 @@ def test_store_rejects_non_certificates(self): with pytest.raises(TypeError): Store(["not a cert"]) # type: ignore[list-item] - def test_store_initializes(self): + +class TestServerVerifier: + def test_not_implemented(self): + verifier = ( + PolicyBuilder() + .store(dummy_store()) + .build_server_verifier(DNSName("cryptography.io")) + ) cert = _load_cert( os.path.join("x509", "cryptography.io.pem"), x509.load_pem_x509_certificate, ) - assert Store([cert]) is not None + with pytest.raises(NotImplementedError): + verifier.verify(cert, []) From 94f732bf0fffebb478caf0cedd37a210db94918b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 31 Oct 2023 17:20:11 -0400 Subject: [PATCH 0633/1014] Skip llvm-tools-preview where not relevant (#9806) * Skip llvm-tools-preview where not relevant * skip here too --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2541ddd9e543..e28a22542bc0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -75,9 +75,11 @@ jobs: if: matrix.PYTHON.RUST - run: rustup component add llvm-tools-preview + if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' - name: Clone wycheproof timeout-minutes: 2 uses: ./.github/actions/wycheproof + if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' && matrix.PYTHON.NOXSESSION != 'rust' - name: Compute config hash and set config vars run: | DEFAULT_CONFIG_FLAGS="shared no-ssl2 no-ssl3" From 3e45f98807856d822aaee0c35b6bb34fd7098662 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 31 Oct 2023 21:03:37 -0400 Subject: [PATCH 0634/1014] Bump BoringSSL and/or OpenSSL in CI (#9808) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e28a22542bc0..8e155e5a9df6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Oct 27, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "3309ca66385ecb0c37f1ac1be9f88712e25aa8ec"}} - # Latest commit on the OpenSSL master branch, as of Oct 31, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "497a7810bcee48781aa12d4db870f6a565bd0592"}} + # Latest commit on the BoringSSL master branch, as of Nov 01, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "2a33faebe1827956e7fca8cbb15e2ca79b292d9c"}} + # Latest commit on the OpenSSL master branch, as of Nov 01, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8d13d9e7305643c28c69c57df798b553b78c2876"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 086da142a02720a1c04cf646b14f16fcf066213a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Nov 2023 13:30:59 -0400 Subject: [PATCH 0635/1014] Bump charset-normalizer from 3.3.1 to 3.3.2 in /.github/requirements (#9809) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.1 to 3.3.2. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.1...3.3.2) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 186 +++++++++--------- 1 file changed, 95 insertions(+), 91 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 0a8068fa6d2f..67325ca32099 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -74,97 +74,97 @@ cffi==1.16.0 \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via cryptography -charset-normalizer==3.3.1 \ - --hash=sha256:06cf46bdff72f58645434d467bf5228080801298fbba19fe268a01b4534467f5 \ - --hash=sha256:0c8c61fb505c7dad1d251c284e712d4e0372cef3b067f7ddf82a7fa82e1e9a93 \ - --hash=sha256:10b8dd31e10f32410751b3430996f9807fc4d1587ca69772e2aa940a82ab571a \ - --hash=sha256:1171ef1fc5ab4693c5d151ae0fdad7f7349920eabbaca6271f95969fa0756c2d \ - --hash=sha256:17a866d61259c7de1bdadef418a37755050ddb4b922df8b356503234fff7932c \ - --hash=sha256:1d6bfc32a68bc0933819cfdfe45f9abc3cae3877e1d90aac7259d57e6e0f85b1 \ - --hash=sha256:1ec937546cad86d0dce5396748bf392bb7b62a9eeb8c66efac60e947697f0e58 \ - --hash=sha256:223b4d54561c01048f657fa6ce41461d5ad8ff128b9678cfe8b2ecd951e3f8a2 \ - --hash=sha256:2465aa50c9299d615d757c1c888bc6fef384b7c4aec81c05a0172b4400f98557 \ - --hash=sha256:28f512b9a33235545fbbdac6a330a510b63be278a50071a336afc1b78781b147 \ - --hash=sha256:2c092be3885a1b7899cd85ce24acedc1034199d6fca1483fa2c3a35c86e43041 \ - --hash=sha256:2c4c99f98fc3a1835af8179dcc9013f93594d0670e2fa80c83aa36346ee763d2 \ - --hash=sha256:31445f38053476a0c4e6d12b047b08ced81e2c7c712e5a1ad97bc913256f91b2 \ - --hash=sha256:31bbaba7218904d2eabecf4feec0d07469284e952a27400f23b6628439439fa7 \ - --hash=sha256:34d95638ff3613849f473afc33f65c401a89f3b9528d0d213c7037c398a51296 \ - --hash=sha256:352a88c3df0d1fa886562384b86f9a9e27563d4704ee0e9d56ec6fcd270ea690 \ - --hash=sha256:39b70a6f88eebe239fa775190796d55a33cfb6d36b9ffdd37843f7c4c1b5dc67 \ - --hash=sha256:3c66df3f41abee950d6638adc7eac4730a306b022570f71dd0bd6ba53503ab57 \ - --hash=sha256:3f70fd716855cd3b855316b226a1ac8bdb3caf4f7ea96edcccc6f484217c9597 \ - --hash=sha256:3f9bc2ce123637a60ebe819f9fccc614da1bcc05798bbbaf2dd4ec91f3e08846 \ - --hash=sha256:3fb765362688821404ad6cf86772fc54993ec11577cd5a92ac44b4c2ba52155b \ - --hash=sha256:45f053a0ece92c734d874861ffe6e3cc92150e32136dd59ab1fb070575189c97 \ - --hash=sha256:46fb9970aa5eeca547d7aa0de5d4b124a288b42eaefac677bde805013c95725c \ - --hash=sha256:4cb50a0335382aac15c31b61d8531bc9bb657cfd848b1d7158009472189f3d62 \ - --hash=sha256:4e12f8ee80aa35e746230a2af83e81bd6b52daa92a8afaef4fea4a2ce9b9f4fa \ - --hash=sha256:4f3100d86dcd03c03f7e9c3fdb23d92e32abbca07e7c13ebd7ddfbcb06f5991f \ - --hash=sha256:4f6e2a839f83a6a76854d12dbebde50e4b1afa63e27761549d006fa53e9aa80e \ - --hash=sha256:4f861d94c2a450b974b86093c6c027888627b8082f1299dfd5a4bae8e2292821 \ - --hash=sha256:501adc5eb6cd5f40a6f77fbd90e5ab915c8fd6e8c614af2db5561e16c600d6f3 \ - --hash=sha256:520b7a142d2524f999447b3a0cf95115df81c4f33003c51a6ab637cbda9d0bf4 \ - --hash=sha256:548eefad783ed787b38cb6f9a574bd8664468cc76d1538215d510a3cd41406cb \ - --hash=sha256:555fe186da0068d3354cdf4bbcbc609b0ecae4d04c921cc13e209eece7720727 \ - --hash=sha256:55602981b2dbf8184c098bc10287e8c245e351cd4fdcad050bd7199d5a8bf514 \ - --hash=sha256:58e875eb7016fd014c0eea46c6fa92b87b62c0cb31b9feae25cbbe62c919f54d \ - --hash=sha256:5a3580a4fdc4ac05f9e53c57f965e3594b2f99796231380adb2baaab96e22761 \ - --hash=sha256:5b70bab78accbc672f50e878a5b73ca692f45f5b5e25c8066d748c09405e6a55 \ - --hash=sha256:5ceca5876032362ae73b83347be8b5dbd2d1faf3358deb38c9c88776779b2e2f \ - --hash=sha256:61f1e3fb621f5420523abb71f5771a204b33c21d31e7d9d86881b2cffe92c47c \ - --hash=sha256:633968254f8d421e70f91c6ebe71ed0ab140220469cf87a9857e21c16687c034 \ - --hash=sha256:63a6f59e2d01310f754c270e4a257426fe5a591dc487f1983b3bbe793cf6bac6 \ - --hash=sha256:63accd11149c0f9a99e3bc095bbdb5a464862d77a7e309ad5938fbc8721235ae \ - --hash=sha256:6db3cfb9b4fcecb4390db154e75b49578c87a3b9979b40cdf90d7e4b945656e1 \ - --hash=sha256:71ef3b9be10070360f289aea4838c784f8b851be3ba58cf796262b57775c2f14 \ - --hash=sha256:7ae8e5142dcc7a49168f4055255dbcced01dc1714a90a21f87448dc8d90617d1 \ - --hash=sha256:7b6cefa579e1237ce198619b76eaa148b71894fb0d6bcf9024460f9bf30fd228 \ - --hash=sha256:800561453acdecedaac137bf09cd719c7a440b6800ec182f077bb8e7025fb708 \ - --hash=sha256:82ca51ff0fc5b641a2d4e1cc8c5ff108699b7a56d7f3ad6f6da9dbb6f0145b48 \ - --hash=sha256:851cf693fb3aaef71031237cd68699dded198657ec1e76a76eb8be58c03a5d1f \ - --hash=sha256:854cc74367180beb327ab9d00f964f6d91da06450b0855cbbb09187bcdb02de5 \ - --hash=sha256:87071618d3d8ec8b186d53cb6e66955ef2a0e4fa63ccd3709c0c90ac5a43520f \ - --hash=sha256:871d045d6ccc181fd863a3cd66ee8e395523ebfbc57f85f91f035f50cee8e3d4 \ - --hash=sha256:8aee051c89e13565c6bd366813c386939f8e928af93c29fda4af86d25b73d8f8 \ - --hash=sha256:8af5a8917b8af42295e86b64903156b4f110a30dca5f3b5aedea123fbd638bff \ - --hash=sha256:8ec8ef42c6cd5856a7613dcd1eaf21e5573b2185263d87d27c8edcae33b62a61 \ - --hash=sha256:91e43805ccafa0a91831f9cd5443aa34528c0c3f2cc48c4cb3d9a7721053874b \ - --hash=sha256:9505dc359edb6a330efcd2be825fdb73ee3e628d9010597aa1aee5aa63442e97 \ - --hash=sha256:985c7965f62f6f32bf432e2681173db41336a9c2611693247069288bcb0c7f8b \ - --hash=sha256:9a74041ba0bfa9bc9b9bb2cd3238a6ab3b7618e759b41bd15b5f6ad958d17605 \ - --hash=sha256:9edbe6a5bf8b56a4a84533ba2b2f489d0046e755c29616ef8830f9e7d9cf5728 \ - --hash=sha256:a15c1fe6d26e83fd2e5972425a772cca158eae58b05d4a25a4e474c221053e2d \ - --hash=sha256:a66bcdf19c1a523e41b8e9d53d0cedbfbac2e93c649a2e9502cb26c014d0980c \ - --hash=sha256:ae4070f741f8d809075ef697877fd350ecf0b7c5837ed68738607ee0a2c572cf \ - --hash=sha256:ae55d592b02c4349525b6ed8f74c692509e5adffa842e582c0f861751701a673 \ - --hash=sha256:b578cbe580e3b41ad17b1c428f382c814b32a6ce90f2d8e39e2e635d49e498d1 \ - --hash=sha256:b891a2f68e09c5ef989007fac11476ed33c5c9994449a4e2c3386529d703dc8b \ - --hash=sha256:baec8148d6b8bd5cee1ae138ba658c71f5b03e0d69d5907703e3e1df96db5e41 \ - --hash=sha256:bb06098d019766ca16fc915ecaa455c1f1cd594204e7f840cd6258237b5079a8 \ - --hash=sha256:bc791ec3fd0c4309a753f95bb6c749ef0d8ea3aea91f07ee1cf06b7b02118f2f \ - --hash=sha256:bd28b31730f0e982ace8663d108e01199098432a30a4c410d06fe08fdb9e93f4 \ - --hash=sha256:be4d9c2770044a59715eb57c1144dedea7c5d5ae80c68fb9959515037cde2008 \ - --hash=sha256:c0c72d34e7de5604df0fde3644cc079feee5e55464967d10b24b1de268deceb9 \ - --hash=sha256:c0e842112fe3f1a4ffcf64b06dc4c61a88441c2f02f373367f7b4c1aa9be2ad5 \ - --hash=sha256:c15070ebf11b8b7fd1bfff7217e9324963c82dbdf6182ff7050519e350e7ad9f \ - --hash=sha256:c2000c54c395d9e5e44c99dc7c20a64dc371f777faf8bae4919ad3e99ce5253e \ - --hash=sha256:c30187840d36d0ba2893bc3271a36a517a717f9fd383a98e2697ee890a37c273 \ - --hash=sha256:cb7cd68814308aade9d0c93c5bd2ade9f9441666f8ba5aa9c2d4b389cb5e2a45 \ - --hash=sha256:cd805513198304026bd379d1d516afbf6c3c13f4382134a2c526b8b854da1c2e \ - --hash=sha256:d0bf89afcbcf4d1bb2652f6580e5e55a840fdf87384f6063c4a4f0c95e378656 \ - --hash=sha256:d9137a876020661972ca6eec0766d81aef8a5627df628b664b234b73396e727e \ - --hash=sha256:dbd95e300367aa0827496fe75a1766d198d34385a58f97683fe6e07f89ca3e3c \ - --hash=sha256:dced27917823df984fe0c80a5c4ad75cf58df0fbfae890bc08004cd3888922a2 \ - --hash=sha256:de0b4caa1c8a21394e8ce971997614a17648f94e1cd0640fbd6b4d14cab13a72 \ - --hash=sha256:debb633f3f7856f95ad957d9b9c781f8e2c6303ef21724ec94bea2ce2fcbd056 \ - --hash=sha256:e372d7dfd154009142631de2d316adad3cc1c36c32a38b16a4751ba78da2a397 \ - --hash=sha256:ecd26be9f112c4f96718290c10f4caea6cc798459a3a76636b817a0ed7874e42 \ - --hash=sha256:edc0202099ea1d82844316604e17d2b175044f9bcb6b398aab781eba957224bd \ - --hash=sha256:f194cce575e59ffe442c10a360182a986535fd90b57f7debfaa5c845c409ecc3 \ - --hash=sha256:f5fb672c396d826ca16a022ac04c9dce74e00a1c344f6ad1a0fdc1ba1f332213 \ - --hash=sha256:f6a02a3c7950cafaadcd46a226ad9e12fc9744652cc69f9e5534f98b47f3bbcf \ - --hash=sha256:fe81b35c33772e56f4b6cf62cf4aedc1762ef7162a31e6ac7fe5e40d0149eb67 +charset-normalizer==3.3.2 \ + --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ + --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \ + --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \ + --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \ + --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \ + --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \ + --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \ + --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \ + --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \ + --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \ + --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \ + --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \ + --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \ + --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \ + --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \ + --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \ + --hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \ + --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \ + --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \ + --hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \ + --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \ + --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \ + --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \ + --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \ + --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \ + --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \ + --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \ + --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \ + --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \ + --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \ + --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \ + --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \ + --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \ + --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \ + --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \ + --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \ + --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \ + --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \ + --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \ + --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \ + --hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \ + --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \ + --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \ + --hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \ + --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \ + --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \ + --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \ + --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \ + --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \ + --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \ + --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \ + --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \ + --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \ + --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \ + --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \ + --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \ + --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \ + --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \ + --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \ + --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \ + --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \ + --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \ + --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \ + --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \ + --hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \ + --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \ + --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \ + --hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \ + --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \ + --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \ + --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \ + --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \ + --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \ + --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \ + --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \ + --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \ + --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \ + --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \ + --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \ + --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \ + --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \ + --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \ + --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \ + --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \ + --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \ + --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \ + --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \ + --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \ + --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ + --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests cryptography==41.0.5 \ --hash=sha256:0c327cac00f082013c7c9fb6c46b7cc9fa3c288ca702c74773968173bda421bf \ @@ -237,6 +237,10 @@ importlib-metadata==6.8.0 \ # via # keyring # twine +importlib-resources==5.13.0 \ + --hash=sha256:82d5c6cca930697dbbd86c93333bb2c2e72861d4789a11c2662b933e5ad2b528 \ + --hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2 + # via sigstore jaraco-classes==3.3.0 \ --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 From 0dc5a80d2da5522df76f789025ecbdfb04543368 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Nov 2023 13:31:27 -0400 Subject: [PATCH 0636/1014] Bump charset-normalizer from 3.3.1 to 3.3.2 (#9810) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.1 to 3.3.2. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/Ousret/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.1...3.3.2) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index da11c2fde4c0..3c4cdaa7984d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -19,7 +19,7 @@ build==1.0.3 # cryptography (pyproject.toml) certifi==2023.7.22 # via requests -charset-normalizer==3.3.1 +charset-normalizer==3.3.2 # via requests check-sdist==0.1.3 # via cryptography (pyproject.toml) From fcc2bba8a0e694346695fe11ab008e645c547b98 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Nov 2023 11:06:42 -0700 Subject: [PATCH 0637/1014] Simplify noxfile interaction with pyproject.toml (#9807) --- .github/workflows/ci.yml | 8 ++++---- noxfile.py | 32 ++++++++++++++++++-------------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e155e5a9df6..3638939846f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -124,7 +124,7 @@ jobs: # pypy3-3.8 and pypy3-3.9 -- both of them show up as 7.3.11. key: ${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-${{ matrix.PYTHON.NOXSESSION }}-${{ env.OPENSSL_HASH }} - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' + - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - name: Create nox environment run: | nox -v --install-only @@ -198,7 +198,7 @@ jobs: - run: | echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV if: matrix.IMAGE.FIPS - - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'nox' + - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - run: '/venv/bin/nox -v --install-only' env: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} @@ -249,7 +249,7 @@ jobs: cache-dependency-path: ci-constraints-requirements.txt - run: rustup component add llvm-tools-preview - - run: python -m pip install -c ci-constraints-requirements.txt 'nox' + - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - name: Clone wycheproof timeout-minutes: 2 @@ -312,7 +312,7 @@ jobs: timeout-minutes: 2 with: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - - run: python -m pip install -c ci-constraints-requirements.txt "nox" + - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: diff --git a/noxfile.py b/noxfile.py index a8b10a6fbf25..05cfdd70abf0 100644 --- a/noxfile.py +++ b/noxfile.py @@ -14,6 +14,11 @@ import nox +try: + import tomllib +except ImportError: + import tomli as tomllib # type: ignore[import-not-found,no-redef] + nox.options.reuse_existing_virtualenvs = True @@ -27,6 +32,11 @@ def install(session: nox.Session, *args: str) -> None: ) +def load_pyproject_toml() -> dict: + with (pathlib.Path(__file__).parent / "pyproject.toml").open("rb") as f: + return tomllib.load(f) + + @nox.session @nox.session(name="tests-ssh") @nox.session(name="tests-randomorder") @@ -152,22 +162,16 @@ def docs_linkcheck(session: nox.Session) -> None: @nox.session def flake(session: nox.Session) -> None: - # Just install the dependencies needed for these tests - basically - # `pip install .[pep8test,test,ssh,nox]`, but without installing `.` # TODO: Ideally there'd be a pip flag to install just our dependencies, # but not install us. + pyproject_data = load_pyproject_toml() install( session, - "setuptools-rust", - "cffi>=1.12; platform_python_implementation != 'PyPy'", - "wheel", - "ruff", - "check-sdist", - "mypy", - "bcrypt", - "click", - "pytest", - "nox", + *pyproject_data["build-system"]["requires"], + *pyproject_data["project"]["optional-dependencies"]["pep8test"], + *pyproject_data["project"]["optional-dependencies"]["test"], + *pyproject_data["project"]["optional-dependencies"]["ssh"], + *pyproject_data["project"]["optional-dependencies"]["nox"], ) install(session, "-e", "vectors/") @@ -198,10 +202,10 @@ def rust(session: nox.Session) -> None: } ) - # Just install the dependencies needed for the Rust build.rs # TODO: Ideally there'd be a pip flag to install just our dependencies, # but not install us. - install(session, "cffi", "setuptools") + pyproject_data = load_pyproject_toml() + install(session, *pyproject_data["build-system"]["requires"]) with session.chdir("src/rust/"): session.run("cargo", "fmt", "--all", "--", "--check", external=True) From 70b81ac3eb600adaa171487ce72a126f38c35de4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Nov 2023 14:06:11 -0700 Subject: [PATCH 0638/1014] Bump argcomplete (#9815) * Bump argcomplete from 3.1.2 to 3.1.3 Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.1.2...v3.1.3) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Limit python_version of argcomplete --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3c4cdaa7984d..55ae4844d001 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.13 # via sphinx -argcomplete==3.1.2 +argcomplete==3.1.3; python_version >= "3.8" # via nox babel==2.13.1 # via sphinx From 4782de04cb67c0bff7f68156afb108cb26fee505 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Nov 2023 21:08:04 +0000 Subject: [PATCH 0639/1014] Bump openssl-sys from 0.9.93 to 0.9.94 in /src/rust (#9813) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.93 to 0.9.94. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.93...openssl-sys-v0.9.94) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bbd2846492cd..638fca0bf05b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -203,9 +203,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.93" +version = "0.9.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db4d56a4c0478783083cfafcc42493dd4a981d41669da64b4572a2a089b51b1d" +checksum = "2f55da20b29f956fb01f0add8683eb26ee13ebe3ebd935e49898717c6b4b2830" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index b7a366dc4ceb..e7817c3d4403 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.57" -openssl-sys = "0.9.93" +openssl-sys = "0.9.94" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e0ff392ffd74..93bdd76648c5 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3-py37"] } -openssl-sys = "0.9.93" +openssl-sys = "0.9.94" [build-dependencies] cc = "1.0.83" From a712d562a785c431e057e7dd78df8d1c39eece18 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Nov 2023 21:18:23 +0000 Subject: [PATCH 0640/1014] Bump openssl from 0.10.57 to 0.10.58 in /src/rust (#9816) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.57 to 0.10.58. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.57...openssl-v0.10.58) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 638fca0bf05b..f4c4a61b6167 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -177,9 +177,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.57" +version = "0.10.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bac25ee399abb46215765b1cb35bc0212377e58a061560d8b29b024fd0430e7c" +checksum = "a9dfc0783362704e97ef3bd24261995a699468440099ef95d869b4d9732f829a" dependencies = [ "bitflags 2.4.0", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e7817c3d4403..e607c1c8c227 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.57" +openssl = "0.10.58" openssl-sys = "0.9.94" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index e629b3717236..65c099f01712 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.57" +openssl = "0.10.58" ffi = { package = "openssl-sys", version = "0.9.91" } foreign-types = "0.3" foreign-types-shared = "0.1" From f11a5ce9f7e37d9105339a3e271c078b3d6fc2dc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Nov 2023 14:33:26 -0700 Subject: [PATCH 0641/1014] Convert CMAC to Rust (#9639) --- .../hazmat/backends/openssl/backend.py | 5 - .../hazmat/backends/openssl/cmac.py | 89 ----------- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/_rust/openssl/cmac.pyi | 18 +++ src/cryptography/hazmat/primitives/cmac.py | 61 +------- src/rust/build.rs | 6 + src/rust/cryptography-openssl/src/cmac.rs | 71 +++++++++ src/rust/cryptography-openssl/src/hmac.rs | 4 +- src/rust/cryptography-openssl/src/lib.rs | 1 + src/rust/src/backend/ciphers.rs | 148 ++++++++++++++++++ src/rust/src/backend/cmac.rs | 105 +++++++++++++ src/rust/src/backend/mod.rs | 3 + src/rust/src/types.rs | 50 ++++++ tests/hazmat/backends/test_openssl.py | 7 - tests/hazmat/primitives/test_cmac.py | 16 +- 15 files changed, 423 insertions(+), 163 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/cmac.py create mode 100644 src/cryptography/hazmat/bindings/_rust/openssl/cmac.pyi create mode 100644 src/rust/cryptography-openssl/src/cmac.rs create mode 100644 src/rust/src/backend/ciphers.rs create mode 100644 src/rust/src/backend/cmac.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 52b536908dec..7852e0d27245 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -13,7 +13,6 @@ from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.ciphers import _CipherContext -from cryptography.hazmat.backends.openssl.cmac import _CMACContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.primitives import hashes, serialization @@ -31,7 +30,6 @@ PublicKeyTypes, ) from cryptography.hazmat.primitives.ciphers import ( - BlockCipherAlgorithm, CipherAlgorithm, ) from cryptography.hazmat.primitives.ciphers.algorithms import ( @@ -571,9 +569,6 @@ def cmac_algorithm_supported(self, algorithm) -> bool: algorithm, CBC(b"\x00" * algorithm.block_size) ) - def create_cmac_ctx(self, algorithm: BlockCipherAlgorithm) -> _CMACContext: - return _CMACContext(self, algorithm) - def load_pem_private_key( self, data: bytes, diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py deleted file mode 100644 index bdd7fec611d1..000000000000 --- a/src/cryptography/hazmat/backends/openssl/cmac.py +++ /dev/null @@ -1,89 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -import typing - -from cryptography.exceptions import ( - InvalidSignature, - UnsupportedAlgorithm, - _Reasons, -) -from cryptography.hazmat.primitives import constant_time -from cryptography.hazmat.primitives.ciphers.modes import CBC - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - from cryptography.hazmat.primitives import ciphers - - -class _CMACContext: - def __init__( - self, - backend: Backend, - algorithm: ciphers.BlockCipherAlgorithm, - ctx=None, - ) -> None: - if not backend.cmac_algorithm_supported(algorithm): - raise UnsupportedAlgorithm( - "This backend does not support CMAC.", - _Reasons.UNSUPPORTED_CIPHER, - ) - - self._backend = backend - self._key = algorithm.key - self._algorithm = algorithm - self._output_length = algorithm.block_size // 8 - - if ctx is None: - registry = self._backend._cipher_registry - adapter = registry[type(algorithm), CBC] - - evp_cipher = adapter(self._backend, algorithm, CBC) - - ctx = self._backend._lib.CMAC_CTX_new() - - self._backend.openssl_assert(ctx != self._backend._ffi.NULL) - ctx = self._backend._ffi.gc(ctx, self._backend._lib.CMAC_CTX_free) - - key_ptr = self._backend._ffi.from_buffer(self._key) - res = self._backend._lib.CMAC_Init( - ctx, - key_ptr, - len(self._key), - evp_cipher, - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(res == 1) - - self._ctx = ctx - - def update(self, data: bytes) -> None: - res = self._backend._lib.CMAC_Update(self._ctx, data, len(data)) - self._backend.openssl_assert(res == 1) - - def finalize(self) -> bytes: - buf = self._backend._ffi.new("unsigned char[]", self._output_length) - length = self._backend._ffi.new("size_t *", self._output_length) - res = self._backend._lib.CMAC_Final(self._ctx, buf, length) - self._backend.openssl_assert(res == 1) - - self._ctx = None - - return self._backend._ffi.buffer(buf)[:] - - def copy(self) -> _CMACContext: - copied_ctx = self._backend._lib.CMAC_CTX_new() - copied_ctx = self._backend._ffi.gc( - copied_ctx, self._backend._lib.CMAC_CTX_free - ) - res = self._backend._lib.CMAC_CTX_copy(copied_ctx, self._ctx) - self._backend.openssl_assert(res == 1) - return _CMACContext(self._backend, self._algorithm, ctx=copied_ctx) - - def verify(self, signature: bytes) -> None: - digest = self.finalize() - if not constant_time.bytes_eq(digest, signature): - raise InvalidSignature("Signature did not match digest.") diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 21c860265867..e95bc15457ae 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -6,6 +6,7 @@ import typing from cryptography.hazmat.bindings._rust.openssl import ( aead, + cmac, dh, dsa, ec, @@ -24,6 +25,7 @@ __all__ = [ "openssl_version", "raise_openssl_error", "aead", + "cmac", "dh", "dsa", "ec", diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/cmac.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/cmac.pyi new file mode 100644 index 000000000000..9c03508bc89b --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/openssl/cmac.pyi @@ -0,0 +1,18 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import typing + +from cryptography.hazmat.primitives import ciphers + +class CMAC: + def __init__( + self, + algorithm: ciphers.BlockCipherAlgorithm, + backend: typing.Any = None, + ) -> None: ... + def update(self, data: bytes) -> None: ... + def finalize(self) -> bytes: ... + def verify(self, signature: bytes) -> None: ... + def copy(self) -> CMAC: ... diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py index 1a8a622c6953..2c67ce2206e4 100644 --- a/src/cryptography/hazmat/primitives/cmac.py +++ b/src/cryptography/hazmat/primitives/cmac.py @@ -4,62 +4,7 @@ from __future__ import annotations -import typing +from cryptography.hazmat.bindings._rust import openssl as rust_openssl -from cryptography import utils -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import ciphers - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.cmac import _CMACContext - - -class CMAC: - _ctx: _CMACContext | None - _algorithm: ciphers.BlockCipherAlgorithm - - def __init__( - self, - algorithm: ciphers.BlockCipherAlgorithm, - backend: typing.Any = None, - ctx: _CMACContext | None = None, - ) -> None: - if not isinstance(algorithm, ciphers.BlockCipherAlgorithm): - raise TypeError("Expected instance of BlockCipherAlgorithm.") - self._algorithm = algorithm - - if ctx is None: - from cryptography.hazmat.backends.openssl.backend import ( - backend as ossl, - ) - - self._ctx = ossl.create_cmac_ctx(self._algorithm) - else: - self._ctx = ctx - - def update(self, data: bytes) -> None: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - - utils._check_bytes("data", data) - self._ctx.update(data) - - def finalize(self) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - digest = self._ctx.finalize() - self._ctx = None - return digest - - def verify(self, signature: bytes) -> None: - utils._check_bytes("signature", signature) - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - - ctx, self._ctx = self._ctx, None - ctx.verify(signature) - - def copy(self) -> CMAC: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - return CMAC(self._algorithm, ctx=self._ctx.copy()) +__all__ = ["CMAC"] +CMAC = rust_openssl.cmac.CMAC diff --git a/src/rust/build.rs b/src/rust/build.rs index a0b4566a753c..87c074b42e23 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -21,4 +21,10 @@ fn main() { if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL"); } + + if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { + for var in vars.split(',') { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OSSLCONF=\"{}\"", var); + } + } } diff --git a/src/rust/cryptography-openssl/src/cmac.rs b/src/rust/cryptography-openssl/src/cmac.rs new file mode 100644 index 000000000000..5215b88358d4 --- /dev/null +++ b/src/rust/cryptography-openssl/src/cmac.rs @@ -0,0 +1,71 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::hmac::DigestBytes; +use crate::{cvt, cvt_p, OpenSSLResult}; +use foreign_types_shared::{ForeignType, ForeignTypeRef}; +use std::ptr; + +foreign_types::foreign_type! { + type CType = ffi::CMAC_CTX; + fn drop = ffi::CMAC_CTX_free; + + pub struct Cmac; + pub struct CmacRef; +} + +// SAFETY: It's safe to have `&` references from multiple threads. +unsafe impl Sync for Cmac {} +// SAFETY: It's safe to move the `Cmac` from one thread to another. +unsafe impl Send for Cmac {} + +impl Cmac { + pub fn new(key: &[u8], cipher: &openssl::symm::Cipher) -> OpenSSLResult { + // SAFETY: All FFI conditions are handled. + unsafe { + let ctx = Cmac::from_ptr(cvt_p(ffi::CMAC_CTX_new())?); + cvt(ffi::CMAC_Init( + ctx.as_ptr(), + key.as_ptr().cast(), + key.len(), + cipher.as_ptr(), + ptr::null_mut(), + ))?; + Ok(ctx) + } + } +} + +impl CmacRef { + pub fn update(&mut self, data: &[u8]) -> OpenSSLResult<()> { + // SAFETY: All FFI conditions are handled. + unsafe { + cvt(ffi::CMAC_Update( + self.as_ptr(), + data.as_ptr().cast(), + data.len(), + ))?; + } + Ok(()) + } + + pub fn finish(&mut self) -> OpenSSLResult { + let mut buf = [0; ffi::EVP_MAX_MD_SIZE as usize]; + let mut len = ffi::EVP_MAX_MD_SIZE as usize; + // SAFETY: All FFI conditions are handled. + unsafe { + cvt(ffi::CMAC_Final(self.as_ptr(), buf.as_mut_ptr(), &mut len))?; + } + Ok(DigestBytes { buf, len }) + } + + pub fn copy(&self) -> OpenSSLResult { + // SAFETY: All FFI conditions are handled. + unsafe { + let h = Cmac::from_ptr(cvt_p(ffi::CMAC_CTX_new())?); + cvt(ffi::CMAC_CTX_copy(h.as_ptr(), self.as_ptr()))?; + Ok(h) + } + } +} diff --git a/src/rust/cryptography-openssl/src/hmac.rs b/src/rust/cryptography-openssl/src/hmac.rs index d2c14431853b..282efa79bd60 100644 --- a/src/rust/cryptography-openssl/src/hmac.rs +++ b/src/rust/cryptography-openssl/src/hmac.rs @@ -71,8 +71,8 @@ impl HmacRef { } pub struct DigestBytes { - buf: [u8; ffi::EVP_MAX_MD_SIZE as usize], - len: usize, + pub(crate) buf: [u8; ffi::EVP_MAX_MD_SIZE as usize], + pub(crate) len: usize, } impl std::ops::Deref for DigestBytes { diff --git a/src/rust/cryptography-openssl/src/lib.rs b/src/rust/cryptography-openssl/src/lib.rs index 7d2ab1bc7d8c..41938246fc5d 100644 --- a/src/rust/cryptography-openssl/src/lib.rs +++ b/src/rust/cryptography-openssl/src/lib.rs @@ -4,6 +4,7 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +pub mod cmac; pub mod fips; pub mod hmac; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs new file mode 100644 index 000000000000..5182843c2439 --- /dev/null +++ b/src/rust/src/backend/ciphers.rs @@ -0,0 +1,148 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::error::CryptographyResult; +use crate::types; +use openssl::symm::Cipher; +use std::collections::HashMap; + +struct RegistryKey { + algorithm: pyo3::PyObject, + mode: pyo3::PyObject, + key_size: Option, + + algorithm_hash: isize, + mode_hash: isize, +} + +impl RegistryKey { + fn new( + py: pyo3::Python<'_>, + algorithm: pyo3::PyObject, + mode: pyo3::PyObject, + key_size: Option, + ) -> CryptographyResult { + Ok(Self { + algorithm: algorithm.clone_ref(py), + mode: mode.clone_ref(py), + key_size, + algorithm_hash: algorithm.as_ref(py).hash()?, + mode_hash: mode.as_ref(py).hash()?, + }) + } +} + +impl PartialEq for RegistryKey { + fn eq(&self, other: &RegistryKey) -> bool { + self.algorithm.is(&other.algorithm) + && self.mode.is(&other.mode) + && (self.key_size == other.key_size + || self.key_size.is_none() + || other.key_size.is_none()) + } +} + +impl Eq for RegistryKey {} + +impl std::hash::Hash for RegistryKey { + fn hash(&self, state: &mut H) { + self.algorithm_hash.hash(state); + self.mode_hash.hash(state); + } +} + +fn add_cipher( + py: pyo3::Python<'_>, + m: &mut HashMap, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, + key_size: Option, + cipher: openssl::symm::Cipher, +) -> CryptographyResult<()> { + m.insert( + RegistryKey::new(py, algorithm.into(), mode.into(), key_size)?, + cipher, + ); + + Ok(()) +} + +fn get_cipher_registry( + py: pyo3::Python<'_>, +) -> CryptographyResult<&HashMap> { + static REGISTRY: pyo3::once_cell::GILOnceCell> = + pyo3::once_cell::GILOnceCell::new(); + + REGISTRY.get_or_try_init(py, || { + let mut r = HashMap::new(); + let m = &mut r; + + let aes = types::AES.get(py)?; + let aes128 = types::AES128.get(py)?; + let aes256 = types::AES256.get(py)?; + let triple_des = types::TRIPLE_DES.get(py)?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] + let camellia = types::CAMELLIA.get(py)?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] + let blowfish = types::BLOWFISH.get(py)?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] + let cast5 = types::CAST5.get(py)?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] + let idea = types::IDEA.get(py)?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] + let sm4 = types::SM4.get(py)?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] + let seed = types::SEED.get(py)?; + + let cbc = types::CBC.get(py)?; + + add_cipher(py, m, aes, cbc, Some(128), Cipher::aes_128_cbc())?; + add_cipher(py, m, aes, cbc, Some(192), Cipher::aes_192_cbc())?; + add_cipher(py, m, aes, cbc, Some(256), Cipher::aes_256_cbc())?; + + add_cipher(py, m, aes128, cbc, Some(128), Cipher::aes_128_cbc())?; + add_cipher(py, m, aes256, cbc, Some(256), Cipher::aes_256_cbc())?; + + add_cipher(py, m, triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] + add_cipher(py, m, camellia, cbc, Some(128), Cipher::camellia_128_cbc())?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] + add_cipher(py, m, camellia, cbc, Some(192), Cipher::camellia_192_cbc())?; + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] + add_cipher(py, m, camellia, cbc, Some(256), Cipher::camellia_256_cbc())?; + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] + add_cipher(py, m, sm4, cbc, Some(128), Cipher::sm4_cbc())?; + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] + add_cipher(py, m, seed, cbc, Some(128), Cipher::seed_cbc())?; + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] + add_cipher(py, m, blowfish, cbc, None, Cipher::bf_cbc())?; + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] + add_cipher(py, m, cast5, cbc, None, Cipher::cast5_cbc())?; + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] + add_cipher(py, m, idea, cbc, Some(128), Cipher::idea_cbc())?; + + Ok(r) + }) +} + +pub(crate) fn get_cipher( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode_cls: &pyo3::PyAny, +) -> CryptographyResult> { + let registry = get_cipher_registry(py)?; + + let key_size = algorithm + .getattr(pyo3::intern!(py, "key_size"))? + .extract()?; + let key = RegistryKey::new(py, algorithm.get_type().into(), mode_cls.into(), key_size)?; + + Ok(registry.get(&key).cloned()) +} diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs new file mode 100644 index 000000000000..283812b9038b --- /dev/null +++ b/src/rust/src/backend/cmac.rs @@ -0,0 +1,105 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::backend::ciphers; +use crate::backend::hashes::already_finalized_error; +use crate::buf::CffiBuf; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::{exceptions, types}; + +#[pyo3::prelude::pyclass( + module = "cryptography.hazmat.bindings._rust.openssl.cmac", + name = "CMAC" +)] +struct Cmac { + ctx: Option, +} + +impl Cmac { + fn get_ctx(&self) -> CryptographyResult<&cryptography_openssl::cmac::Cmac> { + if let Some(ctx) = self.ctx.as_ref() { + return Ok(ctx); + }; + Err(already_finalized_error()) + } + + fn get_mut_ctx(&mut self) -> CryptographyResult<&mut cryptography_openssl::cmac::Cmac> { + if let Some(ctx) = self.ctx.as_mut() { + return Ok(ctx); + } + Err(already_finalized_error()) + } +} + +#[pyo3::pymethods] +impl Cmac { + #[new] + fn new( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + if !algorithm.is_instance(types::BLOCK_CIPHER_ALGORITHM.get(py)?)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Expected instance of BlockCipherAlgorithm.", + ), + )); + } + + let cipher = ciphers::get_cipher(py, algorithm, types::CBC.get(py)?)?.ok_or_else(|| { + exceptions::UnsupportedAlgorithm::new_err(( + "CMAC is not supported with this algorithm", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )) + })?; + + let key = algorithm + .getattr(pyo3::intern!(py, "key"))? + .extract::>()?; + let ctx = cryptography_openssl::cmac::Cmac::new(key.as_bytes(), &cipher)?; + Ok(Cmac { ctx: Some(ctx) }) + } + + fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { + self.get_mut_ctx()?.update(data.as_bytes())?; + Ok(()) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let data = self.get_mut_ctx()?.finish()?; + self.ctx = None; + Ok(pyo3::types::PyBytes::new(py, &data)) + } + + fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { + let actual = self.finalize(py)?.as_bytes(); + if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) { + return Err(CryptographyError::from( + exceptions::InvalidSignature::new_err("Signature did not match digest."), + )); + } + + Ok(()) + } + + fn copy(&self) -> CryptographyResult { + Ok(Cmac { + ctx: Some(self.get_ctx()?.copy()?), + }) + } +} + +pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let m = pyo3::prelude::PyModule::new(py, "cmac")?; + + m.add_class::()?; + + Ok(m) +} diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 4251bacfbaf3..3b32bed6bbbf 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -3,6 +3,8 @@ // for complete details. pub(crate) mod aead; +pub(crate) mod ciphers; +pub(crate) mod cmac; pub(crate) mod dh; pub(crate) mod dsa; pub(crate) mod ec; @@ -21,6 +23,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(aead::create_module(module.py())?)?; + module.add_submodule(cmac::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 1e1dca93a19e..1ee030a40f9b 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -486,6 +486,56 @@ pub static DSA_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( pub static EXTRACT_BUFFER_LENGTH: LazyPyImport = LazyPyImport::new("cryptography.utils", &["_extract_buffer_length"]); +pub static BLOCK_CIPHER_ALGORITHM: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers", + &["BlockCipherAlgorithm"], +); + +pub static TRIPLE_DES: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["TripleDES"], +); +pub static AES: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["AES"], +); +pub static AES128: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["AES128"], +); +pub static AES256: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["AES256"], +); +pub static SM4: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["SM4"], +); +pub static SEED: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["_SEEDInternal"], +); +pub static CAMELLIA: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["Camellia"], +); +pub static BLOWFISH: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["_BlowfishInternal"], +); +pub static CAST5: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["_CAST5Internal"], +); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] +pub static IDEA: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["_IDEAInternal"], +); + +pub static CBC: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CBC"]); + #[cfg(test)] mod tests { use super::LazyPyImport; diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index a47470b9a243..5b33d76ef245 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -19,7 +19,6 @@ from ...doubles import ( DummyAsymmetricPadding, - DummyBlockCipherAlgorithm, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode, @@ -251,12 +250,6 @@ def test_unsupported_mgf1_hash_algorithm_md5_decrypt(self, rsa_key_2048): ) -class TestOpenSSLCMAC: - def test_unsupported_cipher(self): - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - backend.create_cmac_ctx(DummyBlockCipherAlgorithm(b"bad")) - - class TestOpenSSLSerializationWithOpenSSL: def test_pem_password_cb(self): userdata = backend._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") diff --git a/tests/hazmat/primitives/test_cmac.py b/tests/hazmat/primitives/test_cmac.py index c9e7fdd88fa1..18ba898e7a85 100644 --- a/tests/hazmat/primitives/test_cmac.py +++ b/tests/hazmat/primitives/test_cmac.py @@ -7,7 +7,11 @@ import pytest -from cryptography.exceptions import AlreadyFinalized, InvalidSignature +from cryptography.exceptions import ( + AlreadyFinalized, + InvalidSignature, + _Reasons, +) from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, ARC4, @@ -15,7 +19,12 @@ ) from cryptography.hazmat.primitives.cmac import CMAC -from ...utils import load_nist_vectors, load_vectors_from_file +from ...doubles import DummyBlockCipherAlgorithm +from ...utils import ( + load_nist_vectors, + load_vectors_from_file, + raises_unsupported_algorithm, +) vectors_aes128 = load_vectors_from_file( "CMAC/nist-800-38b-aes128.txt", load_nist_vectors @@ -136,6 +145,9 @@ def test_invalid_algorithm(self, backend): with pytest.raises(TypeError): CMAC(ARC4(key), backend) # type: ignore[arg-type] + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + CMAC(DummyBlockCipherAlgorithm(b"bad"), backend) + @pytest.mark.supported( only_if=lambda backend: backend.cmac_algorithm_supported( AES(fake_key) From 1a0ed48bbf89ad8483433368d6251035a8a9b4da Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Nov 2023 14:54:47 -0700 Subject: [PATCH 0642/1014] Cleanups to rust cipher registry (#9817) * Rename ciphers to cipher_registry * Better API for cipher registration --- .../{ciphers.rs => cipher_registry.rs} | 78 +++++++++++-------- src/rust/src/backend/cmac.rs | 15 ++-- src/rust/src/backend/mod.rs | 2 +- 3 files changed, 56 insertions(+), 39 deletions(-) rename src/rust/src/backend/{ciphers.rs => cipher_registry.rs} (68%) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/cipher_registry.rs similarity index 68% rename from src/rust/src/backend/ciphers.rs rename to src/rust/src/backend/cipher_registry.rs index 5182843c2439..76547b189308 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -52,20 +52,37 @@ impl std::hash::Hash for RegistryKey { } } -fn add_cipher( - py: pyo3::Python<'_>, - m: &mut HashMap, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, - key_size: Option, - cipher: openssl::symm::Cipher, -) -> CryptographyResult<()> { - m.insert( - RegistryKey::new(py, algorithm.into(), mode.into(), key_size)?, - cipher, - ); - - Ok(()) +struct RegisteryBuilder<'p> { + py: pyo3::Python<'p>, + m: HashMap, +} + +impl<'p> RegisteryBuilder<'p> { + fn new(py: pyo3::Python<'p>) -> Self { + RegisteryBuilder { + py, + m: HashMap::new(), + } + } + + fn add( + &mut self, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, + key_size: Option, + cipher: openssl::symm::Cipher, + ) -> CryptographyResult<()> { + self.m.insert( + RegistryKey::new(self.py, algorithm.into(), mode.into(), key_size)?, + cipher, + ); + + Ok(()) + } + + fn build(self) -> HashMap { + self.m + } } fn get_cipher_registry( @@ -75,8 +92,7 @@ fn get_cipher_registry( pyo3::once_cell::GILOnceCell::new(); REGISTRY.get_or_try_init(py, || { - let mut r = HashMap::new(); - let m = &mut r; + let mut m = RegisteryBuilder::new(py); let aes = types::AES.get(py)?; let aes128 = types::AES128.get(py)?; @@ -97,38 +113,38 @@ fn get_cipher_registry( let cbc = types::CBC.get(py)?; - add_cipher(py, m, aes, cbc, Some(128), Cipher::aes_128_cbc())?; - add_cipher(py, m, aes, cbc, Some(192), Cipher::aes_192_cbc())?; - add_cipher(py, m, aes, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(aes, cbc, Some(128), Cipher::aes_128_cbc())?; + m.add(aes, cbc, Some(192), Cipher::aes_192_cbc())?; + m.add(aes, cbc, Some(256), Cipher::aes_256_cbc())?; - add_cipher(py, m, aes128, cbc, Some(128), Cipher::aes_128_cbc())?; - add_cipher(py, m, aes256, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(aes128, cbc, Some(128), Cipher::aes_128_cbc())?; + m.add(aes256, cbc, Some(256), Cipher::aes_256_cbc())?; - add_cipher(py, m, triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; + m.add(triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - add_cipher(py, m, camellia, cbc, Some(128), Cipher::camellia_128_cbc())?; + m.add(camellia, cbc, Some(128), Cipher::camellia_128_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - add_cipher(py, m, camellia, cbc, Some(192), Cipher::camellia_192_cbc())?; + m.add(camellia, cbc, Some(192), Cipher::camellia_192_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - add_cipher(py, m, camellia, cbc, Some(256), Cipher::camellia_256_cbc())?; + m.add(camellia, cbc, Some(256), Cipher::camellia_256_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] - add_cipher(py, m, sm4, cbc, Some(128), Cipher::sm4_cbc())?; + m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] - add_cipher(py, m, seed, cbc, Some(128), Cipher::seed_cbc())?; + m.add(seed, cbc, Some(128), Cipher::seed_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] - add_cipher(py, m, blowfish, cbc, None, Cipher::bf_cbc())?; + m.add(blowfish, cbc, None, Cipher::bf_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] - add_cipher(py, m, cast5, cbc, None, Cipher::cast5_cbc())?; + m.add(cast5, cbc, None, Cipher::cast5_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] - add_cipher(py, m, idea, cbc, Some(128), Cipher::idea_cbc())?; + m.add(idea, cbc, Some(128), Cipher::idea_cbc())?; - Ok(r) + Ok(m.build()) }) } diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 283812b9038b..339921723814 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::backend::ciphers; +use crate::backend::cipher_registry; use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; @@ -50,12 +50,13 @@ impl Cmac { )); } - let cipher = ciphers::get_cipher(py, algorithm, types::CBC.get(py)?)?.ok_or_else(|| { - exceptions::UnsupportedAlgorithm::new_err(( - "CMAC is not supported with this algorithm", - exceptions::Reasons::UNSUPPORTED_CIPHER, - )) - })?; + let cipher = + cipher_registry::get_cipher(py, algorithm, types::CBC.get(py)?)?.ok_or_else(|| { + exceptions::UnsupportedAlgorithm::new_err(( + "CMAC is not supported with this algorithm", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )) + })?; let key = algorithm .getattr(pyo3::intern!(py, "key"))? diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 3b32bed6bbbf..99de91f94801 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -3,7 +3,7 @@ // for complete details. pub(crate) mod aead; -pub(crate) mod ciphers; +pub(crate) mod cipher_registry; pub(crate) mod cmac; pub(crate) mod dh; pub(crate) mod dsa; From 759fde563a2392b0426d85eeb17102ff832f8f9f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 1 Nov 2023 19:00:36 -0700 Subject: [PATCH 0643/1014] Bump BoringSSL and/or OpenSSL in CI (#9818) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3638939846f0..ceb355106c2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 01, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "2a33faebe1827956e7fca8cbb15e2ca79b292d9c"}} - # Latest commit on the OpenSSL master branch, as of Nov 01, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8d13d9e7305643c28c69c57df798b553b78c2876"}} + # Latest commit on the BoringSSL master branch, as of Nov 02, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f714cb2935906a2f085c3b89d7e206af94627b56"}} + # Latest commit on the OpenSSL master branch, as of Nov 02, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d13488b93690121bd50c97599760a19ead6bcd1f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 5adef8e229f000e96f8311e874abb127738a0b28 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 Nov 2023 10:05:20 -0400 Subject: [PATCH 0644/1014] Bump argcomplete from 3.1.3 to 3.1.4 (#9819) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.1.3...v3.1.4) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 55ae4844d001..533434d9756f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.13 # via sphinx -argcomplete==3.1.3; python_version >= "3.8" +argcomplete==3.1.4; python_version >= "3.8" # via nox babel==2.13.1 # via sphinx From 1944271fe6201ad4a3695fc5620815b01f33604d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 2 Nov 2023 18:36:36 -0700 Subject: [PATCH 0645/1014] Bump BoringSSL and/or OpenSSL in CI (#9822) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ceb355106c2a..710752fd3c48 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 02, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f714cb2935906a2f085c3b89d7e206af94627b56"}} - # Latest commit on the OpenSSL master branch, as of Nov 02, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d13488b93690121bd50c97599760a19ead6bcd1f"}} + # Latest commit on the OpenSSL master branch, as of Nov 03, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "04b53878ea498582a6c2cfa93c570584818bbe47"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 01278608f7653699b2acb734f1c0df4b6e868586 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 3 Nov 2023 00:59:27 -0400 Subject: [PATCH 0646/1014] x509/validation: make algo sets non-optional (#9821) Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 38 ++++++------------- 1 file changed, 12 insertions(+), 26 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 5d1a92cc6630..35c7f019ef32 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -217,21 +217,11 @@ pub struct Policy<'a, B: CryptoOps> { /// The set of permitted public key algorithms, identified by their /// algorithm identifiers. - /// - /// If not `None`, all certificates validated by this policy MUST - /// have a public key algorithm in this set. - /// - /// If `None`, all public key algorithms are permitted. - pub permitted_public_key_algorithms: Option>>, + pub permitted_public_key_algorithms: HashSet>, /// The set of permitted signature algorithms, identified by their /// algorithm identifiers. - /// - /// If not `None`, all certificates validated by this policy MUST - /// have a signature algorithm in this set. - /// - /// If `None`, all signature algorithms are permitted. - pub permitted_signature_algorithms: Option>>, + pub permitted_signature_algorithms: HashSet>, pub critical_ca_extensions: HashSet, pub critical_ee_extensions: HashSet, @@ -247,20 +237,16 @@ impl<'a, B: CryptoOps> Policy<'a, B> { subject, validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), - permitted_public_key_algorithms: Some( - WEBPKI_PERMITTED_SPKI_ALGORITHMS - .clone() - .into_iter() - .cloned() - .collect(), - ), - permitted_signature_algorithms: Some( - WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS - .clone() - .into_iter() - .cloned() - .collect(), - ), + permitted_public_key_algorithms: WEBPKI_PERMITTED_SPKI_ALGORITHMS + .clone() + .into_iter() + .cloned() + .collect(), + permitted_signature_algorithms: WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS + .clone() + .into_iter() + .cloned() + .collect(), critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(), critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(), } From 195bf51aff087d7063c47be6b188b2c1689af390 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Nov 2023 14:54:13 +0000 Subject: [PATCH 0647/1014] Bump openssl-sys from 0.9.94 to 0.9.95 in /src/rust (#9823) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.94 to 0.9.95. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.94...openssl-sys-v0.9.95) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f4c4a61b6167..650cee29e007 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -203,9 +203,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.94" +version = "0.9.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f55da20b29f956fb01f0add8683eb26ee13ebe3ebd935e49898717c6b4b2830" +checksum = "40a4130519a360279579c2053038317e40eff64d13fd3f004f9e1b72b8a6aaf9" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e607c1c8c227..2f06c400f916 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.58" -openssl-sys = "0.9.94" +openssl-sys = "0.9.95" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 93bdd76648c5..5815488b37fc 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3-py37"] } -openssl-sys = "0.9.94" +openssl-sys = "0.9.95" [build-dependencies] cc = "1.0.83" From c5c0355204a64c56ecd1b1eb57b57138604eb541 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Nov 2023 08:04:15 -0700 Subject: [PATCH 0648/1014] test on libressl 3.8.2 (#9824) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 710752fd3c48..fb89c1861d2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-beta1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 02, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f714cb2935906a2f085c3b89d7e206af94627b56"}} From 9d5682e9337f6f3927f4d65e9f7735cf1ab1d3dc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Nov 2023 15:04:54 +0000 Subject: [PATCH 0649/1014] Bump openssl from 0.10.58 to 0.10.59 in /src/rust (#9825) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.58 to 0.10.59. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.58...openssl-v0.10.59) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 650cee29e007..1ef651c08954 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -177,9 +177,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.58" +version = "0.10.59" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9dfc0783362704e97ef3bd24261995a699468440099ef95d869b4d9732f829a" +checksum = "7a257ad03cd8fb16ad4172fedf8094451e1af1c4b70097636ef2eac9a5f0cc33" dependencies = [ "bitflags 2.4.0", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 2f06c400f916..7fc2e547a1e6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.58" +openssl = "0.10.59" openssl-sys = "0.9.95" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 65c099f01712..8266519de67a 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.58" +openssl = "0.10.59" ffi = { package = "openssl-sys", version = "0.9.91" } foreign-types = "0.3" foreign-types-shared = "0.1" From 1d5a5b12c4e27da7ec1296e2fe8e6dd4ca36ca44 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Nov 2023 10:48:41 -0700 Subject: [PATCH 0650/1014] Refactor key conversion to be in rust (#9826) * Refactor key conversion to be in rust removes a lot of unsafe * GHA * Update keys.rs --- src/_cffi_src/openssl/cryptography.py | 10 ++ .../hazmat/backends/openssl/backend.py | 130 ++---------------- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/_rust/openssl/dh.pyi | 2 - .../hazmat/bindings/_rust/openssl/dsa.pyi | 2 - .../hazmat/bindings/_rust/openssl/ec.pyi | 2 - .../hazmat/bindings/_rust/openssl/ed25519.pyi | 2 - .../hazmat/bindings/_rust/openssl/ed448.pyi | 2 - .../hazmat/bindings/_rust/openssl/keys.pyi | 14 ++ .../hazmat/bindings/_rust/openssl/rsa.pyi | 5 - .../hazmat/bindings/_rust/openssl/x25519.pyi | 2 - .../hazmat/bindings/_rust/openssl/x448.pyi | 2 - src/rust/build.rs | 7 +- src/rust/src/backend/dh.rs | 21 ++- src/rust/src/backend/dsa.rs | 21 ++- src/rust/src/backend/ec.rs | 23 ++-- src/rust/src/backend/ed25519.rs | 21 ++- src/rust/src/backend/ed448.rs | 21 ++- src/rust/src/backend/keys.rs | 121 ++++++++++++++++ src/rust/src/backend/mod.rs | 2 + src/rust/src/backend/rsa.rs | 21 +-- src/rust/src/backend/x25519.rs | 21 ++- src/rust/src/backend/x448.rs | 21 ++- tests/hazmat/primitives/test_rsa.py | 18 ++- 24 files changed, 241 insertions(+), 252 deletions(-) create mode 100644 src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi create mode 100644 src/rust/src/backend/keys.rs diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 44c325749172..5b81cd6fcad3 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -51,6 +51,14 @@ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \ (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL) + +#if CRYPTOGRAPHY_IS_LIBRESSL +#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 \ + (LIBRESSL_VERSION_NUMBER < 0x3080000f) + +#else +#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 (0) +#endif """ TYPES = """ @@ -58,6 +66,8 @@ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E; +static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380; + static const int CRYPTOGRAPHY_IS_LIBRESSL; static const int CRYPTOGRAPHY_IS_BORINGSSL; """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 7852e0d27245..7c08862b3070 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -392,127 +392,19 @@ def _evp_pkey_to_private_key( Return the appropriate type of PrivateKey given an evp_pkey cdata pointer. """ - - key_type = self._lib.EVP_PKEY_id(evp_pkey) - - if key_type == self._lib.EVP_PKEY_RSA: - return rust_openssl.rsa.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)), - unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, - ) - elif ( - key_type == self._lib.EVP_PKEY_RSA_PSS - and not self._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL - and not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - ): - # At the moment the way we handle RSA PSS keys is to strip the - # PSS constraints from them and treat them as normal RSA keys - # Unfortunately the RSA * itself tracks this data so we need to - # extract, serialize, and reload it without the constraints. - rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - bio = self._create_mem_bio_gc() - res = self._lib.i2d_RSAPrivateKey_bio(bio, rsa_cdata) - self.openssl_assert(res == 1) - return self.load_der_private_key( - self._read_mem_bio(bio), - password=None, - unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, - ) - elif key_type == self._lib.EVP_PKEY_DSA: - return rust_openssl.dsa.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == self._lib.EVP_PKEY_EC: - return rust_openssl.ec.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type in self._dh_types: - return rust_openssl.dh.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == getattr(self._lib, "EVP_PKEY_ED25519", None): - # EVP_PKEY_ED25519 is not present in CRYPTOGRAPHY_IS_LIBRESSL - return rust_openssl.ed25519.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == getattr(self._lib, "EVP_PKEY_X448", None): - # EVP_PKEY_X448 is not present in CRYPTOGRAPHY_IS_LIBRESSL - return rust_openssl.x448.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == self._lib.EVP_PKEY_X25519: - return rust_openssl.x25519.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == getattr(self._lib, "EVP_PKEY_ED448", None): - # EVP_PKEY_ED448 is not present in CRYPTOGRAPHY_IS_LIBRESSL - return rust_openssl.ed448.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - else: - raise UnsupportedAlgorithm("Unsupported key type.") + return rust_openssl.keys.private_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)), + unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, + ) def _evp_pkey_to_public_key(self, evp_pkey) -> PublicKeyTypes: """ Return the appropriate type of PublicKey given an evp_pkey cdata pointer. """ - - key_type = self._lib.EVP_PKEY_id(evp_pkey) - - if key_type == self._lib.EVP_PKEY_RSA: - return rust_openssl.rsa.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif ( - key_type == self._lib.EVP_PKEY_RSA_PSS - and not self._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL - and not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - ): - rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) - self.openssl_assert(rsa_cdata != self._ffi.NULL) - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - bio = self._create_mem_bio_gc() - res = self._lib.i2d_RSAPublicKey_bio(bio, rsa_cdata) - self.openssl_assert(res == 1) - return self.load_der_public_key(self._read_mem_bio(bio)) - elif key_type == self._lib.EVP_PKEY_DSA: - return rust_openssl.dsa.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == self._lib.EVP_PKEY_EC: - return rust_openssl.ec.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type in self._dh_types: - return rust_openssl.dh.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == getattr(self._lib, "EVP_PKEY_ED25519", None): - # EVP_PKEY_ED25519 is not present in CRYPTOGRAPHY_IS_LIBRESSL - return rust_openssl.ed25519.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == getattr(self._lib, "EVP_PKEY_X448", None): - # EVP_PKEY_X448 is not present in CRYPTOGRAPHY_IS_LIBRESSL - return rust_openssl.x448.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == self._lib.EVP_PKEY_X25519: - return rust_openssl.x25519.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - elif key_type == getattr(self._lib, "EVP_PKEY_ED448", None): - # EVP_PKEY_ED448 is not present in CRYPTOGRAPHY_IS_LIBRESSL - return rust_openssl.ed448.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - else: - raise UnsupportedAlgorithm("Unsupported key type.") + return rust_openssl.keys.public_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)) + ) def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): @@ -620,9 +512,7 @@ def load_pem_public_key(self, data: bytes) -> PublicKeyTypes: if rsa_cdata != self._ffi.NULL: rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return rust_openssl.rsa.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) + return self._evp_pkey_to_public_key(evp_pkey) else: self._handle_key_loading_error() @@ -685,9 +575,7 @@ def load_der_public_key(self, data: bytes) -> PublicKeyTypes: if rsa_cdata != self._ffi.NULL: rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return rust_openssl.rsa.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) + return self._evp_pkey_to_public_key(evp_pkey) else: self._handle_key_loading_error() diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index e95bc15457ae..9cdb4d6a5c6e 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -15,6 +15,7 @@ from cryptography.hazmat.bindings._rust.openssl import ( hashes, hmac, kdf, + keys, poly1305, rsa, x448, @@ -32,6 +33,7 @@ __all__ = [ "hashes", "hmac", "kdf", + "keys", "ed448", "ed25519", "rsa", diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi index bfd005d99fec..e11203df3ab8 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi @@ -11,8 +11,6 @@ class DHPublicKey: ... class DHParameters: ... def generate_parameters(generator: int, key_size: int) -> dh.DHParameters: ... -def private_key_from_ptr(ptr: int) -> dh.DHPrivateKey: ... -def public_key_from_ptr(ptr: int) -> dh.DHPublicKey: ... def from_pem_parameters(data: bytes) -> dh.DHParameters: ... def from_der_parameters(data: bytes) -> dh.DHParameters: ... def from_private_numbers(numbers: dh.DHPrivateNumbers) -> dh.DHPrivateKey: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi index 5a56f256d52d..1a4a0062bed9 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi @@ -9,8 +9,6 @@ class DSAPublicKey: ... class DSAParameters: ... def generate_parameters(key_size: int) -> dsa.DSAParameters: ... -def private_key_from_ptr(ptr: int) -> dsa.DSAPrivateKey: ... -def public_key_from_ptr(ptr: int) -> dsa.DSAPublicKey: ... def from_private_numbers( numbers: dsa.DSAPrivateNumbers, ) -> dsa.DSAPrivateKey: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi index f4fdf3856fc3..d57d47923a0c 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi @@ -8,8 +8,6 @@ class ECPrivateKey: ... class ECPublicKey: ... def curve_supported(curve: ec.EllipticCurve) -> bool: ... -def private_key_from_ptr(ptr: int) -> ec.EllipticCurvePrivateKey: ... -def public_key_from_ptr(ptr: int) -> ec.EllipticCurvePublicKey: ... def generate_private_key( curve: ec.EllipticCurve, ) -> ec.EllipticCurvePrivateKey: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ed25519.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ed25519.pyi index c7f127f0b157..5233f9a1d1c8 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/ed25519.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ed25519.pyi @@ -8,7 +8,5 @@ class Ed25519PrivateKey: ... class Ed25519PublicKey: ... def generate_key() -> ed25519.Ed25519PrivateKey: ... -def private_key_from_ptr(ptr: int) -> ed25519.Ed25519PrivateKey: ... -def public_key_from_ptr(ptr: int) -> ed25519.Ed25519PublicKey: ... def from_private_bytes(data: bytes) -> ed25519.Ed25519PrivateKey: ... def from_public_bytes(data: bytes) -> ed25519.Ed25519PublicKey: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ed448.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ed448.pyi index 1cf5f1773a0b..7a06520380a0 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/ed448.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ed448.pyi @@ -8,7 +8,5 @@ class Ed448PrivateKey: ... class Ed448PublicKey: ... def generate_key() -> ed448.Ed448PrivateKey: ... -def private_key_from_ptr(ptr: int) -> ed448.Ed448PrivateKey: ... -def public_key_from_ptr(ptr: int) -> ed448.Ed448PublicKey: ... def from_private_bytes(data: bytes) -> ed448.Ed448PrivateKey: ... def from_public_bytes(data: bytes) -> ed448.Ed448PublicKey: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi new file mode 100644 index 000000000000..931d3e9c369d --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi @@ -0,0 +1,14 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from cryptography.hazmat.primitives.asymmetric.types import ( + PrivateKeyTypes, + PublicKeyTypes, +) + +def private_key_from_ptr( + ptr: int, + unsafe_skip_rsa_key_validation: bool, +) -> PrivateKeyTypes: ... +def public_key_from_ptr(ptr: int) -> PublicKeyTypes: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi index d42134f72c74..d2abda968543 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi @@ -11,11 +11,6 @@ def generate_private_key( public_exponent: int, key_size: int, ) -> rsa.RSAPrivateKey: ... -def private_key_from_ptr( - ptr: int, - unsafe_skip_rsa_key_validation: bool, -) -> rsa.RSAPrivateKey: ... -def public_key_from_ptr(ptr: int) -> rsa.RSAPublicKey: ... def from_private_numbers( numbers: rsa.RSAPrivateNumbers, unsafe_skip_rsa_key_validation: bool, diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/x25519.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/x25519.pyi index 90f7cbdda950..da0f3ec588b9 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/x25519.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/x25519.pyi @@ -8,7 +8,5 @@ class X25519PrivateKey: ... class X25519PublicKey: ... def generate_key() -> x25519.X25519PrivateKey: ... -def private_key_from_ptr(ptr: int) -> x25519.X25519PrivateKey: ... -def public_key_from_ptr(ptr: int) -> x25519.X25519PublicKey: ... def from_private_bytes(data: bytes) -> x25519.X25519PrivateKey: ... def from_public_bytes(data: bytes) -> x25519.X25519PublicKey: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/x448.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/x448.pyi index d326c8d2d7c5..e51cfebe15f6 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/x448.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/x448.pyi @@ -8,7 +8,5 @@ class X448PrivateKey: ... class X448PublicKey: ... def generate_key() -> x448.X448PrivateKey: ... -def private_key_from_ptr(ptr: int) -> x448.X448PrivateKey: ... -def public_key_from_ptr(ptr: int) -> x448.X448PublicKey: ... def from_private_bytes(data: bytes) -> x448.X448PrivateKey: ... def from_public_bytes(data: bytes) -> x448.X448PublicKey: ... diff --git a/src/rust/build.rs b/src/rust/build.rs index 87c074b42e23..27f6d12f77f7 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -14,8 +14,13 @@ fn main() { } } - if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { + if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { + let version = u64::from_str_radix(&version, 16).unwrap(); + println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); + if version >= 0x3_08_00_00_0 { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER"); + } } if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index eb177cde44fe..99e04ed76bfd 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -7,17 +7,16 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; use cryptography_x509::common; -use foreign_types_shared::ForeignTypeRef; const MIN_MODULUS_SIZE: u32 = 512; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] -struct DHPrivateKey { +pub(crate) struct DHPrivateKey { pkey: openssl::pkey::PKey, } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] -struct DHPublicKey { +pub(crate) struct DHPublicKey { pkey: openssl::pkey::PKey, } @@ -47,19 +46,17 @@ fn generate_parameters(generator: u32, key_size: u32) -> CryptographyResult DHPrivateKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn private_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> DHPrivateKey { DHPrivateKey { pkey: pkey.to_owned(), } } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(ptr: usize) -> DHPublicKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> DHPublicKey { DHPublicKey { pkey: pkey.to_owned(), } @@ -390,8 +387,6 @@ impl DHParameters { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "dh")?; m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index fa4c9ae9d0ed..ce39cbb058b4 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -5,14 +5,13 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPrivateKey" )] -struct DsaPrivateKey { +pub(crate) struct DsaPrivateKey { pkey: openssl::pkey::PKey, } @@ -21,7 +20,7 @@ struct DsaPrivateKey { module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPublicKey" )] -struct DsaPublicKey { +pub(crate) struct DsaPublicKey { pkey: openssl::pkey::PKey, } @@ -34,19 +33,17 @@ struct DsaParameters { dsa: openssl::dsa::Dsa, } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr(ptr: usize) -> DsaPrivateKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn private_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> DsaPrivateKey { DsaPrivateKey { pkey: pkey.to_owned(), } } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(ptr: usize) -> DsaPublicKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> DsaPublicKey { DsaPublicKey { pkey: pkey.to_owned(), } @@ -293,8 +290,6 @@ impl DsaParameters { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "dsa")?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 885a5cbf4dc2..276ae12a2b4d 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,18 +5,17 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use foreign_types_shared::ForeignTypeRef; use pyo3::ToPyObject; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] -struct ECPrivateKey { +pub(crate) struct ECPrivateKey { pkey: openssl::pkey::PKey, #[pyo3(get)] curve: pyo3::Py, } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] -struct ECPublicKey { +pub(crate) struct ECPublicKey { pkey: openssl::pkey::PKey, #[pyo3(get)] curve: pyo3::Py, @@ -121,10 +120,10 @@ fn curve_supported(py: pyo3::Python<'_>, py_curve: &pyo3::PyAny) -> bool { curve_from_py_curve(py, py_curve).is_ok() } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn private_key_from_pkey( + py: pyo3::Python<'_>, + pkey: &openssl::pkey::PKeyRef, +) -> CryptographyResult { let curve = py_curve_from_curve(py, pkey.ec_key().unwrap().group())?; check_key_infinity(&pkey.ec_key().unwrap())?; Ok(ECPrivateKey { @@ -133,10 +132,10 @@ fn private_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult< }) } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + py: pyo3::Python<'_>, + pkey: &openssl::pkey::PKeyRef, +) -> CryptographyResult { let ec = pkey.ec_key().map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!("Unable to load EC key: {}", e)) })?; @@ -505,8 +504,6 @@ impl ECPublicKey { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "ec")?; m.add_function(pyo3::wrap_pyfunction!(curve_supported, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(derive_private_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 93ea3f6e8a87..f68da83bfb47 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -6,15 +6,14 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] -struct Ed25519PrivateKey { +pub(crate) struct Ed25519PrivateKey { pkey: openssl::pkey::PKey, } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] -struct Ed25519PublicKey { +pub(crate) struct Ed25519PublicKey { pkey: openssl::pkey::PKey, } @@ -25,19 +24,17 @@ fn generate_key() -> CryptographyResult { }) } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr(ptr: usize) -> Ed25519PrivateKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn private_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> Ed25519PrivateKey { Ed25519PrivateKey { pkey: pkey.to_owned(), } } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(ptr: usize) -> Ed25519PublicKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> Ed25519PublicKey { Ed25519PublicKey { pkey: pkey.to_owned(), } @@ -164,8 +161,6 @@ impl Ed25519PublicKey { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "ed25519")?; m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 9950cf4b19c5..eeed28e92f6e 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -6,15 +6,14 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] -struct Ed448PrivateKey { +pub(crate) struct Ed448PrivateKey { pkey: openssl::pkey::PKey, } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] -struct Ed448PublicKey { +pub(crate) struct Ed448PublicKey { pkey: openssl::pkey::PKey, } @@ -25,19 +24,17 @@ fn generate_key() -> CryptographyResult { }) } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr(ptr: usize) -> Ed448PrivateKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn private_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> Ed448PrivateKey { Ed448PrivateKey { pkey: pkey.to_owned(), } } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(ptr: usize) -> Ed448PublicKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> Ed448PublicKey { Ed448PublicKey { pkey: pkey.to_owned(), } @@ -161,8 +158,6 @@ impl Ed448PublicKey { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "ed448")?; m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs new file mode 100644 index 000000000000..2e5108e8c82b --- /dev/null +++ b/src/rust/src/backend/keys.rs @@ -0,0 +1,121 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; +use foreign_types_shared::ForeignTypeRef; +use pyo3::IntoPy; + +#[pyo3::prelude::pyfunction] +fn private_key_from_ptr( + py: pyo3::Python<'_>, + ptr: usize, + unsafe_skip_rsa_key_validation: bool, +) -> CryptographyResult { + // SAFETY: Caller is responsible for passing a valid pointer. + let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + match pkey.id() { + openssl::pkey::Id::RSA => Ok(crate::backend::rsa::private_key_from_pkey( + pkey, + unsafe_skip_rsa_key_validation, + )? + .into_py(py)), + #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))] + openssl::pkey::Id::RSA_PSS => { + // At the moment the way we handle RSA PSS keys is to strip the + // PSS constraints from them and treat them as normal RSA keys + // Unfortunately the RSA * itself tracks this data so we need to + // extract, serialize, and reload it without the constraints. + let der_bytes = pkey.rsa()?.private_key_to_der()?; + let rsa = openssl::rsa::Rsa::private_key_from_der(&der_bytes)?; + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok( + crate::backend::rsa::private_key_from_pkey(&pkey, unsafe_skip_rsa_key_validation)? + .into_py(py), + ) + } + openssl::pkey::Id::EC => { + Ok(crate::backend::ec::private_key_from_pkey(py, pkey)?.into_py(py)) + } + openssl::pkey::Id::X25519 => { + Ok(crate::backend::x25519::private_key_from_pkey(pkey).into_py(py)) + } + + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + openssl::pkey::Id::X448 => { + Ok(crate::backend::x448::private_key_from_pkey(pkey).into_py(py)) + } + + openssl::pkey::Id::ED25519 => { + Ok(crate::backend::ed25519::private_key_from_pkey(pkey).into_py(py)) + } + + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + openssl::pkey::Id::ED448 => { + Ok(crate::backend::ed448::private_key_from_pkey(pkey).into_py(py)) + } + openssl::pkey::Id::DSA => Ok(crate::backend::dsa::private_key_from_pkey(pkey).into_py(py)), + openssl::pkey::Id::DH => Ok(crate::backend::dh::private_key_from_pkey(pkey).into_py(py)), + + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + openssl::pkey::Id::DHX => Ok(crate::backend::dh::private_key_from_pkey(pkey).into_py(py)), + _ => Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err("Unsupported key type."), + )), + } +} + +#[pyo3::prelude::pyfunction] +fn public_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { + // SAFETY: Caller is responsible for passing a valid pointer. + let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + match pkey.id() { + openssl::pkey::Id::RSA => Ok(crate::backend::rsa::public_key_from_pkey(pkey).into_py(py)), + #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))] + openssl::pkey::Id::RSA_PSS => { + // At the moment the way we handle RSA PSS keys is to strip the + // PSS constraints from them and treat them as normal RSA keys + // Unfortunately the RSA * itself tracks this data so we need to + // extract, serialize, and reload it without the constraints. + let der_bytes = pkey.rsa()?.public_key_to_der()?; + let rsa = openssl::rsa::Rsa::public_key_from_der(&der_bytes)?; + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok(crate::backend::rsa::public_key_from_pkey(&pkey).into_py(py)) + } + openssl::pkey::Id::EC => { + Ok(crate::backend::ec::public_key_from_pkey(py, pkey)?.into_py(py)) + } + openssl::pkey::Id::X25519 => { + Ok(crate::backend::x25519::public_key_from_pkey(pkey).into_py(py)) + } + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + openssl::pkey::Id::X448 => Ok(crate::backend::x448::public_key_from_pkey(pkey).into_py(py)), + + openssl::pkey::Id::ED25519 => { + Ok(crate::backend::ed25519::public_key_from_pkey(pkey).into_py(py)) + } + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + openssl::pkey::Id::ED448 => { + Ok(crate::backend::ed448::public_key_from_pkey(pkey).into_py(py)) + } + + openssl::pkey::Id::DSA => Ok(crate::backend::dsa::public_key_from_pkey(pkey).into_py(py)), + openssl::pkey::Id::DH => Ok(crate::backend::dh::public_key_from_pkey(pkey).into_py(py)), + + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + openssl::pkey::Id::DHX => Ok(crate::backend::dh::public_key_from_pkey(pkey).into_py(py)), + + _ => Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err("Unsupported key type."), + )), + } +} + +pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let m = pyo3::prelude::PyModule::new(py, "keys")?; + m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; + + Ok(m) +} diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 99de91f94801..7e085d623b40 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -14,6 +14,7 @@ pub(crate) mod ed448; pub(crate) mod hashes; pub(crate) mod hmac; pub(crate) mod kdf; +pub(crate) mod keys; pub(crate) mod poly1305; pub(crate) mod rsa; pub(crate) mod utils; @@ -27,6 +28,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; + module.add_submodule(keys::create_module(module.py())?)?; module.add_submodule(ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 86168e3b8d8f..3398b0ca377d 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -5,14 +5,13 @@ use crate::backend::{hashes, utils}; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.rsa", name = "RSAPrivateKey" )] -struct RsaPrivateKey { +pub(crate) struct RsaPrivateKey { pkey: openssl::pkey::PKey, } @@ -21,7 +20,7 @@ struct RsaPrivateKey { module = "cryptography.hazmat.bindings._rust.openssl.rsa", name = "RSAPublicKey" )] -struct RsaPublicKey { +pub(crate) struct RsaPublicKey { pkey: openssl::pkey::PKey, } @@ -37,13 +36,10 @@ fn check_rsa_private_key( Ok(()) } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr( - ptr: usize, +pub(crate) fn private_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; if !unsafe_skip_rsa_key_validation { check_rsa_private_key(&pkey.rsa().unwrap())?; } @@ -52,10 +48,9 @@ fn private_key_from_ptr( }) } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(ptr: usize) -> RsaPublicKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> RsaPublicKey { RsaPublicKey { pkey: pkey.to_owned(), } @@ -568,8 +563,6 @@ impl RsaPublicKey { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "rsa")?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 8c9c93f066f6..076bfe87d96b 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -5,15 +5,14 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] -struct X25519PrivateKey { +pub(crate) struct X25519PrivateKey { pkey: openssl::pkey::PKey, } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] -struct X25519PublicKey { +pub(crate) struct X25519PublicKey { pkey: openssl::pkey::PKey, } @@ -24,19 +23,17 @@ fn generate_key() -> CryptographyResult { }) } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr(ptr: usize) -> X25519PrivateKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn private_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> X25519PrivateKey { X25519PrivateKey { pkey: pkey.to_owned(), } } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(ptr: usize) -> X25519PublicKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> X25519PublicKey { X25519PublicKey { pkey: pkey.to_owned(), } @@ -152,8 +149,6 @@ impl X25519PublicKey { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "x25519")?; m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index c466c337b222..eb4718f5f100 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -5,15 +5,14 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use foreign_types_shared::ForeignTypeRef; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] -struct X448PrivateKey { +pub(crate) struct X448PrivateKey { pkey: openssl::pkey::PKey, } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] -struct X448PublicKey { +pub(crate) struct X448PublicKey { pkey: openssl::pkey::PKey, } @@ -24,19 +23,17 @@ fn generate_key() -> CryptographyResult { }) } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr(ptr: usize) -> X448PrivateKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn private_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> X448PrivateKey { X448PrivateKey { pkey: pkey.to_owned(), } } -#[pyo3::prelude::pyfunction] -fn public_key_from_ptr(ptr: usize) -> X448PublicKey { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; +pub(crate) fn public_key_from_pkey( + pkey: &openssl::pkey::PKeyRef, +) -> X448PublicKey { X448PublicKey { pkey: pkey.to_owned(), } @@ -151,8 +148,6 @@ impl X448PublicKey { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "x448")?; m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 7d8a1fd05507..2d72e57f4236 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -291,9 +291,12 @@ def test_load_pss_keys_strips_constraints(self, path, backend): @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E + not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL + and ( + not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E + or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL + and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 + ) ), skip_message="Does not support RSA PSS loading", ) @@ -315,9 +318,12 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): @pytest.mark.supported( only_if=lambda backend: ( - backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - or backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - or backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E + backend._lib.CRYPTOGRAPHY_IS_BORINGSSL + and ( + not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E + or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL + and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 + ) ), skip_message="Test requires a backend without RSA-PSS key support", ) From 77bcf278d6ff179dd83f23c34efe797308abae15 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 Nov 2023 10:56:27 -0700 Subject: [PATCH 0651/1014] Run this test on libressl 3.8.0+ (#9827) --- tests/hazmat/primitives/test_rsa.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 2d72e57f4236..205f294bffe6 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -252,9 +252,12 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E + not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL + and ( + not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E + or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL + and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 + ) ), skip_message="Does not support RSA PSS loading", ) From fc5af0aa73f20af94bb12dd28dbebf19268a5ae9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 3 Nov 2023 23:49:46 -0400 Subject: [PATCH 0652/1014] Bump BoringSSL and/or OpenSSL in CI (#9828) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fb89c1861d2a..01f8c46634de 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 02, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f714cb2935906a2f085c3b89d7e206af94627b56"}} - # Latest commit on the OpenSSL master branch, as of Nov 03, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "04b53878ea498582a6c2cfa93c570584818bbe47"}} + # Latest commit on the BoringSSL master branch, as of Nov 04, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "478b28ab12f2001a03261624261fd041f5439706"}} + # Latest commit on the OpenSSL master branch, as of Nov 04, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1aa08644ecd4005c0f55276b2e8dabd8a2a758f0"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From e95837478562d2f72f07736e577e1f24f0129b32 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 3 Nov 2023 21:59:39 -0700 Subject: [PATCH 0653/1014] add support for signing PKCS7 using RSA PSS (#9829) * add support for signing PKCS7 using RSA PSS * mypy fixes --- CHANGELOG.rst | 2 + .../primitives/asymmetric/serialization.rst | 14 ++- .../hazmat/primitives/serialization/pkcs7.py | 16 +++- src/rust/src/pkcs7.rs | 15 +-- tests/hazmat/primitives/test_pkcs7.py | 93 ++++++++++++++++++- 5 files changed, 126 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5bdb89901a87..53c432076d9a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -41,6 +41,8 @@ Changelog * Added support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` on LibreSSL. +* Added support for RSA PSS signatures in PKCS7 with + :meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`. .. _v41-0-5: diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index c60accca6b40..402915c45540 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst @@ -1127,7 +1127,7 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, :param data: The data to be hashed and signed. :type data: :term:`bytes-like` - .. method:: add_signer(certificate, private_key, hash_algorithm) + .. method:: add_signer(certificate, private_key, hash_algorithm, *, rsa_padding=None) :param certificate: The :class:`~cryptography.x509.Certificate`. @@ -1142,6 +1142,18 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, will be used to generate the signature. This must be one of the types in :data:`PKCS7HashTypes`. + :param rsa_padding: + + .. versionadded:: 42.0.0 + + This is a keyword-only argument. If ``private_key`` is an + ``RSAPrivateKey`` then this can be set to either + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` or + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` to sign + with those respective paddings. If this is ``None`` then RSA + keys will default to ``PKCS1v15`` padding. All other key types **must** + not pass a value other than ``None``. + .. method:: add_certificate(certificate) Add an additional certificate (typically used to help build a diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index 1d7d9c1b6869..b6feb1ee823b 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -14,7 +14,7 @@ from cryptography import utils, x509 from cryptography.hazmat.bindings._rust import pkcs7 as rust_pkcs7 from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import ec, rsa +from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa from cryptography.utils import _check_byteslike @@ -67,6 +67,7 @@ def __init__( x509.Certificate, PKCS7PrivateKeyTypes, PKCS7HashTypes, + padding.PSS | padding.PKCS1v15 | None, ] ] = [], additional_certs: list[x509.Certificate] = [], @@ -87,6 +88,8 @@ def add_signer( certificate: x509.Certificate, private_key: PKCS7PrivateKeyTypes, hash_algorithm: PKCS7HashTypes, + *, + rsa_padding: padding.PSS | padding.PKCS1v15 | None = None, ) -> PKCS7SignatureBuilder: if not isinstance( hash_algorithm, @@ -109,9 +112,18 @@ def add_signer( ): raise TypeError("Only RSA & EC keys are supported at this time.") + if rsa_padding is not None: + if not isinstance(rsa_padding, (padding.PSS, padding.PKCS1v15)): + raise TypeError("Padding must be PSS or PKCS1v15") + if not isinstance(private_key, rsa.RSAPrivateKey): + raise TypeError("Padding is only supported for RSA keys") + return PKCS7SignatureBuilder( self._data, - [*self._signers, (certificate, private_key, hash_algorithm)], + [ + *self._signers, + (certificate, private_key, hash_algorithm, rsa_padding), + ], ) def add_certificate( diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 1acbae457fb3..eb81bddc5412 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -105,6 +105,7 @@ fn sign_and_serialize<'p>( pyo3::PyRef<'p, x509::certificate::Certificate>, &pyo3::PyAny, &pyo3::PyAny, + &pyo3::PyAny, )> = builder.getattr(pyo3::intern!(py, "_signers"))?.extract()?; let py_certs: Vec> = builder @@ -117,7 +118,7 @@ fn sign_and_serialize<'p>( .iter() .map(|p| p.raw.borrow_dependent()) .collect::>(); - for (cert, py_private_key, py_hash_alg) in &py_signers { + for (cert, py_private_key, py_hash_alg, rsa_padding) in &py_signers { let (authenticated_attrs, signature) = if options .contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? { @@ -127,7 +128,7 @@ fn sign_and_serialize<'p>( py, py_private_key, py_hash_alg, - py.None().into_ref(py), + rsa_padding, &data_with_header, )?, ) @@ -174,13 +175,7 @@ fn sign_and_serialize<'p>( Some(common::Asn1ReadableOrWritable::new_write( asn1::SetOfWriter::new(authenticated_attrs), )), - x509::sign::sign_data( - py, - py_private_key, - py_hash_alg, - py.None().into_ref(py), - &signed_data, - )?, + x509::sign::sign_data(py, py_private_key, py_hash_alg, rsa_padding, &signed_data)?, ) }; @@ -206,7 +201,7 @@ fn sign_and_serialize<'p>( py, py_private_key, py_hash_alg, - py.None().into_ref(py), + rsa_padding, )?, encrypted_digest: signature, unauthenticated_attributes: None, diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index a634cffe763a..0987110c44f7 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -12,7 +12,7 @@ from cryptography import x509 from cryptography.exceptions import _Reasons from cryptography.hazmat.primitives import hashes, serialization -from cryptography.hazmat.primitives.asymmetric import ed25519, rsa +from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 from ...utils import load_vectors_from_file, raises_unsupported_algorithm @@ -624,6 +624,97 @@ def test_sign_no_certs(self, backend): sig_no = builder.sign(serialization.Encoding.DER, options) assert sig_no.count(cert.public_bytes(serialization.Encoding.DER)) == 0 + @pytest.mark.parametrize( + "pad", + [ + padding.PKCS1v15(), + None, + padding.PSS( + mgf=padding.MGF1(hashes.SHA512()), + salt_length=padding.PSS.DIGEST_LENGTH, + ), + ], + ) + def test_rsa_pkcs_padding_options(self, pad, backend): + data = b"hello world" + rsa_key = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), None, unsafe_skip_rsa_key_validation=True + ), + mode="rb", + ) + assert isinstance(rsa_key, rsa.RSAPrivateKey) + rsa_cert = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_ca.pem"), + loader=lambda pemfile: x509.load_pem_x509_certificate( + pemfile.read() + ), + mode="rb", + ) + builder = ( + pkcs7.PKCS7SignatureBuilder() + .set_data(data) + .add_signer(rsa_cert, rsa_key, hashes.SHA512(), rsa_padding=pad) + ) + options: typing.List[pkcs7.PKCS7Options] = [] + sig = builder.sign(serialization.Encoding.DER, options) + # This should be a pkcs1 sha512 signature + if isinstance(pad, padding.PSS): + # PKCS7_verify can't verify a PSS sig and we don't bind CMS so + # we instead just check that a few things are present in the + # output. + # There should be four SHA512 OIDs in this structure + assert sig.count(b"\x06\t`\x86H\x01e\x03\x04\x02\x03") == 4 + # There should be one MGF1 OID in this structure + assert ( + sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x08") == 1 + ) + else: + # This should be a pkcs1 sha512 signature + assert ( + sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D") == 1 + ) + _pkcs7_verify( + serialization.Encoding.DER, + sig, + None, + [rsa_cert], + options, + backend, + ) + + def test_not_rsa_key_with_padding(self, backend): + cert, key = _load_cert_key() + with pytest.raises(TypeError): + pkcs7.PKCS7SignatureBuilder().add_signer( + cert, key, hashes.SHA512(), rsa_padding=padding.PKCS1v15() + ) + + def test_rsa_invalid_padding(self, backend): + rsa_key = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), None, unsafe_skip_rsa_key_validation=True + ), + mode="rb", + ) + assert isinstance(rsa_key, rsa.RSAPrivateKey) + rsa_cert = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_ca.pem"), + loader=lambda pemfile: x509.load_pem_x509_certificate( + pemfile.read() + ), + mode="rb", + ) + with pytest.raises(TypeError): + pkcs7.PKCS7SignatureBuilder().add_signer( + rsa_cert, + rsa_key, + hashes.SHA512(), + rsa_padding=object(), # type: ignore[arg-type] + ) + def test_multiple_signers(self, backend): data = b"hello world" cert, key = _load_cert_key() From 9328745ea15b56457ffa60dc3749af903360d1ca Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 4 Nov 2023 21:25:50 -0400 Subject: [PATCH 0654/1014] Bump BoringSSL and/or OpenSSL in CI (#9830) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 01f8c46634de..62ced7291819 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 04, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "478b28ab12f2001a03261624261fd041f5439706"}} - # Latest commit on the OpenSSL master branch, as of Nov 04, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1aa08644ecd4005c0f55276b2e8dabd8a2a758f0"}} + # Latest commit on the OpenSSL master branch, as of Nov 05, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f1e0c94545a6eb02914a31c3d94bf96387ebc68d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 6c702572b5bcc9f5cb65c4ce8ddc4e4ea2334cc6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 6 Nov 2023 08:12:03 -0500 Subject: [PATCH 0655/1014] Temporarily allow a new clippy warning (#9835) * Temporarily allow a new clippy warning * Update lib.rs * Update lib.rs --- src/rust/src/lib.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index c245649f985e..381a67305eb9 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,6 +3,8 @@ // for complete details. #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +// Work-around for https://github.com/PyO3/pyo3/issues/3561 +#![allow(unknown_lints, clippy::unnecessary_fallible_conversions)] mod asn1; mod backend; From 7f8698ccff7ef092b1bbc40b122ab4d0f951adeb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Nov 2023 13:27:32 +0000 Subject: [PATCH 0656/1014] Bump libc from 0.2.149 to 0.2.150 in /src/rust (#9832) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.149 to 0.2.150. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.149...0.2.150) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1ef651c08954..6c865b4f421f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -146,9 +146,9 @@ checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" [[package]] name = "libc" -version = "0.2.149" +version = "0.2.150" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b" +checksum = "89d92a4743f9a61002fae18374ed11e7973f530cb3a3255fb354818118b2203c" [[package]] name = "lock_api" From 805badd3f657489df7f4c16ff00c644abfef8c01 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Nov 2023 13:33:04 +0000 Subject: [PATCH 0657/1014] Bump syn from 2.0.38 to 2.0.39 in /src/rust (#9833) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.38 to 2.0.39. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.38...2.0.39) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6c865b4f421f..24e32c33b131 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" [[package]] name = "syn" -version = "2.0.38" +version = "2.0.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b" +checksum = "23e78b90f2fcf45d3e842032ce32e3f2d1545ba6636271dcbf24fa306d87be7a" dependencies = [ "proc-macro2", "quote", From 4c07d8eb289aaa0fbcdbcf370724122905fade02 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Nov 2023 08:36:57 -0500 Subject: [PATCH 0658/1014] Bump ruff from 0.1.3 to 0.1.4 (#9834) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.3 to 0.1.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.3...v0.1.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 533434d9756f..b5669ea431ed 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ rfc3986==2.0.0 # via twine rich==13.6.0 # via twine -ruff==0.1.3 +ruff==0.1.4 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From b3908d4599010e59a73057559990370a4de2dc52 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 7 Nov 2023 00:16:28 +0000 Subject: [PATCH 0659/1014] Bump BoringSSL and/or OpenSSL in CI (#9836) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62ced7291819..f391967f29b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 04, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "478b28ab12f2001a03261624261fd041f5439706"}} - # Latest commit on the OpenSSL master branch, as of Nov 05, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f1e0c94545a6eb02914a31c3d94bf96387ebc68d"}} + # Latest commit on the BoringSSL master branch, as of Nov 07, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ad57528d2c978543106f9b115bd0eb658f3ebdd2"}} + # Latest commit on the OpenSSL master branch, as of Nov 07, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bc224e7edf87bbb353d51e9cb5c5999af8828856"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 01d55b2af8ae167315288c03b192c59c86425009 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 8 Nov 2023 00:19:54 +0000 Subject: [PATCH 0660/1014] Bump BoringSSL and/or OpenSSL in CI (#9837) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f391967f29b5..6bef506f4353 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 07, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ad57528d2c978543106f9b115bd0eb658f3ebdd2"}} - # Latest commit on the OpenSSL master branch, as of Nov 07, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bc224e7edf87bbb353d51e9cb5c5999af8828856"}} + # Latest commit on the OpenSSL master branch, as of Nov 08, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1c6a37975495dd633847ff0c07747fae272d5e4d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 7aeadf319018dbf7863e011f2c6e7872536b9bd9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 9 Nov 2023 00:15:29 +0000 Subject: [PATCH 0661/1014] Bump BoringSSL and/or OpenSSL in CI (#9840) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6bef506f4353..4f650c6d1052 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 07, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ad57528d2c978543106f9b115bd0eb658f3ebdd2"}} - # Latest commit on the OpenSSL master branch, as of Nov 08, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1c6a37975495dd633847ff0c07747fae272d5e4d"}} + # Latest commit on the OpenSSL master branch, as of Nov 09, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4d4657cb6ba364dfa60681948b0a30c40bee31ca"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 71bdfc0dd771bdcdc4fa864172ffa0b53b4035c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:08:00 +0000 Subject: [PATCH 0662/1014] Bump ruff from 0.1.4 to 0.1.5 (#9841) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.4 to 0.1.5. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.4...v0.1.5) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b5669ea431ed..a2051c541361 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ rfc3986==2.0.0 # via twine rich==13.6.0 # via twine -ruff==0.1.4 +ruff==0.1.5 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From 7d451dbd9a343d3f6b5fc8546536ddf659c0176b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 15:34:27 -0500 Subject: [PATCH 0663/1014] src, tests: add max_chain_depth to validation API (#9844) * src, tests: all max_chain_depth to validation API Signed-off-by: William Woodruff * docs: document max_chain_depth Signed-off-by: William Woodruff * verify: simplify type Signed-off-by: William Woodruff * validation: document DEFAULT_MAX_CHAIN_DEPTH Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- docs/x509/verification.rst | 14 +++++++++ .../hazmat/bindings/_rust/x509.pyi | 3 ++ src/cryptography/x509/verification.py | 17 ++++++++++ .../src/policy/extension.rs | 10 +++--- .../src/policy/mod.rs | 31 ++++++++++++++----- src/rust/src/x509/verify.rs | 8 +++++ tests/x509/test_verification.py | 7 +++++ 7 files changed, 77 insertions(+), 13 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 2a074b945ccc..8979618b2084 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -89,6 +89,20 @@ chain building, etc. :returns: A new instance of :class:`PolicyBuilder` + .. method:: max_chain_depth(new_max_chain_depth) + + Sets the verifier's maximum chain building depth. + + This depth behaves tracks the length of the intermediate CA + chain: a maximum depth of zero means that the leaf must be directly + issued by a member of the store, a depth of one means no more than + one intermediate CA, and so forth. Note that self-issued intermediates + don't count against the chain depth, per RFC 5280. + + :param new_max_chain_depth: The maximum depth to allow in the verifier + + :returns: A new instance of :class:`PolicyBuilder` + .. method:: build_server_verifier(subject) Builds a verifier for verifying server certificates. diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index c1ef852ee76e..47e8494ca6b1 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -41,6 +41,7 @@ def create_server_verifier( name: x509.verification.Subject, store: Store, time: datetime.datetime | None, + max_chain_depth: int | None, ) -> x509.verification.ServerVerifier: ... class Sct: ... @@ -56,6 +57,8 @@ class ServerVerifier: def validation_time(self) -> datetime.datetime: ... @property def store(self) -> Store: ... + @property + def max_chain_depth(self) -> int: ... def verify( self, leaf: x509.Certificate, diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index bf200f73a724..a91998ed623d 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -25,9 +25,11 @@ def __init__( *, time: datetime.datetime | None = None, store: Store | None = None, + max_chain_depth: int | None = None, ): self._time = time self._store = store + self._max_chain_depth = max_chain_depth def time(self, new_time: datetime.datetime) -> PolicyBuilder: """ @@ -48,6 +50,20 @@ def store(self, new_store: Store) -> PolicyBuilder: return PolicyBuilder(time=self._time, store=new_store) + def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: + """ + Sets the maximum chain depth. + """ + + if self._max_chain_depth is not None: + raise ValueError("The maximum chain depth may only be set once.") + + return PolicyBuilder( + time=self._time, + store=self._store, + max_chain_depth=new_max_chain_depth, + ) + def build_server_verifier(self, subject: Subject) -> ServerVerifier: """ Builds a verifier for verifying server certificates. @@ -60,4 +76,5 @@ def build_server_verifier(self, subject: Subject) -> ServerVerifier: subject, self._store, self._time, + self._max_chain_depth, ) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 06d88c4e3ad7..57fea5519366 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -236,7 +236,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new(ops, None, epoch(), None); // Test a policy that stipulates that a given extension MUST be present. let extension_policy = ExtensionPolicy::present( @@ -280,7 +280,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new(ops, None, epoch(), None); // Test a policy that stipulates that a given extension CAN be present. let extension_policy = ExtensionPolicy::maybe_present( @@ -316,7 +316,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new(ops, None, epoch(), None); // Test a policy that stipulates that a given extension MUST NOT be present. let extension_policy = ExtensionPolicy::not_present(BASIC_CONSTRAINTS_OID); @@ -348,7 +348,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new(ops, None, epoch(), None); // Test a present policy that stipulates that a given extension MUST be critical. let extension_policy = ExtensionPolicy::present( @@ -376,7 +376,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch()); + let policy = Policy::new(ops, None, epoch(), None); // Test a maybe present policy that stipulates that a given extension MUST be critical. let extension_policy = ExtensionPolicy::maybe_present( diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 35c7f019ef32..f7df4a68c48b 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -148,6 +148,17 @@ const RFC5280_CRITICAL_CA_EXTENSIONS: &[asn1::ObjectIdentifier] = const RFC5280_CRITICAL_EE_EXTENSIONS: &[asn1::ObjectIdentifier] = &[BASIC_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID]; +/// A default reasonable maximum chain depth. +/// +/// This depth was chosen to balance between common validation lengths +/// (chains in the Web PKI are ordinarily no longer than 2 or 3 intermediates +/// in the longest cases) and support for pathological cases. +/// +/// Relatively little prior art for selecting a default depth exists; +/// OpenSSL defaults to a limit of 100, which is far more permissive than +/// necessary. +const DEFAULT_MAX_CHAIN_DEPTH: u8 = 8; + pub enum PolicyError { Other(&'static str), } @@ -195,12 +206,11 @@ impl From for Subject<'_> { pub struct Policy<'a, B: CryptoOps> { _ops: B, - /// A top-level constraint on the length of paths constructed under - /// this policy. + /// A top-level constraint on the length of intermediate CA paths + /// constructed under this policy. /// - /// Note that this has different semantics from `pathLenConstraint`: - /// it controls the *overall* non-self-issued chain length, not the number - /// of non-self-issued intermediates in the chain. + /// Per RFC 5280, this limits the length of the non-self-issued intermediate + /// CA chain, without counting either the leaf or trust anchor. pub max_chain_depth: u8, /// A subject (i.e. DNS name or other name format) that any EE certificates @@ -230,10 +240,15 @@ pub struct Policy<'a, B: CryptoOps> { impl<'a, B: CryptoOps> Policy<'a, B> { /// Create a new policy with defaults for the certificate profile defined in /// the CA/B Forum's Basic Requirements. - pub fn new(ops: B, subject: Option>, time: asn1::DateTime) -> Self { + pub fn new( + ops: B, + subject: Option>, + time: asn1::DateTime, + max_chain_depth: Option, + ) -> Self { Self { _ops: ops, - max_chain_depth: 8, + max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH), subject, validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), @@ -383,7 +398,7 @@ mod tests { #[test] fn test_policy_critical_extensions() { let time = asn1::DateTime::new(2023, 9, 12, 1, 1, 1).unwrap(); - let policy = Policy::new(NullOps {}, None, time); + let policy = Policy::new(NullOps {}, None, time, None); assert_eq!( policy.critical_ca_extensions, diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 992d27fbf73e..2db4ee959406 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -8,6 +8,7 @@ use cryptography_x509_validation::{ policy::{Policy, Subject}, types::{DNSName, IPAddress}, }; +use pyo3::IntoPy; use crate::error::{CryptographyError, CryptographyResult}; use crate::types; @@ -93,6 +94,11 @@ impl PyServerVerifier { datetime_to_py(py, &self.as_policy().validation_time) } + #[getter] + fn max_chain_depth(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + Ok(self.as_policy().max_chain_depth.into_py(py)) + } + fn verify<'p>( &self, _py: pyo3::Python<'p>, @@ -155,6 +161,7 @@ fn create_server_verifier( subject: pyo3::Py, store: pyo3::Py, time: Option<&pyo3::PyAny>, + max_chain_depth: Option, ) -> pyo3::PyResult { let time = match time { Some(time) => py_to_datetime(py, time)?, @@ -168,6 +175,7 @@ fn create_server_verifier( PyCryptoOps {}, subject, time, + max_chain_depth, ))) })?; diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index d5e575a4724f..3a7b0843ad1d 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -35,6 +35,10 @@ def test_store_already_set(self): with pytest.raises(ValueError): PolicyBuilder().store(dummy_store()).store(dummy_store()) + def test_max_chain_depth_already_set(self): + with pytest.raises(ValueError): + PolicyBuilder().max_chain_depth(8).max_chain_depth(9) + def test_ipaddress_subject(self): policy = ( PolicyBuilder() @@ -71,15 +75,18 @@ def test_subject_bad_types(self): def test_builder_pattern(self): now = datetime.datetime.now().replace(microsecond=0) store = dummy_store() + max_chain_depth = 16 builder = PolicyBuilder() builder = builder.time(now) builder = builder.store(store) + builder = builder.max_chain_depth(max_chain_depth) verifier = builder.build_server_verifier(DNSName("cryptography.io")) assert verifier.subject == DNSName("cryptography.io") assert verifier.validation_time == now assert verifier.store == store + assert verifier.max_chain_depth == max_chain_depth def test_build_server_verifier_missing_store(self): with pytest.raises( From 8caafd741df5b5d080cbd09d73c48f6c992d7dbf Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 17:03:11 -0500 Subject: [PATCH 0664/1014] validation: subject is non-optional (#9846) Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 38 ++++++++++++++++--- .../src/policy/mod.rs | 12 ++++-- src/rust/src/x509/verify.rs | 6 +-- 3 files changed, 43 insertions(+), 13 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index 57fea5519366..f6f1e79c2515 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -176,7 +176,8 @@ mod tests { use super::{Criticality, ExtensionPolicy}; use crate::ops::tests::{cert, v1_cert_pem, NullOps}; use crate::ops::CryptoOps; - use crate::policy::{Policy, PolicyError}; + use crate::policy::{Policy, PolicyError, Subject}; + use crate::types::DNSName; use asn1::{ObjectIdentifier, SimpleAsn1Writable}; use cryptography_x509::certificate::Certificate; use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; @@ -236,7 +237,12 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch(), None); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + None, + ); // Test a policy that stipulates that a given extension MUST be present. let extension_policy = ExtensionPolicy::present( @@ -280,7 +286,12 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch(), None); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + None, + ); // Test a policy that stipulates that a given extension CAN be present. let extension_policy = ExtensionPolicy::maybe_present( @@ -316,7 +327,12 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch(), None); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + None, + ); // Test a policy that stipulates that a given extension MUST NOT be present. let extension_policy = ExtensionPolicy::not_present(BASIC_CONSTRAINTS_OID); @@ -348,7 +364,12 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch(), None); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + None, + ); // Test a present policy that stipulates that a given extension MUST be critical. let extension_policy = ExtensionPolicy::present( @@ -376,7 +397,12 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = NullOps {}; - let policy = Policy::new(ops, None, epoch(), None); + let policy = Policy::new( + ops, + Subject::DNS(DNSName::new("example.com").unwrap()), + epoch(), + None, + ); // Test a maybe present policy that stipulates that a given extension MUST be critical. let extension_policy = ExtensionPolicy::maybe_present( diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index f7df4a68c48b..6be0538333a1 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -215,8 +215,7 @@ pub struct Policy<'a, B: CryptoOps> { /// A subject (i.e. DNS name or other name format) that any EE certificates /// validated by this policy must match. - /// If `None`, the EE certificate must not contain a SAN. - pub subject: Option>, + pub subject: Subject<'a>, /// The validation time. All certificates validated by this policy must /// be valid at this time. @@ -242,7 +241,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { /// the CA/B Forum's Basic Requirements. pub fn new( ops: B, - subject: Option>, + subject: Subject<'a>, time: asn1::DateTime, max_chain_depth: Option, ) -> Self { @@ -398,7 +397,12 @@ mod tests { #[test] fn test_policy_critical_extensions() { let time = asn1::DateTime::new(2023, 9, 12, 1, 1, 1).unwrap(); - let policy = Policy::new(NullOps {}, None, time, None); + let policy = Policy::new( + NullOps {}, + Subject::DNS(DNSName::new("example.com").unwrap()), + time, + None, + ); assert_eq!( policy.critical_ca_extensions, diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 2db4ee959406..a404fdf76a65 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -138,19 +138,19 @@ fn build_subject_owner( fn build_subject<'a>( py: pyo3::Python<'_>, subject: &'a SubjectOwner, -) -> pyo3::PyResult>> { +) -> pyo3::PyResult> { match subject { SubjectOwner::DNSName(dns_name) => { let dns_name = DNSName::new(dns_name) .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid domain name"))?; - Ok(Some(Subject::DNS(dns_name))) + Ok(Subject::DNS(dns_name)) } SubjectOwner::IPAddress(ip_addr) => { let ip_addr = IPAddress::from_bytes(ip_addr.as_bytes(py)) .ok_or_else(|| pyo3::exceptions::PyValueError::new_err("invalid IP address"))?; - Ok(Some(Subject::IP(ip_addr))) + Ok(Subject::IP(ip_addr)) } } } From e7dbca62602ea0c1c0a3aa92664d92eee63df1e0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Thu, 9 Nov 2023 17:43:03 -0500 Subject: [PATCH 0665/1014] verification: add missing max_chain_depth kwargs (#9847) Missed these on the original PR. Signed-off-by: William Woodruff --- docs/x509/verification.rst | 6 ++++++ src/cryptography/x509/verification.py | 12 ++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 8979618b2084..273cd303009b 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -57,6 +57,12 @@ chain building, etc. The verifier's validation time. + .. attribute:: max_chain_depth + + :type: :class:`int` + + The verifier's maximum intermediate CA chain depth. + .. attribute:: store :type: :class:`Store` diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index a91998ed623d..06bb42b91f15 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -38,7 +38,11 @@ def time(self, new_time: datetime.datetime) -> PolicyBuilder: if self._time is not None: raise ValueError("The validation time may only be set once.") - return PolicyBuilder(time=new_time, store=self._store) + return PolicyBuilder( + time=new_time, + store=self._store, + max_chain_depth=self._max_chain_depth, + ) def store(self, new_store: Store) -> PolicyBuilder: """ @@ -48,7 +52,11 @@ def store(self, new_store: Store) -> PolicyBuilder: if self._store is not None: raise ValueError("The trust store may only be set once.") - return PolicyBuilder(time=self._time, store=new_store) + return PolicyBuilder( + time=self._time, + store=new_store, + max_chain_depth=self._max_chain_depth, + ) def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: """ From e92c3ba11092a1001e5b8f02d44a9a147c6ee467 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 9 Nov 2023 18:37:36 -0500 Subject: [PATCH 0666/1014] fixed #9838 -- handle hashes with algorithm identifiers that have no parameters in OCSP (#9839) --- src/rust/src/x509/ocsp.rs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 81163964b677..29f3acac0ebf 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -15,10 +15,15 @@ pub(crate) static ALGORITHM_PARAMETERS_TO_HASH: Lazy< HashMap, &str>, > = Lazy::new(|| { let mut h = HashMap::new(); + h.insert(common::AlgorithmParameters::Sha1(None), "SHA1"); h.insert(common::AlgorithmParameters::Sha1(Some(())), "SHA1"); + h.insert(common::AlgorithmParameters::Sha224(None), "SHA224"); h.insert(common::AlgorithmParameters::Sha224(Some(())), "SHA224"); + h.insert(common::AlgorithmParameters::Sha256(None), "SHA256"); h.insert(common::AlgorithmParameters::Sha256(Some(())), "SHA256"); + h.insert(common::AlgorithmParameters::Sha384(None), "SHA384"); h.insert(common::AlgorithmParameters::Sha384(Some(())), "SHA384"); + h.insert(common::AlgorithmParameters::Sha512(None), "SHA512"); h.insert(common::AlgorithmParameters::Sha512(Some(())), "SHA512"); h }); From 420ad4e2453024f97f28b25d655740692f117cd5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 9 Nov 2023 18:37:56 -0500 Subject: [PATCH 0667/1014] Fix some warnings from `ruff --preview` (#9842) --- docs/development/custom-vectors/cast5/generate_cast5.py | 6 +++--- docs/development/custom-vectors/idea/generate_idea.py | 6 +++--- docs/development/custom-vectors/seed/generate_seed.py | 6 +++--- src/cryptography/hazmat/primitives/serialization/ssh.py | 5 +++-- tests/hazmat/primitives/test_pkcs12.py | 2 +- tests/hazmat/primitives/test_pkcs7.py | 2 +- tests/x509/test_ocsp.py | 4 ++-- 7 files changed, 16 insertions(+), 15 deletions(-) diff --git a/docs/development/custom-vectors/cast5/generate_cast5.py b/docs/development/custom-vectors/cast5/generate_cast5.py index 38d68c0b6df7..38eddbf187fe 100644 --- a/docs/development/custom-vectors/cast5/generate_cast5.py +++ b/docs/development/custom-vectors/cast5/generate_cast5.py @@ -35,14 +35,14 @@ def build_vectors(mode, filename): ) output.append(f"\nCOUNT = {count}") count += 1 - name, key = line.split(" = ") + _, key = line.split(" = ") output.append(f"KEY = {key}") elif line.startswith("IV"): - name, iv = line.split(" = ") + _, iv = line.split(" = ") iv = iv[0:16] output.append(f"IV = {iv}") elif line.startswith("PLAINTEXT"): - name, plaintext = line.split(" = ") + _, plaintext = line.split(" = ") output.append(f"PLAINTEXT = {plaintext}") output.append(f"CIPHERTEXT = {encrypt(mode, key, iv, plaintext)}") return "\n".join(output) diff --git a/docs/development/custom-vectors/idea/generate_idea.py b/docs/development/custom-vectors/idea/generate_idea.py index c0e93ee52a48..c7a3b715652b 100644 --- a/docs/development/custom-vectors/idea/generate_idea.py +++ b/docs/development/custom-vectors/idea/generate_idea.py @@ -32,14 +32,14 @@ def build_vectors(mode, filename): ) output.append(f"\nCOUNT = {count}") count += 1 - name, key = line.split(" = ") + _, key = line.split(" = ") output.append(f"KEY = {key}") elif line.startswith("IV"): - name, iv = line.split(" = ") + _, iv = line.split(" = ") iv = iv[0:16] output.append(f"IV = {iv}") elif line.startswith("PLAINTEXT"): - name, plaintext = line.split(" = ") + _, plaintext = line.split(" = ") output.append(f"PLAINTEXT = {plaintext}") output.append(f"CIPHERTEXT = {encrypt(mode, key, iv, plaintext)}") diff --git a/docs/development/custom-vectors/seed/generate_seed.py b/docs/development/custom-vectors/seed/generate_seed.py index c2ebf4b2b2b9..ef9910d891b0 100644 --- a/docs/development/custom-vectors/seed/generate_seed.py +++ b/docs/development/custom-vectors/seed/generate_seed.py @@ -32,13 +32,13 @@ def build_vectors(mode, filename): ) output.append(f"\nCOUNT = {count}") count += 1 - name, key = line.split(" = ") + _, key = line.split(" = ") output.append(f"KEY = {key}") elif line.startswith("IV"): - name, iv = line.split(" = ") + _, iv = line.split(" = ") output.append(f"IV = {iv}") elif line.startswith("PLAINTEXT"): - name, plaintext = line.split(" = ") + _, plaintext = line.split(" = ") output.append(f"PLAINTEXT = {plaintext}") output.append(f"CIPHERTEXT = {encrypt(mode, key, iv, plaintext)}") diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index da686abadb06..f33edd55e0ea 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -468,7 +468,7 @@ def load_public( self, data: memoryview ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: """Make ECDSA public key from data.""" - (curve_name, point), data = self.get_public(data) + (_, point), data = self.get_public(data) public_key = ec.EllipticCurvePublicKey.from_encoded_point( self.curve, point.tobytes() ) @@ -684,7 +684,8 @@ def load_ssh_private_key( if key_type != pub_key_type: raise ValueError("Corrupt data: key type mismatch") private_key, edata = kformat.load_private(edata, pubfields) - comment, edata = _get_sshstr(edata) + # We don't use the comment + _, edata = _get_sshstr(edata) # yes, SSH does padding check *after* all other parsing is done. # need to follow as it writes zero-byte padding too. diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 957eea6cfd68..2159242bb263 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -728,7 +728,7 @@ def make_cert(name): ) # Parse them out. The API should report them in the same order. - (key, cert, certs) = load_key_and_certificates(p12, None) + (_, cert, certs) = load_key_and_certificates(p12, None) assert cert == a_cert assert certs == [b_cert, c_cert] diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 0987110c44f7..ceb84e5fb48e 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -200,7 +200,7 @@ def test_unsupported_hash_alg(self, backend): ) def test_not_a_cert(self, backend): - cert, key = _load_cert_key() + _, key = _load_cert_key() with pytest.raises(TypeError): pkcs7.PKCS7SignatureBuilder().add_signer( b"notacert", # type: ignore[arg-type] diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 94a08bc6cfaa..335694c7f9a9 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -307,7 +307,7 @@ def test_create_ocsp_request_with_extension(self, ext, critical): assert req.extensions[0].critical is critical def test_add_cert_by_hash(self): - cert, issuer = _cert_and_issuer() + cert, _ = _cert_and_issuer() builder = ocsp.OCSPRequestBuilder() h = hashes.Hash(hashes.SHA1()) h.update(cert.issuer.public_bytes()) @@ -842,7 +842,7 @@ def test_sign_responder_id_key_hash(self): def test_invalid_sign_responder_cert_does_not_match_private_key(self): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() - root_cert, private_key = _generate_root() + root_cert, _ = _generate_root() current_time = ( datetime.datetime.now(datetime.timezone.utc) .replace(tzinfo=None) From 9afc26374022f766ae5c3431194dde938036c3da Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 10 Nov 2023 00:16:54 +0000 Subject: [PATCH 0668/1014] Bump BoringSSL and/or OpenSSL in CI (#9849) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f650c6d1052..c5b1eec8f79a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 07, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ad57528d2c978543106f9b115bd0eb658f3ebdd2"}} - # Latest commit on the OpenSSL master branch, as of Nov 09, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4d4657cb6ba364dfa60681948b0a30c40bee31ca"}} + # Latest commit on the OpenSSL master branch, as of Nov 10, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a2b1ab6100d5f0fb50b61d241471eea087415632"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From f00d175496dd076629ed5d077dcc23c57c950e90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Nov 2023 08:35:20 -0500 Subject: [PATCH 0669/1014] Bump smallvec from 1.11.1 to 1.11.2 in /src/rust (#9852) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.11.1 to 1.11.2. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.11.1...v1.11.2) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 24e32c33b131..0bf3b7a39c31 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -353,9 +353,9 @@ checksum = "4c309e515543e67811222dbc9e3dd7e1056279b782e1dacffe4242b718734fb6" [[package]] name = "smallvec" -version = "1.11.1" +version = "1.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" +checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" From f1faacceb0f5478c1e3bac8d61dbcd97288a60f6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 10 Nov 2023 10:11:56 -0500 Subject: [PATCH 0670/1014] Fixes #9845 -- raise correct exception on unsupported HMAC hash (#9850) --- src/rust/src/backend/hmac.rs | 7 ++++++- tests/hazmat/primitives/test_hmac.py | 3 +++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 13509b859024..d035a6156c3d 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -46,7 +46,12 @@ impl Hmac { let _ = backend; let md = message_digest_from_algorithm(py, algorithm)?; - let ctx = cryptography_openssl::hmac::Hmac::new(key.as_bytes(), md)?; + let ctx = cryptography_openssl::hmac::Hmac::new(key.as_bytes(), md).map_err(|_| { + exceptions::UnsupportedAlgorithm::new_err(( + "Digest is not supported for HMAC", + exceptions::Reasons::UNSUPPORTED_HASH, + )) + })?; Ok(Hmac { ctx: Some(ctx), diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 862b8340d736..04c3e8588f01 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -83,6 +83,9 @@ def test_unsupported_hash(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): hmac.HMAC(b"key", DummyHashAlgorithm(), backend) + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): + hmac.HMAC(b"key", hashes.SHAKE256(digest_size=256), backend) + def test_buffer_protocol(self, backend): key = bytearray(b"2b7e151628aed2a6abf7158809cf4f3c") h = hmac.HMAC(key, hashes.SHA256(), backend) From b7096f74e5ed41f56c5cef21f147765a5850f319 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Nov 2023 10:41:04 -0500 Subject: [PATCH 0671/1014] actions: generalize the wycheproof fetch action (#9848) * actions: add a fetch-limbo action Not hooked up to anything yet. Signed-off-by: William Woodruff * actions: combined vector fetching Signed-off-by: William Woodruff * dependabot: change ref Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/actions/fetch-vectors/action.yml | 18 ++++++++++++++++++ .github/actions/wycheproof/action.yml | 12 ------------ .github/dependabot.yml | 4 ++-- .github/workflows/ci.yml | 16 ++++++++-------- 4 files changed, 28 insertions(+), 22 deletions(-) create mode 100644 .github/actions/fetch-vectors/action.yml delete mode 100644 .github/actions/wycheproof/action.yml diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml new file mode 100644 index 000000000000..152a962a4486 --- /dev/null +++ b/.github/actions/fetch-vectors/action.yml @@ -0,0 +1,18 @@ +name: Clone test vectors +description: Clones the wycheproof and x509-limbo repositories + +runs: + using: "composite" + + steps: + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + repository: "google/wycheproof" + path: "wycheproof" + ref: "master" + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + repository: "trailofbits/x509-limbo" + path: "x509-limbo" + ref: "main" diff --git a/.github/actions/wycheproof/action.yml b/.github/actions/wycheproof/action.yml deleted file mode 100644 index 7d2718871921..000000000000 --- a/.github/actions/wycheproof/action.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: Clone wycheproof -description: Clones the wycheproof repository - -runs: - using: "composite" - - steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - with: - repository: "google/wycheproof" - path: "wycheproof" - ref: "master" diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8a3b8d517b14..225922bd21a6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -23,7 +23,7 @@ updates: timezone: "America/New_York" open-pull-requests-limit: 1024 - package-ecosystem: "github-actions" - directory: "/.github/actions/wycheproof/" + directory: "/.github/actions/fetch-vectors/" schedule: interval: "daily" time: "06:00" @@ -51,7 +51,7 @@ updates: # Also update indirect dependencies - dependency-type: all open-pull-requests-limit: 1024 - + - package-ecosystem: pip directory: "/.github/requirements/" schedule: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c5b1eec8f79a..8318f53e243e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,9 +76,9 @@ jobs: - run: rustup component add llvm-tools-preview if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' - - name: Clone wycheproof + - name: Clone test vectors timeout-minutes: 2 - uses: ./.github/actions/wycheproof + uses: ./.github/actions/fetch-vectors if: matrix.PYTHON.NOXSESSION != 'flake' && matrix.PYTHON.NOXSESSION != 'docs' && matrix.PYTHON.NOXSESSION != 'rust' - name: Compute config hash and set config vars run: | @@ -188,9 +188,9 @@ jobs: timeout-minutes: 2 with: key: ${{ matrix.IMAGE.IMAGE }} - - name: Clone wycheproof + - name: Clone test vectors timeout-minutes: 2 - uses: ./.github/actions/wycheproof + uses: ./.github/actions/fetch-vectors # When run in a docker container the home directory doesn't have the same owner as the # apparent user so pip refuses to create a cache dir - name: create pip cache dir @@ -251,9 +251,9 @@ jobs: - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' - - name: Clone wycheproof + - name: Clone test vectors timeout-minutes: 2 - uses: ./.github/actions/wycheproof + uses: ./.github/actions/fetch-vectors - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 with: @@ -328,9 +328,9 @@ jobs: echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV shell: bash - - name: Clone wycheproof + - name: Clone test vectors timeout-minutes: 2 - uses: ./.github/actions/wycheproof + uses: ./.github/actions/fetch-vectors - name: Build nox environment run: nox -v --install-only From 18c0c6bd50c96eab0cce3866f25948e7fd05f48f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Nov 2023 15:50:40 +0000 Subject: [PATCH 0672/1014] Bump mypy from 1.6.1 to 1.7.0 (#9854) Bumps [mypy](https://github.com/python/mypy) from 1.6.1 to 1.7.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.6.1...v1.7.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a2051c541361..45ae64b0031b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -66,7 +66,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==10.1.0 # via jaraco-classes -mypy==1.6.1 +mypy==1.7.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From 587206f8ea1c9cab1537a58d6e4d95f773ab708b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 10 Nov 2023 11:35:49 -0500 Subject: [PATCH 0673/1014] validation/policy: remove old critical ext check logic (#9855) Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 39 ++----------------- 1 file changed, 3 insertions(+), 36 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 6be0538333a1..2fbd82bd6c5b 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -16,10 +16,7 @@ use cryptography_x509::common::{ }; use cryptography_x509::extensions::SubjectAlternativeName; use cryptography_x509::name::GeneralName; -use cryptography_x509::oid::{ - BASIC_CONSTRAINTS_OID, EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID, - KEY_USAGE_OID, SUBJECT_ALTERNATIVE_NAME_OID, -}; +use cryptography_x509::oid::{EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID}; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress, IPConstraint}; @@ -143,11 +140,6 @@ pub static WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS: Lazy { /// The set of permitted signature algorithms, identified by their /// algorithm identifiers. pub permitted_signature_algorithms: HashSet>, - - pub critical_ca_extensions: HashSet, - pub critical_ee_extensions: HashSet, } impl<'a, B: CryptoOps> Policy<'a, B> { @@ -261,8 +250,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .into_iter() .cloned() .collect(), - critical_ca_extensions: RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect(), - critical_ee_extensions: RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect(), } } } @@ -280,8 +267,8 @@ mod tests { use crate::{ ops::tests::NullOps, policy::{ - Subject, RFC5280_CRITICAL_CA_EXTENSIONS, RFC5280_CRITICAL_EE_EXTENSIONS, SPKI_RSA, - SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1, WEBPKI_PERMITTED_SPKI_ALGORITHMS, + Subject, SPKI_RSA, SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1, + WEBPKI_PERMITTED_SPKI_ALGORITHMS, }, types::{DNSName, IPAddress}, }; @@ -394,26 +381,6 @@ mod tests { } } - #[test] - fn test_policy_critical_extensions() { - let time = asn1::DateTime::new(2023, 9, 12, 1, 1, 1).unwrap(); - let policy = Policy::new( - NullOps {}, - Subject::DNS(DNSName::new("example.com").unwrap()), - time, - None, - ); - - assert_eq!( - policy.critical_ca_extensions, - RFC5280_CRITICAL_CA_EXTENSIONS.iter().cloned().collect() - ); - assert_eq!( - policy.critical_ee_extensions, - RFC5280_CRITICAL_EE_EXTENSIONS.iter().cloned().collect() - ); - } - #[test] fn test_subject_from_impls() { assert!(matches!( From 76163ae1e7b93cde41ee1814dd5780d80e50584f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Nov 2023 12:00:49 -0500 Subject: [PATCH 0674/1014] Bump self_cell from 1.0.1 to 1.0.2 in /src/rust (#9856) Bumps [self_cell](https://github.com/Voultapher/self_cell) from 1.0.1 to 1.0.2. - [Release notes](https://github.com/Voultapher/self_cell/releases) - [Commits](https://github.com/Voultapher/self_cell/compare/v1.0.1...v1.0.2) --- updated-dependencies: - dependency-name: self_cell dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0bf3b7a39c31..b578d3057d12 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -347,9 +347,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "self_cell" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c309e515543e67811222dbc9e3dd7e1056279b782e1dacffe4242b718734fb6" +checksum = "e388332cd64eb80cd595a00941baf513caffae8dce9cfd0467fc9c66397dade6" [[package]] name = "smallvec" From 9836c112361fe8a6ffeb7965e9f6bc7c7a2eec49 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 11 Nov 2023 00:18:42 +0000 Subject: [PATCH 0675/1014] Bump BoringSSL and/or OpenSSL in CI (#9858) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8318f53e243e..db47a263dbed 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 07, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ad57528d2c978543106f9b115bd0eb658f3ebdd2"}} - # Latest commit on the OpenSSL master branch, as of Nov 10, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a2b1ab6100d5f0fb50b61d241471eea087415632"}} + # Latest commit on the OpenSSL master branch, as of Nov 11, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9e75a0b911ffb2ad99190a72a3d740d100edf61f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From dafb7fd49c85ed302ee006417e9c1d1bb703730d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 11 Nov 2023 15:22:02 -0500 Subject: [PATCH 0676/1014] Raise an exception if a tag is provided 2x: (#9861) Once in GCM() and a second time via finalize_with_tag --- .../hazmat/primitives/ciphers/base.py | 5 +++++ tests/hazmat/primitives/test_ciphers.py | 15 +++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index 7f3132b7d1b7..2082df669a23 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py @@ -250,6 +250,11 @@ class _AEADDecryptionContext(_AEADCipherContext, AEADDecryptionContext): def finalize_with_tag(self, tag: bytes) -> bytes: if self._ctx is None: raise AlreadyFinalized("Context was already finalized.") + if self._ctx._tag is not None: + raise ValueError( + "tag provided both in mode and in call with finalize_with_tag:" + " tag should only be provided once" + ) data = self._ctx.finalize_with_tag(tag) self._tag = self._ctx.tag self._ctx = None diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index 786992d34f3d..19affeb7d07a 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -290,6 +290,21 @@ def test_finalize_with_tag_already_finalized(self, backend): with pytest.raises(AlreadyFinalized): decryptor.finalize_with_tag(encryptor.tag) + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"0" * 12) + ), + skip_message="Does not support AES GCM", + ) + def test_finalize_with_tag_duplicate_tag(self, backend): + decryptor = ciphers.Cipher( + AES(b"\x00" * 16), + modes.GCM(b"\x00" * 12, tag=b"\x00" * 16), + backend, + ).decryptor() + with pytest.raises(ValueError): + decryptor.finalize_with_tag(b"\x00" * 16) + @pytest.mark.parametrize( "params", load_vectors_from_file( From 4c5d2a47484b12370c68babbb76c18e69908fba2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 11 Nov 2023 15:23:40 -0500 Subject: [PATCH 0677/1014] Expand and improve tests for GCM limits (#9860) refs #9859 --- tests/hazmat/primitives/test_aes_gcm.py | 46 +++++++++++++++++-------- 1 file changed, 32 insertions(+), 14 deletions(-) diff --git a/tests/hazmat/primitives/test_aes_gcm.py b/tests/hazmat/primitives/test_aes_gcm.py index c1154a96292b..7802a0e23d81 100644 --- a/tests/hazmat/primitives/test_aes_gcm.py +++ b/tests/hazmat/primitives/test_aes_gcm.py @@ -14,6 +14,14 @@ from .utils import generate_aead_test +def _advance(ctx, n): + ctx._bytes_processed += n + + +def _advance_aad(ctx, n): + ctx._aad_bytes_processed += n + + @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( algorithms.AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) @@ -66,35 +74,45 @@ def test_gcm_ciphertext_with_no_aad(self, backend): assert encryptor.tag == tag def test_gcm_ciphertext_limit(self, backend): - encryptor = base.Cipher( + cipher = base.Cipher( algorithms.AES(b"\x00" * 16), modes.GCM(b"\x01" * 16), backend=backend, - ).encryptor() - new_max = modes.GCM._MAX_ENCRYPTED_BYTES - 16 - encryptor._bytes_processed = new_max # type: ignore[attr-defined] + ) + encryptor = cipher.encryptor() + _advance(encryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16) encryptor.update(b"0" * 16) - max = modes.GCM._MAX_ENCRYPTED_BYTES - assert encryptor._bytes_processed == max # type: ignore[attr-defined] with pytest.raises(ValueError): encryptor.update(b"0") + with pytest.raises(ValueError): + encryptor.update_into(b"0", bytearray(1)) + + decryptor = cipher.decryptor() + _advance(decryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16) + decryptor.update(b"0" * 16) + with pytest.raises(ValueError): + decryptor.update(b"0") + with pytest.raises(ValueError): + decryptor.update_into(b"0", bytearray(1)) def test_gcm_aad_limit(self, backend): - encryptor = base.Cipher( + cipher = base.Cipher( algorithms.AES(b"\x00" * 16), modes.GCM(b"\x01" * 16), backend=backend, - ).encryptor() - new_max = modes.GCM._MAX_AAD_BYTES - 16 - encryptor._aad_bytes_processed = new_max # type: ignore[attr-defined] - encryptor.authenticate_additional_data(b"0" * 16) - max = modes.GCM._MAX_AAD_BYTES - assert ( - encryptor._aad_bytes_processed == max # type: ignore[attr-defined] ) + encryptor = cipher.encryptor() + _advance_aad(encryptor, modes.GCM._MAX_AAD_BYTES - 16) + encryptor.authenticate_additional_data(b"0" * 16) with pytest.raises(ValueError): encryptor.authenticate_additional_data(b"0") + decryptor = cipher.decryptor() + _advance_aad(decryptor, modes.GCM._MAX_AAD_BYTES - 16) + decryptor.authenticate_additional_data(b"0" * 16) + with pytest.raises(ValueError): + decryptor.authenticate_additional_data(b"0") + def test_gcm_ciphertext_increments(self, backend): encryptor = base.Cipher( algorithms.AES(b"\x00" * 16), From 1e7136bd81ff35281430194eb8eed81f016da58e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 11 Nov 2023 16:34:24 -0500 Subject: [PATCH 0678/1014] Added another test (#9862) We only have one for encryptor --- tests/hazmat/primitives/utils.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 056b31ee55c8..b15955fd25fb 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -285,6 +285,8 @@ def aead_exception_test(backend, cipher_factory, mode_factory): ) decryptor = cipher.decryptor() decryptor.update(b"a" * 16) + with pytest.raises(AlreadyUpdated): + decryptor.authenticate_additional_data(b"b" * 16) with pytest.raises(AttributeError): decryptor.tag # type: ignore[attr-defined] From 1fb0d8a27711e751eff682bd379c4bd3bb924063 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 11 Nov 2023 16:40:14 -0500 Subject: [PATCH 0679/1014] Added a test for update_into with an empty out buf (#9863) refs #9859 --- tests/hazmat/primitives/test_aes_gcm.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/tests/hazmat/primitives/test_aes_gcm.py b/tests/hazmat/primitives/test_aes_gcm.py index 7802a0e23d81..d82e37470cae 100644 --- a/tests/hazmat/primitives/test_aes_gcm.py +++ b/tests/hazmat/primitives/test_aes_gcm.py @@ -206,22 +206,24 @@ def test_gcm_tag_decrypt_finalize_tag_length(self, tag, backend): def test_buffer_protocol(self, backend): data = bytearray(b"helloworld") - enc = base.Cipher( + c = base.Cipher( algorithms.AES(bytearray(b"\x00" * 16)), modes.GCM(bytearray(b"\x00" * 12)), backend, - ).encryptor() + ) + enc = c.encryptor() enc.authenticate_additional_data(bytearray(b"foo")) ct = enc.update(data) + enc.finalize() - dec = base.Cipher( - algorithms.AES(bytearray(b"\x00" * 16)), - modes.GCM(bytearray(b"\x00" * 12), enc.tag), - backend, - ).decryptor() + + dec = c.decryptor() dec.authenticate_additional_data(bytearray(b"foo")) - pt = dec.update(ct) + dec.finalize() + pt = dec.update(ct) + dec.finalize_with_tag(enc.tag) assert pt == data + enc = c.encryptor() + with pytest.raises(ValueError): + enc.update_into(b"abc123", bytearray(0)) + @pytest.mark.parametrize("size", [8, 128]) def test_gcm_min_max_iv(self, size, backend): if backend._fips_enabled: From 08fcf8ef7091760c0973ac5db2c8faf131a11898 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 12 Nov 2023 09:40:47 -0500 Subject: [PATCH 0680/1014] Remove unused monkeypatches (#9865) --- tests/test_fernet.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/test_fernet.py b/tests/test_fernet.py index 360b569136d8..ef4ef70e25b0 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -127,7 +127,7 @@ def test_timestamp_ignored_no_ttl(self, monkeypatch, backend): monkeypatch.setattr(time, "time", pretend.raiser(ValueError)) assert f.decrypt(token, ttl=None) == pt - def test_ttl_required_in_decrypt_at_time(self, monkeypatch, backend): + def test_ttl_required_in_decrypt_at_time(self, backend): f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) pt = b"encrypt me" token = f.encrypt(pt) @@ -148,7 +148,7 @@ def test_bad_key(self, backend, key): with pytest.raises(ValueError): Fernet(key, backend=backend) - def test_extract_timestamp(self, monkeypatch, backend): + def test_extract_timestamp(self, backend): f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) current_time = 1526138327 token = f.encrypt_at_time(b"encrypt me", current_time) @@ -250,7 +250,7 @@ def test_rotate_str(self, backend): with pytest.raises(InvalidToken): mf1.decrypt(rotated) - def test_rotate_preserves_timestamp(self, backend, monkeypatch): + def test_rotate_preserves_timestamp(self, backend): f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend) From 65d98809f5bdec9f04596f0139bec52a11663967 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 12 Nov 2023 11:29:00 -0500 Subject: [PATCH 0681/1014] Rewrite the chunking test to use mmap (#9864) This makes it no longer rely on implementation details --- .../hazmat/backends/openssl/ciphers.py | 2 +- tests/hazmat/primitives/test_ciphers.py | 55 +++++++------------ 2 files changed, 20 insertions(+), 37 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index 64c4690540fc..3916b1a510ad 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py @@ -17,7 +17,7 @@ class _CipherContext: _ENCRYPT = 1 _DECRYPT = 0 - _MAX_CHUNK_SIZE = 2**30 - 1 + _MAX_CHUNK_SIZE = 2**29 def __init__(self, backend: Backend, cipher, mode, operation: int) -> None: self._backend = backend diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index 19affeb7d07a..1659fa2cd605 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -4,7 +4,9 @@ import binascii +import mmap import os +import sys import pytest @@ -355,39 +357,20 @@ def test_update_into_buffer_too_small_gcm(self, backend): with pytest.raises(ValueError): encryptor.update_into(b"testing", buf) - def test_update_into_auto_chunking(self, backend, monkeypatch): - key = b"\x00" * 16 - c = ciphers.Cipher(AES(key), modes.ECB(), backend) - encryptor = c.encryptor() - # Lower max chunk size so we can test chunking - monkeypatch.setattr( - encryptor._ctx, # type: ignore[attr-defined] - "_MAX_CHUNK_SIZE", - 40, - ) - buf = bytearray(527) - pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes - processed = encryptor.update_into(pt, buf) - assert processed == 512 - decryptor = c.decryptor() - # Change max chunk size to verify alternate boundaries don't matter - monkeypatch.setattr( - decryptor._ctx, # type: ignore[attr-defined] - "_MAX_CHUNK_SIZE", - 73, - ) - decbuf = bytearray(527) - decprocessed = decryptor.update_into(buf[:processed], decbuf) - assert decbuf[:decprocessed] == pt - - def test_max_chunk_size_fits_in_int32(self, backend): - # max chunk must fit in signed int32 or else a call large enough to - # cause chunking will result in the very OverflowError we want to - # avoid with chunking. - key = b"\x00" * 16 - c = ciphers.Cipher(AES(key), modes.ECB(), backend) - encryptor = c.encryptor() - backend._ffi.new( - "int *", - encryptor._ctx._MAX_CHUNK_SIZE, # type: ignore[attr-defined] - ) + +@pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" +) +def test_update_auto_chunking(): + large_data = mmap.mmap(-1, 2**29 + 2**20, prot=mmap.PROT_READ) + + key = b"\x00" * 16 + c = ciphers.Cipher(AES(key), modes.ECB()) + encryptor = c.encryptor() + + result = encryptor.update(memoryview(large_data)) + assert len(result) == len(large_data) + + decryptor = c.decryptor() + result = decryptor.update(result) + assert result == large_data[:] From 92b1c119f14735900dc0faf8d4cdacf85267399d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 02:19:39 +0000 Subject: [PATCH 0682/1014] Bump pytest-xdist from 3.3.1 to 3.4.0 (#9867) Bumps [pytest-xdist](https://github.com/pytest-dev/pytest-xdist) from 3.3.1 to 3.4.0. - [Changelog](https://github.com/pytest-dev/pytest-xdist/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-xdist/compare/v3.3.1...v3.4.0) --- updated-dependencies: - dependency-name: pytest-xdist dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 45ae64b0031b..83a4a5f806e7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -117,7 +117,7 @@ pytest-cov==4.1.0 # via cryptography (pyproject.toml) pytest-randomly==3.15.0 # via cryptography (pyproject.toml) -pytest-xdist==3.3.1 +pytest-xdist==3.4.0 # via cryptography (pyproject.toml) readme-renderer==42.0 # via twine From 352fe220edaac2d6cd81b8fbf1cc6071e683bc0c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 02:20:07 +0000 Subject: [PATCH 0683/1014] Bump cc from 1.0.83 to 1.0.84 in /src/rust (#9866) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.83 to 1.0.84. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.83...1.0.84) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b578d3057d12..1956a9b75fa8 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635" [[package]] name = "cc" -version = "1.0.83" +version = "1.0.84" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +checksum = "0f8e7c90afad890484a21653d08b6e209ae34770fb5ee298f9c699fcc1e5c856" dependencies = [ "libc", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 7fc2e547a1e6..ad5d2ec30c7f 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -23,7 +23,7 @@ foreign-types-shared = "0.1" self_cell = "1" [build-dependencies] -cc = "1.0.83" +cc = "1.0.84" [features] extension-module = ["pyo3/extension-module"] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 5815488b37fc..23d88361f306 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3-py37"] } openssl-sys = "0.9.95" [build-dependencies] -cc = "1.0.83" +cc = "1.0.84" From 554c7afd92ec5fb9e2a43932957d75e4727c0197 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 02:25:08 +0000 Subject: [PATCH 0684/1014] Bump argcomplete from 3.1.4 to 3.1.6 (#9868) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.1.4 to 3.1.6. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.1.4...v3.1.6) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 83a4a5f806e7..617372b8c41e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.13 # via sphinx -argcomplete==3.1.4; python_version >= "3.8" +argcomplete==3.1.6; python_version >= "3.8" # via nox babel==2.13.1 # via sphinx From c82631ba073b4d772334a1dba7b6308dabb953ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 02:28:08 +0000 Subject: [PATCH 0685/1014] Bump keyring from 24.2.0 to 24.3.0 (#9869) Bumps [keyring](https://github.com/jaraco/keyring) from 24.2.0 to 24.3.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.2.0...v24.3.0) --- updated-dependencies: - dependency-name: keyring dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 617372b8c41e..fce421c4151c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -56,7 +56,7 @@ jaraco-classes==3.3.0 # via keyring jinja2==3.1.2 # via sphinx -keyring==24.2.0 +keyring==24.3.0 # via twine markdown-it-py==3.0.0 # via rich From e673bd2140535f8c16e7f031854921dcc0924df8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 08:54:33 -0600 Subject: [PATCH 0686/1014] Bump keyring from 24.2.0 to 24.3.0 in /.github/requirements (#9870) * Bump keyring from 24.2.0 to 24.3.0 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 24.2.0 to 24.3.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.2.0...v24.3.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 67325ca32099..9ca5167ea62c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -251,9 +251,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==24.2.0 \ - --hash=sha256:4901caaf597bfd3bbd78c9a0c7c4c29fcd8310dab2cffefe749e916b6527acd6 \ - --hash=sha256:ca0746a19ec421219f4d713f848fa297a661a8a8c1504867e55bfb5e09091509 +keyring==24.3.0 \ + --hash=sha256:4446d35d636e6a10b8bce7caa66913dd9eca5fd222ca03a3d42c38608ac30836 \ + --hash=sha256:e730ecffd309658a08ee82535a3b5ec4b4c8669a9be11efb66249d8e0aeb9a25 # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From f89ce7bcc501a98c85f561a54a68bfa62a3440d1 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 14:48:28 -0500 Subject: [PATCH 0687/1014] tests, ci: plumb x509-limbo-root (#9871) Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 8 ++++---- tests/conftest.py | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db47a263dbed..d42220561626 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -133,7 +133,7 @@ jobs: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - name: Tests run: | - nox --no-install -- --color=yes --wycheproof-root=wycheproof ${{ matrix.PYTHON.NOXARGS }} + nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo ${{ matrix.PYTHON.NOXARGS }} env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} COLUMNS: 80 @@ -205,7 +205,7 @@ jobs: # OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream OPENSSL_ENABLE_SHA1_SIGNATURES: 1 NOXSESSION: ${{ matrix.IMAGE.NOXSESSION }} - - run: '/venv/bin/nox --no-install -- --color=yes --wycheproof-root="wycheproof"' + - run: '/venv/bin/nox --no-install -- --color=yes --wycheproof-root="wycheproof" --x509-limbo-root="x509-limbo"' env: COLUMNS: 80 # OPENSSL_ENABLE_SHA1_SIGNATURES is for CentOS 9 Stream @@ -274,7 +274,7 @@ jobs: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof + run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} COLUMNS: 80 @@ -338,7 +338,7 @@ jobs: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} - name: Tests - run: nox --no-install -- --color=yes --wycheproof-root=wycheproof + run: nox --no-install -- --color=yes --wycheproof-root=wycheproof --x509-limbo-root=x509-limbo env: NOXSESSION: ${{ matrix.PYTHON.NOXSESSION }} COLUMNS: 80 diff --git a/tests/conftest.py b/tests/conftest.py index d99bb76c1913..d1f11abbb3c7 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -27,6 +27,7 @@ def pytest_report_header(config): def pytest_addoption(parser): parser.addoption("--wycheproof-root", default=None) + parser.addoption("--x509-limbo-root", default=None) parser.addoption("--enable-fips", default=False) From ac9f27bba35e7a2818d29c061f199a925b99f2e4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 15:01:40 -0500 Subject: [PATCH 0688/1014] validation/policy: breakout test changes (#9872) Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 40 +++++++------------ 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 2fbd82bd6c5b..4aeb9bba40da 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -19,7 +19,7 @@ use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID}; use crate::ops::CryptoOps; -use crate::types::{DNSName, DNSPattern, IPAddress, IPConstraint}; +use crate::types::{DNSName, DNSPattern, IPAddress}; // SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1. @@ -169,7 +169,7 @@ impl Subject<'_> { DNSPattern::new(pattern.0).map_or(false, |p| p.matches(name)) } (GeneralName::IPAddress(pattern), Self::IP(name)) => { - IPConstraint::from_bytes(pattern).map_or(false, |p| p.matches(name)) + IPAddress::from_bytes(pattern).map_or(false, |addr| addr == *name) } _ => false, } @@ -265,7 +265,6 @@ mod tests { }; use crate::{ - ops::tests::NullOps, policy::{ Subject, SPKI_RSA, SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1, WEBPKI_PERMITTED_SPKI_ALGORITHMS, @@ -274,9 +273,9 @@ mod tests { }; use super::{ - Policy, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, - RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, - RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, + ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, + RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, + WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, }; #[test] @@ -412,26 +411,25 @@ mod tests { // Single SAN, IP range. { - // 127.0.0.1/24 - let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]); + let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1]); let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap(); - let local_24 = asn1::parse_single::>(&san_der).unwrap(); + let localhost = asn1::parse_single::>(&san_der).unwrap(); - assert!(ip_sub.matches(&local_24)); - assert!(!domain_sub.matches(&local_24)); + assert!(ip_sub.matches(&localhost)); + assert!(!domain_sub.matches(&localhost)); } - // Multiple SANs, both domain wildcard and IP range. + // Multiple SANs, both domain wildcard and IP address. { let domain_gn = GeneralName::DNSName(UnvalidatedIA5String("*.cryptography.io")); - let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 255, 255, 255, 0]); + let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1]); let san_der = asn1::write_single(&SequenceOfWriter::new([domain_gn, ip_gn])).unwrap(); - let any_cryptography_io_or_local_24 = + let any_cryptography_io_or_localhost = asn1::parse_single::>(&san_der).unwrap(); - assert!(domain_sub.matches(&any_cryptography_io_or_local_24)); - assert!(ip_sub.matches(&any_cryptography_io_or_local_24)); + assert!(domain_sub.matches(&any_cryptography_io_or_localhost)); + assert!(ip_sub.matches(&any_cryptography_io_or_localhost)); } // Single SAN, invalid domain pattern. @@ -443,15 +441,5 @@ mod tests { assert!(!domain_sub.matches(&any_cryptography_io)); } - - // Single SAN, invalid IP range. - { - // 127.0.0.1/24 - let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1, 1, 255, 1, 0]); - let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap(); - let local_24 = asn1::parse_single::>(&san_der).unwrap(); - - assert!(!ip_sub.matches(&local_24)); - } } } From 9ba13da43719873f76cd754d2d59575bd2dbfb68 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 16:21:32 -0500 Subject: [PATCH 0689/1014] verification: add VerificationError, doc APIs (#9873) Signed-off-by: William Woodruff --- docs/x509/verification.rst | 20 ++++++++++++++++++++ src/cryptography/x509/verification.py | 4 ++++ src/rust/src/exceptions.rs | 1 + src/rust/src/x509/verify.rs | 7 +++++-- tests/x509/test_verification.py | 8 ++++++-- 5 files changed, 36 insertions(+), 4 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 273cd303009b..ae8b20ef0360 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -69,6 +69,12 @@ chain building, etc. The verifier's trust store. +.. class:: VerificationError + + .. versionadded:: 42.0.0 + + The error raised when path validation fails. + .. class:: PolicyBuilder .. versionadded:: 42.0.0 @@ -116,3 +122,17 @@ chain building, etc. :param subject: A :class:`Subject` to use in the verifier :returns: An instance of :class:`ServerVerifier` + + .. method:: verify(leaf, intermediates) + + Performs path validation on ``leaf``, returning a valid path + if one exists. The path is returned in leaf-first order: + the first member is ``leaf``, followed by the intermediates used + (if any), followed by a member of the ``store``. + + :param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate + :param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use + + :returns: A list containing a valid chain from ``leaf`` to a member of :class:`ServerVerifier.store`. + + :raises VerificationError: If a valid chain cannot be constructed diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index 06bb42b91f15..e8f910f97025 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -19,6 +19,10 @@ ServerVerifier = rust_x509.ServerVerifier +class VerificationError(Exception): + pass + + class PolicyBuilder: def __init__( self, diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index c9456513993d..1354d1b596b8 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -32,6 +32,7 @@ pyo3::import_exception!(cryptography.x509, AttributeNotFound); pyo3::import_exception!(cryptography.x509, DuplicateExtension); pyo3::import_exception!(cryptography.x509, UnsupportedGeneralNameType); pyo3::import_exception!(cryptography.x509, InvalidVersion); +pyo3::import_exception!(cryptography.x509.verification, VerificationError); pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let submod = pyo3::prelude::PyModule::new(py, "exceptions")?; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index a404fdf76a65..9e266f1160aa 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -10,11 +10,14 @@ use cryptography_x509_validation::{ }; use pyo3::IntoPy; -use crate::error::{CryptographyError, CryptographyResult}; use crate::types; use crate::x509::certificate::Certificate as PyCertificate; use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime}; use crate::x509::sign; +use crate::{ + error::{CryptographyError, CryptographyResult}, + exceptions::VerificationError, +}; pub(crate) struct PyCryptoOps {} @@ -105,7 +108,7 @@ impl PyServerVerifier { _leaf: &PyCertificate, _intermediates: &'p pyo3::types::PyList, ) -> CryptographyResult> { - Err(pyo3::exceptions::PyNotImplementedError::new_err("unimplemented").into()) + Err(VerificationError::new_err("unimplemented").into()) } } diff --git a/tests/x509/test_verification.py b/tests/x509/test_verification.py index 3a7b0843ad1d..73012dee03e1 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/test_verification.py @@ -11,7 +11,11 @@ from cryptography import x509 from cryptography.x509.general_name import DNSName, IPAddress -from cryptography.x509.verification import PolicyBuilder, Store +from cryptography.x509.verification import ( + PolicyBuilder, + Store, + VerificationError, +) from tests.x509.test_x509 import _load_cert @@ -116,5 +120,5 @@ def test_not_implemented(self): os.path.join("x509", "cryptography.io.pem"), x509.load_pem_x509_certificate, ) - with pytest.raises(NotImplementedError): + with pytest.raises(VerificationError): verifier.verify(cert, []) From 380fda6cbc396ef9b1bf6d65982943c0b9aff0f0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 13 Nov 2023 16:36:11 -0500 Subject: [PATCH 0690/1014] Fix transposed doc, simplify type in trust store test (#9874) * trust_store: simplify assert RHS type Signed-off-by: William Woodruff * docs/verification: fix transposed doc item Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- docs/x509/verification.rst | 28 +++++++++---------- .../src/trust_store.rs | 2 +- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index ae8b20ef0360..a275190fa3b9 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -69,6 +69,20 @@ chain building, etc. The verifier's trust store. + .. method:: verify(leaf, intermediates) + + Performs path validation on ``leaf``, returning a valid path + if one exists. The path is returned in leaf-first order: + the first member is ``leaf``, followed by the intermediates used + (if any), followed by a member of the ``store``. + + :param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate + :param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use + + :returns: A list containing a valid chain from ``leaf`` to a member of :class:`ServerVerifier.store`. + + :raises VerificationError: If a valid chain cannot be constructed + .. class:: VerificationError .. versionadded:: 42.0.0 @@ -122,17 +136,3 @@ chain building, etc. :param subject: A :class:`Subject` to use in the verifier :returns: An instance of :class:`ServerVerifier` - - .. method:: verify(leaf, intermediates) - - Performs path validation on ``leaf``, returning a valid path - if one exists. The path is returned in leaf-first order: - the first member is ``leaf``, followed by the intermediates used - (if any), followed by a member of the ``store``. - - :param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate - :param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use - - :returns: A list containing a valid chain from ``leaf`` to a member of :class:`ServerVerifier.store`. - - :raises VerificationError: If a valid chain cannot be constructed diff --git a/src/rust/cryptography-x509-validation/src/trust_store.rs b/src/rust/cryptography-x509-validation/src/trust_store.rs index 0b2556d5337a..a6722d90573a 100644 --- a/src/rust/cryptography-x509-validation/src/trust_store.rs +++ b/src/rust/cryptography-x509-validation/src/trust_store.rs @@ -39,6 +39,6 @@ mod tests { let store = Store::new([cert.clone()]); assert!(store.contains(&cert)); - assert!(store.iter().collect::>() == Vec::from([&cert])); + assert!(store.iter().collect::>() == [&cert]); } } From c2cb52ec90f8c85e394b84aa2fa700f6fb19ea12 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 21:22:29 -0500 Subject: [PATCH 0691/1014] Bump BoringSSL and/or OpenSSL in CI (#9875) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d42220561626..c18da0e09393 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 07, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ad57528d2c978543106f9b115bd0eb658f3ebdd2"}} - # Latest commit on the OpenSSL master branch, as of Nov 11, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9e75a0b911ffb2ad99190a72a3d740d100edf61f"}} + # Latest commit on the OpenSSL master branch, as of Nov 14, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9890cc42daff5e2d0cad01ac4bf78c391f599a6e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 7e0da8725d267865320802a8fc2fac0172413629 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Nov 2023 06:53:41 -0500 Subject: [PATCH 0692/1014] Bump urllib3 from 2.0.7 to 2.1.0 (#9877) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.7 to 2.1.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.7...2.1.0) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index fce421c4151c..28850370db6a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -174,7 +174,7 @@ twine==4.0.2 # via cryptography (pyproject.toml) typing-extensions==4.8.0; python_version >= "3.8" # via mypy -urllib3==2.0.7 +urllib3==2.1.0 # via # requests # twine From bd1b6c5836ea92cbb922165d529ca133f11d025c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Nov 2023 06:54:32 -0500 Subject: [PATCH 0693/1014] Bump dessant/lock-threads from 4.0.1 to 5.0.0 (#9876) Bumps [dessant/lock-threads](https://github.com/dessant/lock-threads) from 4.0.1 to 5.0.0. - [Release notes](https://github.com/dessant/lock-threads/releases) - [Changelog](https://github.com/dessant/lock-threads/blob/main/CHANGELOG.md) - [Commits](https://github.com/dessant/lock-threads/compare/be8aa5be94131386884a6da4189effda9b14aa21...d42e5f49803f3c4e14ffee0378e31481265dda22) --- updated-dependencies: - dependency-name: dessant/lock-threads dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index b934d29bcbca..5c11590c3d6f 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -12,7 +12,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1 + - uses: dessant/lock-threads@d42e5f49803f3c4e14ffee0378e31481265dda22 # v5.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} issue-inactive-days: 90 From abf16861b251dc3c1c679935d1f0a272329ea257 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 Nov 2023 07:24:09 -0600 Subject: [PATCH 0694/1014] Bump urllib3 from 2.0.7 to 2.1.0 in /.github/requirements (#9878) * Bump urllib3 from 2.0.7 to 2.1.0 in /.github/requirements Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.7 to 2.1.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.7...2.1.0) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9ca5167ea62c..8417211204a9 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -568,9 +568,9 @@ typing-extensions==4.8.0 \ # via # pydantic # pydantic-core -urllib3==2.0.7 \ - --hash=sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84 \ - --hash=sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e +urllib3==2.1.0 \ + --hash=sha256:55901e917a5896a349ff771be919f8bd99aff50b79fe58fec595eb37bbc56bb3 \ + --hash=sha256:df7aa8afb0148fa78488e7899b2c59b5f4ffcfa82e6c54ccb9dd37c1d7b52d54 # via # requests # twine From fe97e8689f12f95821bf91a396b0aac0ae785d9d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 14 Nov 2023 21:04:30 -0600 Subject: [PATCH 0695/1014] Bump BoringSSL and/or OpenSSL in CI (#9880) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c18da0e09393..223c6e74434a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 07, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ad57528d2c978543106f9b115bd0eb658f3ebdd2"}} - # Latest commit on the OpenSSL master branch, as of Nov 14, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9890cc42daff5e2d0cad01ac4bf78c391f599a6e"}} + # Latest commit on the BoringSSL master branch, as of Nov 15, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c5a99415cc722455451175869580b5080acf0924"}} + # Latest commit on the OpenSSL master branch, as of Nov 15, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fe487609c17dac049f867f230e09ee090b65e966"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From 0d1035feed968177e681e9fa75965ae98fe472f3 Mon Sep 17 00:00:00 2001 From: Logan Hunt <39638017+dosisod@users.noreply.github.com> Date: Wed, 15 Nov 2023 15:02:45 -0800 Subject: [PATCH 0696/1014] Remove `u` prefix from strings (#9882) --- docs/x509/tutorial.rst | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index 57693a79d176..45729f28ce15 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst @@ -60,17 +60,17 @@ a few details: >>> # Generate a CSR >>> csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([ ... # Provide various details about who we are. - ... x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"), - ... x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), - ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), - ... x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"), + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... x509.NameAttribute(NameOID.COMMON_NAME, "mysite.com"), ... ])).add_extension( ... x509.SubjectAlternativeName([ ... # Describe what sites we want this certificate for. - ... x509.DNSName(u"mysite.com"), - ... x509.DNSName(u"www.mysite.com"), - ... x509.DNSName(u"subdomain.mysite.com"), + ... x509.DNSName("mysite.com"), + ... x509.DNSName("www.mysite.com"), + ... x509.DNSName("subdomain.mysite.com"), ... ]), ... critical=False, ... # Sign the CSR with our private key. @@ -119,11 +119,11 @@ Then we generate the certificate itself: >>> # Various details about who we are. For a self-signed certificate the >>> # subject and issuer are always the same. >>> subject = issuer = x509.Name([ - ... x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), - ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"), - ... x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), - ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), - ... x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"), + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... x509.NameAttribute(NameOID.COMMON_NAME, "mysite.com"), ... ]) >>> cert = x509.CertificateBuilder().subject_name( ... subject @@ -139,7 +139,7 @@ Then we generate the certificate itself: ... # Our certificate will be valid for 10 days ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10) ... ).add_extension( - ... x509.SubjectAlternativeName([x509.DNSName(u"localhost")]), + ... x509.SubjectAlternativeName([x509.DNSName("localhost")]), ... critical=False, ... # Sign our certificate with our private key ... ).sign(key, hashes.SHA256()) From ec933bb22c2e20485ec88566a23632d74996e05f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 16 Nov 2023 00:16:11 +0000 Subject: [PATCH 0697/1014] Bump BoringSSL and/or OpenSSL in CI (#9883) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 223c6e74434a..af67b0ba5266 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 15, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c5a99415cc722455451175869580b5080acf0924"}} - # Latest commit on the OpenSSL master branch, as of Nov 15, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fe487609c17dac049f867f230e09ee090b65e966"}} + # Latest commit on the OpenSSL master branch, as of Nov 16, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf6342bc024868f5a55f2225f2e083415fb1329a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin From b7d52c7f9da556215242ae58cedc894580fe3d4e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 15 Nov 2023 19:20:37 -0500 Subject: [PATCH 0698/1014] Remove more u prefixes (#9884) --- docs/x509/reference.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 40de24983992..ee007ed622c7 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -862,10 +862,10 @@ X.509 Certificate Builder >>> public_key = private_key.public_key() >>> builder = x509.CertificateBuilder() >>> builder = builder.subject_name(x509.Name([ - ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ... x509.NameAttribute(NameOID.COMMON_NAME, 'cryptography.io'), ... ])) >>> builder = builder.issuer_name(x509.Name([ - ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ... x509.NameAttribute(NameOID.COMMON_NAME, 'cryptography.io'), ... ])) >>> builder = builder.not_valid_before(datetime.datetime.today() - one_day) >>> builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30)) @@ -873,7 +873,7 @@ X.509 Certificate Builder >>> builder = builder.public_key(public_key) >>> builder = builder.add_extension( ... x509.SubjectAlternativeName( - ... [x509.DNSName(u'cryptography.io')] + ... [x509.DNSName('cryptography.io')] ... ), ... critical=False ... ) @@ -1150,7 +1150,7 @@ X.509 Certificate Revocation List Builder ... ) >>> builder = x509.CertificateRevocationListBuilder() >>> builder = builder.issuer_name(x509.Name([ - ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io CA'), + ... x509.NameAttribute(NameOID.COMMON_NAME, 'cryptography.io CA'), ... ])) >>> builder = builder.last_update(datetime.datetime.today()) >>> builder = builder.next_update(datetime.datetime.today() + one_day) @@ -1369,7 +1369,7 @@ X.509 CSR (Certificate Signing Request) Builder Object ... ) >>> builder = x509.CertificateSigningRequestBuilder() >>> builder = builder.subject_name(x509.Name([ - ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), + ... x509.NameAttribute(NameOID.COMMON_NAME, 'cryptography.io'), ... ])) >>> builder = builder.add_extension( ... x509.BasicConstraints(ca=False, path_length=None), critical=True, From 4996874d3ba4375048a9ea9d65e150d94f6b0d74 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 15 Nov 2023 21:03:21 -0500 Subject: [PATCH 0699/1014] Write down another reason we care about MSRV of 1.64 (#9886) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index af67b0ba5266..481fd34b4e6f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -48,7 +48,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf6342bc024868f5a55f2225f2e083415fb1329a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: - # 1.64 - maturin + # 1.64 - maturin, workspace inheritance # 1.65 - Generic associated types (GATs) - {VERSION: "3.12", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.64.0"} From 8274b1fc165172e26837392e5a3ac160acc434bd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 15 Nov 2023 21:03:40 -0500 Subject: [PATCH 0700/1014] Downgrade cc version (#9885) 1.0.84 was yanked --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1956a9b75fa8..b578d3057d12 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635" [[package]] name = "cc" -version = "1.0.84" +version = "1.0.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f8e7c90afad890484a21653d08b6e209ae34770fb5ee298f9c699fcc1e5c856" +checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" dependencies = [ "libc", ] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index ad5d2ec30c7f..7fc2e547a1e6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -23,7 +23,7 @@ foreign-types-shared = "0.1" self_cell = "1" [build-dependencies] -cc = "1.0.84" +cc = "1.0.83" [features] extension-module = ["pyo3/extension-module"] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 23d88361f306..5815488b37fc 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3-py37"] } openssl-sys = "0.9.95" [build-dependencies] -cc = "1.0.84" +cc = "1.0.83" From 8b88dff9498274aafb48ed8ec044ea78807ca66b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Nov 2023 06:50:12 -0500 Subject: [PATCH 0701/1014] Bump rich from 13.6.0 to 13.7.0 in /.github/requirements (#9887) Bumps [rich](https://github.com/Textualize/rich) from 13.6.0 to 13.7.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.6.0...v13.7.0) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8417211204a9..d81ce2ef1f58 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -237,10 +237,6 @@ importlib-metadata==6.8.0 \ # via # keyring # twine -importlib-resources==5.13.0 \ - --hash=sha256:82d5c6cca930697dbbd86c93333bb2c2e72861d4789a11c2662b933e5ad2b528 \ - --hash=sha256:9f7bd0c97b79972a6cce36a366356d16d5e13b09679c11a58f1014bfdf8e64b2 - # via sigstore jaraco-classes==3.3.0 \ --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 @@ -524,9 +520,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.6.0 \ - --hash=sha256:2b38e2fe9ca72c9a00170a1a2d20c63c790d0e10ef1fe35eba76e1e7b1d7d245 \ - --hash=sha256:5c14d22737e6d5084ef4771b62d5d4363165b403455a30a1c8ca39dc7b644bef +rich==13.7.0 \ + --hash=sha256:5cb5123b5cf9ee70584244246816e9114227e0b98ad9176eede6ad54bf5403fa \ + --hash=sha256:6da14c108c4866ee9520bbffa71f6fe3962e193b7da68720583850cd4548e235 # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ From cbefe73a6cccb5a411e54fea79a865c841471138 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Nov 2023 06:50:23 -0500 Subject: [PATCH 0702/1014] Bump rich from 13.6.0 to 13.7.0 (#9888) Bumps [rich](https://github.com/Textualize/rich) from 13.6.0 to 13.7.0. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.6.0...v13.7.0) --- updated-dependencies: - dependency-name: rich dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 28850370db6a..5d7e4c43422c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -130,7 +130,7 @@ requests-toolbelt==1.0.0 # via twine rfc3986==2.0.0 # via twine -rich==13.6.0 +rich==13.7.0 # via twine ruff==0.1.5 # via cryptography (pyproject.toml) From 3befdf47cfec5210bd24e9c73748c498cd45dc9b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 16 Nov 2023 19:34:20 -0500 Subject: [PATCH 0703/1014] Bump BoringSSL and/or OpenSSL in CI (#9889) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 481fd34b4e6f..62acf5bda02e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 15, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c5a99415cc722455451175869580b5080acf0924"}} + # Latest commit on the BoringSSL master branch, as of Nov 17, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc"}} # Latest commit on the OpenSSL master branch, as of Nov 16, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf6342bc024868f5a55f2225f2e083415fb1329a"}} # Builds with various Rust versions. Includes MSRV and next From 44c95b0d416cfb9812425e883a30e6d334a18ced Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 18:31:47 -0500 Subject: [PATCH 0704/1014] validation: flatten error types (#9890) * validation: flatten error types Signed-off-by: William Woodruff * validation: remove From, static strs for now Signed-off-by: William Woodruff * validation: remove untested derives Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../cryptography-x509-validation/src/lib.rs | 4 +++ .../src/policy/extension.rs | 25 ++++++++++--------- .../src/policy/mod.rs | 4 --- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index db654a547540..4cb7f363ce2b 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -10,3 +10,7 @@ pub mod ops; pub mod policy; pub mod trust_store; pub mod types; + +pub enum ValidationError { + Other(&'static str), +} diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index f6f1e79c2515..e4f1397bb8d2 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -8,9 +8,9 @@ use cryptography_x509::{ extensions::{Extension, Extensions}, }; -use crate::ops::CryptoOps; +use crate::{ops::CryptoOps, ValidationError}; -use super::{Policy, PolicyError}; +use super::Policy; // TODO: Remove `dead_code` attributes once we start using these helpers. @@ -40,11 +40,11 @@ impl Criticality { #[allow(dead_code)] type PresentExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), PolicyError>; + fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), ValidationError>; #[allow(dead_code)] type MaybeExtensionValidatorCallback = - fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), PolicyError>; + fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), ValidationError>; /// Represents different validation states for an extension. #[allow(dead_code)] @@ -117,16 +117,16 @@ impl ExtensionPolicy { policy: &Policy<'_, B>, cert: &Certificate<'_>, extensions: &Extensions<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { match (&self.validator, extensions.get_extension(&self.oid)) { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), // Extension MUST NOT be present but is; NOT OK. - (ExtensionValidator::NotPresent, Some(_)) => Err(PolicyError::Other( + (ExtensionValidator::NotPresent, Some(_)) => Err(ValidationError::Other( "EE certificate contains prohibited extension", )), // Extension MUST be present but is not; NOT OK. - (ExtensionValidator::Present { .. }, None) => Err(PolicyError::Other( + (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other( "EE certificate is missing required extension", )), // Extension MUST be present and is; check it. @@ -138,7 +138,7 @@ impl ExtensionPolicy { Some(extn), ) => { if !criticality.permits(extn.critical) { - return Err(PolicyError::Other( + return Err(ValidationError::Other( "EE certificate extension has incorrect criticality", )); } @@ -159,7 +159,7 @@ impl ExtensionPolicy { .as_ref() .map_or(false, |extn| !criticality.permits(extn.critical)) { - return Err(PolicyError::Other( + return Err(ValidationError::Other( "EE certificate extension has incorrect criticality", )); } @@ -176,8 +176,9 @@ mod tests { use super::{Criticality, ExtensionPolicy}; use crate::ops::tests::{cert, v1_cert_pem, NullOps}; use crate::ops::CryptoOps; - use crate::policy::{Policy, PolicyError, Subject}; + use crate::policy::{Policy, Subject}; use crate::types::DNSName; + use crate::ValidationError; use asn1::{ObjectIdentifier, SimpleAsn1Writable}; use cryptography_x509::certificate::Certificate; use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; @@ -227,7 +228,7 @@ mod tests { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: &Extension<'_>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { Ok(()) } @@ -276,7 +277,7 @@ mod tests { _policy: &Policy<'_, B>, _cert: &Certificate<'_>, _ext: Option<&Extension<'_>>, - ) -> Result<(), PolicyError> { + ) -> Result<(), ValidationError> { Ok(()) } diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 4aeb9bba40da..358914e2beb1 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -151,10 +151,6 @@ pub static WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS: Lazy { From 4598e04c239cc0daf2da030c10129f4be1532784 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 17 Nov 2023 18:52:39 -0500 Subject: [PATCH 0705/1014] validation: remove unused From impls (#9891) Signed-off-by: William Woodruff --- .../src/policy/mod.rs | 29 ++----------------- 1 file changed, 2 insertions(+), 27 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 358914e2beb1..2e89f2ebbeb2 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -178,18 +178,6 @@ impl Subject<'_> { } } -impl<'a> From> for Subject<'a> { - fn from(value: DNSName<'a>) -> Self { - Self::DNS(value) - } -} - -impl From for Subject<'_> { - fn from(value: IPAddress) -> Self { - Self::IP(value) - } -} - /// A `Policy` describes user-configurable aspects of X.509 path validation. pub struct Policy<'a, B: CryptoOps> { _ops: B, @@ -376,23 +364,10 @@ mod tests { } } - #[test] - fn test_subject_from_impls() { - assert!(matches!( - Subject::from(DNSName::new("cryptography.io").unwrap()), - Subject::DNS(_) - )); - - assert!(matches!( - Subject::from(IPAddress::from_str("1.1.1.1").unwrap()), - Subject::IP(_) - )); - } - #[test] fn test_subject_matches() { - let domain_sub = Subject::from(DNSName::new("test.cryptography.io").unwrap()); - let ip_sub = Subject::from(IPAddress::from_str("127.0.0.1").unwrap()); + let domain_sub = Subject::DNS(DNSName::new("test.cryptography.io").unwrap()); + let ip_sub = Subject::IP(IPAddress::from_str("127.0.0.1").unwrap()); // Single SAN, domain wildcard. { From 9c459234f096d9bfe1856fec1de129ee4ce3d0ed Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 18 Nov 2023 00:45:48 +0000 Subject: [PATCH 0706/1014] Bump BoringSSL and/or OpenSSL in CI (#9892) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62acf5bda02e..2d4c8b08f5d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 17, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc"}} + # Latest commit on the BoringSSL master branch, as of Nov 18, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "39cc892c73d6c3faf2e604c44509f132c232f24c"}} # Latest commit on the OpenSSL master branch, as of Nov 16, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf6342bc024868f5a55f2225f2e083415fb1329a"}} # Builds with various Rust versions. Includes MSRV and next From fcaaaf45371e6b9c8106e1c797e8f75365fbdfc2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 18 Nov 2023 03:10:53 +0000 Subject: [PATCH 0707/1014] Bump certifi from 2023.7.22 to 2023.11.17 (#9893) Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2023.11.17. - [Commits](https://github.com/certifi/python-certifi/compare/2023.07.22...2023.11.17) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5d7e4c43422c..678f5ac1b727 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -17,7 +17,7 @@ build==1.0.3 # via # check-sdist # cryptography (pyproject.toml) -certifi==2023.7.22 +certifi==2023.11.17 # via requests charset-normalizer==3.3.2 # via requests From c9ca24b66a52f23b89583dca91d9cf56be23199c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 18 Nov 2023 03:13:14 +0000 Subject: [PATCH 0708/1014] Bump ruff from 0.1.5 to 0.1.6 (#9894) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.5 to 0.1.6. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.5...v0.1.6) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 678f5ac1b727..5b2e1fdff9ff 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ rfc3986==2.0.0 # via twine rich==13.7.0 # via twine -ruff==0.1.5 +ruff==0.1.6 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From c80da818a6c7e292b03fbf88a1b605a2110926c1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 Nov 2023 22:18:04 -0500 Subject: [PATCH 0709/1014] Bump certifi from 2023.7.22 to 2023.11.17 in /.github/requirements (#9895) Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2023.11.17. - [Commits](https://github.com/certifi/python-certifi/compare/2023.07.22...2023.11.17) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d81ce2ef1f58..977f6e6dcf94 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -16,9 +16,9 @@ betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf # via sigstore-protobuf-specs -certifi==2023.7.22 \ - --hash=sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082 \ - --hash=sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9 +certifi==2023.11.17 \ + --hash=sha256:9b469f3a900bf28dc19b8cfbf8019bf47f7fdd1a65a1d4ffb98fc14166beb4d1 \ + --hash=sha256:e036ab49d5b79556f99cfc2d9320b34cfbe5be05c5871b51de9329f0603b0474 # via requests cffi==1.16.0 \ --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ From 79fc4cc772e8f8f064b4079d57c7cdd0d20f617b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 18 Nov 2023 11:32:25 -0500 Subject: [PATCH 0710/1014] Remove pointless lifetimes (#9896) --- src/rust/cryptography-x509/src/common.rs | 27 ++++++++++---------- src/rust/cryptography-x509/src/crl.rs | 3 +-- src/rust/cryptography-x509/src/csr.rs | 2 -- src/rust/cryptography-x509/src/extensions.rs | 6 ----- src/rust/cryptography-x509/src/name.rs | 2 -- src/rust/cryptography-x509/src/ocsp_req.rs | 1 - src/rust/cryptography-x509/src/ocsp_resp.rs | 2 -- 7 files changed, 14 insertions(+), 29 deletions(-) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 263d78e0d18f..f09805e0da11 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -4,7 +4,6 @@ use crate::oid; use asn1::Asn1DefinedByWritable; -use std::marker::PhantomData; #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash, Clone, Eq, Debug)] pub struct AlgorithmIdentifier<'a> { @@ -180,30 +179,30 @@ impl Time { } #[derive(Hash, PartialEq, Eq, Clone)] -pub enum Asn1ReadableOrWritable<'a, T, U> { - Read(T, PhantomData<&'a ()>), - Write(U, PhantomData<&'a ()>), +pub enum Asn1ReadableOrWritable { + Read(T), + Write(U), } -impl<'a, T, U> Asn1ReadableOrWritable<'a, T, U> { +impl Asn1ReadableOrWritable { pub fn new_read(v: T) -> Self { - Asn1ReadableOrWritable::Read(v, PhantomData) + Asn1ReadableOrWritable::Read(v) } pub fn new_write(v: U) -> Self { - Asn1ReadableOrWritable::Write(v, PhantomData) + Asn1ReadableOrWritable::Write(v) } pub fn unwrap_read(&self) -> &T { match self { - Asn1ReadableOrWritable::Read(v, _) => v, - Asn1ReadableOrWritable::Write(_, _) => panic!("unwrap_read called on a Write value"), + Asn1ReadableOrWritable::Read(v) => v, + Asn1ReadableOrWritable::Write(_) => panic!("unwrap_read called on a Write value"), } } } impl<'a, T: asn1::SimpleAsn1Readable<'a>, U> asn1::SimpleAsn1Readable<'a> - for Asn1ReadableOrWritable<'a, T, U> + for Asn1ReadableOrWritable { const TAG: asn1::Tag = T::TAG; fn parse_data(data: &'a [u8]) -> asn1::ParseResult { @@ -211,14 +210,14 @@ impl<'a, T: asn1::SimpleAsn1Readable<'a>, U> asn1::SimpleAsn1Readable<'a> } } -impl<'a, T: asn1::SimpleAsn1Writable, U: asn1::SimpleAsn1Writable> asn1::SimpleAsn1Writable - for Asn1ReadableOrWritable<'a, T, U> +impl asn1::SimpleAsn1Writable + for Asn1ReadableOrWritable { const TAG: asn1::Tag = U::TAG; fn write_data(&self, w: &mut asn1::WriteBuf) -> asn1::WriteResult { match self { - Asn1ReadableOrWritable::Read(v, _) => T::write_data(v, w), - Asn1ReadableOrWritable::Write(v, _) => U::write_data(v, w), + Asn1ReadableOrWritable::Read(v) => T::write_data(v, w), + Asn1ReadableOrWritable::Write(v) => U::write_data(v, w), } } } diff --git a/src/rust/cryptography-x509/src/crl.rs b/src/rust/cryptography-x509/src/crl.rs index fc9b21ae46ab..a5b72f023002 100644 --- a/src/rust/cryptography-x509/src/crl.rs +++ b/src/rust/cryptography-x509/src/crl.rs @@ -9,7 +9,7 @@ use crate::{ }; pub type ReasonFlags<'a> = - Option, asn1::OwnedBitString>>; + Option, asn1::OwnedBitString>>; #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash)] pub struct CertificateRevocationList<'a> { @@ -20,7 +20,6 @@ pub struct CertificateRevocationList<'a> { pub type RevokedCertificates<'a> = Option< common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, RevokedCertificate<'a>>, asn1::SequenceOfWriter<'a, RevokedCertificate<'a>, Vec>>, >, diff --git a/src/rust/cryptography-x509/src/csr.rs b/src/rust/cryptography-x509/src/csr.rs index d2cf9b5e2739..483bae9f3ba4 100644 --- a/src/rust/cryptography-x509/src/csr.rs +++ b/src/rust/cryptography-x509/src/csr.rs @@ -54,7 +54,6 @@ pub fn check_attribute_length<'a>( } pub type Attributes<'a> = common::Asn1ReadableOrWritable< - 'a, asn1::SetOf<'a, Attribute<'a>>, asn1::SetOfWriter<'a, Attribute<'a>, Vec>>, >; @@ -63,7 +62,6 @@ pub type Attributes<'a> = common::Asn1ReadableOrWritable< pub struct Attribute<'a> { pub type_id: asn1::ObjectIdentifier, pub values: common::Asn1ReadableOrWritable< - 'a, asn1::SetOf<'a, asn1::Tlv<'a>>, asn1::SetOfWriter<'a, common::RawTlv<'a>, [common::RawTlv<'a>; 1]>, >, diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index f4deb7c8451f..db7cdd82a5e8 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -11,7 +11,6 @@ use crate::name; pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, Extension<'a>>, asn1::SequenceOfWriter<'a, Extension<'a>, Vec>>, >; @@ -95,14 +94,12 @@ pub struct AccessDescription<'a> { } pub type SequenceOfAccessDescriptions<'a> = common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, AccessDescription<'a>>, asn1::SequenceOfWriter<'a, AccessDescription<'a>, Vec>>, >; // Needed due to clippy type complexity warning. type SequenceOfPolicyQualifiers<'a> = common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, PolicyQualifierInfo<'a>>, asn1::SequenceOfWriter<'a, PolicyQualifierInfo<'a>, Vec>>, >; @@ -135,7 +132,6 @@ pub struct UserNotice<'a> { pub struct NoticeReference<'a> { pub organization: DisplayText<'a>, pub notice_numbers: common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, asn1::BigUint<'a>>, asn1::SequenceOfWriter<'a, asn1::BigUint<'a>, Vec>>, >, @@ -154,7 +150,6 @@ pub enum DisplayText<'a> { // Needed due to clippy type complexity warning. pub type SequenceOfSubtrees<'a> = common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, GeneralSubtree<'a>>, asn1::SequenceOfWriter<'a, GeneralSubtree<'a>, Vec>>, >; @@ -207,7 +202,6 @@ pub enum DistributionPointName<'a> { #[implicit(1)] NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable< - 'a, asn1::SetOf<'a, common::AttributeTypeValue<'a>>, asn1::SetOfWriter< 'a, diff --git a/src/rust/cryptography-x509/src/name.rs b/src/rust/cryptography-x509/src/name.rs index 90688b3d7026..21b6cc8fca9a 100644 --- a/src/rust/cryptography-x509/src/name.rs +++ b/src/rust/cryptography-x509/src/name.rs @@ -7,7 +7,6 @@ use crate::common; pub type NameReadable<'a> = asn1::SequenceOf<'a, asn1::SetOf<'a, common::AttributeTypeValue<'a>>>; pub type Name<'a> = common::Asn1ReadableOrWritable< - 'a, NameReadable<'a>, asn1::SequenceOfWriter< 'a, @@ -84,7 +83,6 @@ pub enum GeneralName<'a> { } pub(crate) type SequenceOfGeneralName<'a> = common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, GeneralName<'a>>, asn1::SequenceOfWriter<'a, GeneralName<'a>, Vec>>, >; diff --git a/src/rust/cryptography-x509/src/ocsp_req.rs b/src/rust/cryptography-x509/src/ocsp_req.rs index ba54d391f506..9cf7540302e0 100644 --- a/src/rust/cryptography-x509/src/ocsp_req.rs +++ b/src/rust/cryptography-x509/src/ocsp_req.rs @@ -16,7 +16,6 @@ pub struct TBSRequest<'a> { #[explicit(1)] pub requestor_name: Option>, pub request_list: common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, Request<'a>>, asn1::SequenceOfWriter<'a, Request<'a>>, >, diff --git a/src/rust/cryptography-x509/src/ocsp_resp.rs b/src/rust/cryptography-x509/src/ocsp_resp.rs index 21f01e2c7375..5dbe90f4f5d2 100644 --- a/src/rust/cryptography-x509/src/ocsp_resp.rs +++ b/src/rust/cryptography-x509/src/ocsp_resp.rs @@ -23,7 +23,6 @@ pub struct ResponseBytes<'a> { pub type OCSPCerts<'a> = Option< common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, certificate::Certificate<'a>>, asn1::SequenceOfWriter<'a, certificate::Certificate<'a>, Vec>>, >, @@ -46,7 +45,6 @@ pub struct ResponseData<'a> { pub responder_id: ResponderId<'a>, pub produced_at: asn1::GeneralizedTime, pub responses: common::Asn1ReadableOrWritable< - 'a, asn1::SequenceOf<'a, SingleResponse<'a>>, asn1::SequenceOfWriter<'a, SingleResponse<'a>, Vec>>, >, From d517aae74264da4f614eadbdd08016bfa24bfb90 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 18 Nov 2023 16:03:57 -0500 Subject: [PATCH 0711/1014] Negative serial numbers are mega deprecated (#9897) --- CHANGELOG.rst | 3 +++ src/rust/src/x509/certificate.rs | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 53c432076d9a..be056eaeee48 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -43,6 +43,9 @@ Changelog on LibreSSL. * Added support for RSA PSS signatures in PKCS7 with :meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`. +* In the next release (43.0.0) of cryptography, loading an X.509 certificate + with a negative serial number will raise an exception. This has been + deprecated since 36.0.0. .. _v41-0-5: diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index a7817f4be582..fac37c400454 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -398,7 +398,7 @@ fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyRes pyo3::PyErr::warn( py, warning_cls, - "Parsed a negative serial number, which is disallowed by RFC 5280.", + "Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in the next release of cryptography.", 1, )?; } From d25397864ba65de301e4f0f4dc6c07ac8d72af28 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Nov 2023 07:07:15 -0500 Subject: [PATCH 0712/1014] Bump pygments from 2.16.1 to 2.17.1 (#9899) Bumps [pygments](https://github.com/pygments/pygments) from 2.16.1 to 2.17.1. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.16.1...2.17.1) --- updated-dependencies: - dependency-name: pygments dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5b2e1fdff9ff..aac4c6f7d97b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -97,7 +97,7 @@ pyenchant==3.2.2 # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -pygments==2.16.1 +pygments==2.17.1 # via # readme-renderer # rich From ca159191ca054344df2cc03635e6eedd10515928 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Nov 2023 07:13:59 -0500 Subject: [PATCH 0713/1014] Bump pygments from 2.16.1 to 2.17.1 in /.github/requirements (#9900) Bumps [pygments](https://github.com/pygments/pygments) from 2.16.1 to 2.17.1. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.16.1...2.17.1) --- updated-dependencies: - dependency-name: pygments dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 977f6e6dcf94..53312b2335f2 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -480,9 +480,9 @@ pydantic-core==2.10.1 \ --hash=sha256:fa7db7558607afeccb33c0e4bf1c9a9a835e26599e76af6fe2fcea45904083a6 \ --hash=sha256:fcb83175cc4936a5425dde3356f079ae03c0802bbdf8ff82c035f8a54b333521 # via pydantic -pygments==2.16.1 \ - --hash=sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692 \ - --hash=sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29 +pygments==2.17.1 \ + --hash=sha256:1b37f1b1e1bff2af52ecaf28cc601e2ef7077000b227a0675da25aef85784bc4 \ + --hash=sha256:e45a0e74bf9c530f564ca81b8952343be986a29f6afe7f5ad95c5f06b7bdf5e8 # via # readme-renderer # rich From 8499ad213c7e687f3cfb3f37129ec2e032891354 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 00:15:19 +0000 Subject: [PATCH 0714/1014] Bump BoringSSL and/or OpenSSL in CI (#9901) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2d4c8b08f5d0..2a976b624459 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 18, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "39cc892c73d6c3faf2e604c44509f132c232f24c"}} + # Latest commit on the BoringSSL master branch, as of Nov 21, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "aa533e0bdf75d91039511e4ec3b82068b207ff75"}} # Latest commit on the OpenSSL master branch, as of Nov 16, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf6342bc024868f5a55f2225f2e083415fb1329a"}} # Builds with various Rust versions. Includes MSRV and next From cfe30f027ff1a7870bd12ac0644a4341fa50ee1b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 07:10:13 -0500 Subject: [PATCH 0715/1014] Bump exceptiongroup from 1.1.3 to 1.2.0 (#9902) Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.1.3 to 1.2.0. - [Release notes](https://github.com/agronholm/exceptiongroup/releases) - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.1.3...1.2.0) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index aac4c6f7d97b..a3aae6172a0f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -36,7 +36,7 @@ docutils==0.18.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.1.3 +exceptiongroup==1.2.0 # via pytest execnet==2.0.2 # via pytest-xdist From 189f208e3c2503aa302677e500f7047a04ebbdc3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 07:12:39 -0500 Subject: [PATCH 0716/1014] Bump setuptools from 68.2.2 to 69.0.1 in /.github/requirements (#9903) Bumps [setuptools](https://github.com/pypa/setuptools) from 68.2.2 to 69.0.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v68.2.2...v69.0.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 02760a9d87e5..729e51a85ea9 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.41.3 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==68.2.2 \ - --hash=sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87 \ - --hash=sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a +setuptools==69.0.1 \ + --hash=sha256:6875bbd06382d857b1b90cd07cee6a2df701a164f241095706b5192bc56c5c62 \ + --hash=sha256:f25195d54deb649832182d6455bffba7ac3d8fe71d35185e738d2198a4310044 # via # -r build-requirements.in # setuptools-rust From e5c91a90d810b95d38fb9f939f239020e530838b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 18:17:25 +0000 Subject: [PATCH 0717/1014] Bump virtualenv from 20.24.6 to 20.24.7 (#9904) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.6 to 20.24.7. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/20.24.7/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.6...20.24.7) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a3aae6172a0f..9db4c3e7049d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -178,7 +178,7 @@ urllib3==2.1.0 # via # requests # twine -virtualenv==20.24.6 +virtualenv==20.24.7 # via nox webencodings==0.5.1 # via bleach From 8ccb8f3c3270aab9c98237221c6dcfa053f230d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 18:25:11 +0000 Subject: [PATCH 0718/1014] Bump platformdirs from 3.11.0 to 4.0.0 (#9857) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 3.11.0 to 4.0.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/3.11.0...4.0.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9db4c3e7049d..9b6bc882fb08 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -84,7 +84,7 @@ pathspec==0.11.2 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==3.11.0 +platformdirs==4.0.0 # via # virtualenv pluggy==1.3.0; python_version >= "3.8" From 843e0e967e47e8a3ee9d81d0ed86916eba8acf90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 20:56:23 +0000 Subject: [PATCH 0719/1014] Bump pytest-xdist from 3.4.0 to 3.5.0 (#9905) Bumps [pytest-xdist](https://github.com/pytest-dev/pytest-xdist) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/pytest-dev/pytest-xdist/releases) - [Changelog](https://github.com/pytest-dev/pytest-xdist/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-xdist/compare/v3.4.0...v3.5.0) --- updated-dependencies: - dependency-name: pytest-xdist dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9b6bc882fb08..e2026110dfb5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -117,7 +117,7 @@ pytest-cov==4.1.0 # via cryptography (pyproject.toml) pytest-randomly==3.15.0 # via cryptography (pyproject.toml) -pytest-xdist==3.4.0 +pytest-xdist==3.5.0 # via cryptography (pyproject.toml) readme-renderer==42.0 # via twine From 9a84af52463286330d4abf82d8b8d49fe497560f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 00:22:12 +0000 Subject: [PATCH 0720/1014] Bump BoringSSL and/or OpenSSL in CI (#9906) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2a976b624459..eaabcabcecaf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 21, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "aa533e0bdf75d91039511e4ec3b82068b207ff75"}} - # Latest commit on the OpenSSL master branch, as of Nov 16, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf6342bc024868f5a55f2225f2e083415fb1329a"}} + # Latest commit on the BoringSSL master branch, as of Nov 22, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "439ce287f11c258153b85ebf45bacb6c5eac4911"}} + # Latest commit on the OpenSSL master branch, as of Nov 22, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d552a532754f6ee66d6cc604655deaeb5425b16"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 05267f58908e51209bc37587b1d4d7957d26bd77 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 06:35:27 -0500 Subject: [PATCH 0721/1014] Bump pygments from 2.17.1 to 2.17.2 (#9908) Bumps [pygments](https://github.com/pygments/pygments) from 2.17.1 to 2.17.2. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.17.1...2.17.2) --- updated-dependencies: - dependency-name: pygments dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e2026110dfb5..5b61be6aae9d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -97,7 +97,7 @@ pyenchant==3.2.2 # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -pygments==2.17.1 +pygments==2.17.2 # via # readme-renderer # rich From 5f9f7df607a8ef474180d50646e099c0277e3de9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 06:36:22 -0500 Subject: [PATCH 0722/1014] Bump dessant/lock-threads from 5.0.0 to 5.0.1 (#9907) Bumps [dessant/lock-threads](https://github.com/dessant/lock-threads) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/dessant/lock-threads/releases) - [Changelog](https://github.com/dessant/lock-threads/blob/main/CHANGELOG.md) - [Commits](https://github.com/dessant/lock-threads/compare/d42e5f49803f3c4e14ffee0378e31481265dda22...1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771) --- updated-dependencies: - dependency-name: dessant/lock-threads dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 5c11590c3d6f..88379415f801 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -12,7 +12,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@d42e5f49803f3c4e14ffee0378e31481265dda22 # v5.0.0 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} issue-inactive-days: 90 From 0d4f57ba93f6e56fc25435e39686c86eb23e3da4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 06:59:59 -0500 Subject: [PATCH 0723/1014] Bump pygments from 2.17.1 to 2.17.2 in /.github/requirements (#9909) Bumps [pygments](https://github.com/pygments/pygments) from 2.17.1 to 2.17.2. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.17.1...2.17.2) --- updated-dependencies: - dependency-name: pygments dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 53312b2335f2..795832ec6771 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -480,9 +480,9 @@ pydantic-core==2.10.1 \ --hash=sha256:fa7db7558607afeccb33c0e4bf1c9a9a835e26599e76af6fe2fcea45904083a6 \ --hash=sha256:fcb83175cc4936a5425dde3356f079ae03c0802bbdf8ff82c035f8a54b333521 # via pydantic -pygments==2.17.1 \ - --hash=sha256:1b37f1b1e1bff2af52ecaf28cc601e2ef7077000b227a0675da25aef85784bc4 \ - --hash=sha256:e45a0e74bf9c530f564ca81b8952343be986a29f6afe7f5ad95c5f06b7bdf5e8 +pygments==2.17.2 \ + --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ + --hash=sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367 # via # readme-renderer # rich From b87b98cc22966652b9aeca24206f77f06ecddb2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 08:02:32 -0600 Subject: [PATCH 0724/1014] Bump setuptools from 69.0.1 to 69.0.2 in /.github/requirements (#9910) * Bump setuptools from 69.0.1 to 69.0.2 in /.github/requirements Bumps [setuptools](https://github.com/pypa/setuptools) from 69.0.1 to 69.0.2. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.0.1...v69.0.2) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update build-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 729e51a85ea9..42eb57edb38f 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.41.3 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.0.1 \ - --hash=sha256:6875bbd06382d857b1b90cd07cee6a2df701a164f241095706b5192bc56c5c62 \ - --hash=sha256:f25195d54deb649832182d6455bffba7ac3d8fe71d35185e738d2198a4310044 +setuptools==69.0.2 \ + --hash=sha256:1e8fdff6797d3865f37397be788a4e3cba233608e9b509382a2777d25ebde7f2 \ + --hash=sha256:735896e78a4742605974de002ac60562d286fa8051a7e2299445e8e8fbb01aa6 # via # -r build-requirements.in # setuptools-rust From de7b7b1770c5b5757bce64c04ee7a431cb8509a8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 19:18:15 -0500 Subject: [PATCH 0725/1014] Bump BoringSSL and/or OpenSSL in CI (#9911) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eaabcabcecaf..de6203ea0b9e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 22, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "439ce287f11c258153b85ebf45bacb6c5eac4911"}} - # Latest commit on the OpenSSL master branch, as of Nov 22, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d552a532754f6ee66d6cc604655deaeb5425b16"}} + # Latest commit on the BoringSSL master branch, as of Nov 23, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "698aa894c96412d4df20e2bb031d9eb9c9d5919a"}} + # Latest commit on the OpenSSL master branch, as of Nov 23, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1750689767cc922bdbe73358f7256475f0838c67"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 162e6b20471cc42403bd9baf6dbd83ce7f39dba8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 Nov 2023 02:09:04 +0000 Subject: [PATCH 0726/1014] Bump openssl-sys from 0.9.95 to 0.9.96 in /src/rust (#9912) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.95 to 0.9.96. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.95...openssl-sys-v0.9.96) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b578d3057d12..364f90d67b7a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -203,9 +203,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.95" +version = "0.9.96" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40a4130519a360279579c2053038317e40eff64d13fd3f004f9e1b72b8a6aaf9" +checksum = "3812c071ba60da8b5677cc12bcb1d42989a65553772897a7e0355545a819838f" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 7fc2e547a1e6..eb679e7a6c58 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.59" -openssl-sys = "0.9.95" +openssl-sys = "0.9.96" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 5815488b37fc..c78c498a2bf4 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3-py37"] } -openssl-sys = "0.9.95" +openssl-sys = "0.9.96" [build-dependencies] cc = "1.0.83" From bedc9902fcf6f3730a02eea4a942838067192dfb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 Nov 2023 02:17:43 +0000 Subject: [PATCH 0727/1014] Bump openssl from 0.10.59 to 0.10.60 in /src/rust (#9913) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.59 to 0.10.60. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.59...openssl-v0.10.60) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 364f90d67b7a..56daec285db8 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -177,9 +177,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.59" +version = "0.10.60" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a257ad03cd8fb16ad4172fedf8094451e1af1c4b70097636ef2eac9a5f0cc33" +checksum = "79a4c6c3a2b158f7f8f2a2fc5a969fa3a068df6fc9dbb4a43845436e3af7c800" dependencies = [ "bitflags 2.4.0", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index eb679e7a6c58..66d83c304c09 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.59" +openssl = "0.10.60" openssl-sys = "0.9.96" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 8266519de67a..eb4064e6dda4 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.59" +openssl = "0.10.60" ffi = { package = "openssl-sys", version = "0.9.91" } foreign-types = "0.3" foreign-types-shared = "0.1" From 8bbe619253bea0fa4dd0971c803da7c12ff648df Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 23 Nov 2023 09:17:21 -0500 Subject: [PATCH 0728/1014] Begin testing with 3.2.0 (#9914) --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index de6203ea0b9e..ebe30f5ac8aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,16 +29,16 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.12"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-beta1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 08e1b518842612e0709710d480f7be51a7d6144c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 23 Nov 2023 09:38:05 -0500 Subject: [PATCH 0729/1014] Missed one builder that should be 3.20 (#9915) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ebe30f5ac8aa..dfda1a391a94 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 0b0791ef302071dce2cf631024728f369146b626 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 23 Nov 2023 20:10:11 -0500 Subject: [PATCH 0730/1014] Bump BoringSSL and/or OpenSSL in CI (#9916) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dfda1a391a94..f19b08ee5ee7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 23, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "698aa894c96412d4df20e2bb031d9eb9c9d5919a"}} - # Latest commit on the OpenSSL master branch, as of Nov 23, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1750689767cc922bdbe73358f7256475f0838c67"}} + # Latest commit on the BoringSSL master branch, as of Nov 24, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}} + # Latest commit on the OpenSSL master branch, as of Nov 24, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f58d39fb9f6072b58f14faa8d6df40c4fdd83113"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From fd658411ccde7e50d9268b82622ab38f23825409 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 24 Nov 2023 05:29:37 -0500 Subject: [PATCH 0731/1014] validation/policy: rename var (#9917) Signed-off-by: William Woodruff --- src/rust/cryptography-x509-validation/src/policy/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 2e89f2ebbeb2..4e897c3c932e 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -164,8 +164,8 @@ impl Subject<'_> { (GeneralName::DNSName(pattern), Self::DNS(name)) => { DNSPattern::new(pattern.0).map_or(false, |p| p.matches(name)) } - (GeneralName::IPAddress(pattern), Self::IP(name)) => { - IPAddress::from_bytes(pattern).map_or(false, |addr| addr == *name) + (GeneralName::IPAddress(addr), Self::IP(name)) => { + IPAddress::from_bytes(addr).map_or(false, |addr| addr == *name) } _ => false, } From 2d464e2f60e8112e640ab5b02bf95bffeeef7991 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 24 Nov 2023 07:23:01 -0500 Subject: [PATCH 0732/1014] Bump mypy from 1.7.0 to 1.7.1 (#9918) Bumps [mypy](https://github.com/python/mypy) from 1.7.0 to 1.7.1. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.7.0...v1.7.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5b61be6aae9d..b6c255012152 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -66,7 +66,7 @@ mdurl==0.1.2 # via markdown-it-py more-itertools==10.1.0 # via jaraco-classes -mypy==1.7.0 +mypy==1.7.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via From 184f1a2f123141ea1aab10b3afc86d6109b8035e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 24 Nov 2023 19:41:54 -0500 Subject: [PATCH 0733/1014] Bump BoringSSL and/or OpenSSL in CI (#9919) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f19b08ee5ee7..536005533b18 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 24, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}} - # Latest commit on the OpenSSL master branch, as of Nov 24, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f58d39fb9f6072b58f14faa8d6df40c4fdd83113"}} + # Latest commit on the OpenSSL master branch, as of Nov 25, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1da7c09f7987a227701b6324e56003a89e9febf2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From d7b12c9618df95c8f5e76037eb3516305e1e485b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 25 Nov 2023 19:27:13 -0500 Subject: [PATCH 0734/1014] Bump BoringSSL and/or OpenSSL in CI (#9920) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 536005533b18..b3f8fe2884fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Nov 24, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}} - # Latest commit on the OpenSSL master branch, as of Nov 25, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1da7c09f7987a227701b6324e56003a89e9febf2"}} + # Latest commit on the OpenSSL master branch, as of Nov 26, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e64ad80c72b0743871f02badfe199d713b0cdadd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From d08289aa677785171330b2f9e72fe25892cf85d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Nov 2023 20:00:12 +0000 Subject: [PATCH 0735/1014] Bump proc-macro2 from 1.0.69 to 1.0.70 in /src/rust (#9921) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.69 to 1.0.70. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.69...1.0.70) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 56daec285db8..b916131afb20 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -253,9 +253,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "proc-macro2" -version = "1.0.69" +version = "1.0.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da" +checksum = "39278fbbf5fb4f646ce651690877f89d1c5811a3d4acb27700c1cb3cdb78fd3b" dependencies = [ "unicode-ident", ] From 29a9ee9df1cb2a3477a7e41ff4294a6e259102e3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Nov 2023 15:04:21 -0500 Subject: [PATCH 0736/1014] Bump idna from 3.4 to 3.6 (#9923) Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.6. - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.4...v3.6) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b6c255012152..bc2cc3ccc185 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ execnet==2.0.2 # via pytest-xdist filelock==3.13.1; python_version >= "3.8" # via virtualenv -idna==3.4 +idna==3.6 # via requests imagesize==1.4.1 # via sphinx From 551a380f9c73709ff2cec51cf0e545f81ca87b72 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Nov 2023 15:13:53 -0500 Subject: [PATCH 0737/1014] Bump idna from 3.4 to 3.6 in /.github/requirements (#9924) Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.6. - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.4...v3.6) --- updated-dependencies: - dependency-name: idna dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 795832ec6771..8f0a76f8dc8b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -225,9 +225,9 @@ id==1.1.0 \ --hash=sha256:726b995ffea6954ecbe3f2bb9e9d52b8502b2683b8470b13c58a429cd8e701e8 \ --hash=sha256:a15f919fa1e847f57572748d37cf40192913a861a2669059b4cb5079bbbbbdbd # via sigstore -idna==3.4 \ - --hash=sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4 \ - --hash=sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2 +idna==3.6 \ + --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \ + --hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f # via # email-validator # requests From 73879839405d6e93100bb429ee0e8f2e2d657042 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Nov 2023 16:49:01 -0600 Subject: [PATCH 0738/1014] Bump wheel from 0.41.3 to 0.42.0 in /.github/requirements (#9922) * Bump wheel from 0.41.3 to 0.42.0 in /.github/requirements Bumps [wheel](https://github.com/pypa/wheel) from 0.41.3 to 0.42.0. - [Release notes](https://github.com/pypa/wheel/releases) - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](https://github.com/pypa/wheel/compare/0.41.3...0.42.0) --- updated-dependencies: - dependency-name: wheel dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update build-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 42eb57edb38f..389e172714b2 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -74,9 +74,9 @@ tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -wheel==0.41.3 \ - --hash=sha256:488609bc63a29322326e05560731bf7bfea8e48ad646e1f5e40d366607de0942 \ - --hash=sha256:4d4987ce51a49370ea65c0bfd2234e8ce80a12780820d9dc462597a6e60d0841 +wheel==0.42.0 \ + --hash=sha256:177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d \ + --hash=sha256:c45be39f7882c9d34243236f2d63cbd58039e360f85d0913425fbd7ceea617a8 # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: From 69ab6f96c5bb4782466e82c1db2383d227136102 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 27 Nov 2023 09:30:37 -0500 Subject: [PATCH 0739/1014] Simplify code (#9925) --- src/rust/src/backend/aead.rs | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 0965b71a7005..7ae93ff06b11 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -235,30 +235,30 @@ impl AesSiv { } }; - #[cfg(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER))] - { - return Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(( - "AES-SIV is not supported by this version of OpenSSL", - exceptions::Reasons::UNSUPPORTED_CIPHER, - )), - )); - } - #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] - { - if cryptography_openssl::fips::is_enabled() { + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-SIV is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + + let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; + Ok(AesSiv { + ctx: EvpCipherAead::new(&cipher, key_buf.as_bytes(), 16, true)?, + }) + } else { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-SIV is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), )); - } - let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; - Ok(AesSiv { - ctx: EvpCipherAead::new(&cipher, key_buf.as_bytes(), 16, true)?, - }) + } } } From 1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 27 Nov 2023 13:08:17 -0500 Subject: [PATCH 0740/1014] Fixed crash when loading a PKCS#7 bundle with no certificates (#9926) --- src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++- tests/hazmat/primitives/test_pkcs7.py | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 7c08862b3070..adfd7aefe5f0 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1111,9 +1111,12 @@ def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]: _Reasons.UNSUPPORTED_SERIALIZATION, ) + certs: list[x509.Certificate] = [] + if p7.d.sign == self._ffi.NULL: + return certs + sk_x509 = p7.d.sign.cert num = self._lib.sk_X509_num(sk_x509) - certs = [] for i in range(num): x509 = self._lib.sk_X509_value(sk_x509, i) self.openssl_assert(x509 != self._ffi.NULL) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index ceb84e5fb48e..434a361057f2 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -89,6 +89,12 @@ def test_load_pkcs7_unsupported_type(self, backend): mode="rb", ) + def test_load_pkcs7_empty_certificates(self): + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + + certificates = pkcs7.load_der_pkcs7_certificates(der) + assert certificates == [] + # We have no public verification API and won't be adding one until we get # some requirements from users so this function exists to give us basic From 64b3658ee53780e66fa6f152888c4d1dcefa351c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 27 Nov 2023 14:40:13 -0600 Subject: [PATCH 0741/1014] port 41.0.6 changelog (#9928) * port 41.0.6 changelog * spelling --- CHANGELOG.rst | 9 +++++++++ docs/spelling_wordlist.txt | 1 + 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index be056eaeee48..2b58862422df 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -47,6 +47,15 @@ Changelog with a negative serial number will raise an exception. This has been deprecated since 36.0.0. +.. _v41-0-6: + +41.0.6 - 2023-11-27 +~~~~~~~~~~~~~~~~~~~ + +* Fixed a null-pointer-dereference and segfault that could occur when loading + certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the + issue. **CVE-2023-49083** + .. _v41-0-5: 41.0.5 - 2023-10-24 diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 69a5f68ea0f8..f72955fc696b 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -38,6 +38,7 @@ decrypted decrypting deprecations DER +dereference deserialize deserialized Deserialization From 3601b48c73abe5d09843767ac522fc578f7f5089 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 28 Nov 2023 00:15:03 +0000 Subject: [PATCH 0742/1014] Bump BoringSSL and/or OpenSSL in CI (#9932) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b3f8fe2884fb..0e73e088a6bd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 24, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}} - # Latest commit on the OpenSSL master branch, as of Nov 26, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e64ad80c72b0743871f02badfe199d713b0cdadd"}} + # Latest commit on the BoringSSL master branch, as of Nov 28, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "df67e20de66fd95fd94b4d2837034a264f347c2c"}} + # Latest commit on the OpenSSL master branch, as of Nov 28, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b0e9d0370262ade64c55f2385fbb09ec6aa81e76"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 050ef7c1d3a3b632e8d661bf96052443f91b06cb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 27 Nov 2023 19:58:36 -0500 Subject: [PATCH 0743/1014] Forward port 41.0.7 changelog (#9933) --- CHANGELOG.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 2b58862422df..82ef930811f3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -47,6 +47,13 @@ Changelog with a negative serial number will raise an exception. This has been deprecated since 36.0.0. +.. _v41-0-7: + +41.0.7 - 2023-11-27 +~~~~~~~~~~~~~~~~~~~ + +* Fixed compilation when using LibreSSL 3.8.2. + .. _v41-0-6: 41.0.6 - 2023-11-27 From 23fa2aabe19c797ec9f74f6df1c2a9ee3bf6ffff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 Nov 2023 07:08:29 -0500 Subject: [PATCH 0744/1014] Bump sphinx-rtd-theme from 1.3.0 to 2.0.0 (#9936) Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 1.3.0 to 2.0.0. - [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst) - [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/1.3.0...2.0.0) --- updated-dependencies: - dependency-name: sphinx-rtd-theme dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bc2cc3ccc185..662bfa43e8cd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -144,7 +144,7 @@ sphinx==7.2.6 # sphinx-rtd-theme # sphinxcontrib-jquery # sphinxcontrib-spelling -sphinx-rtd-theme==1.3.0 +sphinx-rtd-theme==2.0.0 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.7 # via sphinx From 579a725b389a1a61b7e51de152b2e53c3bcfa084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 Nov 2023 07:08:45 -0500 Subject: [PATCH 0745/1014] Bump cryptography from 41.0.5 to 41.0.7 in /.github/requirements (#9935) Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.5 to 41.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/41.0.5...41.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8f0a76f8dc8b..bf371abdfa9a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,30 +166,30 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==41.0.5 \ - --hash=sha256:0c327cac00f082013c7c9fb6c46b7cc9fa3c288ca702c74773968173bda421bf \ - --hash=sha256:0d2a6a598847c46e3e321a7aef8af1436f11c27f1254933746304ff014664d84 \ - --hash=sha256:227ec057cd32a41c6651701abc0328135e472ed450f47c2766f23267b792a88e \ - --hash=sha256:22892cc830d8b2c89ea60148227631bb96a7da0c1b722f2aac8824b1b7c0b6b8 \ - --hash=sha256:392cb88b597247177172e02da6b7a63deeff1937fa6fec3bbf902ebd75d97ec7 \ - --hash=sha256:3be3ca726e1572517d2bef99a818378bbcf7d7799d5372a46c79c29eb8d166c1 \ - --hash=sha256:573eb7128cbca75f9157dcde974781209463ce56b5804983e11a1c462f0f4e88 \ - --hash=sha256:580afc7b7216deeb87a098ef0674d6ee34ab55993140838b14c9b83312b37b86 \ - --hash=sha256:5a70187954ba7292c7876734183e810b728b4f3965fbe571421cb2434d279179 \ - --hash=sha256:73801ac9736741f220e20435f84ecec75ed70eda90f781a148f1bad546963d81 \ - --hash=sha256:7d208c21e47940369accfc9e85f0de7693d9a5d843c2509b3846b2db170dfd20 \ - --hash=sha256:8254962e6ba1f4d2090c44daf50a547cd5f0bf446dc658a8e5f8156cae0d8548 \ - --hash=sha256:88417bff20162f635f24f849ab182b092697922088b477a7abd6664ddd82291d \ - --hash=sha256:a48e74dad1fb349f3dc1d449ed88e0017d792997a7ad2ec9587ed17405667e6d \ - --hash=sha256:b948e09fe5fb18517d99994184854ebd50b57248736fd4c720ad540560174ec5 \ - --hash=sha256:c707f7afd813478e2019ae32a7c49cd932dd60ab2d2a93e796f68236b7e1fbf1 \ - --hash=sha256:d38e6031e113b7421db1de0c1b1f7739564a88f1684c6b89234fbf6c11b75147 \ - --hash=sha256:d3977f0e276f6f5bf245c403156673db103283266601405376f075c849a0b936 \ - --hash=sha256:da6a0ff8f1016ccc7477e6339e1d50ce5f59b88905585f77193ebd5068f1e797 \ - --hash=sha256:e270c04f4d9b5671ebcc792b3ba5d4488bf7c42c3c241a3748e2599776f29696 \ - --hash=sha256:e886098619d3815e0ad5790c973afeee2c0e6e04b4da90b88e6bd06e2a0b1b72 \ - --hash=sha256:ec3b055ff8f1dce8e6ef28f626e0972981475173d7973d63f271b29c8a2897da \ - --hash=sha256:fba1e91467c65fe64a82c689dc6cf58151158993b13eb7a7f3f4b7f395636723 +cryptography==41.0.7 \ + --hash=sha256:079b85658ea2f59c4f43b70f8119a52414cdb7be34da5d019a77bf96d473b960 \ + --hash=sha256:09616eeaef406f99046553b8a40fbf8b1e70795a91885ba4c96a70793de5504a \ + --hash=sha256:13f93ce9bea8016c253b34afc6bd6a75993e5c40672ed5405a9c832f0d4a00bc \ + --hash=sha256:37a138589b12069efb424220bf78eac59ca68b95696fc622b6ccc1c0a197204a \ + --hash=sha256:3c78451b78313fa81607fa1b3f1ae0a5ddd8014c38a02d9db0616133987b9cdf \ + --hash=sha256:43f2552a2378b44869fe8827aa19e69512e3245a219104438692385b0ee119d1 \ + --hash=sha256:48a0476626da912a44cc078f9893f292f0b3e4c739caf289268168d8f4702a39 \ + --hash=sha256:49f0805fc0b2ac8d4882dd52f4a3b935b210935d500b6b805f321addc8177406 \ + --hash=sha256:5429ec739a29df2e29e15d082f1d9ad683701f0ec7709ca479b3ff2708dae65a \ + --hash=sha256:5a1b41bc97f1ad230a41657d9155113c7521953869ae57ac39ac7f1bb471469a \ + --hash=sha256:68a2dec79deebc5d26d617bfdf6e8aab065a4f34934b22d3b5010df3ba36612c \ + --hash=sha256:7a698cb1dac82c35fcf8fe3417a3aaba97de16a01ac914b89a0889d364d2f6be \ + --hash=sha256:841df4caa01008bad253bce2a6f7b47f86dc9f08df4b433c404def869f590a15 \ + --hash=sha256:90452ba79b8788fa380dfb587cca692976ef4e757b194b093d845e8d99f612f2 \ + --hash=sha256:928258ba5d6f8ae644e764d0f996d61a8777559f72dfeb2eea7e2fe0ad6e782d \ + --hash=sha256:af03b32695b24d85a75d40e1ba39ffe7db7ffcb099fe507b39fd41a565f1b157 \ + --hash=sha256:b640981bf64a3e978a56167594a0e97db71c89a479da8e175d8bb5be5178c003 \ + --hash=sha256:c5ca78485a255e03c32b513f8c2bc39fedb7f5c5f8535545bdc223a03b24f248 \ + --hash=sha256:c7f3201ec47d5207841402594f1d7950879ef890c0c495052fa62f58283fde1a \ + --hash=sha256:d5ec85080cce7b0513cfd233914eb8b7bbd0633f1d1703aa28d1dd5a72f678ec \ + --hash=sha256:d6c391c021ab1f7a82da5d8d0b3cee2f4b2c455ec86c8aebbc84837a631ff309 \ + --hash=sha256:e3114da6d7f95d2dee7d3f4eec16dacff819740bbab931aff8648cb13c5ff5e7 \ + --hash=sha256:f983596065a18a2183e7f79ab3fd4c475205b839e02cbc0efbbf9666c4b3083d # via # pyopenssl # secretstorage From 66cac36f80b346cf92b522d173bd0a1eb678b593 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 28 Nov 2023 12:34:30 -0500 Subject: [PATCH 0746/1014] Update releaes.py for people with different remote names (#9934) --- release.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release.py b/release.py index 2315a43e9df2..bd50130f9033 100644 --- a/release.py +++ b/release.py @@ -38,7 +38,7 @@ def release(version: str) -> None: # Tag and push the tag (this will trigger the wheel builder in Actions) run("git", "tag", "-s", version, "-m", f"{version} release") - run("git", "push", "--tags") + run("git", "push", "--tags", "git@github.com:pyca/cryptography.git") def replace_version( From f02c69f667f61ac105c07847f69bcce5e7183152 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 29 Nov 2023 00:15:24 +0000 Subject: [PATCH 0747/1014] Bump BoringSSL and/or OpenSSL in CI (#9938) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e73e088a6bd..f0cbd77551dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 28, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "df67e20de66fd95fd94b4d2837034a264f347c2c"}} - # Latest commit on the OpenSSL master branch, as of Nov 28, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b0e9d0370262ade64c55f2385fbb09ec6aa81e76"}} + # Latest commit on the BoringSSL master branch, as of Nov 29, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "2139aba2e3e28cd1cdefbd9b48e2c31a75441203"}} + # Latest commit on the OpenSSL master branch, as of Nov 29, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a435d786046fabc85acdb89cbf47f154a09796e1"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 11e92173875d643dc27e73617d5234d1ea1c98fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 28 Nov 2023 21:31:45 -0500 Subject: [PATCH 0748/1014] Refer to GILOnceCell via the proper module (#9939) It's been in sync since 0.19 --- src/rust/src/backend/cipher_registry.rs | 4 ++-- src/rust/src/types.rs | 4 ++-- src/rust/src/x509/certificate.rs | 4 ++-- src/rust/src/x509/common.rs | 2 +- src/rust/src/x509/crl.rs | 16 ++++++++-------- src/rust/src/x509/csr.rs | 4 ++-- src/rust/src/x509/ocsp_req.rs | 4 ++-- src/rust/src/x509/ocsp_resp.rs | 10 +++++----- 8 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 76547b189308..9b5013e4a32f 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -88,8 +88,8 @@ impl<'p> RegisteryBuilder<'p> { fn get_cipher_registry( py: pyo3::Python<'_>, ) -> CryptographyResult<&HashMap> { - static REGISTRY: pyo3::once_cell::GILOnceCell> = - pyo3::once_cell::GILOnceCell::new(); + static REGISTRY: pyo3::sync::GILOnceCell> = + pyo3::sync::GILOnceCell::new(); REGISTRY.get_or_try_init(py, || { let mut m = RegisteryBuilder::new(py); diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 1ee030a40f9b..1719c6a535fe 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -5,7 +5,7 @@ pub struct LazyPyImport { module: &'static str, names: &'static [&'static str], - value: pyo3::once_cell::GILOnceCell, + value: pyo3::sync::GILOnceCell, } impl LazyPyImport { @@ -13,7 +13,7 @@ impl LazyPyImport { LazyPyImport { module, names, - value: pyo3::once_cell::GILOnceCell::new(), + value: pyo3::sync::GILOnceCell::new(), } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index fac37c400454..52f82a1ce5db 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -38,7 +38,7 @@ self_cell::self_cell!( #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Certificate { pub(crate) raw: OwnedCertificate, - pub(crate) cached_extensions: pyo3::once_cell::GILOnceCell, + pub(crate) cached_extensions: pyo3::sync::GILOnceCell, } #[pyo3::prelude::pymethods] @@ -388,7 +388,7 @@ fn load_der_x509_certificate( Ok(Certificate { raw, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), }) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index d541a27b8fc9..98f0a528baf5 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -359,7 +359,7 @@ pub(crate) fn parse_and_cache_extensions< F: Fn(&Extension<'_>) -> Result, CryptographyError>, >( py: pyo3::Python<'p>, - cached_extensions: &pyo3::once_cell::GILOnceCell, + cached_extensions: &pyo3::sync::GILOnceCell, raw_extensions: &Option>, parse_ext: F, ) -> pyo3::PyResult { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index bdea230a3898..3d782c46b06b 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -42,8 +42,8 @@ fn load_der_x509_crl( Ok(CertificateRevocationList { owned: Arc::new(owned), - revoked_certs: pyo3::once_cell::GILOnceCell::new(), - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + revoked_certs: pyo3::sync::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), }) } @@ -75,8 +75,8 @@ self_cell::self_cell!( struct CertificateRevocationList { owned: Arc, - revoked_certs: pyo3::once_cell::GILOnceCell>, - cached_extensions: pyo3::once_cell::GILOnceCell, + revoked_certs: pyo3::sync::GILOnceCell>, + cached_extensions: pyo3::sync::GILOnceCell, } impl CertificateRevocationList { @@ -87,7 +87,7 @@ impl CertificateRevocationList { fn revoked_cert(&self, py: pyo3::Python<'_>, idx: usize) -> RevokedCertificate { RevokedCertificate { owned: self.revoked_certs.get(py).unwrap()[idx].clone(), - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), } } @@ -375,7 +375,7 @@ impl CertificateRevocationList { match owned { Ok(o) => Ok(Some(RevokedCertificate { owned: o, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), })), Err(()) => Ok(None), } @@ -464,7 +464,7 @@ impl CRLIterator { .ok()?; Some(RevokedCertificate { owned: revoked, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), }) } } @@ -492,7 +492,7 @@ impl Clone for OwnedRevokedCertificate { #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct RevokedCertificate { owned: OwnedRevokedCertificate, - cached_extensions: pyo3::once_cell::GILOnceCell, + cached_extensions: pyo3::sync::GILOnceCell, } #[pyo3::prelude::pymethods] diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 6adb7abb4c3d..431a3e46c34f 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -25,7 +25,7 @@ self_cell::self_cell!( #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateSigningRequest { raw: OwnedCsr, - cached_extensions: pyo3::once_cell::GILOnceCell, + cached_extensions: pyo3::sync::GILOnceCell, } #[pyo3::prelude::pymethods] @@ -256,7 +256,7 @@ fn load_der_x509_csr( Ok(CertificateSigningRequest { raw, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), }) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 97547097d09e..b5688ba77dd1 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -45,7 +45,7 @@ fn load_der_ocsp_request( Ok(OCSPRequest { raw, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), }) } @@ -53,7 +53,7 @@ fn load_der_ocsp_request( struct OCSPRequest { raw: OwnedOCSPRequest, - cached_extensions: pyo3::once_cell::GILOnceCell, + cached_extensions: pyo3::sync::GILOnceCell, } impl OCSPRequest { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index f4251089d69a..0f44afd89514 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -57,8 +57,8 @@ fn load_der_ocsp_response( }; Ok(OCSPResponse { raw: Arc::new(raw), - cached_extensions: pyo3::once_cell::GILOnceCell::new(), - cached_single_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), + cached_single_extensions: pyo3::sync::GILOnceCell::new(), }) } @@ -74,8 +74,8 @@ self_cell::self_cell!( struct OCSPResponse { raw: Arc, - cached_extensions: pyo3::once_cell::GILOnceCell, - cached_single_extensions: pyo3::once_cell::GILOnceCell, + cached_extensions: pyo3::sync::GILOnceCell, + cached_single_extensions: pyo3::sync::GILOnceCell, } impl OCSPResponse { @@ -243,7 +243,7 @@ impl OCSPResponse { py, x509::certificate::Certificate { raw: raw_cert, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), }, )?)?; } From 7c81ad69f23b023fb3cbcc06e86bd567e374fe75 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 29 Nov 2023 19:26:51 -0500 Subject: [PATCH 0749/1014] Bump BoringSSL and/or OpenSSL in CI (#9941) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f0cbd77551dc..713302ef5b5d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 29, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "2139aba2e3e28cd1cdefbd9b48e2c31a75441203"}} - # Latest commit on the OpenSSL master branch, as of Nov 29, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a435d786046fabc85acdb89cbf47f154a09796e1"}} + # Latest commit on the BoringSSL master branch, as of Nov 30, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d479673ccd027eaee60e4c382ed4a463d471a96"}} + # Latest commit on the OpenSSL master branch, as of Nov 30, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cc82b09cbde0b809d37c23cb1ef9f1f41fc7f959"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 102e1adfb9f63b8861b96a222158aebd8af03920 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 29 Nov 2023 19:28:52 -0500 Subject: [PATCH 0750/1014] Use format!() inlined variables (#9940) --- src/rust/build.rs | 2 +- src/rust/cryptography-cffi/build.rs | 6 +++--- src/rust/src/backend/dh.rs | 3 +-- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/hashes.rs | 2 +- src/rust/src/backend/kdf.rs | 3 +-- src/rust/src/backend/x25519.rs | 3 +-- src/rust/src/backend/x448.rs | 3 +-- src/rust/src/error.rs | 8 +++----- src/rust/src/x509/certificate.rs | 4 ++-- src/rust/src/x509/common.rs | 9 +++------ src/rust/src/x509/crl.rs | 5 ++--- src/rust/src/x509/csr.rs | 4 ++-- src/rust/src/x509/ocsp_resp.rs | 3 +-- src/rust/src/x509/sct.rs | 6 ++---- src/rust/src/x509/sign.rs | 3 +-- 16 files changed, 28 insertions(+), 42 deletions(-) diff --git a/src/rust/build.rs b/src/rust/build.rs index 27f6d12f77f7..4587c9b1f6ea 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -29,7 +29,7 @@ fn main() { if let Ok(vars) = env::var("DEP_OPENSSL_CONF") { for var in vars.split(',') { - println!("cargo:rustc-cfg=CRYPTOGRAPHY_OSSLCONF=\"{}\"", var); + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OSSLCONF=\"{var}\""); } } } diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 384af1ddb114..5f73714f3415 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -18,7 +18,7 @@ fn main() { // More details at https://github.com/alexcrichton/curl-rust/issues/279. if let Some(path) = macos_link_search_path() { println!("cargo:rustc-link-lib=clang_rt.osx"); - println!("cargo:rustc-link-search={}", path); + println!("cargo:rustc-link-search={path}"); } } @@ -46,7 +46,7 @@ fn main() { "import platform; print(platform.python_implementation(), end='')", ) .unwrap(); - println!("cargo:rustc-cfg=python_implementation=\"{}\"", python_impl); + println!("cargo:rustc-cfg=python_implementation=\"{python_impl}\""); let python_includes = run_python_script( &python, "import os; \ @@ -127,7 +127,7 @@ fn macos_link_search_path() -> Option { for line in stdout.lines() { if line.contains("libraries: =") { let path = line.split('=').nth(1)?; - return Some(format!("{}/lib/darwin", path)); + return Some(format!("{path}/lib/darwin")); } } diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 99e04ed76bfd..cf05a904d95c 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -30,8 +30,7 @@ fn generate_parameters(generator: u32, key_size: u32) -> CryptographyResult { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( - format!("Curve {} is not supported", curve_name), + format!("Curve {curve_name} is not supported"), exceptions::Reasons::UNSUPPORTED_ELLIPTIC_CURVE, )), )); @@ -95,7 +95,7 @@ fn py_curve_from_curve<'p>( .get_item(name)? .ok_or_else(|| { CryptographyError::from(exceptions::UnsupportedAlgorithm::new_err(( - format!("{} is not a supported elliptic curve", name), + format!("{name} is not a supported elliptic curve"), exceptions::Reasons::UNSUPPORTED_ELLIPTIC_CURVE, ))) })? @@ -137,7 +137,7 @@ pub(crate) fn public_key_from_pkey( pkey: &openssl::pkey::PKeyRef, ) -> CryptographyResult { let ec = pkey.ec_key().map_err(|e| { - pyo3::exceptions::PyValueError::new_err(format!("Unable to load EC key: {}", e)) + pyo3::exceptions::PyValueError::new_err(format!("Unable to load EC key: {e}")) })?; let curve = py_curve_from_curve(py, ec.group())?; check_key_infinity(&ec)?; diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index f315761f26dd..1f8ecbcc353b 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -62,7 +62,7 @@ pub(crate) fn message_digest_from_algorithm( Some(md) => Ok(md), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( - format!("{} is not a supported hash on this backend", name), + format!("{name} is not a supported hash on this backend"), exceptions::Reasons::UNSUPPORTED_HASH, )), )), diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index de527f4671da..35cf0eb266a3 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -42,8 +42,7 @@ fn derive_scrypt<'p>( // https://blog.filippo.io/the-scrypt-parameters/ let min_memory = 128 * n * r / (1024 * 1024); pyo3::exceptions::PyMemoryError::new_err(format!( - "Not enough memory to derive key. These parameters require {}MB of memory.", - min_memory + "Not enough memory to derive key. These parameters require {min_memory}MB of memory." )) }) })?) diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 076bfe87d96b..00e2866cfc39 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -45,8 +45,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::X25519) .map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!( - "An X25519 private key is 32 bytes long: {}", - e + "An X25519 private key is 32 bytes long: {e}" )) })?; Ok(X25519PrivateKey { pkey }) diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index eb4718f5f100..07c84bc36aca 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -45,8 +45,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::X448) .map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!( - "An X448 private key is 56 bytes long: {}", - e + "An X448 private key is 56 bytes long: {e}" )) })?; Ok(X448PrivateKey { pkey }) diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index fff5cf756937..843235cc2189 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -45,8 +45,7 @@ impl From for CryptographyError { impl From for CryptographyError { fn from(e: pem::PemError) -> CryptographyError { CryptographyError::Py(pyo3::exceptions::PyValueError::new_err(format!( - "Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. {:?}", - e + "Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. {e:?}" ))) } } @@ -55,7 +54,7 @@ impl From for pyo3::PyErr { fn from(e: CryptographyError) -> pyo3::PyErr { match e { CryptographyError::Asn1Parse(asn1_error) => pyo3::exceptions::PyValueError::new_err( - format!("error parsing asn1 value: {:?}", asn1_error), + format!("error parsing asn1 value: {asn1_error:?}"), ), CryptographyError::Asn1Write(asn1::WriteError::AllocationError) => { pyo3::exceptions::PyMemoryError::new_err( @@ -81,8 +80,7 @@ impl From for pyo3::PyErr { that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with - information on how to reproduce this. ({:?})", - errors + information on how to reproduce this. ({errors:?})" ), errors.to_object(py), )) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 52f82a1ce5db..dcd8b3f11c24 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -56,7 +56,7 @@ impl Certificate { fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let subject = self.subject(py)?; let subject_repr = subject.repr()?.extract::<&str>()?; - Ok(format!("", subject_repr)) + Ok(format!("")) } fn __deepcopy__(slf: pyo3::PyRef<'_, Self>, _memo: pyo3::PyObject) -> pyo3::PyRef<'_, Self> { @@ -324,7 +324,7 @@ fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, Crypt 2 => Ok(types::CERTIFICATE_VERSION_V3.get(py)?), _ => Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( - format!("{} is not a valid X509 version", version), + format!("{version} is not a valid X509 version"), version, )), )), diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 98f0a528baf5..10d438a12834 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -127,8 +127,7 @@ pub(crate) fn encode_general_name<'a>( type_id: py_oid_to_oid(gn.getattr(pyo3::intern!(py, "type_id"))?)?, value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!( - "OtherName value must be valid DER: {:?}", - e + "OtherName value must be valid DER: {e:?}" )) })?, })) @@ -437,8 +436,7 @@ pub(crate) fn encode_extensions< } None => { return Err(pyo3::exceptions::PyNotImplementedError::new_err(format!( - "Extension not supported: {}", - oid + "Extension not supported: {oid}" ))) } } @@ -465,8 +463,7 @@ fn encode_extension_value<'p>( } Err(pyo3::exceptions::PyNotImplementedError::new_err(format!( - "Extension not supported: {}", - oid + "Extension not supported: {oid}" ))) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 3d782c46b06b..c97ade81b5c8 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -34,7 +34,7 @@ fn load_der_x509_crl( if version != 1 { return Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( - format!("{} is not a valid CRL version", version), + format!("{version} is not a valid CRL version"), version, )), )); @@ -557,8 +557,7 @@ pub(crate) fn parse_crl_reason_flags<'p>( value => { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err(format!( - "Unsupported reason code: {}", - value + "Unsupported reason code: {value}" )), )) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 431a3e46c34f..ccaf7529c5a1 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -149,7 +149,7 @@ impl CertificateSigningRequest { } } Err(exceptions::AttributeNotFound::new_err(( - format!("No {} attribute was found", oid), + format!("No {oid} attribute was found"), oid.into_py(py), ))) } @@ -248,7 +248,7 @@ fn load_der_x509_csr( if version != 0 { return Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( - format!("{} is not a valid CSR version", version), + format!("{version} is not a valid CSR version"), version, )), )); diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 0f44afd89514..9b2d21d26521 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -445,8 +445,7 @@ fn single_response<'a>( if num_responses != 1 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err(format!( - "OCSP response contains {} SINGLERESP structures. Use .response_iter to iterate through them", - num_responses + "OCSP response contains {num_responses} SINGLERESP structures. Use .response_iter to iterate through them" )) )); } diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 119def248453..d9c9d6559193 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -71,8 +71,7 @@ impl TryFrom for HashAlgorithm { 6 => HashAlgorithm::Sha512, _ => { return Err(pyo3::exceptions::PyValueError::new_err(format!( - "Invalid/unsupported hash algorithm for SCT: {}", - value + "Invalid/unsupported hash algorithm for SCT: {value}" ))) } }) @@ -119,8 +118,7 @@ impl TryFrom for SignatureAlgorithm { 3 => SignatureAlgorithm::Ecdsa, _ => { return Err(pyo3::exceptions::PyValueError::new_err(format!( - "Invalid/unsupported signature algorithm for SCT: {}", - value + "Invalid/unsupported signature algorithm for SCT: {value}" ))) } }) diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 47212b555c42..e1f452cc46c3 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -91,8 +91,7 @@ fn identify_hash_type( "sha3-384" => Ok(HashType::Sha3_384), "sha3-512" => Ok(HashType::Sha3_512), name => Err(exceptions::UnsupportedAlgorithm::new_err(format!( - "Hash algorithm {:?} not supported for signatures", - name + "Hash algorithm {name:?} not supported for signatures" ))), } } From d146423d7f0b60560de95b94583efe22bec18664 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Thu, 30 Nov 2023 16:05:10 +0100 Subject: [PATCH 0751/1014] Fix misspellings (#9943) --- src/cryptography/hazmat/primitives/asymmetric/x25519.py | 2 +- src/cryptography/utils.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cryptography/hazmat/primitives/asymmetric/x25519.py b/src/cryptography/hazmat/primitives/asymmetric/x25519.py index 912f8f2ca5c9..0cfa36e346ad 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/x25519.py +++ b/src/cryptography/hazmat/primitives/asymmetric/x25519.py @@ -78,7 +78,7 @@ def from_private_bytes(cls, data: bytes) -> X25519PrivateKey: @abc.abstractmethod def public_key(self) -> X25519PublicKey: """ - Returns the public key assosciated with this private key + Returns the public key associated with this private key """ @abc.abstractmethod diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index 01403fc179b3..a0ec7a3cd76d 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -12,7 +12,7 @@ # We use a UserWarning subclass, instead of DeprecationWarning, because CPython -# decided deprecation warnings should be invisble by default. +# decided deprecation warnings should be invisible by default. class CryptographyDeprecationWarning(UserWarning): pass From 3fa1405c717a276455023cfc2e8fc3025d88db0c Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Thu, 30 Nov 2023 17:10:23 +0100 Subject: [PATCH 0752/1014] Apply a couple refurb suggestions (#9944) * Apply refurb suggestion [FURB138]: Consider using list comprehension * Apply refurb suggestion [FURB108]: Replace `x == y or x == z` with `x in (y, z)` --- .../hazmat/backends/openssl/backend.py | 2 +- src/cryptography/x509/name.py | 5 +---- tests/hazmat/primitives/test_aead.py | 18 ++++++++++-------- 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index adfd7aefe5f0..755431f29410 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -174,7 +174,7 @@ def openssl_version_number(self) -> int: return self._lib.OpenSSL_version_num() def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm): - if algorithm.name == "blake2b" or algorithm.name == "blake2s": + if algorithm.name in ("blake2b", "blake2s"): alg = f"{algorithm.name}{algorithm.digest_size * 8}".encode( "ascii" ) diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index c237f8647cb7..5e8ccfff5994 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -132,10 +132,7 @@ def __init__( if not isinstance(value, str): raise TypeError("value argument must be a str") - if ( - oid == NameOID.COUNTRY_NAME - or oid == NameOID.JURISDICTION_COUNTRY_NAME - ): + if oid in (NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME): assert isinstance(value, str) c_len = len(value.encode("utf8")) if c_len != 2 and _validate is True: diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 5cf5bca546a1..57ddf1816ab6 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -732,10 +732,11 @@ def test_vectors(self, backend, subtests): aad1 = vector.get("aad", None) aad2 = vector.get("aad2", None) aad3 = vector.get("aad3", None) - aad = [] - for a in [aad1, aad2, aad3]: - if a is not None: - aad.append(binascii.unhexlify(a)) + aad = [ + binascii.unhexlify(a) + for a in (aad1, aad2, aad3) + if a is not None + ] ct = binascii.unhexlify(vector["ciphertext"]) tag = binascii.unhexlify(vector["tag"]) pt = binascii.unhexlify(vector.get("plaintext", b"")) @@ -757,10 +758,11 @@ def test_vectors_invalid(self, backend, subtests): aad1 = vector.get("aad", None) aad2 = vector.get("aad2", None) aad3 = vector.get("aad3", None) - aad = [] - for a in [aad1, aad2, aad3]: - if a is not None: - aad.append(binascii.unhexlify(a)) + aad = [ + binascii.unhexlify(a) + for a in (aad1, aad2, aad3) + if a is not None + ] ct = binascii.unhexlify(vector["ciphertext"]) aessiv = AESSIV(key) From 6deb2b55b616ae982a8ddfbeafe43e56035ae95b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 30 Nov 2023 14:23:21 -0500 Subject: [PATCH 0753/1014] Add top-level permissions to pypi (#9945) which are then overridden by the one job. the various bots like this better --- .github/workflows/pypi-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 666b56940bee..7d762a53d5a6 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -18,6 +18,9 @@ on: env: PUBLISH_REQUIREMENTS_PATH: .github/requirements/publish-requirements.txt +permissions: + contents: read + jobs: publish: runs-on: ubuntu-latest From f7db900d2f0fec484626552a09565a80e07f1370 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 01:54:42 +0000 Subject: [PATCH 0754/1014] Bump BoringSSL and/or OpenSSL in CI (#9946) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 713302ef5b5d..b69be5b361c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Nov 30, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d479673ccd027eaee60e4c382ed4a463d471a96"}} - # Latest commit on the OpenSSL master branch, as of Nov 30, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cc82b09cbde0b809d37c23cb1ef9f1f41fc7f959"}} + # Latest commit on the BoringSSL master branch, as of Dec 01, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "15c811b8f5743476d0fc8e9f9d92f3f1658513f7"}} + # Latest commit on the OpenSSL master branch, as of Dec 01, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "db04cf25f3e0dda77a3b054ae12ae1874b1ae977"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 6359dc0e0483b123bb81a329e393314786cb7dff Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 1 Dec 2023 17:46:29 +0100 Subject: [PATCH 0755/1014] Add test vectors for AES-GCM-SIV (#9930) --- .../custom-vectors/aes-192-gcm-siv.rst | 28 + .../aes-192-gcm-siv/generate_aes192gcmsiv.py | 86 +++ .../verify-aes192gcmsiv/Cargo.toml | 11 + .../verify-aes192gcmsiv/src/main.rs | 116 +++++ docs/development/test-vectors.rst | 5 + .../ciphers/AES/GCM-SIV/aes-192-gcm-siv.txt | 399 ++++++++++++++ .../ciphers/AES/GCM-SIV/openssl.txt | 492 ++++++++++++++++++ 7 files changed, 1137 insertions(+) create mode 100644 docs/development/custom-vectors/aes-192-gcm-siv.rst create mode 100644 docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py create mode 100644 docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml create mode 100644 docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/src/main.rs create mode 100644 vectors/cryptography_vectors/ciphers/AES/GCM-SIV/aes-192-gcm-siv.txt create mode 100644 vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt diff --git a/docs/development/custom-vectors/aes-192-gcm-siv.rst b/docs/development/custom-vectors/aes-192-gcm-siv.rst new file mode 100644 index 000000000000..1900eb87959d --- /dev/null +++ b/docs/development/custom-vectors/aes-192-gcm-siv.rst @@ -0,0 +1,28 @@ +AES-GCM-SIV vector creation +=========================== + +This page documents the code that was used to generate the AES-GCM-SIV test +vectors for key lengths not available in the OpenSSL test vectors. All the +vectors were generated using OpenSSL and verified with Rust. + +Creation +-------- + +The following Python script was run to generate the vector files. The OpenSSL +test vectors were used as a base and modified to have 192-bit key length. + +.. literalinclude:: /development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py + +Download link: :download:`generate_aes192gcmsiv.py +` + + +Verification +------------ + +The following Rust program was used to verify the vectors. + +.. literalinclude:: /development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/src/main.rs + +Download link: :download:`main.rs +` diff --git a/docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py b/docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py new file mode 100644 index 000000000000..a9d48198bd56 --- /dev/null +++ b/docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py @@ -0,0 +1,86 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import binascii + +from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV + + +def convert_key_to_192_bits(key: str) -> str: + """ + This takes existing 128 and 256-bit keys from test vectors from OpenSSL + and makes them 192-bit by either appending 0 or truncating the key. + """ + new_key = binascii.unhexlify(key) + if len(new_key) == 16: + new_key += b"\x00" * 8 + elif len(new_key) == 32: + new_key = new_key[0:24] + else: + raise RuntimeError( + "Unexpected key length. OpenSSL AES-GCM-SIV test vectors only " + "contain 128-bit and 256-bit keys" + ) + + return binascii.hexlify(new_key).decode("ascii") + + +def encrypt(key: str, iv: str, plaintext: str, aad: str) -> (str, str): + aesgcmsiv = AESGCMSIV(binascii.unhexlify(key)) + encrypted_output = aesgcmsiv.encrypt( + binascii.unhexlify(iv), + binascii.unhexlify(plaintext), + binascii.unhexlify(aad) if aad else None, + ) + ciphertext, tag = encrypted_output[:-16], encrypted_output[-16:] + + return ( + binascii.hexlify(ciphertext).decode("ascii"), + binascii.hexlify(tag).decode("ascii"), + ) + + +def build_vectors(filename): + count = 0 + output = [] + key = None + iv = None + aad = None + plaintext = None + + with open(filename) as vector_file: + for line in vector_file: + line = line.strip() + if line.startswith("Key"): + if count != 0: + ciphertext, tag = encrypt(key, iv, plaintext, aad) + output.append(f"Tag = {tag}\nCiphertext = {ciphertext}\n") + output.append(f"\nCOUNT = {count}") + count += 1 + aad = None + _, key = line.split(" = ") + key = convert_key_to_192_bits(key) + output.append(f"Key = {key}") + elif line.startswith("IV"): + _, iv = line.split(" = ") + output.append(f"IV = {iv}") + elif line.startswith("AAD"): + _, aad = line.split(" = ") + output.append(f"AAD = {aad}") + elif line.startswith("Plaintext"): + _, plaintext = line.split(" = ") + output.append(f"Plaintext = {plaintext}") + + ciphertext, tag = encrypt(key, iv, plaintext, aad) + output.append(f"Tag = {tag}\nCiphertext = {ciphertext}\n") + return "\n".join(output) + + +def write_file(data, filename): + with open(filename, "w") as f: + f.write(data) + + +path = "vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt" +write_file(build_vectors(path), "aes-192-gcm-siv.txt") diff --git a/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml b/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml new file mode 100644 index 000000000000..ef9317059c30 --- /dev/null +++ b/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml @@ -0,0 +1,11 @@ +[package] +name = "verify-aes192gcmsiv" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +aes-gcm-siv = "0.11.1" +aes = "0.8.1" +hex = "0.4.3" diff --git a/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/src/main.rs b/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/src/main.rs new file mode 100644 index 000000000000..d4dfdf99b0e6 --- /dev/null +++ b/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/src/main.rs @@ -0,0 +1,116 @@ +use aes_gcm_siv::{ + aead::{Aead, KeyInit}, + AesGcmSiv, Nonce, +}; + +use aes::Aes192; +use aes_gcm_siv::aead::generic_array::GenericArray; +use aes_gcm_siv::aead::Payload; +use std::fs::File; +use std::io; +use std::io::BufRead; +use std::path::Path; + +pub type Aes192GcmSiv = AesGcmSiv; + +struct VectorArgs { + nonce: String, + key: String, + aad: String, + tag: String, + plaintext: String, + ciphertext: String, +} + +fn validate(v: &VectorArgs) { + let key_bytes = hex::decode(&v.key).unwrap(); + let nonce_bytes = hex::decode(&v.nonce).unwrap(); + let aad_bytes = hex::decode(&v.aad).unwrap(); + let plaintext_bytes = hex::decode(&v.plaintext).unwrap(); + let expected_ciphertext_bytes = hex::decode(&v.ciphertext).unwrap(); + let expected_tag_bytes = hex::decode(&v.tag).unwrap(); + + let key_array: [u8; 24] = key_bytes.try_into().unwrap(); + let cipher = Aes192GcmSiv::new(&GenericArray::from(key_array)); + + let payload = Payload { + msg: plaintext_bytes.as_slice(), + aad: aad_bytes.as_slice(), + }; + let encrypted_bytes = cipher + .encrypt(Nonce::from_slice(nonce_bytes.as_slice()), payload) + .unwrap(); + let (ciphertext_bytes, tag_bytes) = encrypted_bytes.split_at(plaintext_bytes.len()); + assert_eq!(ciphertext_bytes, expected_ciphertext_bytes); + assert_eq!(tag_bytes, expected_tag_bytes); +} + +fn validate_vectors(filename: &Path) { + let file = File::open(filename).expect("Failed to open file"); + let reader = io::BufReader::new(file); + + let mut vector: Option = None; + + for line in reader.lines() { + let line = line.expect("Failed to read line"); + let segments: Vec<&str> = line.splitn(2, " = ").collect(); + + match segments.first() { + Some(&"COUNT") => { + if let Some(v) = vector.take() { + validate(&v); + } + vector = Some(VectorArgs { + nonce: String::new(), + key: String::new(), + aad: String::new(), + tag: String::new(), + plaintext: String::new(), + ciphertext: String::new(), + }); + } + Some(&"IV") => { + if let Some(v) = &mut vector { + v.nonce = segments[1].parse().expect("Failed to parse IV"); + } + } + Some(&"Key") => { + if let Some(v) = &mut vector { + v.key = segments[1].to_string(); + } + } + Some(&"AAD") => { + if let Some(v) = &mut vector { + v.aad = segments[1].to_string(); + } + } + Some(&"Tag") => { + if let Some(v) = &mut vector { + v.tag = segments[1].to_string(); + } + } + Some(&"Plaintext") => { + if let Some(v) = &mut vector { + v.plaintext = segments[1].to_string(); + } + } + Some(&"Ciphertext") => { + if let Some(v) = &mut vector { + v.ciphertext = segments[1].to_string(); + } + } + _ => {} + } + } + + if let Some(v) = vector { + validate(&v); + } +} + +fn main() { + validate_vectors(Path::new( + "vectors/cryptography_vectors/ciphers/AES/GCM-SIV/aes-192-gcm-siv.txt", + )); + println!("AES-192-GCM-SIV OK.") +} diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 82050b9d30e6..ff43285db18b 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -939,6 +939,9 @@ Symmetric ciphers * AES (CBC, CFB, ECB, GCM, OFB, CCM) from `NIST CAVP`_. * AES CTR from :rfc:`3686`. +* AES-GCM-SIV (KEY-LENGTH: 128, 256) from OpenSSL's `evpciph_aes_gcm_siv.txt`_. +* AES-GCM-SIV (KEY-LENGTH: 192) generated by this project. + See :doc:`/development/custom-vectors/aes-192-gcm-siv` * AES OCB3 from :rfc:`7253`, `dkg's additional OCB3 vectors`_, and `OpenSSL's OCB vectors`_. * AES SIV from OpenSSL's `evpciph_aes_siv.txt`_. * 3DES (CBC, CFB, ECB, OFB) from `NIST CAVP`_. @@ -992,6 +995,7 @@ Created Vectors .. toctree:: :maxdepth: 1 + custom-vectors/aes-192-gcm-siv custom-vectors/arc4 custom-vectors/cast5 custom-vectors/chacha20 @@ -1055,6 +1059,7 @@ header format (substituting the correct information): .. _`root-ed25519.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/root-ed25519.pem .. _`server-ed25519-cert.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/server-ed25519-cert.pem .. _`server-ed448-cert.pem`: https://github.com/openssl/openssl/blob/2a1e2fe145c6eb8e75aa2e1b3a8c3a49384b2852/test/certs/server-ed448-cert.pem +.. _`evpciph_aes_gcm_siv.txt`: https://github.com/openssl/openssl/blob/a2b1ab6100d5f0fb50b61d241471eea087415632/test/recipes/30-test_evp_data/evpciph_aes_gcm_siv.txt .. _`evpciph_aes_siv.txt`: https://github.com/openssl/openssl/blob/d830526c711074fdcd82c70c24c31444366a1ed8/test/recipes/30-test_evp_data/evpciph_aes_siv.txt .. _`dkg's additional OCB3 vectors`: https://gitlab.com/dkg/ocb-test-vectors .. _`OpenSSL's OCB vectors`: https://github.com/openssl/openssl/commit/2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be diff --git a/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/aes-192-gcm-siv.txt b/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/aes-192-gcm-siv.txt new file mode 100644 index 000000000000..c4ba6703c1b4 --- /dev/null +++ b/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/aes-192-gcm-siv.txt @@ -0,0 +1,399 @@ + +COUNT = 0 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0100000000000000 +Tag = 6b0606875a845eec145f44ae5b92e834 +Ciphertext = 0e49fb119666c8ae + + +COUNT = 1 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 010000000000000000000000 +Tag = 9f2131df8b794bc6d9af9e5a8a96318e +Ciphertext = 3938f3fe1dad8464114dc42a + + +COUNT = 2 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 01000000000000000000000000000000 +Tag = 82e6a81be803dc33f56a637fcaa70fec +Ciphertext = 75a96f1f1cbfa93e2cd69e8a18bf3bab + + +COUNT = 3 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Tag = def094dd94cb68942b1b96a85a8eab28 +Ciphertext = 3022f43d5ca420345420c52de08ddaa28b8fb840aeb41bd44addc78d07e0835b + + +COUNT = 4 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Tag = 6c64163e992cd475d847b9348ff1798a +Ciphertext = b2848264495ddec52a6f28a0b8112e031b78f4b78eb6590c54d68f14232850e2e4c4fdf78b8c63770ee0f07d43deb520 + + +COUNT = 5 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +AAD = 01 +Tag = c7eb28d9cd1fe3b3b2bd75705e747c9b +Ciphertext = bbec4e4329672818200ae2185c45dfa8e21757d044298da5f2a1ae8157737b4934ab76fb05fcba19b641971270c012c3d223ba5150687128e702fd0a656e2644 + + +COUNT = 6 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0200000000000000 +AAD = 01 +Tag = 894e72c67363ad0eab00784b92b10cba +Ciphertext = 8b2eed8f172b2227 + + +COUNT = 7 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 020000000000000000000000 +AAD = 01 +Tag = 41d21d1b764e3ffdd253c2b0a4695e2a +Ciphertext = 307a6cdfcaa3ca0d9f8a9c31 + + +COUNT = 8 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 02000000000000000000000000000000 +AAD = 01 +Tag = aafde8488bdcb22dfa65fad6e094c6da +Ciphertext = 30d9630474420eea90bee4dbca3c4ae0 + + +COUNT = 9 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +AAD = 01 +Tag = 03902234c1db8adcc4b6a2bc09c28401 +Ciphertext = abc2b17cc5a7a89745b684844b1699757528f3a008090cdb0dd6bfbdfea9550e + + +COUNT = 10 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +AAD = 01 +Tag = bd5a9b90b763e05e69ea0ffe3d850abf +Ciphertext = 335910f4402db51cecc5c35fb49eda857f705de55c9a69824598420431dd0ad3f1d01db404118f0b48b1e405ca4360f6 + + +COUNT = 11 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +AAD = 010000000000000000000000 +Tag = fa6414f191bf4d9150463ea5576419e7 +Ciphertext = 4a079678501f40450cec428417910b3193a222cbb123dfdbc813da04e1e1b4d8d103bc2e50f732b2f5426adfe97a8c7be4c9469781e84db13a2d20701187da52 + + +COUNT = 12 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 02000000 +AAD = 010000000000000000000000000000000200 +Tag = a55b45c4a6eae8d73458616043f2e613 +Ciphertext = ff75102b + + +COUNT = 13 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0300000000000000000000000000000004000000 +AAD = 0100000000000000000000000000000002000000 +Tag = eb23533e1cfa48dd66312068522ffbcd +Ciphertext = 800a331bc9fd057346f967d0b74b6e0c28f87dde + + +COUNT = 14 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 030000000000000000000000000000000400 +AAD = 46bb91c3c5 +Tag = 1262580dd140a8f15a3cfaa61dae6228 +Ciphertext = 5fcd136fbe93ff59312419db8dc88592d04d + + +COUNT = 15 +Key = 36864200e0eaf5284d884a0e77d316460000000000000000 +IV = bae8e37fc83441b16034566b +Plaintext = 7a806c +AAD = fc880c94a95198874296 +Tag = 0b12efedd62766899d8d71dd2b60efb7 +Ciphertext = e9d247 + + +COUNT = 16 +Key = aedb64a6c590bc84d1a5e269e4b478010000000000000000 +IV = afc0577e34699b9e671fdd4f +Plaintext = bdc66f146545 +AAD = 046787f3ea22c127aaf195d1894728 +Tag = 300a8b293f061d9a240f28e3e8d01c80 +Ciphertext = c3fe5dc13711 + + +COUNT = 17 +Key = d5cc1fd161320b6920ce07787f86743b0000000000000000 +IV = 275d1ab32f6d1f0434d8848c +Plaintext = 1177441f195495860f +AAD = c9882e5386fd9f92ec489c8fde2be2cf97e74e93 +Tag = 2f836454f4067fd55487b2ee9f98969f +Ciphertext = b2adb4f1ee87054334 + + +COUNT = 18 +Key = b3fed1473c528b8426a582995929a1490000000000000000 +IV = 9e9ad8780c8d63d0ab4149c0 +Plaintext = 9f572c614b4745914474e7c7 +AAD = 2950a70d5a1db2316fd568378da107b52b0da55210cc1c1b0a +Tag = e807b12ad6e986df56634d368618736b +Ciphertext = 55bbffc06e088d5e84a91645 + + +COUNT = 19 +Key = 2d4ed87da44102952ef94b02b805249b0000000000000000 +IV = ac80e6f61455bfac8308a2d4 +Plaintext = 0d8c8451178082355c9e940fea2f58 +AAD = 1860f762ebfbd08284e421702de0de18baa9c9596291b08466f37de21c7f +Tag = b17d76ae290eb80fab2ce7b442e5eff8 +Ciphertext = f253ab63b9ddb0a504bb89d7433af2 + + +COUNT = 20 +Key = bde3b2f204d1e9f8b06bc47f9745b3d10000000000000000 +IV = ae06556fb6aa7890bebc18fe +Plaintext = 6b3db4da3d57aa94842b9803a96e07fb6de7 +AAD = 7576f7028ec6eb5ea7e298342a94d4b202b370ef9768ec6561c4fe6b7e7296fa859c21 +Tag = 052d42f547b265c1c3df2ef3825e98f9 +Ciphertext = 2cf3f09fe425322a2780ec29ddb7223157e2 + + +COUNT = 21 +Key = f901cfe8a69615a93fdf7a98cad481790000000000000000 +IV = 6245709fb18853f68d833640 +Plaintext = e42a3c02c25b64869e146d7b233987bddfc240871d +Tag = ef016675dc2db7d0b99fc180ab22a3a9 +Ciphertext = 8fb444f874828ddc73c2fa86bfd0458da27919b1a9 + + +COUNT = 22 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0100000000000000 +Tag = 6b0606875a845eec145f44ae5b92e834 +Ciphertext = 0e49fb119666c8ae + + +COUNT = 23 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 010000000000000000000000 +Tag = 9f2131df8b794bc6d9af9e5a8a96318e +Ciphertext = 3938f3fe1dad8464114dc42a + + +COUNT = 24 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 01000000000000000000000000000000 +Tag = 82e6a81be803dc33f56a637fcaa70fec +Ciphertext = 75a96f1f1cbfa93e2cd69e8a18bf3bab + + +COUNT = 25 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Tag = def094dd94cb68942b1b96a85a8eab28 +Ciphertext = 3022f43d5ca420345420c52de08ddaa28b8fb840aeb41bd44addc78d07e0835b + + +COUNT = 26 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Tag = 6c64163e992cd475d847b9348ff1798a +Ciphertext = b2848264495ddec52a6f28a0b8112e031b78f4b78eb6590c54d68f14232850e2e4c4fdf78b8c63770ee0f07d43deb520 + + +COUNT = 27 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +AAD = 01 +Tag = c7eb28d9cd1fe3b3b2bd75705e747c9b +Ciphertext = bbec4e4329672818200ae2185c45dfa8e21757d044298da5f2a1ae8157737b4934ab76fb05fcba19b641971270c012c3d223ba5150687128e702fd0a656e2644 + + +COUNT = 28 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0200000000000000 +AAD = 01 +Tag = 894e72c67363ad0eab00784b92b10cba +Ciphertext = 8b2eed8f172b2227 + + +COUNT = 29 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 020000000000000000000000 +AAD = 01 +Tag = 41d21d1b764e3ffdd253c2b0a4695e2a +Ciphertext = 307a6cdfcaa3ca0d9f8a9c31 + + +COUNT = 30 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 02000000000000000000000000000000 +AAD = 01 +Tag = aafde8488bdcb22dfa65fad6e094c6da +Ciphertext = 30d9630474420eea90bee4dbca3c4ae0 + + +COUNT = 31 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +AAD = 01 +Tag = 03902234c1db8adcc4b6a2bc09c28401 +Ciphertext = abc2b17cc5a7a89745b684844b1699757528f3a008090cdb0dd6bfbdfea9550e + + +COUNT = 32 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +AAD = 01 +Tag = bd5a9b90b763e05e69ea0ffe3d850abf +Ciphertext = 335910f4402db51cecc5c35fb49eda857f705de55c9a69824598420431dd0ad3f1d01db404118f0b48b1e405ca4360f6 + + +COUNT = 33 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +AAD = 010000000000000000000000 +Tag = fa6414f191bf4d9150463ea5576419e7 +Ciphertext = 4a079678501f40450cec428417910b3193a222cbb123dfdbc813da04e1e1b4d8d103bc2e50f732b2f5426adfe97a8c7be4c9469781e84db13a2d20701187da52 + + +COUNT = 34 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 02000000 +AAD = 010000000000000000000000000000000200 +Tag = a55b45c4a6eae8d73458616043f2e613 +Ciphertext = ff75102b + + +COUNT = 35 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 0300000000000000000000000000000004000000 +AAD = 0100000000000000000000000000000002000000 +Tag = eb23533e1cfa48dd66312068522ffbcd +Ciphertext = 800a331bc9fd057346f967d0b74b6e0c28f87dde + + +COUNT = 36 +Key = 010000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Plaintext = 030000000000000000000000000000000400 +AAD = 4fbdc66f14 +Tag = d4a18ab742502dcae4dd17390cb2acd9 +Ciphertext = 4f566a1cfa8b324963dc1d50193dff4c9188 + + +COUNT = 37 +Key = bae8e37fc83441b16034566b7a806c46bb91c3c5aedb64a6 +IV = e4b47801afc0577e34699b9e +Plaintext = 671fdd +AAD = 6787f3ea22c127aaf195 +Tag = 638269643cda66e000734bf9f0c821f4 +Ciphertext = c76264 + + +COUNT = 38 +Key = 6545fc880c94a95198874296d5cc1fd161320b6920ce0778 +IV = 2f6d1f0434d8848c1177441f +Plaintext = 195495860f04 +AAD = 489c8fde2be2cf97e74e932d4ed87d +Tag = 4925f70d2e7ed024a7c7a4c6cb2cce2d +Ciphertext = 36583f07a52f + + +COUNT = 39 +Key = d1894728b3fed1473c528b8426a582995929a1499e9ad878 +IV = 9f572c614b4745914474e7c7 +Plaintext = c9882e5386fd9f92ec +AAD = 0da55210cc1c1b0abde3b2f204d1e9f8b06bc47f +Tag = 4cc78a269c9a89853cdb774a666af987 +Ciphertext = cb04c5de6874c6a146 + + +COUNT = 40 +Key = a44102952ef94b02b805249bac80e6f61455bfac8308a2d4 +IV = 5c9e940fea2f582950a70d5a +Plaintext = 1db2316fd568378da107b52b +AAD = f37de21c7ff901cfe8a69615a93fdf7a98cad481796245709f +Tag = c8039defe751d0376d2dfe270098087b +Ciphertext = 754f8b19e96a82d3f2d65fc9 + + +COUNT = 41 +Key = 9745b3d1ae06556fb6aa7890bebc18fe6b3db4da3d57aa94 +IV = 6de71860f762ebfbd08284e4 +Plaintext = 21702de0de18baa9c9596291b08466 +AAD = 9c2159058b1f0fe91433a5bdc20e214eab7fecef4454a10ef0657df21ac7 +Tag = 7b3f0297b430ea449da03edbd733c09f +Ciphertext = b435bc3278d03b21c9617fe61e5d38 + + +COUNT = 42 +Key = b18853f68d833640e42a3c02c25b64869e146d7b233987bd +IV = 028ec6eb5ea7e298342a94d4 +Plaintext = b202b370ef9768ec6561c4fe6b7e7296fa85 +AAD = 734320ccc9d9bbbb19cb81b2af4ecbc3e72834321f7aa0f70b7282b4f33df23f167541 +Tag = 5202d95e07513016c4297bb6931645fa +Ciphertext = a1b8a596c157c466388807c4a4dae95cbca9 + + +COUNT = 43 +Key = 3c535de192eaed3822a2fbbe2ca9dfc88255e14a661b8aa8 +IV = 688089e55540db1872504e1c +Plaintext = ced532ce4159b035277d4dfbb7db62968b13cd4eec +Tag = dfea23246312c3a465c07c31181b843e +Ciphertext = 240a8f822438d841f7762d8ff7d5491abf1a522cfa + + +COUNT = 44 +Key = 000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = 000000000000000000000000000000004db923dc793ee6497c76dcc03a98e108 +Tag = 186ba2cd0e9b336b7ff602360de21986 +Ciphertext = f6ec502b997e31fd7760f9c775db0a88597efe1053d343775195f0e3416e51b2 + + +COUNT = 45 +Key = 000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Plaintext = eb3640277c7ffd1303c7a542d02d3e4c0000000000000000 +Tag = f23ebe966130dcc9e2a8eb7a91193ac8 +Ciphertext = c67f39b25f3dc2d5a9d400dd29275f10b4291b0efb6d32de diff --git a/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt b/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt new file mode 100644 index 000000000000..148dd47483db --- /dev/null +++ b/vectors/cryptography_vectors/ciphers/AES/GCM-SIV/openssl.txt @@ -0,0 +1,492 @@ +#Cipher = aes-128-gcm-siv +COUNT = 0 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 578782fff6013b815b287c22493a364c +Plaintext = 0100000000000000 +Ciphertext = b5d839330ac7b786 + + + +#Cipher = aes-128-gcm-siv +COUNT = 1 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = a4978db357391a0bc4fdec8b0d106639 +Plaintext = 010000000000000000000000 +Ciphertext = 7323ea61d05932260047d942 + + + +#Cipher = aes-128-gcm-siv +COUNT = 2 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 303aaf90f6fe21199c6068577437a0c4 +Plaintext = 01000000000000000000000000000000 +Ciphertext = 743f7c8077ab25f8624e2e948579cf77 + + + +#Cipher = aes-128-gcm-siv +COUNT = 3 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 1a8e45dcd4578c667cd86847bf6155ff +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Ciphertext = 84e07e62ba83a6585417245d7ec413a9fe427d6315c09b57ce45f2e3936a9445 + + + +#Cipher = aes-128-gcm-siv +COUNT = 4 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 5e6e311dbf395d35b0fe39c2714388f8 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 3fd24ce1f5a67b75bf2351f181a475c7b800a5b4d3dcf70106b1eea82fa1d64df42bf7226122fa92e17a40eeaac1201b + + + +#Cipher = aes-128-gcm-siv +COUNT = 5 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8a263dd317aa88d56bdf3936dba75bb8 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = 2433668f1058190f6d43e360f4f35cd8e475127cfca7028ea8ab5c20f7ab2af02516a2bdcbc08d521be37ff28c152bba36697f25b4cd169c6590d1dd39566d3f + + + +#Cipher = aes-128-gcm-siv +COUNT = 6 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 3b0a1a2560969cdf790d99759abd1508 +Plaintext = 0200000000000000 +Ciphertext = 1e6daba35669f427 + + + +#Cipher = aes-128-gcm-siv +COUNT = 7 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 08299c5102745aaa3a0c469fad9e075a +Plaintext = 020000000000000000000000 +Ciphertext = 296c7889fd99f41917f44620 + + + +#Cipher = aes-128-gcm-siv +COUNT = 8 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8f8936ec039e4e4bb97ebd8c4457441f +Plaintext = 02000000000000000000000000000000 +Ciphertext = e2b0c5da79a901c1745f700525cb335b + + + +#Cipher = aes-128-gcm-siv +COUNT = 9 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = e6af6a7f87287da059a71684ed3498e1 +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 620048ef3c1e73e57e02bb8562c416a319e73e4caac8e96a1ecb2933145a1d71 + + + +#Cipher = aes-128-gcm-siv +COUNT = 10 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 6a8cc3865f76897c2e4b245cf31c51f2 +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = 50c8303ea93925d64090d07bd109dfd9515a5a33431019c17d93465999a8b0053201d723120a8562b838cdff25bf9d1e + + + +#Cipher = aes-128-gcm-siv +COUNT = 11 +AAD = 01 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = cdc46ae475563de037001ef84ae21744 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +Ciphertext = 2f5c64059db55ee0fb847ed513003746aca4e61c711b5de2e7a77ffd02da42feec601910d3467bb8b36ebbaebce5fba30d36c95f48a3e7980f0e7ac299332a80 + + + +#Cipher = aes-128-gcm-siv +COUNT = 12 +AAD = 010000000000000000000000 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 07eb1f84fb28f8cb73de8e99e2f48a14 +Plaintext = 02000000 +Ciphertext = a8fe3e87 + + + +#Cipher = aes-128-gcm-siv +COUNT = 13 +AAD = 010000000000000000000000000000000200 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 24afc9805e976f451e6d87f6fe106514 +Plaintext = 0300000000000000000000000000000004000000 +Ciphertext = 6bb0fecf5ded9b77f902c7d5da236a4391dd0297 + + + +#Cipher = aes-128-gcm-siv +COUNT = 14 +AAD = 0100000000000000000000000000000002000000 +Key = 01000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = bff9b2ef00fb47920cc72a0c0f13b9fd +Plaintext = 030000000000000000000000000000000400 +Ciphertext = 44d0aaf6fb2f1f34add5e8064e83e12a2ada + + +#Cipher = aes-128-gcm-siv +COUNT = 15 +AAD = 46bb91c3c5 +Key = 36864200e0eaf5284d884a0e77d31646 +IV = bae8e37fc83441b16034566b +Tag = 711bd85bc1e4d3e0a462e074eea428a8 +Plaintext = 7a806c +Ciphertext = af60eb + + + +#Cipher = aes-128-gcm-siv +COUNT = 16 +AAD = fc880c94a95198874296 +Key = aedb64a6c590bc84d1a5e269e4b47801 +IV = afc0577e34699b9e671fdd4f +Tag = d6a9c45545cfc11f03ad743dba20f966 +Plaintext = bdc66f146545 +Ciphertext = bb93a3e34d3c + + + +#Cipher = aes-128-gcm-siv +COUNT = 17 +AAD = 046787f3ea22c127aaf195d1894728 +Key = d5cc1fd161320b6920ce07787f86743b +IV = 275d1ab32f6d1f0434d8848c +Tag = 1d02fd0cd174c84fc5dae2f60f52fd2b +Plaintext = 1177441f195495860f +Ciphertext = 4f37281f7ad12949d0 + + + +#Cipher = aes-128-gcm-siv +COUNT = 18 +AAD = c9882e5386fd9f92ec489c8fde2be2cf97e74e93 +Key = b3fed1473c528b8426a582995929a149 +IV = 9e9ad8780c8d63d0ab4149c0 +Tag = c1dc2f871fb7561da1286e655e24b7b0 +Plaintext = 9f572c614b4745914474e7c7 +Ciphertext = f54673c5ddf710c745641c8b + + + +#Cipher = aes-128-gcm-siv +COUNT = 19 +AAD = 2950a70d5a1db2316fd568378da107b52b0da55210cc1c1b0a +Key = 2d4ed87da44102952ef94b02b805249b +IV = ac80e6f61455bfac8308a2d4 +Tag = 83b3449b9f39552de99dc214a1190b0b +Plaintext = 0d8c8451178082355c9e940fea2f58 +Ciphertext = c9ff545e07b88a015f05b274540aa1 + + + +#Cipher = aes-128-gcm-siv +COUNT = 20 +AAD = 1860f762ebfbd08284e421702de0de18baa9c9596291b08466f37de21c7f +Key = bde3b2f204d1e9f8b06bc47f9745b3d1 +IV = ae06556fb6aa7890bebc18fe +Tag = 3e377094f04709f64d7b985310a4db84 +Plaintext = 6b3db4da3d57aa94842b9803a96e07fb6de7 +Ciphertext = 6298b296e24e8cc35dce0bed484b7f30d580 + + + +#Cipher = aes-128-gcm-siv +COUNT = 21 +AAD = 7576f7028ec6eb5ea7e298342a94d4b202b370ef9768ec6561c4fe6b7e7296fa859c21 +Key = f901cfe8a69615a93fdf7a98cad48179 +IV = 6245709fb18853f68d833640 +Tag = 2d15506c84a9edd65e13e9d24a2a6e70 +Plaintext = e42a3c02c25b64869e146d7b233987bddfc240871d +Ciphertext = 391cc328d484a4f46406181bcd62efd9b3ee197d05 + + +# AES_256_GCM_SIV + + + +#Cipher = aes-256-gcm-siv +COUNT = 22 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 843122130f7364b761e0b97427e3df28 +Plaintext = 0100000000000000 +Ciphertext = c2ef328e5c71c83b + + + +#Cipher = aes-256-gcm-siv +COUNT = 23 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 8ca50da9ae6559e48fd10f6e5c9ca17e +Plaintext = 010000000000000000000000 +Ciphertext = 9aab2aeb3faa0a34aea8e2b1 + + + +#Cipher = aes-256-gcm-siv +COUNT = 24 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = c9eac6fa700942702e90862383c6c366 +Plaintext = 01000000000000000000000000000000 +Ciphertext = 85a01b63025ba19b7fd3ddfc033b3e76 + + + +#Cipher = aes-256-gcm-siv +COUNT = 25 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = e819e63abcd020b006a976397632eb5d +Plaintext = 0100000000000000000000000000000002000000000000000000000000000000 +Ciphertext = 4a6a9db4c8c6549201b9edb53006cba821ec9cf850948a7c86c68ac7539d027f + + + +#Cipher = aes-256-gcm-siv +COUNT = 26 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 790bc96880a99ba804bd12c0e6a22cc4 +Plaintext = 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = c00d121893a9fa603f48ccc1ca3c57ce7499245ea0046db16c53c7c66fe717e39cf6c748837b61f6ee3adcee17534ed5 + + + +#Cipher = aes-256-gcm-siv +COUNT = 27 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 112864c269fc0d9d88c61fa47e39aa08 +Plaintext = 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = c2d5160a1f8683834910acdafc41fbb1632d4a353e8b905ec9a5499ac34f96c7e1049eb080883891a4db8caaa1f99dd004d80487540735234e3744512c6f90ce + + + +#Cipher = aes-256-gcm-siv +COUNT = 28 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 91213f267e3b452f02d01ae33e4ec854 +Plaintext = 0200000000000000 +Ciphertext = 1de22967237a8132 + + + +#Cipher = aes-256-gcm-siv +COUNT = 29 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = c1a4a19ae800941ccdc57cc8413c277f +Plaintext = 020000000000000000000000 +Ciphertext = 163d6f9cc1b346cd453a2e4c + + + +#Cipher = aes-256-gcm-siv +COUNT = 30 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = b292d28ff61189e8e49f3875ef91aff7 +Plaintext = 02000000000000000000000000000000 +Ciphertext = c91545823cc24f17dbb0e9e807d5ec17 + + + +#Cipher = aes-256-gcm-siv +COUNT = 31 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = aea1bad12702e1965604374aab96dbbc +Plaintext = 0200000000000000000000000000000003000000000000000000000000000000 +Ciphertext = 07dad364bfc2b9da89116d7bef6daaaf6f255510aa654f920ac81b94e8bad365 + + + +#Cipher = aes-256-gcm-siv +COUNT = 32 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 03332742b228c647173616cfd44c54eb +Plaintext = 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000 +Ciphertext = c67a1f0f567a5198aa1fcc8e3f21314336f7f51ca8b1af61feac35a86416fa47fbca3b5f749cdf564527f2314f42fe25 + + + +#Cipher = aes-256-gcm-siv +COUNT = 33 +AAD = 01 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 5bde0285037c5de81e5b570a049b62a0 +Plaintext = 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000 +Ciphertext = 67fd45e126bfb9a79930c43aad2d36967d3f0e4d217c1e551f59727870beefc98cb933a8fce9de887b1e40799988db1fc3f91880ed405b2dd298318858467c89 + + + +#Cipher = aes-256-gcm-siv +COUNT = 34 +AAD = 010000000000000000000000 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = 1835e517741dfddccfa07fa4661b74cf +Plaintext = 02000000 +Ciphertext = 22b3f4cd + + + +#Cipher = aes-256-gcm-siv +COUNT = 35 +AAD = 010000000000000000000000000000000200 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = b879ad976d8242acc188ab59cabfe307 +Plaintext = 0300000000000000000000000000000004000000 +Ciphertext = 43dd0163cdb48f9fe3212bf61b201976067f342b + + + +#Cipher = aes-256-gcm-siv +COUNT = 36 +AAD = 0100000000000000000000000000000002000000 +Key = 0100000000000000000000000000000000000000000000000000000000000000 +IV = 030000000000000000000000 +Tag = cfcdf5042112aa29685c912fc2056543 +Plaintext = 030000000000000000000000000000000400 +Ciphertext = 462401724b5ce6588d5a54aae5375513a075 + + +#Cipher = aes-256-gcm-siv +COUNT = 37 +AAD = 4fbdc66f14 +Key = bae8e37fc83441b16034566b7a806c46bb91c3c5aedb64a6c590bc84d1a5e269 +IV = e4b47801afc0577e34699b9e +Tag = 93da9bb81333aee0c785b240d319719d +Plaintext = 671fdd +Ciphertext = 0eaccb + + + +#Cipher = aes-256-gcm-siv +COUNT = 38 +AAD = 6787f3ea22c127aaf195 +Key = 6545fc880c94a95198874296d5cc1fd161320b6920ce07787f86743b275d1ab3 +IV = 2f6d1f0434d8848c1177441f +Tag = 6b62b84dc40c84636a5ec12020ec8c2c +Plaintext = 195495860f04 +Ciphertext = a254dad4f3f9 + + + +#Cipher = aes-256-gcm-siv +COUNT = 39 +AAD = 489c8fde2be2cf97e74e932d4ed87d +Key = d1894728b3fed1473c528b8426a582995929a1499e9ad8780c8d63d0ab4149c0 +IV = 9f572c614b4745914474e7c7 +Tag = c0fd3dc6628dfe55ebb0b9fb2295c8c2 +Plaintext = c9882e5386fd9f92ec +Ciphertext = 0df9e308678244c44b + + + +#Cipher = aes-256-gcm-siv +COUNT = 40 +AAD = 0da55210cc1c1b0abde3b2f204d1e9f8b06bc47f +Key = a44102952ef94b02b805249bac80e6f61455bfac8308a2d40d8c845117808235 +IV = 5c9e940fea2f582950a70d5a +Tag = 404099c2587f64979f21826706d497d5 +Plaintext = 1db2316fd568378da107b52b +Ciphertext = 8dbeb9f7255bf5769dd56692 + + + +#Cipher = aes-256-gcm-siv +COUNT = 41 +AAD = f37de21c7ff901cfe8a69615a93fdf7a98cad481796245709f +Key = 9745b3d1ae06556fb6aa7890bebc18fe6b3db4da3d57aa94842b9803a96e07fb +IV = 6de71860f762ebfbd08284e4 +Tag = b3080d28f6ebb5d3648ce97bd5ba67fd +Plaintext = 21702de0de18baa9c9596291b08466 +Ciphertext = 793576dfa5c0f88729a7ed3c2f1bff + + + +#Cipher = aes-256-gcm-siv +COUNT = 42 +AAD = 9c2159058b1f0fe91433a5bdc20e214eab7fecef4454a10ef0657df21ac7 +Key = b18853f68d833640e42a3c02c25b64869e146d7b233987bddfc240871d7576f7 +IV = 028ec6eb5ea7e298342a94d4 +Tag = 454fc2a154fea91f8363a39fec7d0a49 +Plaintext = b202b370ef9768ec6561c4fe6b7e7296fa85 +Ciphertext = 857e16a64915a787637687db4a9519635cdd + + + +#Cipher = aes-256-gcm-siv +COUNT = 43 +AAD = 734320ccc9d9bbbb19cb81b2af4ecbc3e72834321f7aa0f70b7282b4f33df23f167541 +Key = 3c535de192eaed3822a2fbbe2ca9dfc88255e14a661b8aa82cc54236093bbc23 +IV = 688089e55540db1872504e1c +Tag = 9d6c7029675b89eaf4ba1ded1a286594 +Plaintext = ced532ce4159b035277d4dfbb7db62968b13cd4eec +Ciphertext = 626660c26ea6612fb17ad91e8e767639edd6c9faee + +# The tests in this section use AEAD_AES_256_GCM_SIV and are crafted to +# test correct wrapping of the block counter. + + +#Cipher = aes-256-gcm-siv +COUNT = 44 +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Tag = ffffffff000000000000000000000000 +Plaintext = 000000000000000000000000000000004db923dc793ee6497c76dcc03a98e108 +Ciphertext = f3f80f2cf0cb2dd9c5984fcda908456cc537703b5ba70324a6793a7bf218d3ea + + + +#Cipher = aes-256-gcm-siv +COUNT = 45 +Key = 0000000000000000000000000000000000000000000000000000000000000000 +IV = 000000000000000000000000 +Tag = ffffffff000000000000000000000000 +Plaintext = eb3640277c7ffd1303c7a542d02d3e4c0000000000000000 +Ciphertext = 18ce4f0b8cb4d0cac65fea8f79257b20888e53e72299e56d From 3165db8efc82d8e379c4931453f6c776ab8db013 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 1 Dec 2023 13:26:38 -0600 Subject: [PATCH 0756/1014] raise an exception instead of returning an empty list for pkcs7 cert loading (#9947) * raise an exception instead of returning an empty list as davidben points out in #9926 we are calling a specific load certificates function and an empty value doesn't necessarily mean empty because PKCS7 contains multitudes. erroring is more correct. * changelog * Update CHANGELOG.rst Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- CHANGELOG.rst | 5 +++++ src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- tests/hazmat/primitives/test_pkcs7.py | 4 ++-- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 82ef930811f3..d71e9c006b81 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -9,6 +9,11 @@ Changelog .. note:: This version is not yet released and is under active development. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7. +* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` + or + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` + will now raise a ``ValueError`` rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 755431f29410..ea7d171e6136 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1111,12 +1111,15 @@ def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]: _Reasons.UNSUPPORTED_SERIALIZATION, ) - certs: list[x509.Certificate] = [] if p7.d.sign == self._ffi.NULL: - return certs + raise ValueError( + "The provided PKCS7 has no certificate data, but a cert " + "loading method was called." + ) sk_x509 = p7.d.sign.cert num = self._lib.sk_X509_num(sk_x509) + certs: list[x509.Certificate] = [] for i in range(num): x509 = self._lib.sk_X509_value(sk_x509, i) self.openssl_assert(x509 != self._ffi.NULL) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 434a361057f2..dffc4ab2c1d0 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -92,8 +92,8 @@ def test_load_pkcs7_unsupported_type(self, backend): def test_load_pkcs7_empty_certificates(self): der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" - certificates = pkcs7.load_der_pkcs7_certificates(der) - assert certificates == [] + with pytest.raises(ValueError): + pkcs7.load_der_pkcs7_certificates(der) # We have no public verification API and won't be adding one until we get From f1817f80779969438686a8e2026e46d70d8928db Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 1 Dec 2023 19:42:42 -0500 Subject: [PATCH 0757/1014] Slightly alter AEAD benchmark code to solve problem AES-GCM-SIV hit (#9948) --- .../aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml | 2 -- tests/bench/test_aead.py | 9 ++++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml b/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml index ef9317059c30..cbda93468545 100644 --- a/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml +++ b/docs/development/custom-vectors/aes-192-gcm-siv/verify-aes192gcmsiv/Cargo.toml @@ -3,8 +3,6 @@ name = "verify-aes192gcmsiv" version = "0.1.0" edition = "2021" -# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html - [dependencies] aes-gcm-siv = "0.11.1" aes = "0.8.1" diff --git a/tests/bench/test_aead.py b/tests/bench/test_aead.py index f93c4e8892eb..7a309682f90d 100644 --- a/tests/bench/test_aead.py +++ b/tests/bench/test_aead.py @@ -4,6 +4,7 @@ import pytest +from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, @@ -12,7 +13,13 @@ ChaCha20Poly1305, ) -from ..hazmat.primitives.test_aead import _aead_supported + +def _aead_supported(cls): + try: + cls(b"0" * 32) + return True + except UnsupportedAlgorithm: + return False @pytest.mark.skipif( From ca4f40621d57cd0e9b0d31ae4380b757d4163e90 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Sat, 2 Dec 2023 16:39:19 +0100 Subject: [PATCH 0758/1014] Add support for AES-GCM-SIV using OpenSSL>=3.2.0 (#9843) --- CHANGELOG.rst | 3 + docs/hazmat/primitives/aead.rst | 73 +++++++++ .../hazmat/bindings/_rust/openssl/aead.pyi | 17 ++ .../hazmat/primitives/ciphers/aead.py | 2 + src/rust/build.rs | 3 + src/rust/src/backend/aead.rs | 110 +++++++++++++ tests/hazmat/primitives/test_aead.py | 153 ++++++++++++++++++ 7 files changed, 361 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d71e9c006b81..721a3892fd1f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -51,6 +51,9 @@ Changelog * In the next release (43.0.0) of cryptography, loading an X.509 certificate with a negative serial number will raise an exception. This has been deprecated since 36.0.0. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV` when using + OpenSSL 3.2.0+. .. _v41-0-7: diff --git a/docs/hazmat/primitives/aead.rst b/docs/hazmat/primitives/aead.rst index db9ef96d1ab7..776f9b77271a 100644 --- a/docs/hazmat/primitives/aead.rst +++ b/docs/hazmat/primitives/aead.rst @@ -164,6 +164,79 @@ also support providing integrity for associated data which is not encrypted. when the ciphertext has been changed, but will also occur when the key, nonce, or associated data are wrong. +.. class:: AESGCMSIV(key) + + .. versionadded:: 42.0.0 + + The AES-GCM-SIV construction is defined in :rfc:`8452` and is composed of + the :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` block + cipher utilizing Galois Counter Mode (GCM) and a synthetic initialization + vector (SIV). + + :param key: A 128, 192, or 256-bit key. This **must** be kept secret. + :type key: :term:`bytes-like` + + :raises cryptography.exceptions.UnsupportedAlgorithm: If the version of + OpenSSL does not support AES-GCM-SIV. + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV + >>> data = b"a secret message" + >>> aad = b"authenticated but unencrypted data" + >>> key = AESGCMSIV.generate_key(bit_length=128) + >>> aesgcmsiv = AESGCMSIV(key) + >>> nonce = os.urandom(12) + >>> ct = aesgcmsiv.encrypt(nonce, data, aad) + >>> aesgcmsiv.decrypt(nonce, ct, aad) + b'a secret message' + + .. classmethod:: generate_key(bit_length) + + Securely generates a random AES-GCM-SIV key. + + :param bit_length: The bit length of the key to generate. Must be + 128, 192, or 256. + + :returns bytes: The generated key. + + .. method:: encrypt(nonce, data, associated_data) + + Encrypts and authenticates the ``data`` provided as well as + authenticating the ``associated_data``. The output of this can be + passed directly to the ``decrypt`` method. + + :param nonce: A 12-byte value. + :type nonce: :term:`bytes-like` + :param data: The data to encrypt. + :type data: :term:`bytes-like` + :param associated_data: Additional data that should be + authenticated with the key, but is not encrypted. Can be ``None``. + :type associated_data: :term:`bytes-like` + :returns bytes: The ciphertext bytes with the 16 byte tag appended. + :raises OverflowError: If ``data`` or ``associated_data`` is larger + than 2\ :sup:`32` - 1 bytes. + + .. method:: decrypt(nonce, data, associated_data) + + Decrypts the ``data`` and authenticates the ``associated_data``. If you + called encrypt with ``associated_data`` you must pass the same + ``associated_data`` in decrypt or the integrity check will fail. + + :param nonce: A 12-byte value. + :type nonce: :term:`bytes-like` + :param data: The data to decrypt (with tag appended). + :type data: :term:`bytes-like` + :param associated_data: Additional data to authenticate. Can be + ``None`` if none was passed during encryption. + :type associated_data: :term:`bytes-like` + :returns bytes: The original plaintext. + :raises cryptography.exceptions.InvalidTag: If the authentication tag + doesn't validate this exception will be raised. This will occur + when the ciphertext has been changed, but will also occur when the + key, nonce, or associated data are wrong. + .. class:: AESOCB3(key) .. versionadded:: 36.0.0 diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index 981d69d13219..62f1d8772b0b 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -33,3 +33,20 @@ class AESOCB3: data: bytes, associated_data: bytes | None, ) -> bytes: ... + +class AESGCMSIV: + def __init__(self, key: bytes) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 291513d75f04..9752d786cea3 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -16,12 +16,14 @@ "ChaCha20Poly1305", "AESCCM", "AESGCM", + "AESGCMSIV", "AESOCB3", "AESSIV", ] AESSIV = rust_openssl.aead.AESSIV AESOCB3 = rust_openssl.aead.AESOCB3 +AESGCMSIV = rust_openssl.aead.AESGCMSIV class ChaCha20Poly1305: diff --git a/src/rust/build.rs b/src/rust/build.rs index 4587c9b1f6ea..f247822e0dcd 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -12,6 +12,9 @@ fn main() { if version >= 0x3_00_00_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); } + if version >= 0x3_02_00_00_0 { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER"); + } } if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 7ae93ff06b11..ba14900d5f71 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -410,11 +410,121 @@ impl AesOcb3 { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESGCMSIV" +)] +struct AesGcmSiv { + ctx: EvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl AesGcmSiv { + #[new] + fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { + let key_buf = key.extract::>(py)?; + let cipher_name = match key_buf.as_bytes().len() { + 16 => "aes-128-gcm-siv", + 24 => "aes-192-gcm-siv", + 32 => "aes-256-gcm-siv", + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AES-GCM-SIV key must be 128, 192 or 256 bits.", + ), + )) + } + }; + + cfg_if::cfg_if! { + if #[cfg(not(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER))] { + let _ = cipher_name; + Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-GCM-SIV is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )) + } else { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-GCM-SIV is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; + Ok(AesGcmSiv { + ctx: EvpCipherAead::new(&cipher, key_buf.as_bytes(), 16, false)?, + }) + } + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 128 && bit_length != 192 && bit_length != 256 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), + )); + } + + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + } + + #[pyo3(signature = (nonce, data, associated_data))] + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let data_bytes = data.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if data_bytes.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("data must not be zero length"), + )); + }; + if nonce_bytes.len() != 12 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be 12 bytes long"), + )); + } + self.ctx.encrypt(py, data_bytes, aad, Some(nonce_bytes)) + } + + #[pyo3(signature = (nonce, data, associated_data))] + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + if nonce_bytes.len() != 12 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be 12 bytes long"), + )); + } + self.ctx + .decrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } +} + pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "aead")?; m.add_class::()?; m.add_class::()?; + m.add_class::()?; Ok(m) } diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 57ddf1816ab6..a4624cefc555 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -14,6 +14,7 @@ from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, + AESGCMSIV, AESOCB3, AESSIV, ChaCha20Poly1305, @@ -830,3 +831,155 @@ def test_buffer_protocol(self, backend): assert ct2 == ct computed_pt2 = aessiv.decrypt(ct2, ad) assert computed_pt2 == pt + + +@pytest.mark.skipif( + not _aead_supported(AESGCMSIV), + reason="Does not support AESGCMSIV", +) +class TestAESGCMSIV: + @pytest.mark.skipif( + sys.platform not in {"linux", "darwin"}, reason="mmap required" + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) + nonce = os.urandom(12) + aesgcmsiv = AESGCMSIV(key) + + large_data = large_mmap() + + with pytest.raises(OverflowError): + aesgcmsiv.encrypt(nonce, large_data, None) + + with pytest.raises(OverflowError): + aesgcmsiv.encrypt(nonce, b"irrelevant", large_data) + + with pytest.raises(OverflowError): + aesgcmsiv.decrypt(nonce, b"very very irrelevant", large_data) + + def test_invalid_nonce_length(self, backend): + key = AESGCMSIV.generate_key(128) + aesgcmsiv = AESGCMSIV(key) + pt = b"hello" + nonce = os.urandom(14) + with pytest.raises(ValueError): + aesgcmsiv.encrypt(nonce, pt, None) + + with pytest.raises(ValueError): + aesgcmsiv.decrypt(nonce, pt, None) + + def test_no_empty_encryption(self): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + nonce = os.urandom(12) + + with pytest.raises(ValueError): + aesgcmsiv.encrypt(nonce, b"", None) + + with pytest.raises(InvalidTag): + aesgcmsiv.decrypt(nonce, b"", None) + + def test_vectors(self, backend, subtests): + vectors = _load_all_params( + os.path.join("ciphers", "AES", "GCM-SIV"), + [ + "openssl.txt", + "aes-192-gcm-siv.txt", + ], + load_nist_vectors, + ) + for vector in vectors: + with subtests.test(): + key = binascii.unhexlify(vector["key"]) + nonce = binascii.unhexlify(vector["iv"]) + aad = binascii.unhexlify(vector.get("aad", b"")) + ct = binascii.unhexlify(vector["ciphertext"]) + tag = binascii.unhexlify(vector["tag"]) + pt = binascii.unhexlify(vector.get("plaintext", b"")) + aesgcmsiv = AESGCMSIV(key) + computed_ct = aesgcmsiv.encrypt(nonce, pt, aad) + assert computed_ct[:-16] == ct + assert computed_ct[-16:] == tag + computed_pt = aesgcmsiv.decrypt(nonce, computed_ct, aad) + assert computed_pt == pt + + def test_vectors_invalid(self, backend, subtests): + vectors = _load_all_params( + os.path.join("ciphers", "AES", "GCM-SIV"), + [ + "openssl.txt", + "aes-192-gcm-siv.txt", + ], + load_nist_vectors, + ) + for vector in vectors: + with subtests.test(): + key = binascii.unhexlify(vector["key"]) + nonce = binascii.unhexlify(vector["iv"]) + aad = binascii.unhexlify(vector.get("aad", b"")) + ct = binascii.unhexlify(vector["ciphertext"]) + aesgcmsiv = AESGCMSIV(key) + with pytest.raises(InvalidTag): + badkey = AESGCMSIV(AESGCMSIV.generate_key(256)) + badkey.decrypt(nonce, ct, aad) + with pytest.raises(InvalidTag): + aesgcmsiv.decrypt(nonce, ct, b"nonsense") + with pytest.raises(InvalidTag): + aesgcmsiv.decrypt(nonce, b"nonsense", aad) + + @pytest.mark.parametrize( + ("nonce", "data", "associated_data"), + [ + [object(), b"data", b""], + [b"0" * 12, object(), b""], + [b"0" * 12, b"data", object()], + ], + ) + def test_params_not_bytes(self, nonce, data, associated_data, backend): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + with pytest.raises(TypeError): + aesgcmsiv.encrypt(nonce, data, associated_data) + + with pytest.raises(TypeError): + aesgcmsiv.decrypt(nonce, data, associated_data) + + def test_bad_key(self, backend): + with pytest.raises(TypeError): + AESGCMSIV(object()) # type:ignore[arg-type] + + with pytest.raises(ValueError): + AESGCMSIV(b"0" * 31) + + def test_bad_generate_key(self, backend): + with pytest.raises(TypeError): + AESGCMSIV.generate_key(object()) # type:ignore[arg-type] + + with pytest.raises(ValueError): + AESGCMSIV.generate_key(129) + + def test_associated_data_none_equal_to_empty_bytestring(self, backend): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + nonce = os.urandom(12) + ct1 = aesgcmsiv.encrypt(nonce, b"some_data", None) + ct2 = aesgcmsiv.encrypt(nonce, b"some_data", b"") + assert ct1 == ct2 + pt1 = aesgcmsiv.decrypt(nonce, ct1, None) + pt2 = aesgcmsiv.decrypt(nonce, ct2, b"") + assert pt1 == pt2 + + def test_buffer_protocol(self, backend): + key = AESGCMSIV.generate_key(256) + aesgcmsiv = AESGCMSIV(key) + nonce = os.urandom(12) + pt = b"encrypt me" + ad = b"additional" + ct = aesgcmsiv.encrypt(nonce, pt, ad) + computed_pt = aesgcmsiv.decrypt(nonce, ct, ad) + assert computed_pt == pt + aesgcmsiv = AESGCMSIV(bytearray(key)) + ct2 = aesgcmsiv.encrypt(nonce, pt, ad) + assert ct2 == ct + computed_pt2 = aesgcmsiv.decrypt(nonce, ct2, ad) + assert computed_pt2 == pt From ef7c435688db22c917ff396ca75a1877c72171f3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 3 Dec 2023 13:56:05 +0000 Subject: [PATCH 0759/1014] Bump virtualenv from 20.24.7 to 20.25.0 (#9953) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.24.7 to 20.25.0. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.24.7...20.25.0) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 662bfa43e8cd..befdbf2712e5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -178,7 +178,7 @@ urllib3==2.1.0 # via # requests # twine -virtualenv==20.24.7 +virtualenv==20.25.0 # via nox webencodings==0.5.1 # via bleach From 2db676067c0ebfcfb3a5e093796687b498418d5b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 3 Dec 2023 13:56:12 +0000 Subject: [PATCH 0760/1014] Bump importlib-metadata from 6.8.0 to 6.9.0 (#9952) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 6.8.0 to 6.9.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v6.8.0...v6.9.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index befdbf2712e5..693ef29abac0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -46,7 +46,7 @@ idna==3.6 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==6.8.0; python_version >= "3.8" +importlib-metadata==6.9.0; python_version >= "3.8" # via # keyring # twine From dd4970bb66a01faf81d7de565ba5e2c771df5cef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 3 Dec 2023 13:57:47 +0000 Subject: [PATCH 0761/1014] Bump colorlog from 6.7.0 to 6.8.0 (#9954) Bumps [colorlog](https://github.com/borntyping/python-colorlog) from 6.7.0 to 6.8.0. - [Release notes](https://github.com/borntyping/python-colorlog/releases) - [Commits](https://github.com/borntyping/python-colorlog/compare/v6.7.0...v6.8.0) --- updated-dependencies: - dependency-name: colorlog dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 693ef29abac0..05943a1a959d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ check-sdist==0.1.3 # via cryptography (pyproject.toml) click==8.1.7 # via cryptography (pyproject.toml) -colorlog==6.7.0 +colorlog==6.8.0 # via nox coverage==7.3.2; python_version >= "3.8" # via pytest-cov From 004e15ae850948fb78dc05443e41fe90d3e194e3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 3 Dec 2023 09:05:47 -0500 Subject: [PATCH 0762/1014] Bump importlib-metadata from 6.8.0 to 6.9.0 in /.github/requirements (#9955) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 6.8.0 to 6.9.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v6.8.0...v6.9.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bf371abdfa9a..e33075ff2ec4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -231,9 +231,9 @@ idna==3.6 \ # via # email-validator # requests -importlib-metadata==6.8.0 \ - --hash=sha256:3ebb78df84a805d7698245025b975d9d67053cd94c79245ba4b3eb694abe68bb \ - --hash=sha256:dbace7892d8c0c4ac1ad096662232f831d4e64f4c4545bd53016a3e9d4654743 +importlib-metadata==6.9.0 \ + --hash=sha256:1c8dc6839ddc9771412596926f24cb5a553bbd40624ee2c7e55e531542bed3b8 \ + --hash=sha256:e8acb523c335a91822674e149b46c0399ec4d328c4d1f6e49c273da5ff0201b9 # via # keyring # twine From 253af26ef35b268f3812890aade2f7e76536ab22 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 12:52:08 +0100 Subject: [PATCH 0763/1014] Bump importlib-metadata from 6.9.0 to 7.0.0 in /.github/requirements (#9956) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 6.9.0 to 7.0.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v6.9.0...v7.0.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e33075ff2ec4..a0f0bca7d244 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -231,9 +231,9 @@ idna==3.6 \ # via # email-validator # requests -importlib-metadata==6.9.0 \ - --hash=sha256:1c8dc6839ddc9771412596926f24cb5a553bbd40624ee2c7e55e531542bed3b8 \ - --hash=sha256:e8acb523c335a91822674e149b46c0399ec4d328c4d1f6e49c273da5ff0201b9 +importlib-metadata==7.0.0 \ + --hash=sha256:7fc841f8b8332803464e5dc1c63a2e59121f46ca186c0e2e182e80bf8c1319f7 \ + --hash=sha256:d97503976bb81f40a193d41ee6570868479c69d5068651eb039c40d850c59d67 # via # keyring # twine From 683192663d8eecb626fc37139f2c106f62e72685 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 13:00:50 +0100 Subject: [PATCH 0764/1014] Bump securesystemslib from 0.30.0 to 0.31.0 in /.github/requirements (#9957) Bumps [securesystemslib](https://github.com/secure-systems-lab/securesystemslib) from 0.30.0 to 0.31.0. - [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases) - [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md) - [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.30.0...v0.31.0) --- updated-dependencies: - dependency-name: securesystemslib dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a0f0bca7d244..b72b492bcaaa 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -528,9 +528,9 @@ secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -securesystemslib==0.30.0 \ - --hash=sha256:6a769e4816921ac4059c8c149ab5f69ed7cd92859857f0e17b67a3dd7bbee866 \ - --hash=sha256:8b290de294aa0972c4ac6ecb036da24ed86e312de980c57adf1b92ad37667e43 +securesystemslib==0.31.0 \ + --hash=sha256:549d70f7be6460252d016f03edc5ec0128fee56af55d2b863a5db14541ddbf18 \ + --hash=sha256:c1594afbcd5db198ec90c487e1720154afb71743d9f4bccf3dfda84de650c478 # via # sigstore # tuf From a8862844c0f6561fb25240135ccf167064bc4c56 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 07:03:13 -0500 Subject: [PATCH 0765/1014] Bump importlib-metadata from 6.9.0 to 7.0.0 (#9958) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 6.9.0 to 7.0.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v6.9.0...v7.0.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 05943a1a959d..795fe67a8ddb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -46,7 +46,7 @@ idna==3.6 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==6.9.0; python_version >= "3.8" +importlib-metadata==7.0.0; python_version >= "3.8" # via # keyring # twine From 4017cd99c9c6646ca7afa6a3f622021ae6ac8ace Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 06:46:02 -0500 Subject: [PATCH 0766/1014] Bump actions/setup-python from 4.7.1 to 4.8.0 (#9959) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.1 to 4.8.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236...b64ffcaf5b410884ad320a9cfac8866006a109aa) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index eda9e5d7c3cd..aa13b8f7497c 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -35,7 +35,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b69be5b361c3..aa00ae666e4d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -241,7 +241,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 @@ -300,7 +300,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -375,7 +375,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -420,7 +420,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: '3.12' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 67774a07931c..99e9207cb215 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7d762a53d5a6..d5a366781d62 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -31,7 +31,7 @@ jobs: permissions: id-token: "write" steps: - - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: "3.11" - name: Get publish-requirements.txt from repository diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 6ba5b072d2b3..b9a03556e587 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -215,7 +215,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -306,7 +306,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 + uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From e5e3a57f99523060e556c5c1018e16c156015871 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:48:49 +0000 Subject: [PATCH 0767/1014] Bump ruff from 0.1.6 to 0.1.7 (#9960) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.6 to 0.1.7. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.6...v0.1.7) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 795fe67a8ddb..b66685e53a5b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ rfc3986==2.0.0 # via twine rich==13.7.0 # via twine -ruff==0.1.6 +ruff==0.1.7 # via cryptography (pyproject.toml) six==1.16.0 # via bleach From c295fe59e5d73e9e5cc3bd0504fa359e8ed4744c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 12:05:39 +0000 Subject: [PATCH 0768/1014] Bump openssl-sys from 0.9.96 to 0.9.97 in /src/rust (#9962) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.96 to 0.9.97. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.96...openssl-sys-v0.9.97) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b916131afb20..a716d4373dca 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -203,9 +203,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.96" +version = "0.9.97" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3812c071ba60da8b5677cc12bcb1d42989a65553772897a7e0355545a819838f" +checksum = "c3eaad34cdd97d81de97964fc7f29e2d104f483840d906ef56daa1912338460b" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 66d83c304c09..0955cab5e0e8 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.60" -openssl-sys = "0.9.96" +openssl-sys = "0.9.97" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index c78c498a2bf4..8f00a0777297 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3-py37"] } -openssl-sys = "0.9.96" +openssl-sys = "0.9.97" [build-dependencies] cc = "1.0.83" From b0ae6e3ff1a7dbcf43254221950f1a33359b713b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 12:14:02 +0000 Subject: [PATCH 0769/1014] Bump openssl from 0.10.60 to 0.10.61 in /src/rust (#9963) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.60 to 0.10.61. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.60...openssl-v0.10.61) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a716d4373dca..a2d743a8b1e4 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -177,9 +177,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.60" +version = "0.10.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79a4c6c3a2b158f7f8f2a2fc5a969fa3a068df6fc9dbb4a43845436e3af7c800" +checksum = "6b8419dc8cc6d866deb801274bba2e6f8f6108c1bb7fcc10ee5ab864931dbb45" dependencies = [ "bitflags 2.4.0", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 0955cab5e0e8..f3ad413af5e3 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.60" +openssl = "0.10.61" openssl-sys = "0.9.97" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index eb4064e6dda4..9d13a259fb87 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.60" +openssl = "0.10.61" ffi = { package = "openssl-sys", version = "0.9.91" } foreign-types = "0.3" foreign-types-shared = "0.1" From f9b6f0ca39061c49fdb8bc148bb51c86c79ce40d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 13:20:56 +0100 Subject: [PATCH 0770/1014] Bump platformdirs from 4.0.0 to 4.1.0 (#9961) * Bump platformdirs from 4.0.0 to 4.1.0 Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.0.0...4.1.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * platformdirs now requires >=3.8 --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b66685e53a5b..3492c192927b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -84,7 +84,7 @@ pathspec==0.11.2 # check-sdist pkginfo==1.9.6 # via twine -platformdirs==4.0.0 +platformdirs==4.1.0; python_version >= "3.8" # via # virtualenv pluggy==1.3.0; python_version >= "3.8" From dfa9dff5f85498a03e58acaa800166c88bc7e30c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 12:21:33 +0000 Subject: [PATCH 0771/1014] Bump BoringSSL and/or OpenSSL in CI (#9949) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aa00ae666e4d..362ef95d8f3c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Dec 01, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "15c811b8f5743476d0fc8e9f9d92f3f1658513f7"}} - # Latest commit on the OpenSSL master branch, as of Dec 01, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "db04cf25f3e0dda77a3b054ae12ae1874b1ae977"}} + # Latest commit on the BoringSSL master branch, as of Dec 05, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1fa9cc20f6601f471f80d3debdaa084fc23c4f69"}} + # Latest commit on the OpenSSL master branch, as of Dec 05, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7ebaab7689f66ede1f960c42be3446922e3f5e21"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From d06a6a17cb3dc60c238dc07bbfd57324bf48ad48 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 5 Dec 2023 15:21:37 +0100 Subject: [PATCH 0772/1014] regenerate x509/custom/ca/ca.pem to expire in 2100 (#9964) The existing cert doesn't expire until late 2038 but this simplifies 2038 checks for some downstream consumers. We shift the original cert/key into a new pkcs12/ca directory so that we don't need to regenerate all the PKCS12 vectors (which don't care about expiry anyway) --- docs/development/test-vectors.rst | 52 ++++++++++--------- tests/hazmat/primitives/test_pkcs12.py | 35 ++----------- vectors/cryptography_vectors/pkcs12/ca/ca.pem | 10 ++++ .../cryptography_vectors/pkcs12/ca/ca_key.pem | 5 ++ .../x509/custom/ca/ca.pem | 16 +++--- 5 files changed, 56 insertions(+), 62 deletions(-) create mode 100644 vectors/cryptography_vectors/pkcs12/ca/ca.pem create mode 100644 vectors/cryptography_vectors/pkcs12/ca/ca_key.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index ff43285db18b..29ffef7d940d 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -107,7 +107,9 @@ Custom asymmetric vectors ``asymmetric/public/PKCS1/rsa.pub.der`` are PKCS1 conversions of the public key from ``asymmetric/PKCS8/unenc-rsa-pkcs8.pem`` using PEM and DER encoding. * ``x509/custom/ca/ca_key.pem`` - An unencrypted PCKS8 ``secp256r1`` key. It is - the private key for the certificate ``x509/custom/ca/ca.pem``. This key is + the private key for the certificate ``x509/custom/ca/ca.pem``. +* ``pkcs12/ca/ca_key.pem`` - An unencrypted PCKS8 ``secp256r1`` key. It is + the private key for the certificate ``pkcs12/ca/ca.pem``. This key is encoded in several of the PKCS12 custom vectors. * ``x509/custom/ca/rsa_key.pem`` - An unencrypted PCKS8 4096 bit RSA key. It is the private key for the certificate ``x509/custom/ca/rsa_ca.pem``. @@ -464,8 +466,10 @@ Custom X.509 Vectors information access extension with both a CA repository entry and a custom OID entry. * ``ca/ca.pem`` - A self-signed certificate with ``basicConstraints`` set to - true. Its private key is ``ca/ca_key.pem``. This certificate is encoded in - several of the PKCS12 custom vectors. + true. Its private key is ``ca/ca_key.pem``. +* ``pkcs12/ca/ca.pem`` - A self-signed certificate with ``basicConstraints`` + set to true. Its private key is ``pkcs12/ca/ca_key.pem``. This key is + encoded in several of the PKCS12 custom vectors. * ``negative_serial.pem`` - A certificate with a serial number that is a negative number. * ``rsa_pss.pem`` - A certificate with an RSA PSS signature. @@ -686,90 +690,90 @@ Custom X.509 OCSP Test Vectors Custom PKCS12 Test Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~ * ``pkcs12/cert-key-aes256cbc.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) both encrypted with AES 256 CBC with the password ``cryptography``. * ``pkcs12/cert-none-key-none.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with no encryption. The password (used for integrity checking only) is ``cryptography``. * ``pkcs12/cert-rc2-key-3des.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) encrypted with RC2 and key - (``x509/custom/ca/ca_key.pem``) encrypted via 3DES with the password + (``pkcs12/ca/ca.pem``) encrypted with RC2 and key + (``pkcs12/ca/ca_key.pem``) encrypted via 3DES with the password ``cryptography``. * ``pkcs12/no-password.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) with no + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with no encryption and no password. * ``pkcs12/no-cert-key-aes256cbc.p12`` - A PKCS12 file containing a key - (``x509/custom/ca/ca_key.pem``) encrypted via AES 256 CBC with the + (``pkcs12/ca/ca_key.pem``) encrypted via AES 256 CBC with the password ``cryptography`` and no certificate. * ``pkcs12/cert-aes256cbc-no-key.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) encrypted via AES 256 CBC with the + (``pkcs12/ca/ca.pem``) encrypted via AES 256 CBC with the password ``cryptography`` and no private key. * ``pkcs12/no-name-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``). * ``pkcs12/name-all-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3``, respectively. * ``pkcs12/name-1-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``). * ``pkcs12/name-2-3-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3``, respectively. * ``pkcs12/name-2-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the first having friendly name ``name2``. * ``pkcs12/name-3-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the latter having friendly name ``name3``. * ``pkcs12/name-unicode-no-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``☺``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``ä`` and ``ç``, respectively. * ``pkcs12/no-name-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-all-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3`` respectively, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-1-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``name``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-2-3-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``name2` and ``name3`` respectively, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-2-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the first having friendly name ``name2``, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-3-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``), + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``), the latter having friendly name ``name2``, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-unicode-pwd.p12`` - A PKCS12 file containing a cert - (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) + (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``) with friendly name ``☺``, as well as two additional certificates (``x509/cryptography.io.pem`` and ``x509/letsencryptx3.pem``) with friendly names ``ä`` and ``ç`` respectively, encrypted via diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 2159242bb263..cd9c279ac4b0 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -49,20 +49,7 @@ def _skip_curve_unsupported(backend, curve): ) class TestPKCS12Loading: def _test_load_pkcs12_ec_keys(self, filename, password, backend): - cert = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca.pem"), - lambda pemfile: x509.load_pem_x509_certificate( - pemfile.read(), backend - ), - mode="rb", - ) - key = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca_key.pem"), - lambda pemfile: load_pem_private_key( - pemfile.read(), None, backend - ), - mode="rb", - ) + cert, key = _load_ca(backend) assert isinstance(key, ec.EllipticCurvePrivateKey) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", filename), @@ -101,13 +88,7 @@ def test_load_pkcs12_ec_keys_rc2(self, filename, password, backend): self._test_load_pkcs12_ec_keys(filename, password, backend) def test_load_pkcs12_cert_only(self, backend): - cert = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca.pem"), - lambda pemfile: x509.load_pem_x509_certificate( - pemfile.read(), backend - ), - mode="rb", - ) + cert, _ = _load_ca(backend) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", "cert-aes256cbc-no-key.p12"), lambda data: load_key_and_certificates( @@ -120,13 +101,7 @@ def test_load_pkcs12_cert_only(self, backend): assert parsed_more_certs == [cert] def test_load_pkcs12_key_only(self, backend): - key = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca_key.pem"), - lambda pemfile: load_pem_private_key( - pemfile.read(), None, backend - ), - mode="rb", - ) + _, key = _load_ca(backend) assert isinstance(key, ec.EllipticCurvePrivateKey) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", "no-cert-key-aes256cbc.p12"), @@ -290,9 +265,9 @@ def _load_cert(backend, path): def _load_ca(backend): - cert = _load_cert(backend, os.path.join("x509", "custom", "ca", "ca.pem")) + cert = _load_cert(backend, os.path.join("pkcs12", "ca", "ca.pem")) key = load_vectors_from_file( - os.path.join("x509", "custom", "ca", "ca_key.pem"), + os.path.join("pkcs12", "ca", "ca_key.pem"), lambda pemfile: load_pem_private_key(pemfile.read(), None, backend), mode="rb", ) diff --git a/vectors/cryptography_vectors/pkcs12/ca/ca.pem b/vectors/cryptography_vectors/pkcs12/ca/ca.pem new file mode 100644 index 000000000000..5ca80286ecc5 --- /dev/null +++ b/vectors/cryptography_vectors/pkcs12/ca/ca.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBUTCB96ADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG +A1UEAwwPY3J5cHRvZ3JhcGh5IENBMB4XDTE3MDEwMTEyMDEwMFoXDTM4MTIzMTA4 +MzAwMFowJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABBj/z7v5Obj13cPuwECLBnUGq0/N2CxS +JE4f4BBGZ7VfFblivTvPDG++Gve0oQ+0uctuhrNQ+WxRv8GC177F+QWjEzARMA8G +A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANES742XWm64tkGnz8Dn +pG6u2lHkZFQr3oaVvPcemvlbAiEA0WGGzmYx5C9UvfXIK7NEziT4pQtyESE0uRVK +Xw4nMqk= +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/pkcs12/ca/ca_key.pem b/vectors/cryptography_vectors/pkcs12/ca/ca_key.pem new file mode 100644 index 000000000000..2fb5394195cb --- /dev/null +++ b/vectors/cryptography_vectors/pkcs12/ca/ca_key.pem @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgA8Zqz5vLeR0ePZUe +jBfdyMmnnI4U5uAJApWTsMn/RuWhRANCAAQY/8+7+Tm49d3D7sBAiwZ1BqtPzdgs +UiROH+AQRme1XxW5Yr07zwxvvhr3tKEPtLnLboazUPlsUb/Bgte+xfkF +-----END PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/x509/custom/ca/ca.pem b/vectors/cryptography_vectors/x509/custom/ca/ca.pem index 5ca80286ecc5..0574924b5d66 100644 --- a/vectors/cryptography_vectors/x509/custom/ca/ca.pem +++ b/vectors/cryptography_vectors/x509/custom/ca/ca.pem @@ -1,10 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBUTCB96ADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG -A1UEAwwPY3J5cHRvZ3JhcGh5IENBMB4XDTE3MDEwMTEyMDEwMFoXDTM4MTIzMTA4 -MzAwMFowJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTBZ -MBMGByqGSM49AgEGCCqGSM49AwEHA0IABBj/z7v5Obj13cPuwECLBnUGq0/N2CxS -JE4f4BBGZ7VfFblivTvPDG++Gve0oQ+0uctuhrNQ+WxRv8GC177F+QWjEzARMA8G -A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhANES742XWm64tkGnz8Dn -pG6u2lHkZFQr3oaVvPcemvlbAiEA0WGGzmYx5C9UvfXIK7NEziT4pQtyESE0uRVK -Xw4nMqk= +MIIBUzCB+aADAgECAgIDCTAKBggqhkjOPQQDAjAnMQswCQYDVQQGEwJVUzEYMBYG +A1UEAwwPY3J5cHRvZ3JhcGh5IENBMCAXDTE3MDEwMTAxMDAwMFoYDzIxMDAwMTAx +MDAwMDAwWjAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5IENB +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGP/Pu/k5uPXdw+7AQIsGdQarT83Y +LFIkTh/gEEZntV8VuWK9O88Mb74a97ShD7S5y26Gs1D5bFG/wYLXvsX5BaMTMBEw +DwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEAvbYZS/FHzNtLGGyt +HRNVDdcwLWISWOBz6p9ZvS6C42sCIQDThR22DuYZPUMQ3/AEylxYnMN+yBHiUUfU +7hDv+IKvTA== -----END CERTIFICATE----- From dd4cc6eed47cbe893d6911b625438874bdaa3250 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 00:14:07 +0000 Subject: [PATCH 0773/1014] Bump BoringSSL and/or OpenSSL in CI (#9965) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 362ef95d8f3c..65e3d1d1175c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Dec 05, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "1fa9cc20f6601f471f80d3debdaa084fc23c4f69"}} - # Latest commit on the OpenSSL master branch, as of Dec 05, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7ebaab7689f66ede1f960c42be3446922e3f5e21"}} + # Latest commit on the BoringSSL master branch, as of Dec 06, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "59906b3aa8d9f48ad7303edc540912bd588a8e46"}} + # Latest commit on the OpenSSL master branch, as of Dec 06, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "de8e0851a1c0d22533801f081781a9f0be56c2c2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From b9f76a401b14486a6bca468a75d24ffde43720e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 07:38:58 -0500 Subject: [PATCH 0774/1014] Bump actions/setup-python from 4.8.0 to 5.0.0 (#9966) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.8.0 to 5.0.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/b64ffcaf5b410884ad320a9cfac8866006a109aa...0a5c61591373683505ea898e09a3ea4f39ef2b9c) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index aa13b8f7497c..910f985d9d05 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -35,7 +35,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65e3d1d1175c..df811db39cb4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -241,7 +241,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 @@ -300,7 +300,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -375,7 +375,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -420,7 +420,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: '3.12' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 99e9207cb215..d4fb20e091f5 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index d5a366781d62..622d98e950bb 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -31,7 +31,7 @@ jobs: permissions: id-token: "write" steps: - - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: "3.11" - name: Get publish-requirements.txt from repository diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index b9a03556e587..27e3c00d7ac1 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -215,7 +215,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -306,7 +306,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@b64ffcaf5b410884ad320a9cfac8866006a109aa # v4.8.0 + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From deb2453a4f2cfa8aba64409816e36da0d701b3b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Dec 2023 08:38:11 -0500 Subject: [PATCH 0775/1014] Bump once_cell from 1.18.0 to 1.19.0 in /src/rust (#9970) Bumps [once_cell](https://github.com/matklad/once_cell) from 1.18.0 to 1.19.0. - [Changelog](https://github.com/matklad/once_cell/blob/master/CHANGELOG.md) - [Commits](https://github.com/matklad/once_cell/compare/v1.18.0...v1.19.0) --- updated-dependencies: - dependency-name: once_cell dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a2d743a8b1e4..341cb1d626f5 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -171,9 +171,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.18.0" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" From efacb2209b632d155a9bdb7e27704cac0bdc1897 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Dec 2023 07:23:35 -0500 Subject: [PATCH 0776/1014] Bump nh3 from 0.2.14 to 0.2.15 in /.github/requirements (#9972) Bumps [nh3](https://github.com/messense/nh3) from 0.2.14 to 0.2.15. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.14...v0.2.15) --- updated-dependencies: - dependency-name: nh3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b72b492bcaaa..4ed8f217f36d 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -339,23 +339,23 @@ multidict==6.0.4 \ --hash=sha256:fc35cb4676846ef752816d5be2193a1e8367b4c1397b74a565a9d0389c433a1d \ --hash=sha256:ff959bee35038c4624250473988b24f846cbeb2c6639de3602c073f10410ceba # via grpclib -nh3==0.2.14 \ - --hash=sha256:116c9515937f94f0057ef50ebcbcc10600860065953ba56f14473ff706371873 \ - --hash=sha256:18415df36db9b001f71a42a3a5395db79cf23d556996090d293764436e98e8ad \ - --hash=sha256:203cac86e313cf6486704d0ec620a992c8bc164c86d3a4fd3d761dd552d839b5 \ - --hash=sha256:2b0be5c792bd43d0abef8ca39dd8acb3c0611052ce466d0401d51ea0d9aa7525 \ - --hash=sha256:377aaf6a9e7c63962f367158d808c6a1344e2b4f83d071c43fbd631b75c4f0b2 \ - --hash=sha256:525846c56c2bcd376f5eaee76063ebf33cf1e620c1498b2a40107f60cfc6054e \ - --hash=sha256:5529a3bf99402c34056576d80ae5547123f1078da76aa99e8ed79e44fa67282d \ - --hash=sha256:7771d43222b639a4cd9e341f870cee336b9d886de1ad9bec8dddab22fe1de450 \ - --hash=sha256:88c753efbcdfc2644a5012938c6b9753f1c64a5723a67f0301ca43e7b85dcf0e \ - --hash=sha256:93a943cfd3e33bd03f77b97baa11990148687877b74193bf777956b67054dcc6 \ - --hash=sha256:9be2f68fb9a40d8440cbf34cbf40758aa7f6093160bfc7fb018cce8e424f0c3a \ - --hash=sha256:a0c509894fd4dccdff557068e5074999ae3b75f4c5a2d6fb5415e782e25679c4 \ - --hash=sha256:ac8056e937f264995a82bf0053ca898a1cb1c9efc7cd68fa07fe0060734df7e4 \ - --hash=sha256:aed56a86daa43966dd790ba86d4b810b219f75b4bb737461b6886ce2bde38fd6 \ - --hash=sha256:e8986f1dd3221d1e741fda0a12eaa4a273f1d80a35e31a1ffe579e7c621d069e \ - --hash=sha256:f99212a81c62b5f22f9e7c3e347aa00491114a5647e1f13bbebd79c3e5f08d75 +nh3==0.2.15 \ + --hash=sha256:0d02d0ff79dfd8208ed25a39c12cbda092388fff7f1662466e27d97ad011b770 \ + --hash=sha256:3277481293b868b2715907310c7be0f1b9d10491d5adf9fce11756a97e97eddf \ + --hash=sha256:3b803a5875e7234907f7d64777dfde2b93db992376f3d6d7af7f3bc347deb305 \ + --hash=sha256:427fecbb1031db085eaac9931362adf4a796428ef0163070c484b5a768e71601 \ + --hash=sha256:5f0d77272ce6d34db6c87b4f894f037d55183d9518f948bba236fe81e2bb4e28 \ + --hash=sha256:60684857cfa8fdbb74daa867e5cad3f0c9789415aba660614fe16cd66cbb9ec7 \ + --hash=sha256:6f42f99f0cf6312e470b6c09e04da31f9abaadcd3eb591d7d1a88ea931dca7f3 \ + --hash=sha256:86e447a63ca0b16318deb62498db4f76fc60699ce0a1231262880b38b6cff911 \ + --hash=sha256:8d595df02413aa38586c24811237e95937ef18304e108b7e92c890a06793e3bf \ + --hash=sha256:9c0d415f6b7f2338f93035bba5c0d8c1b464e538bfbb1d598acd47d7969284f0 \ + --hash=sha256:a5167a6403d19c515217b6bcaaa9be420974a6ac30e0da9e84d4fc67a5d474c5 \ + --hash=sha256:ac19c0d68cd42ecd7ead91a3a032fdfff23d29302dbb1311e641a130dfefba97 \ + --hash=sha256:b1e97221cedaf15a54f5243f2c5894bb12ca951ae4ddfd02a9d4ea9df9e1a29d \ + --hash=sha256:bc2d086fb540d0fa52ce35afaded4ea526b8fc4d3339f783db55c95de40ef02e \ + --hash=sha256:d1e30ff2d8d58fb2a14961f7aac1bbb1c51f9bdd7da727be35c63826060b0bf3 \ + --hash=sha256:f3b53ba93bb7725acab1e030bc2ecd012a817040fd7851b332f86e2f9bb98dc6 # via readme-renderer pkginfo==1.9.6 \ --hash=sha256:4b7a555a6d5a22169fcc9cf7bfd78d296b0361adad412a346c1226849af5e546 \ From 4a916a42c5b97f390916371d6ea977b0284b9f09 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Dec 2023 07:25:37 -0500 Subject: [PATCH 0777/1014] Bump actions/stale from 8.0.0 to 9.0.0 (#9971) Bumps [actions/stale](https://github.com/actions/stale) from 8.0.0 to 9.0.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/1160a2240286f5da8ec72b1c0816ce2481aabf84...28ca1036281a5e5922ead5184a1bbf96e5fc984e) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/auto-close-stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-close-stale.yml b/.github/workflows/auto-close-stale.yml index 3da5e1924ad7..de269c8aceac 100644 --- a/.github/workflows/auto-close-stale.yml +++ b/.github/workflows/auto-close-stale.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: only-labels: waiting-on-reporter days-before-stale: 3 From cfa52d99411cac6fc5f8bf14fbc572d320df5b29 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 8 Dec 2023 15:29:17 -0500 Subject: [PATCH 0778/1014] run downstreams with 3.12 (#9974) * [testing] try running downstreams with 3.12 * Update ci.yml --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index df811db39cb4..721138c54117 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -363,7 +363,7 @@ jobs: - mitmproxy - scapy PYTHON: - - '3.11' + - '3.12' name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: @@ -381,7 +381,7 @@ jobs: cache: pip cache-dependency-path: ci-constraints-requirements.txt - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install - - run: pip install . + - run: pip install . setuptools env: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} # cryptography main has a version of "(X+1).0.0.dev1" where X is the From 737fd82ec9c5d32c781f1e62ecffd0823651ab23 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 8 Dec 2023 15:37:35 -0500 Subject: [PATCH 0779/1014] Refresh ci-constraints-requriements.txt (#9973) --- ci-constraints-requirements.txt | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3492c192927b..be73d260768b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,8 +11,6 @@ argcomplete==3.1.6; python_version >= "3.8" # via nox babel==2.13.1 # via sphinx -bleach==6.1.0 - # via readme-renderer build==1.0.3 # via # check-sdist @@ -31,7 +29,7 @@ coverage==7.3.2; python_version >= "3.8" # via pytest-cov distlib==0.3.7 # via virtualenv -docutils==0.18.1 +docutils==0.20.1 # via # readme-renderer # sphinx @@ -69,8 +67,9 @@ more-itertools==10.1.0 mypy==1.7.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 - # via - # mypy + # via mypy +nh3==0.2.15 + # via readme-renderer nox==2023.4.22 # via cryptography (pyproject.toml) packaging==23.2 @@ -80,8 +79,7 @@ packaging==23.2 # pytest # sphinx pathspec==0.11.2 - # via - # check-sdist + # via check-sdist pkginfo==1.9.6 # via twine platformdirs==4.1.0; python_version >= "3.8" @@ -134,15 +132,18 @@ rich==13.7.0 # via twine ruff==0.1.7 # via cryptography (pyproject.toml) -six==1.16.0 - # via bleach snowballstemmer==2.2.0 # via sphinx sphinx==7.2.6 # via # cryptography (pyproject.toml) # sphinx-rtd-theme + # sphinxcontrib-applehelp + # sphinxcontrib-devhelp + # sphinxcontrib-htmlhelp # sphinxcontrib-jquery + # sphinxcontrib-qthelp + # sphinxcontrib-serializinghtml # sphinxcontrib-spelling sphinx-rtd-theme==2.0.0 # via cryptography (pyproject.toml) @@ -180,8 +181,6 @@ urllib3==2.1.0 # twine virtualenv==20.25.0 # via nox -webencodings==0.5.1 - # via bleach zipp==3.17.0; python_version >= "3.8" # via importlib-metadata From 61676b5b05c32556712c4bf750598de9dc08527a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Dec 2023 09:36:46 -0500 Subject: [PATCH 0780/1014] Update development docs (#9977) - No special configuration is required for brew or macports OpenSSL anymore - There's no point in documenting building local docs, it's basically never necessary --- docs/development/getting-started.rst | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index ad4ffd91ddc8..2ef12cfb0663 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -20,9 +20,8 @@ installed with ``pip``. OpenSSL on macOS ~~~~~~~~~~~~~~~~ -You must have installed `OpenSSL`_ (via `Homebrew`_ , `MacPorts`_, or a custom -build) and must configure the build `as documented here`_ before calling -``nox`` or else pip will fail to compile. +You must have installed `OpenSSL`_ (via `Homebrew`_ , `MacPorts`_) before +invoking ``nox`` or else pip will fail to compile. Running tests ------------- @@ -44,22 +43,6 @@ You can also specify a subset of tests to run as positional arguments: $ # run the whole x509 testsuite, plus the fernet tests $ nox -e tests -p py310 -- tests/x509/ tests/test_fernet.py -Building documentation ----------------------- - -``cryptography`` documentation is stored in the ``docs/`` directory. It is -written in `reStructured Text`_ and rendered using `Sphinx`_. - -Use `nox`_ to build the documentation. For example: - -.. code-block:: console - - $ nox -e docs - ... - nox > Session docs was successful. - -The HTML documentation index can now be found at -``docs/_build/html/index.html``. .. _`Homebrew`: https://brew.sh .. _`MacPorts`: https://www.macports.org @@ -68,6 +51,4 @@ The HTML documentation index can now be found at .. _`nox`: https://pypi.org/project/nox/ .. _`virtualenv`: https://pypi.org/project/virtualenv/ .. _`pip`: https://pypi.org/project/pip/ -.. _`sphinx`: https://pypi.org/project/Sphinx/ -.. _`reStructured Text`: https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html .. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic From 14c16ebb9febbb5a69d9bb883db4267d03fc6e65 Mon Sep 17 00:00:00 2001 From: Adi Roiban Date: Sat, 9 Dec 2023 20:08:45 +0000 Subject: [PATCH 0781/1014] #9969 Expose SSL_session_reused. (#9978) * Expose SSL_session_reused. * Fix test name. * Don't name the parameters :) Co-authored-by: Alex Gaynor * Remove test as requested by Alex. --------- Co-authored-by: Alex Gaynor --- src/_cffi_src/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 7e7b2b8bd91b..c78d681dca8d 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -142,6 +142,7 @@ const char *SSL_state_string_long(const SSL *); SSL_SESSION *SSL_get1_session(SSL *); int SSL_set_session(SSL *, SSL_SESSION *); +int SSL_session_reused(const SSL *); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); int SSL_set_fd(SSL *, int); From 18f35d3d7bfb5ad8becc633ff71553541002a584 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Dec 2023 16:51:49 +0000 Subject: [PATCH 0782/1014] Bump libc from 0.2.150 to 0.2.151 in /src/rust (#9979) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.150 to 0.2.151. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.150...0.2.151) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 341cb1d626f5..8804f1572628 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -146,9 +146,9 @@ checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" [[package]] name = "libc" -version = "0.2.150" +version = "0.2.151" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89d92a4743f9a61002fae18374ed11e7973f530cb3a3255fb354818118b2203c" +checksum = "302d7ab3130588088d277783b1e2d2e10c9e9e4a16dd9050e6ec93fb3e7048f4" [[package]] name = "lock_api" From 38b7ae9f84c85c77665f528667d3fa639ff8bb42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Dec 2023 16:52:44 +0000 Subject: [PATCH 0783/1014] Bump argcomplete from 3.1.6 to 3.2.1 (#9980) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.1.6 to 3.2.1. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.1.6...v3.2.1) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index be73d260768b..0e725bcbb556 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.13 # via sphinx -argcomplete==3.1.6; python_version >= "3.8" +argcomplete==3.2.1; python_version >= "3.8" # via nox babel==2.13.1 # via sphinx From 4eff703c51c43ea3c58c2c5ef37b8101f4347654 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Dec 2023 16:53:30 +0000 Subject: [PATCH 0784/1014] Bump typing-extensions from 4.8.0 to 4.9.0 (#9981) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.8.0 to 4.9.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.8.0...4.9.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0e725bcbb556..e8d8692fbdcb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -173,7 +173,7 @@ tomli==2.0.1 # pytest twine==4.0.2 # via cryptography (pyproject.toml) -typing-extensions==4.8.0; python_version >= "3.8" +typing-extensions==4.9.0; python_version >= "3.8" # via mypy urllib3==2.1.0 # via From 30956989e181c8c1b63aeab9b5c91f7076fc8b59 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Dec 2023 16:59:01 +0000 Subject: [PATCH 0785/1014] Bump pathspec from 0.11.2 to 0.12.0 (#9983) Bumps [pathspec](https://github.com/cpburnz/python-pathspec) from 0.11.2 to 0.12.0. - [Release notes](https://github.com/cpburnz/python-pathspec/releases) - [Changelog](https://github.com/cpburnz/python-pathspec/blob/master/CHANGES.rst) - [Commits](https://github.com/cpburnz/python-pathspec/compare/v0.11.2...v0.12.0) --- updated-dependencies: - dependency-name: pathspec dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e8d8692fbdcb..d82e76e6beab 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -78,7 +78,7 @@ packaging==23.2 # nox # pytest # sphinx -pathspec==0.11.2 +pathspec==0.12.0 # via check-sdist pkginfo==1.9.6 # via twine From 6924c25aa6d53a312785a0d968ed217b1f6caee0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Dec 2023 11:59:34 -0500 Subject: [PATCH 0786/1014] Bump typing-extensions from 4.8.0 to 4.9.0 in /.github/requirements (#9982) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.8.0 to 4.9.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.8.0...4.9.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 4ed8f217f36d..c6a1cde3e41b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -558,9 +558,9 @@ twine==4.0.2 \ --hash=sha256:929bc3c280033347a00f847236564d1c52a3e61b1ac2516c97c48f3ceab756d8 \ --hash=sha256:9e102ef5fdd5a20661eb88fad46338806c3bd32cf1db729603fe3697b1bc83c8 # via -r publish-requirements.in -typing-extensions==4.8.0 \ - --hash=sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0 \ - --hash=sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef +typing-extensions==4.9.0 \ + --hash=sha256:23478f88c37f27d76ac8aee6c905017a143b0b1b886c3c9f66bc2fd94f9f5783 \ + --hash=sha256:af72aea155e91adfc61c3ae9e0e342dbc0cba726d6cba4b6c72c1f34e47291cd # via # pydantic # pydantic-core From 0a1f26b48f293b2efb645ce525ddc987e336622c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 10 Dec 2023 12:29:29 -0500 Subject: [PATCH 0787/1014] Document tests-nocoverage in our dev docs (#9984) There's limited value in running coverage locally, since no single build produces 100% coverage --- docs/development/getting-started.rst | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index 2ef12cfb0663..b2ba3cd15325 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -14,8 +14,7 @@ installed with ``pip``. $ # Create a virtualenv and activate it $ # Set up your cryptography build environment $ pip install nox - $ # Specify your Python version here. - $ nox -e tests -p py310 + $ nox -e tests-nocoverage OpenSSL on macOS ~~~~~~~~~~~~~~~~ @@ -31,9 +30,9 @@ designed to be run using `pytest`_. ``nox`` automatically invokes ``pytest``: .. code-block:: console - $ nox -e tests -p py310 + $ nox -e tests-nocoverage ... - 62746 passed in 220.43 seconds + ===== 3062 passed, 61 skipped in 16.02s ===== You can also specify a subset of tests to run as positional arguments: @@ -41,7 +40,7 @@ You can also specify a subset of tests to run as positional arguments: .. code-block:: console $ # run the whole x509 testsuite, plus the fernet tests - $ nox -e tests -p py310 -- tests/x509/ tests/test_fernet.py + $ nox -e tests-nocoverage -- tests/x509/ tests/test_fernet.py .. _`Homebrew`: https://brew.sh From cd9cb8b48859c59c3d349b57abf849d29a62af65 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 10 Dec 2023 12:39:06 -0500 Subject: [PATCH 0788/1014] Remind people about rust in the dev docs (#9985) --- docs/development/getting-started.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index b2ba3cd15325..12cce7540085 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -6,8 +6,8 @@ Development dependencies Working on ``cryptography`` requires the installation of a small number of development dependencies in addition to the dependencies for -:doc:`/installation`. These are handled by the use of ``nox``, which can be -installed with ``pip``. +:doc:`/installation` (including :ref:`Rust`). These are +handled by the use of ``nox``, which can be installed with ``pip``. .. code-block:: console From 81576d362ab107c2ce994a2d11c14032beda7874 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 07:04:43 -0500 Subject: [PATCH 0789/1014] Bump syn from 2.0.39 to 2.0.40 in /src/rust (#9986) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.39 to 2.0.40. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.39...2.0.40) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 8804f1572628..a58343e48356 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.39" +version = "2.0.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23e78b90f2fcf45d3e842032ce32e3f2d1545ba6636271dcbf24fa306d87be7a" +checksum = "13fa70a4ee923979ffb522cacce59d34421ebdea5625e1073c4326ef9d2dd42e" dependencies = [ "proc-macro2", "quote", From 46ce4cc83a088e89755a29862c9199604c46bc5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 07:05:26 -0500 Subject: [PATCH 0790/1014] Bump pathspec from 0.12.0 to 0.12.1 (#9987) Bumps [pathspec](https://github.com/cpburnz/python-pathspec) from 0.12.0 to 0.12.1. - [Release notes](https://github.com/cpburnz/python-pathspec/releases) - [Changelog](https://github.com/cpburnz/python-pathspec/blob/master/CHANGES.rst) - [Commits](https://github.com/cpburnz/python-pathspec/compare/v0.12.0...v0.12.1) --- updated-dependencies: - dependency-name: pathspec dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d82e76e6beab..f6d1e5e1eba1 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -78,7 +78,7 @@ packaging==23.2 # nox # pytest # sphinx -pathspec==0.12.0 +pathspec==0.12.1 # via check-sdist pkginfo==1.9.6 # via twine From d81fd662f7e201575e7f263d726eee622a5526ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Dec 2023 07:01:30 -0500 Subject: [PATCH 0791/1014] Bump distlib from 0.3.7 to 0.3.8 (#9989) Bumps [distlib](https://github.com/pypa/distlib) from 0.3.7 to 0.3.8. - [Release notes](https://github.com/pypa/distlib/releases) - [Changelog](https://github.com/pypa/distlib/blob/master/CHANGES.rst) - [Commits](https://github.com/pypa/distlib/compare/0.3.7...0.3.8) --- updated-dependencies: - dependency-name: distlib dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f6d1e5e1eba1..e39f72435dc4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -27,7 +27,7 @@ colorlog==6.8.0 # via nox coverage==7.3.2; python_version >= "3.8" # via pytest-cov -distlib==0.3.7 +distlib==0.3.8 # via virtualenv docutils==0.20.1 # via From a8b96dab9b83769bb65ac9a29d63102011cfbf7d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Dec 2023 09:09:51 -0500 Subject: [PATCH 0792/1014] Simplify the release process: No need to pass the version to release.py (#9990) --- docs/doing-a-release.rst | 6 +++--- release.py | 12 +++++------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/doing-a-release.rst b/docs/doing-a-release.rst index c7e82ffb4df2..85fe7c52a326 100644 --- a/docs/doing-a-release.rst +++ b/docs/doing-a-release.rst @@ -50,10 +50,10 @@ Performing the release ---------------------- The commit that merged the version number bump is now the official release -commit for this release. You will need to have ``gpg`` installed and a ``gpg`` -key in order to do a release. Once this has happened: +commit for this release. You will need to have ``git`` configured to perform +signed tags. Once this has happened: -* Run ``python release.py release {version}``. +* Run ``python release.py release``. The release should now be available on PyPI and a tag should be available in the repository. diff --git a/release.py b/release.py index bd50130f9033..4abac1a2ed3e 100644 --- a/release.py +++ b/release.py @@ -8,6 +8,7 @@ import click import tomllib +from packaging.version import Version def run(*args: str) -> None: @@ -22,18 +23,15 @@ def cli(): @cli.command() @click.argument("version") -def release(version: str) -> None: - """ - ``version`` should be a string like '0.4' or '1.0'. - """ +def release() -> None: base_dir = pathlib.Path(__file__).parent with (base_dir / "pyproject.toml").open("rb") as f: pyproject = tomllib.load(f) - pyproject_version = pyproject["project"]["version"] + version = pyproject["project"]["version"] - if version != pyproject_version: + if Version(version).is_prerelease: raise RuntimeError( - f"Version mismatch: pyproject.toml has {pyproject_version}" + f"Can't release, pyproject.toml version is pre-release: {version}" ) # Tag and push the tag (this will trigger the wheel builder in Actions) From 70b2bc77ca277036b6517bbb4c662618c1cfbae7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Dec 2023 15:24:27 -0500 Subject: [PATCH 0793/1014] Simplify verifying README.rst in CI (#9991) --- ci-constraints-requirements.txt | 45 +++++---------------------------- noxfile.py | 7 +++-- pyproject.toml | 2 +- 3 files changed, 11 insertions(+), 43 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e39f72435dc4..28c1d89dadfe 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -26,7 +26,9 @@ click==8.1.7 colorlog==6.8.0 # via nox coverage==7.3.2; python_version >= "3.8" - # via pytest-cov + # via + # coverage + # pytest-cov distlib==0.3.8 # via virtualenv docutils==0.20.1 @@ -44,26 +46,12 @@ idna==3.6 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==7.0.0; python_version >= "3.8" - # via - # keyring - # twine iniconfig==2.0.0 # via pytest -jaraco-classes==3.3.0 - # via keyring jinja2==3.1.2 # via sphinx -keyring==24.3.0 - # via twine -markdown-it-py==3.0.0 - # via rich markupsafe==2.1.3 # via jinja2 -mdurl==0.1.2 - # via markdown-it-py -more-itertools==10.1.0 - # via jaraco-classes mypy==1.7.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 @@ -80,11 +68,8 @@ packaging==23.2 # sphinx pathspec==0.12.1 # via check-sdist -pkginfo==1.9.6 - # via twine platformdirs==4.1.0; python_version >= "3.8" - # via - # virtualenv + # via virtualenv pluggy==1.3.0; python_version >= "3.8" # via pytest pretend==1.0.9 @@ -98,7 +83,6 @@ pyenchant==3.2.2 pygments==2.17.2 # via # readme-renderer - # rich # sphinx pyproject-hooks==1.0.0 # via build @@ -118,18 +102,9 @@ pytest-randomly==3.15.0 pytest-xdist==3.5.0 # via cryptography (pyproject.toml) readme-renderer==42.0 - # via twine + # via cryptography (pyproject.toml) requests==2.31.0 - # via - # requests-toolbelt - # sphinx - # twine -requests-toolbelt==1.0.0 - # via twine -rfc3986==2.0.0 - # via twine -rich==13.7.0 - # via twine + # via sphinx ruff==0.1.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 @@ -171,18 +146,12 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -twine==4.0.2 - # via cryptography (pyproject.toml) typing-extensions==4.9.0; python_version >= "3.8" # via mypy urllib3==2.1.0 - # via - # requests - # twine + # via requests virtualenv==20.25.0 # via nox -zipp==3.17.0; python_version >= "3.8" - # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: # cffi diff --git a/noxfile.py b/noxfile.py index 05cfdd70abf0..b55849d7a397 100644 --- a/noxfile.py +++ b/noxfile.py @@ -145,10 +145,9 @@ def docs(session: nox.Session) -> None: "docs/_build/html", ) - # This is in the docs job because `twine check` verifies that the README - # is valid reStructuredText. - session.run("python", "-m", "build", "--sdist") - session.run("twine", "check", "dist/*") + session.run( + "python3", "-m", "readme_renderer", "README.rst", "-o", "/dev/null" + ) @nox.session(name="docs-linkcheck") diff --git a/pyproject.toml b/pyproject.toml index 7c6b616b1660..42a4860187fd 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -78,7 +78,7 @@ test = [ ] test-randomorder = ["pytest-randomly"] docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"] -docstest = ["pyenchant >=1.6.11", "twine >=1.12.0", "sphinxcontrib-spelling >=4.0.1"] +docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] # `click` included because its needed to type check `release.py` pep8test = ["ruff", "mypy", "check-sdist", "click"] From 8f2be00dfeec49d53b16182fbbe7fa0d972fc61c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 07:05:31 -0500 Subject: [PATCH 0794/1014] Bump dawidd6/action-download-artifact from 2.28.0 to 3.0.0 (#9992) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 2.28.0 to 3.0.0. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/268677152d06ba59fcec7a7f0b5d961b6ccd7e1e...e7466d1a7587ed14867642c2ca74b5bcc1e19a2d) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 721138c54117..a4d98424b39f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -255,7 +255,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 + - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -314,7 +314,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 + - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 622d98e950bb..ed495cba8e5a 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -44,7 +44,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 + - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 27e3c00d7ac1..026a66c5dc0d 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -219,7 +219,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 + - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2.28.0 + - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 with: repo: pyca/infra workflow: build-windows-openssl.yml From d4ebfc677a48753f3cc864640c60e0d0f4a6ae12 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 07:11:03 -0500 Subject: [PATCH 0795/1014] Bump babel from 2.13.1 to 2.14.0 (#9993) Bumps [babel](https://github.com/python-babel/babel) from 2.13.1 to 2.14.0. - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](https://github.com/python-babel/babel/compare/v2.13.1...v2.14.0) --- updated-dependencies: - dependency-name: babel dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 28c1d89dadfe..a641e21a3547 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -9,7 +9,7 @@ alabaster==0.7.13 # via sphinx argcomplete==3.2.1; python_version >= "3.8" # via nox -babel==2.13.1 +babel==2.14.0 # via sphinx build==1.0.3 # via From c56d7d56b7f841d956013ca192b38799ad774530 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 07:13:39 -0500 Subject: [PATCH 0796/1014] Bump id from 1.1.0 to 1.2.1 in /.github/requirements (#9994) Bumps [id](https://github.com/di/id) from 1.1.0 to 1.2.1. - [Release notes](https://github.com/di/id/releases) - [Changelog](https://github.com/di/id/blob/main/CHANGELOG.md) - [Commits](https://github.com/di/id/compare/v1.1.0...v1.2.1) --- updated-dependencies: - dependency-name: id dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index c6a1cde3e41b..8f57974005bf 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -221,9 +221,9 @@ hyperframe==6.0.1 \ --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 # via h2 -id==1.1.0 \ - --hash=sha256:726b995ffea6954ecbe3f2bb9e9d52b8502b2683b8470b13c58a429cd8e701e8 \ - --hash=sha256:a15f919fa1e847f57572748d37cf40192913a861a2669059b4cb5079bbbbbdbd +id==1.2.1 \ + --hash=sha256:339fe8d7a0edf20514ed5e5dc841e504c99f38c7b7d7a2849724c6dfedc89860 \ + --hash=sha256:51021c5ba12c6ee88fb58240a58f788f43aa9c4f629280d6a97a1192f3cefdb9 # via sigstore idna==3.6 \ --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \ From 2657f1eb84045a9439d56bc3537cea0ec940f303 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 07:16:17 -0500 Subject: [PATCH 0797/1014] Bump syn from 2.0.40 to 2.0.41 in /src/rust (#9996) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.40 to 2.0.41. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.40...2.0.41) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a58343e48356..3bbeec98ca0b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.40" +version = "2.0.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13fa70a4ee923979ffb522cacce59d34421ebdea5625e1073c4326ef9d2dd42e" +checksum = "44c8b28c477cc3bf0e7966561e3460130e1255f7a1cf71931075f1c5e7a7e269" dependencies = [ "proc-macro2", "quote", From 414ec22fec511a9279341811f0dc78698bd71f6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 12:21:00 +0000 Subject: [PATCH 0798/1014] Bump pem from 3.0.2 to 3.0.3 in /src/rust (#9997) Bumps [pem](https://github.com/jcreekmore/pem-rs) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/jcreekmore/pem-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/jcreekmore/pem-rs/compare/v3.0.2...v3.0.3) --- updated-dependencies: - dependency-name: pem dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3bbeec98ca0b..26c836aa9a06 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -238,9 +238,9 @@ dependencies = [ [[package]] name = "pem" -version = "3.0.2" +version = "3.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3163d2912b7c3b52d651a055f2c7eec9ba5cd22d26ef75b8dd3a59980b185923" +checksum = "1b8fcc794035347fb64beda2d3b462595dd2753e3f268d89c5aae77e8cf2c310" dependencies = [ "base64", ] From 68efdda0080f7fbe6208ee6bcef4c3aa34582db4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Dec 2023 12:29:44 +0000 Subject: [PATCH 0799/1014] Bump sigstore from 2.0.1 to 2.1.0 in /.github/requirements (#9995) Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.0.1 to 2.1.0. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.0.1...v2.1.0) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8f57974005bf..83d18cb80fdc 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -523,7 +523,9 @@ rfc3986==2.0.0 \ rich==13.7.0 \ --hash=sha256:5cb5123b5cf9ee70584244246816e9114227e0b98ad9176eede6ad54bf5403fa \ --hash=sha256:6da14c108c4866ee9520bbffa71f6fe3962e193b7da68720583850cd4548e235 - # via twine + # via + # sigstore + # twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 @@ -534,9 +536,9 @@ securesystemslib==0.31.0 \ # via # sigstore # tuf -sigstore==2.0.1 \ - --hash=sha256:1ec613be4e9623e3b7992cf92be7e127c470141ecae691fdc417d2855f7b25f4 \ - --hash=sha256:78013eaa2207c054ac803b361f8722011766d243bcbfa50c6e48003df2e3ca2f +sigstore==2.1.0 \ + --hash=sha256:68761c3078aca9bb97af8459602959ff47ce648bf722a8c2c868e45b46aad7e1 \ + --hash=sha256:7c64b4c6eccee0ec1b54d524d7be57dabc1f1f3651dd723cf195aa6b1f94b4f7 # via -r publish-requirements.in sigstore-protobuf-specs==0.2.2 \ --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ From bbf3003f518d81b23adc114f2da436d11d877e59 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 13 Dec 2023 22:46:40 -0500 Subject: [PATCH 0800/1014] Disable twisted downstream tests for now (#9999) --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a4d98424b39f..82b3a164d00e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -355,7 +355,8 @@ jobs: - paramiko - pyopenssl - pyopenssl-release - - twisted + # TODO: https://github.com/twisted/twisted/issues/12052 + # - twisted - aws-encryption-sdk - dynamodb-encryption-sdk - certbot From e27b956ff6a2f9ee021624d63b082c13fed97056 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Dec 2023 07:04:20 -0500 Subject: [PATCH 0801/1014] Bump ruff from 0.1.7 to 0.1.8 (#10000) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.7 to 0.1.8. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.7...v0.1.8) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a641e21a3547..3220f0912db5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.7 +ruff==0.1.8 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From e0d18129b459e66b828d53b008490dc18d90f7f4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Dec 2023 06:54:45 -0500 Subject: [PATCH 0802/1014] Bump coverage from 7.3.2 to 7.3.3 (#10001) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.2 to 7.3.3. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.3.2...7.3.3) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3220f0912db5..6610011b3689 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.0 # via nox -coverage==7.3.2; python_version >= "3.8" +coverage==7.3.3; python_version >= "3.8" # via # coverage # pytest-cov From 58f2483f78e2abcd24eec532f2ab8d562eab484c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 16 Dec 2023 08:48:19 -0500 Subject: [PATCH 0803/1014] Use newer upload-artifacts action in one place (#10008) --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 82b3a164d00e..81b47a77963a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -472,14 +472,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: _html-rust-report path: rust-coverage From 783803d6762786fb780e024fd83dc9e1409d82a8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 17 Dec 2023 16:23:51 -0500 Subject: [PATCH 0804/1014] Various (pedantic) clippy cleanups (#10010) --- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/common.rs | 4 ++-- src/rust/src/x509/csr.rs | 4 ++-- src/rust/src/x509/verify.rs | 5 ++--- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index dcd8b3f11c24..7753974ac6a4 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -635,7 +635,7 @@ pub(crate) fn encode_distribution_point_reasons( let bit = reason_flag_mapping .get_item(py_reason?)? .extract::()?; - set_bit(&mut bits, bit, true) + set_bit(&mut bits, bit, true); } if bits[1] == 0 { bits.truncate(1); diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 10d438a12834..2d6ae5ec01c9 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -99,7 +99,7 @@ pub(crate) fn encode_general_names<'a>( let mut gns = vec![]; for el in py_gns.iter()? { let gn = encode_general_name(py, el?)?; - gns.push(gn) + gns.push(gn); } Ok(gns) } @@ -432,7 +432,7 @@ pub(crate) fn encode_extensions< extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, extn_value: py_data.as_bytes(), - }) + }); } None => { return Err(pyo3::exceptions::PyNotImplementedError::new_err(format!( diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index ccaf7529c5a1..49182c845d01 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -291,7 +291,7 @@ fn create_x509_csr( values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ asn1::parse_single(&ext_bytes)?, ])), - }) + }); } for py_attr in builder.getattr(pyo3::intern!(py, "_attributes"))?.iter()? { @@ -315,7 +315,7 @@ fn create_x509_csr( values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ common::RawTlv::new(tag, value), ])), - }) + }); } let py_subject_name = builder.getattr(pyo3::intern!(py, "_subject_name"))?; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 9e266f1160aa..e074b9cb3009 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -8,7 +8,6 @@ use cryptography_x509_validation::{ policy::{Policy, Subject}, types::{DNSName, IPAddress}, }; -use pyo3::IntoPy; use crate::types; use crate::x509::certificate::Certificate as PyCertificate; @@ -98,8 +97,8 @@ impl PyServerVerifier { } #[getter] - fn max_chain_depth(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - Ok(self.as_policy().max_chain_depth.into_py(py)) + fn max_chain_depth(&self) -> u8 { + self.as_policy().max_chain_depth } fn verify<'p>( From 57e0d44008e147132f9cee1a8a5099485d38d29d Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Sun, 17 Dec 2023 17:20:15 -0500 Subject: [PATCH 0805/1014] Remove unused X509_STORE_set_get_issuer bindings (#10011) This was added in https://github.com/pyca/cryptography/pull/3546 for AIA chasing, but it doesn't seem to have ever been used. Moreover, I'm not sure this is safe for use with AIA chasing anyway. This callback replaces the built-in lookup within an X509_STORE, but certificates from an X509_STORE are "trusted" certificates: https://github.com/openssl/openssl/blob/openssl-3.2.0/crypto/x509/x509_vfy.c#L3184-L3198 While this does not automatically make it a trust anchor, it makes it eligible for being a trust anchor. Trust anchors are determined by some combination of out-of-band metadata (X509_add1_trust_object) and a "compatibility" step of whether the certificate is self-signed: https://man.openbsd.org/X509_check_trust.3 This means, if an application uses this callback to implement AIA fetching, in most configurations, if the (should be untrusted) AIA fetch returned any self-signed certificate, it would automatically be treated as a trust anchor! Remove this binding before someone inadvertently does this. --- src/_cffi_src/openssl/x509_vfy.py | 11 ----------- .../hazmat/bindings/openssl/_conditional.py | 9 --------- 2 files changed, 20 deletions(-) diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index d32b0d7abc29..6df80cd0f3fc 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py @@ -19,8 +19,6 @@ """ TYPES = """ -static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER; - typedef ... Cryptography_STACK_OF_ASN1_OBJECT; typedef ... Cryptography_STACK_OF_X509_OBJECT; @@ -174,16 +172,7 @@ Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *); X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *); -void X509_STORE_set_get_issuer(X509_STORE *, X509_STORE_CTX_get_issuer_fn); """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_LIBRESSL -static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0; -typedef void *X509_STORE_CTX_get_issuer_fn; -void (*X509_STORE_set_get_issuer)(X509_STORE *, - X509_STORE_CTX_get_issuer_fn) = NULL; -#else -static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1; -#endif """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index d40cbd8f963e..47bbf71a3572 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -40,12 +40,6 @@ def cryptography_has_mem_functions() -> list[str]: ] -def cryptography_has_x509_store_ctx_get_issuer() -> list[str]: - return [ - "X509_STORE_set_get_issuer", - ] - - def cryptography_has_ed448() -> list[str]: return [ "EVP_PKEY_ED448", @@ -227,9 +221,6 @@ def cryptography_has_evp_aead() -> list[str]: "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, "Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx, "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions, - "Cryptography_HAS_X509_STORE_CTX_GET_ISSUER": ( - cryptography_has_x509_store_ctx_get_issuer - ), "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, From 9ca6fd1e156a26afb36737d0200c13d6a46af7e3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Dec 2023 09:26:51 -0500 Subject: [PATCH 0806/1014] Remove unused argument (#10012) --- .../hazmat/backends/openssl/backend.py | 2 +- .../hazmat/bindings/openssl/binding.py | 14 +++++--------- tests/hazmat/bindings/test_openssl.py | 2 +- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index ea7d171e6136..6e80e428f033 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -150,7 +150,7 @@ def openssl_assert( ok: bool, errors: list[rust_openssl.OpenSSLError] | None = None, ) -> None: - return binding._openssl_assert(self._lib, ok, errors=errors) + return binding._openssl_assert(ok, errors=errors) def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index d2cf1d6f08e9..40814f2a58a0 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -18,7 +18,6 @@ def _openssl_assert( - lib, ok: bool, errors: list[openssl.OpenSSLError] | None = None, ) -> None: @@ -86,18 +85,18 @@ def __init__(self) -> None: def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. - _openssl_assert(self.lib, self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) + _openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) self._base_provider = self.lib.OSSL_PROVIDER_load( self.ffi.NULL, b"base" ) - _openssl_assert(self.lib, self._base_provider != self.ffi.NULL) + _openssl_assert(self._base_provider != self.ffi.NULL) self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( self.ffi.NULL, b"fips" ) - _openssl_assert(self.lib, self.lib._fips_provider != self.ffi.NULL) + _openssl_assert(self.lib._fips_provider != self.ffi.NULL) res = self.lib.EVP_default_properties_enable_fips(self.ffi.NULL, 1) - _openssl_assert(self.lib, res == 1) + _openssl_assert(res == 1) @classmethod def _ensure_ffi_initialized(cls) -> None: @@ -125,9 +124,7 @@ def _ensure_ffi_initialized(cls) -> None: cls._default_provider = cls.lib.OSSL_PROVIDER_load( cls.ffi.NULL, b"default" ) - _openssl_assert( - cls.lib, cls._default_provider != cls.ffi.NULL - ) + _openssl_assert(cls._default_provider != cls.ffi.NULL) @classmethod def init_static_locks(cls) -> None: @@ -157,7 +154,6 @@ def _verify_package_version(version: str) -> None: ) _openssl_assert( - _openssl.lib, _openssl.lib.OpenSSL_version_num() == openssl.openssl_version(), ) diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index c061c9bf11b0..64c3cfdec05c 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -72,7 +72,7 @@ def test_openssl_assert_error_on_stack(self): -1, ) with pytest.raises(InternalError) as exc_info: - _openssl_assert(b.lib, False) + _openssl_assert(False) error = exc_info.value.err_code[0] assert error.lib == b.lib.ERR_LIB_EVP From 2525eb048a00e5743950a98bf1e5cdfc5a469347 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 18 Dec 2023 16:54:38 -0600 Subject: [PATCH 0807/1014] support RSA PSS for CRLs (#10013) adds rsa_padding kwarg to sign and also adds signature_algorithm_parameters as a method to CRLs --- CHANGELOG.rst | 10 ++- docs/x509/reference.rst | 39 +++++++++- .../hazmat/bindings/_rust/x509.pyi | 5 +- src/cryptography/x509/base.py | 21 +++++- src/rust/src/x509/crl.rs | 29 ++++---- tests/x509/test_x509_crlbuilder.py | 74 ++++++++++++++++++- 6 files changed, 157 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 721a3892fd1f..adb4580b31d9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -18,12 +18,16 @@ Changelog values, as documented in the 41.0.2 release notes. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. * Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for - X.509 certificate signing requests with the keyword-only argument - ``rsa_padding`` on - :meth:`~cryptography.x509.CertificateSigningRequestBuilder.sign`. + X.509 certificate signing requests and certificate revocation lists with the + keyword-only argument ``rsa_padding`` on the ``sign`` methods for + :class:`~cryptography.x509.CertificateSigningRequestBuilder` and + :class:`~cryptography.x509.CertificateRevocationListBuilder`. * Added support for obtaining X.509 certificate signing request signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`. +* Added support for obtaining X.509 certificate revocation list signature + algorithm parameters (including PSS) via + :meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`. * Added `mgf` property to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. * Added `algorithm` and `mgf` properties to diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index ee007ed622c7..aa22d7c1f2ba 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -716,6 +716,27 @@ X.509 CRL (Certificate Revocation List) Object >>> crl.signature_algorithm_oid + .. attribute:: signature_algorithm_parameters + + .. versionadded:: 42.0.0 + + Returns the parameters of the signature algorithm used to sign the + certificate revocation list. For RSA signatures it will return either a + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` or + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` object. + + For ECDSA signatures it will + return an :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA`. + + For EdDSA and DSA signatures it will return ``None``. + + These objects can be used to verify the CRL signature. + + :returns: None, + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`, + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`, or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` + .. attribute:: issuer :type: :class:`Name` @@ -1212,7 +1233,7 @@ X.509 Certificate Revocation List Builder obtained from an existing CRL or created with :class:`~cryptography.x509.RevokedCertificateBuilder`. - .. method:: sign(private_key, algorithm) + .. method:: sign(private_key, algorithm, *, rsa_padding=None) Sign this CRL using the CA's private key. @@ -1231,6 +1252,22 @@ X.509 Certificate Revocation List Builder :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` otherwise. + :param rsa_padding: + + .. versionadded:: 42.0.0 + + This is a keyword-only argument. If ``private_key`` is an + ``RSAPrivateKey`` then this can be set to either + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` or + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` to sign + with those respective paddings. If this is ``None`` then RSA + keys will default to ``PKCS1v15`` padding. All other key types **must** + not pass a value other than ``None``. + + :type rsa_padding: ``None``, + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`, + or :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` + :returns: :class:`~cryptography.x509.CertificateRevocationList` X.509 Revoked Certificate Object diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 47e8494ca6b1..e4e77136bdc2 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -24,18 +24,19 @@ def create_x509_certificate( builder: x509.CertificateBuilder, private_key: PrivateKeyTypes, hash_algorithm: hashes.HashAlgorithm | None, - padding: PKCS1v15 | PSS | None, + rsa_padding: PKCS1v15 | PSS | None, ) -> x509.Certificate: ... def create_x509_csr( builder: x509.CertificateSigningRequestBuilder, private_key: PrivateKeyTypes, hash_algorithm: hashes.HashAlgorithm | None, - padding: PKCS1v15 | PSS | None, + rsa_padding: PKCS1v15 | PSS | None, ) -> x509.CertificateSigningRequest: ... def create_x509_crl( builder: x509.CertificateRevocationListBuilder, private_key: PrivateKeyTypes, hash_algorithm: hashes.HashAlgorithm | None, + rsa_padding: PKCS1v15 | PSS | None, ) -> x509.CertificateRevocationList: ... def create_server_verifier( name: x509.verification.Subject, diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 5d229c7e9d77..624bc44bd678 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -423,6 +423,15 @@ def signature_algorithm_oid(self) -> ObjectIdentifier: Returns the ObjectIdentifier of the signature algorithm. """ + @property + @abc.abstractmethod + def signature_algorithm_parameters( + self, + ) -> None | padding.PSS | padding.PKCS1v15 | ec.ECDSA: + """ + Returns the signature algorithm parameters. + """ + @property @abc.abstractmethod def issuer(self) -> Name: @@ -1146,6 +1155,8 @@ def sign( private_key: CertificateIssuerPrivateKeyTypes, algorithm: _AllowedHashTypes | None, backend: typing.Any = None, + *, + rsa_padding: padding.PSS | padding.PKCS1v15 | None = None, ) -> CertificateRevocationList: if self._issuer_name is None: raise ValueError("A CRL must have an issuer name") @@ -1156,7 +1167,15 @@ def sign( if self._next_update is None: raise ValueError("A CRL must have a next update time") - return rust_x509.create_x509_crl(self, private_key, algorithm) + if rsa_padding is not None: + if not isinstance(rsa_padding, (padding.PSS, padding.PKCS1v15)): + raise TypeError("Padding must be PSS or PKCS1v15") + if not isinstance(private_key, rsa.RSAPrivateKey): + raise TypeError("Padding is only supported for RSA keys") + + return rust_x509.create_x509_crl( + self, private_key, algorithm, rsa_padding + ) class RevokedCertificateBuilder: diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c97ade81b5c8..4610a6a3dfeb 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -194,6 +194,17 @@ impl CertificateRevocationList { } } + #[getter] + fn signature_algorithm_parameters<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::PyAny> { + sign::identify_signature_algorithm_parameters( + py, + &self.owned.borrow_dependent().signature_algorithm, + ) + } + #[getter] fn signature(&self) -> &[u8] { self.owned.borrow_dependent().signature_value.as_bytes() @@ -594,13 +605,10 @@ fn create_x509_crl( builder: &pyo3::PyAny, private_key: &pyo3::PyAny, hash_algorithm: &pyo3::PyAny, + rsa_padding: &pyo3::PyAny, ) -> CryptographyResult { - let sigalg = x509::sign::compute_signature_algorithm( - py, - private_key, - hash_algorithm, - py.None().into_ref(py), - )?; + let sigalg = + x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; let mut revoked_certs = vec![]; for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? @@ -648,13 +656,8 @@ fn create_x509_crl( }; let tbs_bytes = asn1::write_single(&tbs_cert_list)?; - let signature = x509::sign::sign_data( - py, - private_key, - hash_algorithm, - py.None().into_ref(py), - &tbs_bytes, - )?; + let signature = + x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; let data = asn1::write_single(&crl::CertificateRevocationList { tbs_cert_list, signature_algorithm: sigalg, diff --git a/tests/x509/test_x509_crlbuilder.py b/tests/x509/test_x509_crlbuilder.py index 749c4ecb783f..afa8380216c5 100644 --- a/tests/x509/test_x509_crlbuilder.py +++ b/tests/x509/test_x509_crlbuilder.py @@ -10,7 +10,13 @@ from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import ec, ed448, ed25519, rsa +from cryptography.hazmat.primitives.asymmetric import ( + ec, + ed448, + ed25519, + padding, + rsa, +) from cryptography.x509.oid import ( AuthorityInformationAccessOID, NameOID, @@ -204,6 +210,38 @@ def test_no_next_update(self, rsa_key_2048: rsa.RSAPrivateKey, backend): with pytest.raises(ValueError): builder.sign(private_key, hashes.SHA256(), backend) + def test_sign_invalid_padding( + self, rsa_key_2048: rsa.RSAPrivateKey, backend + ): + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = ( + x509.CertificateRevocationListBuilder() + .issuer_name( + x509.Name( + [ + x509.NameAttribute( + NameOID.COMMON_NAME, "cryptography.io CA" + ) + ] + ) + ) + .last_update(last_update) + .next_update(next_update) + ) + + with pytest.raises(TypeError): + builder.sign( + rsa_key_2048, + hashes.SHA256(), + rsa_padding=b"notapadding", # type: ignore[arg-type] + ) + eckey = ec.generate_private_key(ec.SECP256R1()) + with pytest.raises(TypeError): + builder.sign( + eckey, hashes.SHA256(), rsa_padding=padding.PKCS1v15() + ) + def test_sign_empty_list(self, rsa_key_2048: rsa.RSAPrivateKey, backend): private_key = rsa_key_2048 last_update = datetime.datetime(2002, 1, 1, 12, 1) @@ -235,6 +273,40 @@ def test_sign_empty_list(self, rsa_key_2048: rsa.RSAPrivateKey, backend): tzinfo=datetime.timezone.utc ) + def test_sign_pss(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + private_key = rsa_key_2048 + last_update = datetime.datetime(2002, 1, 1, 12, 1) + next_update = datetime.datetime(2030, 1, 1, 12, 1) + builder = ( + x509.CertificateRevocationListBuilder() + .issuer_name( + x509.Name( + [ + x509.NameAttribute( + NameOID.COMMON_NAME, "cryptography.io CA" + ) + ] + ) + ) + .last_update(last_update) + .next_update(next_update) + ) + + pss = padding.PSS( + mgf=padding.MGF1(hashes.SHA256()), + salt_length=padding.PSS.DIGEST_LENGTH, + ) + crl = builder.sign(private_key, hashes.SHA256(), rsa_padding=pss) + assert len(crl) == 0 + assert isinstance(crl.signature_algorithm_parameters, padding.PSS) + assert crl.signature_algorithm_parameters._salt_length == 32 + private_key.public_key().verify( + crl.signature, + crl.tbs_certlist_bytes, + crl.signature_algorithm_parameters, + hashes.SHA256(), + ) + @pytest.mark.parametrize( "extension", [ From a9a4f5df1d87d6d839c83c981c5f83fcde39167f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Dec 2023 22:38:18 -0500 Subject: [PATCH 0808/1014] Build cp39 wheels in addition to cp37 ones (#9998) --- .github/workflows/wheel-builder.yml | 18 ++++++++++++++++-- CHANGELOG.rst | 3 +++ pyproject.toml | 2 +- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 5 files changed, 22 insertions(+), 5 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 026a66c5dc0d..0d2c5774721f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -58,6 +58,7 @@ jobs: matrix: PYTHON: - { VERSION: "cp311-cp311", ABI_VERSION: 'cp37' } + - { VERSION: "cp311-cp311", ABI_VERSION: 'cp39' } - { VERSION: "pp39-pypy39_pp73" } - { VERSION: "pp310-pypy310_pp73" } MANYLINUX: @@ -154,7 +155,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: - name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}" + name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ macos: @@ -176,6 +177,18 @@ jobs: # This will change in the future as we change the base Python we # build against _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' + - VERSION: '3.11' + ABI_VERSION: 'cp39' + # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel + DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' + BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' + DEPLOYMENT_TARGET: '10.12' + # This archflags is default, but let's be explicit + ARCHFLAGS: '-arch x86_64 -arch arm64' + # See https://github.com/pypa/cibuildwheel/blob/c8876b5c54a6c6b08de5d4b1586906b56203bd9e/cibuildwheel/macos.py#L257-L269 + # This will change in the future as we change the base Python we + # build against + _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - VERSION: '3.11' ABI_VERSION: 'cp37' DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' @@ -281,6 +294,7 @@ jobs: - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'} PYTHON: - {VERSION: "3.11", "ABI_VERSION": "cp37"} + - {VERSION: "3.11", "ABI_VERSION": "cp39"} - {VERSION: "pypy-3.9"} - {VERSION: "pypy-3.10"} exclude: @@ -348,5 +362,5 @@ jobs: - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: - name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION}}" + name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ diff --git a/CHANGELOG.rst b/CHANGELOG.rst index adb4580b31d9..da3f220e4cff 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -17,6 +17,9 @@ Changelog * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. +* We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should + resolve some errors relating to initializing a module multiple times per + process. * Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for X.509 certificate signing requests and certificate revocation lists with the keyword-only argument ``rsa_padding`` on the ``sign`` methods for diff --git a/pyproject.toml b/pyproject.toml index 42a4860187fd..ff4995ca4169 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -86,7 +86,7 @@ pep8test = ["ruff", "mypy", "check-sdist", "click"] [[tool.setuptools-rust.ext-modules]] target = "cryptography.hazmat.bindings._rust" path = "src/rust/Cargo.toml" -py-limited-api = true +py-limited-api = "auto" rust-version = ">=1.63.0" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index f3ad413af5e3..552c7bee3dae 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.63.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.20", features = ["abi3-py37"] } +pyo3 = { version = "0.20", features = ["abi3"] } asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 8f00a0777297..91834e5dc186 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -pyo3 = { version = "0.20", features = ["abi3-py37"] } +pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.97" [build-dependencies] From 9b83ac5e6ff226537f3f9c0b82a8145eb0135a14 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Dec 2023 23:14:27 -0500 Subject: [PATCH 0809/1014] Remove unused attribute (#10018) --- src/cryptography/hazmat/backends/openssl/backend.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 6e80e428f033..060713500e38 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -134,9 +134,6 @@ def __init__(self) -> None: typing.Callable, ] = {} self._register_default_ciphers() - self._dh_types = [self._lib.EVP_PKEY_DH] - if self._lib.Cryptography_HAS_EVP_PKEY_DHX: - self._dh_types.append(self._lib.EVP_PKEY_DHX) def __repr__(self) -> str: return "".format( From 7b5591709784748291cf41cb190d31826f21feec Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Dec 2023 23:18:43 -0500 Subject: [PATCH 0810/1014] re-enable twisted downstream (#10019) --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 81b47a77963a..d01a918af8b1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -355,8 +355,7 @@ jobs: - paramiko - pyopenssl - pyopenssl-release - # TODO: https://github.com/twisted/twisted/issues/12052 - # - twisted + - twisted - aws-encryption-sdk - dynamodb-encryption-sdk - certbot From d6a9343614380b322dd605abf600a3f7c02c2920 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 17:11:35 +0000 Subject: [PATCH 0811/1014] Bump pkg-config from 0.3.27 to 0.3.28 in /src/rust (#10020) Bumps [pkg-config](https://github.com/rust-lang/pkg-config-rs) from 0.3.27 to 0.3.28. - [Changelog](https://github.com/rust-lang/pkg-config-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/pkg-config-rs/compare/0.3.27...0.3.28) --- updated-dependencies: - dependency-name: pkg-config dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 26c836aa9a06..5bdf747d3f4f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -247,9 +247,9 @@ dependencies = [ [[package]] name = "pkg-config" -version = "0.3.27" +version = "0.3.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" +checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" [[package]] name = "proc-macro2" From 34b2ee32688df12b139c553c38ea9733e1a5feaf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Dec 2023 17:14:00 +0000 Subject: [PATCH 0812/1014] Bump self_cell from 1.0.2 to 1.0.3 in /src/rust (#10021) Bumps [self_cell](https://github.com/Voultapher/self_cell) from 1.0.2 to 1.0.3. - [Release notes](https://github.com/Voultapher/self_cell/releases) - [Commits](https://github.com/Voultapher/self_cell/compare/v1.0.2...v1.0.3) --- updated-dependencies: - dependency-name: self_cell dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5bdf747d3f4f..08530a767154 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -347,9 +347,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "self_cell" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e388332cd64eb80cd595a00941baf513caffae8dce9cfd0467fc9c66397dade6" +checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" [[package]] name = "smallvec" From a2ddd9607cd6d161b819a7611a4a7aedbe2de63b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 20 Dec 2023 13:52:08 -0500 Subject: [PATCH 0813/1014] Try enabling X25519 with FIPS (#10017) * Try enabling X25519 with FIPS * Added version check --- .github/workflows/ci.yml | 1 + src/_cffi_src/openssl/cryptography.py | 3 +++ src/cryptography/hazmat/backends/openssl/backend.py | 12 ++++++++++-- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d01a918af8b1..72d099bcd52d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,6 +38,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 5b81cd6fcad3..b3543ade73cb 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -48,6 +48,8 @@ #define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) +#define CRYPTOGRAPHY_OPENSSL_320_OR_GREATER \ + (OPENSSL_VERSION_NUMBER >= 0x30200000 && !CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \ (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL) @@ -63,6 +65,7 @@ TYPES = """ static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; +static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER; static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E; diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 060713500e38..58cef907c812 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -751,12 +751,20 @@ def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 def x25519_supported(self) -> bool: - if self._fips_enabled: + # Beginning with OpenSSL 3.2.0, X25519 is considered FIPS. + if ( + self._fips_enabled + and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + ): return False return True def x448_supported(self) -> bool: - if self._fips_enabled: + # Beginning with OpenSSL 3.2.0, X448 is considered FIPS. + if ( + self._fips_enabled + and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + ): return False return ( not self._lib.CRYPTOGRAPHY_IS_LIBRESSL From dd4df8912dcea2e03b08d057146ee1ce8919ae42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 07:10:01 -0500 Subject: [PATCH 0814/1014] Bump coverage from 7.3.3 to 7.3.4 (#10023) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.3 to 7.3.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.3.3...7.3.4) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6610011b3689..dd297014bc87 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.0 # via nox -coverage==7.3.3; python_version >= "3.8" +coverage==7.3.4; python_version >= "3.8" # via # coverage # pytest-cov From ac6497f6f023039f111bbead829f42e381c7a049 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 07:10:10 -0500 Subject: [PATCH 0815/1014] Bump syn from 2.0.41 to 2.0.42 in /src/rust (#10022) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.41 to 2.0.42. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.41...2.0.42) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 08530a767154..169755e3bab7 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.41" +version = "2.0.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44c8b28c477cc3bf0e7966561e3460130e1255f7a1cf71931075f1c5e7a7e269" +checksum = "5b7d0a2c048d661a1a59fcd7355baa232f7ed34e0ee4df2eef3c1c1c0d3852d8" dependencies = [ "proc-macro2", "quote", From fb4c72c8bf786a41a413bb74e4cca09b4b6d87ca Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Dec 2023 09:30:36 -0500 Subject: [PATCH 0816/1014] Added wycheproof vectors for pbkdf2 (#10024) --- docs/development/test-vectors.rst | 2 +- tests/utils.py | 4 +-- tests/wycheproof/test_aes.py | 1 - tests/wycheproof/test_chacha20poly1305.py | 1 - tests/wycheproof/test_cmac.py | 1 - tests/wycheproof/test_dsa.py | 1 - tests/wycheproof/test_ecdh.py | 1 - tests/wycheproof/test_ecdsa.py | 1 - tests/wycheproof/test_eddsa.py | 1 - tests/wycheproof/test_hkdf.py | 1 - tests/wycheproof/test_hmac.py | 1 - tests/wycheproof/test_keywrap.py | 1 - tests/wycheproof/test_pbkdf2.py | 42 +++++++++++++++++++++++ tests/wycheproof/test_rsa.py | 1 - tests/wycheproof/test_utils.py | 1 - tests/wycheproof/test_x25519.py | 1 - tests/wycheproof/test_x448.py | 1 - tests/wycheproof/utils.py | 6 ++-- 18 files changed, 49 insertions(+), 19 deletions(-) create mode 100644 tests/wycheproof/test_pbkdf2.py diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 29ffef7d940d..d23946e55ef3 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -22,7 +22,7 @@ for various cryptographic algorithms. These are not included in the repository continuous integration environments. We have ensured all test vectors are used as of commit -``b063b4aedae951c69df014cd25fa6d69ae9e8cb9``. +``d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d``. Asymmetric ciphers ~~~~~~~~~~~~~~~~~~ diff --git a/tests/utils.py b/tests/utils.py index bad0f87da164..595e8dc04e1c 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -918,8 +918,8 @@ def cache_value_to_group(self, cache_key: str, func): return cache_val -def load_wycheproof_tests(wycheproof, test_file): - path = os.path.join(wycheproof, "testvectors", test_file) +def load_wycheproof_tests(wycheproof, test_file, subdir): + path = os.path.join(wycheproof, subdir, test_file) with open(path) as f: data = json.load(f) for group in data.pop("testGroups"): diff --git a/tests/wycheproof/test_aes.py b/tests/wycheproof/test_aes.py index ce83fe3c0fa2..0d2c2d4445e8 100644 --- a/tests/wycheproof/test_aes.py +++ b/tests/wycheproof/test_aes.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_chacha20poly1305.py b/tests/wycheproof/test_chacha20poly1305.py index 06d6fc76a092..3b6aeb6c4adc 100644 --- a/tests/wycheproof/test_chacha20poly1305.py +++ b/tests/wycheproof/test_chacha20poly1305.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_cmac.py b/tests/wycheproof/test_cmac.py index bca84805d7b9..f1508c046f56 100644 --- a/tests/wycheproof/test_cmac.py +++ b/tests/wycheproof/test_cmac.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_dsa.py b/tests/wycheproof/test_dsa.py index fd76a938bfd3..c15a198839d0 100644 --- a/tests/wycheproof/test_dsa.py +++ b/tests/wycheproof/test_dsa.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_ecdh.py b/tests/wycheproof/test_ecdh.py index e2624a45a53c..851cd7d240f1 100644 --- a/tests/wycheproof/test_ecdh.py +++ b/tests/wycheproof/test_ecdh.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_ecdsa.py b/tests/wycheproof/test_ecdsa.py index d853909fd577..c0e9b6a44a71 100644 --- a/tests/wycheproof/test_ecdsa.py +++ b/tests/wycheproof/test_ecdsa.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_eddsa.py b/tests/wycheproof/test_eddsa.py index 3b5dae37749f..624f99fff004 100644 --- a/tests/wycheproof/test_eddsa.py +++ b/tests/wycheproof/test_eddsa.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_hkdf.py b/tests/wycheproof/test_hkdf.py index 3d54e44ffc6e..ccfe8e4cde70 100644 --- a/tests/wycheproof/test_hkdf.py +++ b/tests/wycheproof/test_hkdf.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_hmac.py b/tests/wycheproof/test_hmac.py index 4a42dc1eda5f..a99d34f37608 100644 --- a/tests/wycheproof/test_hmac.py +++ b/tests/wycheproof/test_hmac.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_keywrap.py b/tests/wycheproof/test_keywrap.py index 7aec26989b20..da3744be1059 100644 --- a/tests/wycheproof/test_keywrap.py +++ b/tests/wycheproof/test_keywrap.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_pbkdf2.py b/tests/wycheproof/test_pbkdf2.py new file mode 100644 index 000000000000..f5f0da18ed38 --- /dev/null +++ b/tests/wycheproof/test_pbkdf2.py @@ -0,0 +1,42 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import binascii + +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC + +from .utils import wycheproof_tests + +_HASH_ALGORITHMS = { + "PBKDF2-HMACSHA1": hashes.SHA1(), + "PBKDF2-HMACSHA224": hashes.SHA224(), + "PBKDF2-HMACSHA256": hashes.SHA256(), + "PBKDF2-HMACSHA384": hashes.SHA384(), + "PBKDF2-HMACSHA512": hashes.SHA512(), +} + + +@wycheproof_tests( + "pbkdf2_hmacsha1_test.json", + "pbkdf2_hmacsha224_test.json", + "pbkdf2_hmacsha256_test.json", + "pbkdf2_hmacsha384_test.json", + "pbkdf2_hmacsha512_test.json", + subdir="testvectors_v1", +) +def test_pbkdf2(backend, wycheproof): + assert wycheproof.valid + + algorithm = _HASH_ALGORITHMS[wycheproof.testfiledata["algorithm"]] + + p = PBKDF2HMAC( + algorithm=algorithm, + length=wycheproof.testcase["dkLen"], + salt=binascii.unhexlify(wycheproof.testcase["salt"]), + iterations=wycheproof.testcase["iterationCount"], + ) + assert p.derive( + binascii.unhexlify(wycheproof.testcase["password"]) + ) == binascii.unhexlify(wycheproof.testcase["dk"]) diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py index 996b3cd52c36..c85eb6e7a669 100644 --- a/tests/wycheproof/test_rsa.py +++ b/tests/wycheproof/test_rsa.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_utils.py b/tests/wycheproof/test_utils.py index b0c36d4797d8..f186fb368588 100644 --- a/tests/wycheproof/test_utils.py +++ b/tests/wycheproof/test_utils.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - from ..utils import WycheproofTest diff --git a/tests/wycheproof/test_x25519.py b/tests/wycheproof/test_x25519.py index 17aef36fe2e1..571c1d137573 100644 --- a/tests/wycheproof/test_x25519.py +++ b/tests/wycheproof/test_x25519.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/test_x448.py b/tests/wycheproof/test_x448.py index 8e7b321484c3..bdad0cb8510f 100644 --- a/tests/wycheproof/test_x448.py +++ b/tests/wycheproof/test_x448.py @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. - import binascii import pytest diff --git a/tests/wycheproof/utils.py b/tests/wycheproof/utils.py index eebbe7ce3bf6..42fff417ec67 100644 --- a/tests/wycheproof/utils.py +++ b/tests/wycheproof/utils.py @@ -1,14 +1,16 @@ from ..utils import load_wycheproof_tests -def wycheproof_tests(*paths): +def wycheproof_tests(*paths, subdir="testvectors"): def wrapper(func): def run_wycheproof(backend, subtests, pytestconfig): wycheproof_root = pytestconfig.getoption( "--wycheproof-root", skip=True ) for path in paths: - for test in load_wycheproof_tests(wycheproof_root, path): + for test in load_wycheproof_tests( + wycheproof_root, path, subdir + ): with subtests.test(): func(backend, test) From d844fd455607dd694249513ae06b33bf36c8d274 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Dec 2023 13:16:49 -0500 Subject: [PATCH 0817/1014] Split wycheproof tests up by file (#10025) This provides greater parallelism. 25% faster at running wycheproof tests locally --- tests/wycheproof/utils.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tests/wycheproof/utils.py b/tests/wycheproof/utils.py index 42fff417ec67..7644b52a8ee9 100644 --- a/tests/wycheproof/utils.py +++ b/tests/wycheproof/utils.py @@ -1,18 +1,22 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import pytest + from ..utils import load_wycheproof_tests def wycheproof_tests(*paths, subdir="testvectors"): def wrapper(func): - def run_wycheproof(backend, subtests, pytestconfig): + @pytest.mark.parametrize("path", paths) + def run_wycheproof(backend, subtests, pytestconfig, path): wycheproof_root = pytestconfig.getoption( "--wycheproof-root", skip=True ) - for path in paths: - for test in load_wycheproof_tests( - wycheproof_root, path, subdir - ): - with subtests.test(): - func(backend, test) + for test in load_wycheproof_tests(wycheproof_root, path, subdir): + with subtests.test(): + func(backend, test) return run_wycheproof From 3ecbf8ea8713d140a23f8dde38b7e0a350addc4a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 20:27:57 +0000 Subject: [PATCH 0818/1014] Bump ruff from 0.1.8 to 0.1.9 (#10026) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.8 to 0.1.9. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.8...v0.1.9) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index dd297014bc87..3ecc2d01807d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.8 +ruff==0.1.9 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From b63c0f40e26136a5a2f8d164e003ac6b3208a547 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 20:32:44 +0000 Subject: [PATCH 0819/1014] Bump proc-macro2 from 1.0.70 to 1.0.71 in /src/rust (#10027) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.70 to 1.0.71. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.70...1.0.71) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 169755e3bab7..f1473552299a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -253,9 +253,9 @@ checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" [[package]] name = "proc-macro2" -version = "1.0.70" +version = "1.0.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39278fbbf5fb4f646ce651690877f89d1c5811a3d4acb27700c1cb3cdb78fd3b" +checksum = "75cb1540fadbd5b8fbccc4dddad2734eba435053f725621c070711a14bb5f4b8" dependencies = [ "unicode-ident", ] From ea5cfdad49d55799f1fbca69bc498e9c518625fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 20:36:46 +0000 Subject: [PATCH 0820/1014] Bump mypy from 1.7.1 to 1.8.0 (#10028) Bumps [mypy](https://github.com/python/mypy) from 1.7.1 to 1.8.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.7.1...v1.8.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3ecc2d01807d..18e4257507dd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.2 # via sphinx markupsafe==2.1.3 # via jinja2 -mypy==1.7.1 +mypy==1.8.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From 7b3e3e5247c85cb9d55e41af686e658d9ab30802 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Dec 2023 13:29:26 +0000 Subject: [PATCH 0821/1014] Bump openssl-sys from 0.9.97 to 0.9.98 in /src/rust (#10030) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.97 to 0.9.98. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.97...openssl-sys-v0.9.98) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f1473552299a..fe4bfa5911c6 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -203,9 +203,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.97" +version = "0.9.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3eaad34cdd97d81de97964fc7f29e2d104f483840d906ef56daa1912338460b" +checksum = "c1665caf8ab2dc9aef43d1c0023bd904633a6a05cb30b0ad59bec2ae986e57a7" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 552c7bee3dae..5b3211694d89 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.61" -openssl-sys = "0.9.97" +openssl-sys = "0.9.98" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 91834e5dc186..8e2a99e8e5f3 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.97" +openssl-sys = "0.9.98" [build-dependencies] cc = "1.0.83" From 58de809f6dc45a4e5e789ad4f5b2226afd844b36 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Dec 2023 13:42:31 +0000 Subject: [PATCH 0822/1014] Bump openssl from 0.10.61 to 0.10.62 in /src/rust (#10031) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.61 to 0.10.62. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.61...openssl-v0.10.62) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fe4bfa5911c6..bd7e87764c04 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -177,9 +177,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.61" +version = "0.10.62" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b8419dc8cc6d866deb801274bba2e6f8f6108c1bb7fcc10ee5ab864931dbb45" +checksum = "8cde4d2d9200ad5909f8dac647e29482e07c3a35de8a13fce7c9c7747ad9f671" dependencies = [ "bitflags 2.4.0", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 5b3211694d89..eff129d572ea 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-validation = { path = "cryptography-x509-validation" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.61" +openssl = "0.10.62" openssl-sys = "0.9.98" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 9d13a259fb87..993a9201d9be 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.61" +openssl = "0.10.62" ffi = { package = "openssl-sys", version = "0.9.91" } foreign-types = "0.3" foreign-types-shared = "0.1" From a47bfb6737d860cdae623ad83968e6e2ccc847db Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 22 Dec 2023 13:55:09 +0000 Subject: [PATCH 0823/1014] Bump BoringSSL and/or OpenSSL in CI (#9968) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72d099bcd52d..060203a8423c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Dec 06, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "59906b3aa8d9f48ad7303edc540912bd588a8e46"}} - # Latest commit on the OpenSSL master branch, as of Dec 06, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "de8e0851a1c0d22533801f081781a9f0be56c2c2"}} + # Latest commit on the BoringSSL master branch, as of Dec 22, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6e0eba6e62333652290514e51b75b966b27b27c"}} + # Latest commit on the OpenSSL master branch, as of Dec 22, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8f0f814d791e0825b96c30494594de619da3e5a5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 3763aa79b6d05e245973ee273f9a04cbab6eaab6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 22 Dec 2023 16:40:08 -0500 Subject: [PATCH 0824/1014] add initial X.509 path validation implementation (#8873) --- .../src/certificate.rs | 26 +- .../cryptography-x509-validation/src/lib.rs | 328 +++++++++++++- .../cryptography-x509-validation/src/ops.rs | 32 -- .../src/policy/extension.rs | 325 ++++++++++++-- .../src/policy/mod.rs | 408 +++++++++++++++++- src/rust/cryptography-x509/src/extensions.rs | 1 + src/rust/src/x509/verify.rs | 44 +- tests/x509/verification/__init__.py | 0 tests/x509/verification/test_limbo.py | 147 +++++++ .../{ => verification}/test_verification.py | 21 +- 10 files changed, 1215 insertions(+), 117 deletions(-) create mode 100644 tests/x509/verification/__init__.py create mode 100644 tests/x509/verification/test_limbo.py rename tests/x509/{ => verification}/test_verification.py (86%) diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs index 8aa65a4a8ac8..335312ccd265 100644 --- a/src/rust/cryptography-x509-validation/src/certificate.rs +++ b/src/rust/cryptography-x509-validation/src/certificate.rs @@ -6,38 +6,24 @@ use cryptography_x509::certificate::Certificate; -use crate::ops::CryptoOps; - -// TODO: Remove these attributes once we start using these helpers. -#[allow(dead_code)] pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool { cert.issuer() == cert.subject() } -#[allow(dead_code)] -pub(crate) fn cert_is_self_signed(cert: &Certificate<'_>, ops: &B) -> bool { - match ops.public_key(cert) { - Ok(pk) => cert_is_self_issued(cert) && ops.verify_signed_by(cert, pk).is_ok(), - Err(_) => false, - } -} - #[cfg(test)] -mod tests { +pub(crate) mod tests { use crate::certificate::Certificate; - use crate::ops::tests::{cert, v1_cert_pem, NullOps}; + use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; - use super::{cert_is_self_issued, cert_is_self_signed}; + use super::cert_is_self_issued; #[test] fn test_certificate_v1() { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; assert!(!cert_is_self_issued(&cert)); - assert!(!cert_is_self_signed(&cert, &ops)); } fn ca_pem() -> pem::Pem { @@ -61,13 +47,11 @@ Xw4nMqk= fn test_certificate_ca() { let cert_pem = ca_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; assert!(cert_is_self_issued(&cert)); - assert!(cert_is_self_signed(&cert, &ops)); } - struct PublicKeyErrorOps {} + pub(crate) struct PublicKeyErrorOps {} impl CryptoOps for PublicKeyErrorOps { type Key = (); type Err = (); @@ -90,10 +74,8 @@ Xw4nMqk= fn test_certificate_public_key_error() { let cert_pem = ca_pem(); let cert = cert(&cert_pem); - let ops = PublicKeyErrorOps {}; assert!(cert_is_self_issued(&cert)); - assert!(!cert_is_self_signed(&cert, &ops)); } #[test] diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs index 4cb7f363ce2b..084eb2a505da 100644 --- a/src/rust/cryptography-x509-validation/src/lib.rs +++ b/src/rust/cryptography-x509-validation/src/lib.rs @@ -11,6 +11,332 @@ pub mod policy; pub mod trust_store; pub mod types; +use std::collections::HashSet; +use std::vec; + +use crate::certificate::cert_is_self_issued; +use crate::types::{DNSConstraint, IPAddress, IPConstraint}; +use crate::ApplyNameConstraintStatus::{Applied, Skipped}; +use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; +use cryptography_x509::{ + certificate::Certificate, + extensions::{NameConstraints, SubjectAlternativeName}, + name::GeneralName, + oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, +}; +use ops::CryptoOps; +use policy::Policy; +use trust_store::Store; +use types::DNSName; + +#[derive(Debug, PartialEq, Eq)] pub enum ValidationError { - Other(&'static str), + CandidatesExhausted(Box), + Malformed(asn1::ParseError), + DuplicateExtension(DuplicateExtensionsError), + Other(String), +} + +impl From for ValidationError { + fn from(value: asn1::ParseError) -> Self { + Self::Malformed(value) + } +} + +impl From for ValidationError { + fn from(value: DuplicateExtensionsError) -> Self { + Self::DuplicateExtension(value) + } +} + +struct NameChain<'a, 'chain> { + child: Option<&'a NameChain<'a, 'chain>>, + sans: Vec>, +} + +impl<'a, 'chain> NameChain<'a, 'chain> { + fn new( + child: Option<&'a NameChain<'a, 'chain>>, + extensions: &Extensions<'chain>, + self_issued_intermediate: bool, + ) -> Result { + let sans = match ( + self_issued_intermediate, + extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID), + ) { + (false, Some(sans)) => sans.value::>()?.collect(), + _ => vec![], + }; + + Ok(Self { child, sans }) + } + + fn evaluate_single_constraint( + &self, + constraint: &GeneralName<'chain>, + san: &GeneralName<'chain>, + ) -> Result { + match (constraint, san) { + (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { + match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (_, None) => Err(ValidationError::Other(format!( + "unsatisfiable DNS name constraint: malformed SAN {}", + name.0 + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed DNS name constraint: {}", + pattern.0 + ))), + } + } + (GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => { + match ( + IPConstraint::from_bytes(pattern), + IPAddress::from_bytes(name), + ) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (_, None) => Err(ValidationError::Other(format!( + "unsatisfiable IP name constraint: malformed SAN {:?}", + name, + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed IP name constraints: {:?}", + pattern + ))), + } + } + _ => Ok(Skipped), + } + } + + fn evaluate_constraints( + &self, + constraints: &NameConstraints<'chain>, + ) -> Result<(), ValidationError> { + if let Some(child) = self.child { + child.evaluate_constraints(constraints)?; + } + + for san in &self.sans { + // If there are no applicable constraints, the SAN is considered valid so the default is true. + let mut permit = true; + if let Some(permitted_subtrees) = &constraints.permitted_subtrees { + for p in permitted_subtrees.unwrap_read().clone() { + let status = self.evaluate_single_constraint(&p.base, san)?; + if status.is_applied() { + permit = status.is_match(); + if permit { + break; + } + } + } + } + + if !permit { + return Err(ValidationError::Other( + "no permitted name constraints matched SAN".into(), + )); + } + + if let Some(excluded_subtrees) = &constraints.excluded_subtrees { + for e in excluded_subtrees.unwrap_read().clone() { + let status = self.evaluate_single_constraint(&e.base, san)?; + if status.is_match() { + return Err(ValidationError::Other( + "excluded name constraint matched SAN".into(), + )); + } + } + } + } + + Ok(()) + } +} + +pub type Chain<'c> = Vec>; + +pub fn verify<'a, 'chain, B: CryptoOps>( + leaf: &'a Certificate<'chain>, + intermediates: impl IntoIterator>, + policy: &Policy<'_, B>, + store: &'a Store<'chain>, +) -> Result, ValidationError> { + let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); + + builder.build_chain(leaf) +} + +struct ChainBuilder<'a, 'chain, B: CryptoOps> { + intermediates: HashSet>, + policy: &'a Policy<'a, B>, + store: &'a Store<'chain>, +} + +// When applying a name constraint, we need to distinguish between a few different scenarios: +// * `Applied(true)`: The name constraint is the same type as the SAN and matches. +// * `Applied(false)`: The name constraint is the same type as the SAN and does not match. +// * `Skipped`: The name constraint is a different type to the SAN. +enum ApplyNameConstraintStatus { + Applied(bool), + Skipped, +} + +impl ApplyNameConstraintStatus { + fn is_applied(&self) -> bool { + matches!(self, Applied(_)) + } + + fn is_match(&self) -> bool { + matches!(self, Applied(true)) + } +} + +impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { + fn new( + intermediates: HashSet>, + policy: &'a Policy<'a, B>, + store: &'a Store<'chain>, + ) -> Self { + Self { + intermediates, + policy, + store, + } + } + + fn potential_issuers( + &'a self, + cert: &'a Certificate<'chain>, + ) -> impl Iterator> + '_ { + // TODO: Optimizations: + // * Use a backing structure that allows us to search by name + // rather than doing a linear scan + // * Search by AKI and other identifiers? + self.store + .iter() + .chain(self.intermediates.iter()) + .filter(|&candidate| candidate.subject() == cert.issuer()) + } + + fn build_chain_inner( + &self, + working_cert: &'a Certificate<'chain>, + current_depth: u8, + working_cert_extensions: &'a Extensions<'chain>, + name_chain: NameChain<'a, 'chain>, + ) -> Result, ValidationError> { + if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { + name_chain.evaluate_constraints(&nc.value()?)?; + } + + // Look in the store's root set to see if the working cert is listed. + // If it is, we've reached the end. + if self.store.contains(working_cert) { + return Ok(vec![working_cert.clone()]); + } + + // Check that our current depth does not exceed our policy-configured + // max depth. We do this after the root set check, since the depth + // only measures the intermediate chain's length, not the root or leaf. + if current_depth > self.policy.max_chain_depth { + return Err(ValidationError::Other( + "chain construction exceeds max depth".into(), + )); + } + + // Otherwise, we collect a list of potential issuers for this cert, + // and continue with the first that verifies. + let mut last_err: Option = None; + for issuing_cert_candidate in self.potential_issuers(working_cert) { + // A candidate issuer is said to verify if it both + // signs for the working certificate and conforms to the + // policy. + let issuer_extensions = issuing_cert_candidate.extensions()?; + match self.policy.valid_issuer( + issuing_cert_candidate, + working_cert, + current_depth, + &issuer_extensions, + ) { + Ok(_) => { + match self.build_chain_inner( + issuing_cert_candidate, + // NOTE(ww): According to RFC 5280, we should only + // increase the chain depth when the certificate is **not** + // self-issued. In practice however, implementations widely + // ignore this requirement, and unconditionally increment + // the depth with every chain member. We choose to do the same; + // see `pathlen::self-issued-certs-pathlen` from x509-limbo + // for the testcase we intentionally fail. + // + // Implementation note for someone looking to change this in the future: + // care should be taken to avoid infinite recursion with self-signed + // certificates in the intermediate set; changing this behavior will + // also require a "is not self-signed" check on intermediate candidates. + // + // See https://gist.github.com/woodruffw/776153088e0df3fc2f0675c5e835f7b8 + // for an example of this change. + current_depth.checked_add(1).ok_or_else(|| { + ValidationError::Other( + "current depth calculation overflowed".to_string(), + ) + })?, + &issuer_extensions, + NameChain::new( + Some(&name_chain), + &issuer_extensions, + // Per RFC 5280 4.2.1.10: Name constraints are not applied + // to subjects in self-issued certificates, *unless* the + // certificate is the "final" (i.e., leaf) certificate in the path. + // We accomplish this by only collecting the SANs when the issuing + // candidate (which is a non-leaf by definition) isn't self-issued. + cert_is_self_issued(issuing_cert_candidate), + )?, + ) { + Ok(mut chain) => { + chain.insert(0, working_cert.clone()); + return Ok(chain); + } + Err(e) => last_err = Some(e), + }; + } + Err(e) => last_err = Some(e), + }; + } + + // We only reach this if we fail to hit our base case above, or if + // a chain building step fails to find a next valid certificate. + Err(ValidationError::CandidatesExhausted(last_err.map_or_else( + || { + Box::new(ValidationError::Other( + "all candidates exhausted with no interior errors".to_string(), + )) + }, + |e| match e { + // Avoid spamming the user with nested `CandidatesExhausted` errors. + ValidationError::CandidatesExhausted(e) => e, + _ => Box::new(e), + }, + ))) + } + + fn build_chain(&self, leaf: &'a Certificate<'chain>) -> Result, ValidationError> { + // Before anything else, check whether the given leaf cert + // is well-formed according to our policy (and its underlying + // certificate profile). + // + // The leaf must be an EE; a CA cert in the leaf position will be rejected. + let leaf_extensions = leaf.extensions()?; + + self.policy.permits_ee(leaf, &leaf_extensions)?; + + self.build_chain_inner( + leaf, + 0, + &leaf_extensions, + NameChain::new(None, &leaf_extensions, false)?, + ) + } } diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-validation/src/ops.rs index 47529cf0bc0f..719d9aa04617 100644 --- a/src/rust/cryptography-x509-validation/src/ops.rs +++ b/src/rust/cryptography-x509-validation/src/ops.rs @@ -25,26 +25,6 @@ pub trait CryptoOps { pub(crate) mod tests { use cryptography_x509::certificate::Certificate; - use super::CryptoOps; - - pub(crate) struct NullOps {} - impl CryptoOps for NullOps { - type Key = (); - type Err = (); - - fn public_key(&self, _cert: &Certificate<'_>) -> Result { - Ok(()) - } - - fn verify_signed_by( - &self, - _cert: &Certificate<'_>, - _key: Self::Key, - ) -> Result<(), Self::Err> { - Ok(()) - } - } - pub(crate) fn v1_cert_pem() -> pem::Pem { pem::parse( " @@ -65,16 +45,4 @@ zl9HYIMxATFyqSiD9jsx pub(crate) fn cert(cert_pem: &pem::Pem) -> Certificate<'_> { asn1::parse_single(cert_pem.contents()).unwrap() } - - #[test] - fn test_nullops() { - let cert_pem = v1_cert_pem(); - let cert = cert(&cert_pem); - - let ops = NullOps {}; - assert_eq!(ops.public_key(&cert), Ok(())); - assert!(ops - .verify_signed_by(&cert, ops.public_key(&cert).unwrap()) - .is_ok()); - } } diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-validation/src/policy/extension.rs index e4f1397bb8d2..834506af6594 100644 --- a/src/rust/cryptography-x509-validation/src/policy/extension.rs +++ b/src/rust/cryptography-x509-validation/src/policy/extension.rs @@ -8,14 +8,9 @@ use cryptography_x509::{ extensions::{Extension, Extensions}, }; -use crate::{ops::CryptoOps, ValidationError}; - -use super::Policy; - -// TODO: Remove `dead_code` attributes once we start using these helpers. +use crate::{ops::CryptoOps, policy::Policy, ValidationError}; /// Represents different criticality states for an extension. -#[allow(dead_code)] pub(crate) enum Criticality { /// The extension MUST be marked as critical. Critical, @@ -25,7 +20,6 @@ pub(crate) enum Criticality { NonCritical, } -#[allow(dead_code)] impl Criticality { pub(crate) fn permits(&self, critical: bool) -> bool { match (self, critical) { @@ -38,16 +32,13 @@ impl Criticality { } } -#[allow(dead_code)] type PresentExtensionValidatorCallback = fn(&Policy<'_, B>, &Certificate<'_>, &Extension<'_>) -> Result<(), ValidationError>; -#[allow(dead_code)] type MaybeExtensionValidatorCallback = fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), ValidationError>; /// Represents different validation states for an extension. -#[allow(dead_code)] pub(crate) enum ExtensionValidator { /// The extension MUST NOT be present. NotPresent, @@ -69,13 +60,11 @@ pub(crate) enum ExtensionValidator { /// A "policy" for validating a specific X.509v3 extension, identified by /// its OID. -#[allow(dead_code)] pub(crate) struct ExtensionPolicy { pub(crate) oid: asn1::ObjectIdentifier, pub(crate) validator: ExtensionValidator, } -#[allow(dead_code)] impl ExtensionPolicy { pub(crate) fn not_present(oid: ObjectIdentifier) -> Self { Self { @@ -123,12 +112,13 @@ impl ExtensionPolicy { (ExtensionValidator::NotPresent, None) => Ok(()), // Extension MUST NOT be present but is; NOT OK. (ExtensionValidator::NotPresent, Some(_)) => Err(ValidationError::Other( - "EE certificate contains prohibited extension", + "EE certificate contains prohibited extension".to_string(), )), // Extension MUST be present but is not; NOT OK. - (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other( - "EE certificate is missing required extension", - )), + (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other(format!( + "EE certificate is missing required extension: {}", + self.oid + ))), // Extension MUST be present and is; check it. ( ExtensionValidator::Present { @@ -139,7 +129,7 @@ impl ExtensionPolicy { ) => { if !criticality.permits(extn.critical) { return Err(ValidationError::Other( - "EE certificate extension has incorrect criticality", + "EE certificate extension has incorrect criticality".to_string(), )); } @@ -160,7 +150,7 @@ impl ExtensionPolicy { .map_or(false, |extn| !criticality.permits(extn.critical)) { return Err(ValidationError::Other( - "EE certificate extension has incorrect criticality", + "EE certificate extension has incorrect criticality".to_string(), )); } @@ -171,14 +161,297 @@ impl ExtensionPolicy { } } +pub(crate) mod ee { + use cryptography_x509::{ + certificate::Certificate, + extensions::{ + BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage, SubjectAlternativeName, + }, + }; + + use crate::{ + ops::CryptoOps, + policy::{Policy, ValidationError}, + }; + + pub(crate) fn basic_constraints( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let basic_constraints: BasicConstraints = extn.value()?; + + if basic_constraints.ca { + return Err(ValidationError::Other( + "basicConstraints.cA must not be asserted in an EE certificate".to_string(), + )); + } + } + + Ok(()) + } + + pub(crate) fn subject_alternative_name( + policy: &Policy<'_, B>, + cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), ValidationError> { + match (cert.subject().is_empty(), extn.critical) { + // If the subject is empty, the SAN MUST be critical. + (true, false) => { + return Err(ValidationError::Other( + "EE subjectAltName MUST be critical when subject is empty".to_string(), + )); + } + // If the subject is non-empty, the SAN MUST NOT be critical. + (false, true) => { + return Err(ValidationError::Other( + "EE subjectAltName MUST NOT be critical when subject is nonempty".to_string(), + )) + } + _ => (), + }; + + let san: SubjectAlternativeName<'_> = extn.value()?; + if !policy.subject.matches(&san) { + return Err(ValidationError::Other( + "leaf certificate has no matching subjectAltName".into(), + )); + } + + Ok(()) + } + + pub(crate) fn extended_key_usage( + policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + + // CABF requires EKUs in EE certs, but this is widely ignored + // by implementations (which treat a missing EKU as "any EKU"). + // On the other hand, if the EKU is present, it **must** be + // the one specified in the policy (e.g., `serverAuth`) and + // **must not** be the explicit `anyExtendedKeyUsage` EKU. + // See: CABF 7.1.2.7.10. + if ekus.any(|eku| eku == policy.extended_key_usage) { + Ok(()) + } else { + Err(ValidationError::Other("required EKU not found".to_string())) + } + } else { + Ok(()) + } + } + + pub(crate) fn key_usage( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let key_usage: KeyUsage<'_> = extn.value()?; + + if key_usage.key_cert_sign() { + return Err(ValidationError::Other( + "EE keyUsage must not assert keyCertSign".to_string(), + )); + } + } + + Ok(()) + } +} + +pub(crate) mod ca { + use cryptography_x509::{ + certificate::Certificate, + extensions::{ + AuthorityKeyIdentifier, BasicConstraints, ExtendedKeyUsage, Extension, KeyUsage, + NameConstraints, + }, + oid::EKU_ANY_KEY_USAGE_OID, + }; + + use crate::{ + ops::CryptoOps, + policy::{Policy, ValidationError}, + }; + + pub(crate) fn authority_key_identifier( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + // CABF: AKI is required on all CA certificates *except* root CA certificates, + // where is it merely recommended. This is slightly different from RFC 5280, + // which requires AKI on all CA certificates *except* self-signed root CA certificates. + // + // This discrepancy poses a challenge: from a strict CABF perspective we should + // require the AKI unless we're on a root CA, but we lack the context to determine that + // here. We *could* infer that we're on a root by checking whether the CA is self-signed, + // but many root CAs still use RSA with SHA-1 (which is intentionally unsupported + // for signature verification). + // + // Consequently, the best we can currently do here is check whether the AKI conforms + // to the CABF mandated format, *if* it exists. This means that we will accept + // some chains that are not strictly CABF compliant (e.g. ones where intermediate + // CAs are missing AKIs), but this is a relatively minor discrepancy. + if let Some(extn) = extn { + let aki: AuthorityKeyIdentifier<'_> = extn.value()?; + // 7.1.2.11.1 Authority Key Identifier: + + // keyIdentifier MUST be present. + // TODO: Check that keyIdentifier matches subjectKeyIdentifier. + if aki.key_identifier.is_none() { + return Err(ValidationError::Other( + "authorityKeyIdentifier must contain keyIdentifier".to_string(), + )); + } + + // authorityCertIssuer and authorityCertSerialNumber MUST NOT be present. + if aki.authority_cert_issuer.is_some() { + return Err(ValidationError::Other( + "authorityKeyIdentifier must not contain authorityCertIssuer".to_string(), + )); + } + + if aki.authority_cert_serial_number.is_some() { + return Err(ValidationError::Other( + "authorityKeyIdentifier must not contain authorityCertSerialNumber".to_string(), + )); + } + } + + Ok(()) + } + + pub(crate) fn key_usage( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), ValidationError> { + let key_usage: KeyUsage<'_> = extn.value()?; + + if !key_usage.key_cert_sign() { + return Err(ValidationError::Other( + "keyUsage.keyCertSign must be asserted in a CA certificate".to_string(), + )); + } + + Ok(()) + } + + pub(crate) fn basic_constraints( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: &Extension<'_>, + ) -> Result<(), ValidationError> { + let basic_constraints: BasicConstraints = extn.value()?; + + if !basic_constraints.ca { + return Err(ValidationError::Other( + "basicConstraints.cA must be asserted in a CA certificate".to_string(), + )); + } + + // NOTE: basicConstraints.pathLength is checked as part of + // `Policy::permits_ca`, since we need the current chain building + // depth to check it. + + Ok(()) + } + + pub(crate) fn name_constraints( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let name_constraints: NameConstraints<'_> = extn.value()?; + + let permitted_subtrees_empty = name_constraints + .permitted_subtrees + .as_ref() + .map_or(true, |pst| pst.unwrap_read().is_empty()); + let excluded_subtrees_empty = name_constraints + .excluded_subtrees + .as_ref() + .map_or(true, |est| est.unwrap_read().is_empty()); + + if permitted_subtrees_empty && excluded_subtrees_empty { + return Err(ValidationError::Other( + "nameConstraints must have non-empty permittedSubtrees or excludedSubtrees" + .to_string(), + )); + } + + // NOTE: Both RFC 5280 and CABF require each `GeneralSubtree` + // to have `minimum=0` and `maximum=NULL`, but experimentally + // not many validators check for this. + } + + Ok(()) + } + + pub(crate) fn extended_key_usage( + policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + let mut ekus: ExtendedKeyUsage<'_> = extn.value()?; + + // NOTE: CABF explicitly forbids anyEKU in and most CA certs, + // but this is widely (universally?) ignored by other implementations. + if ekus.any(|eku| eku == policy.extended_key_usage || eku == EKU_ANY_KEY_USAGE_OID) { + Ok(()) + } else { + Err(ValidationError::Other("required EKU not found".to_string())) + } + } else { + Ok(()) + } + } +} + +pub(crate) mod common { + use cryptography_x509::{ + certificate::Certificate, + extensions::{Extension, SequenceOfAccessDescriptions}, + }; + + use crate::{ + ops::CryptoOps, + policy::{Policy, ValidationError}, + }; + + pub(crate) fn authority_information_access( + _policy: &Policy<'_, B>, + _cert: &Certificate<'_>, + extn: Option<&Extension<'_>>, + ) -> Result<(), ValidationError> { + if let Some(extn) = extn { + // We don't currently do anything useful with these, but we + // do check that they're well-formed. + let _: SequenceOfAccessDescriptions<'_> = extn.value()?; + } + + Ok(()) + } +} + #[cfg(test)] mod tests { use super::{Criticality, ExtensionPolicy}; - use crate::ops::tests::{cert, v1_cert_pem, NullOps}; + use crate::certificate::tests::PublicKeyErrorOps; + use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; - use crate::policy::{Policy, Subject}; + use crate::policy::{Policy, Subject, ValidationError}; use crate::types::DNSName; - use crate::ValidationError; use asn1::{ObjectIdentifier, SimpleAsn1Writable}; use cryptography_x509::certificate::Certificate; use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; @@ -237,7 +510,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), @@ -286,7 +559,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), @@ -327,7 +600,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), @@ -364,7 +637,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), @@ -397,7 +670,7 @@ mod tests { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); - let ops = NullOps {}; + let ops = PublicKeyErrorOps {}; let policy = Policy::new( ops, Subject::DNS(DNSName::new("example.com").unwrap()), diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs index 4e897c3c932e..2e3652505e57 100644 --- a/src/rust/cryptography-x509-validation/src/policy/mod.rs +++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs @@ -5,21 +5,30 @@ mod extension; use std::collections::HashSet; +use std::ops::Range; use asn1::ObjectIdentifier; +use cryptography_x509::certificate::Certificate; use once_cell::sync::Lazy; use cryptography_x509::common::{ - AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, PSS_SHA256_HASH_ALG, - PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, PSS_SHA512_HASH_ALG, - PSS_SHA512_MASK_GEN_ALG, + AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, Time, + PSS_SHA256_HASH_ALG, PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, + PSS_SHA512_HASH_ALG, PSS_SHA512_MASK_GEN_ALG, }; -use cryptography_x509::extensions::SubjectAlternativeName; +use cryptography_x509::extensions::{BasicConstraints, Extensions, SubjectAlternativeName}; use cryptography_x509::name::GeneralName; -use cryptography_x509::oid::{EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID}; +use cryptography_x509::oid::{ + AUTHORITY_INFORMATION_ACCESS_OID, AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, + EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID, EXTENDED_KEY_USAGE_OID, + KEY_USAGE_OID, NAME_CONSTRAINTS_OID, POLICY_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID, + SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, +}; +use self::extension::{ca, common, ee, Criticality, ExtensionPolicy}; use crate::ops::CryptoOps; use crate::types::{DNSName, DNSPattern, IPAddress}; +use crate::ValidationError; // SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1. @@ -180,7 +189,7 @@ impl Subject<'_> { /// A `Policy` describes user-configurable aspects of X.509 path validation. pub struct Policy<'a, B: CryptoOps> { - _ops: B, + pub ops: B, /// A top-level constraint on the length of intermediate CA paths /// constructed under this policy. @@ -207,6 +216,10 @@ pub struct Policy<'a, B: CryptoOps> { /// The set of permitted signature algorithms, identified by their /// algorithm identifiers. pub permitted_signature_algorithms: HashSet>, + + common_extension_policies: Vec>, + ca_extension_policies: Vec>, + ee_extension_policies: Vec>, } impl<'a, B: CryptoOps> Policy<'a, B> { @@ -219,7 +232,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { max_chain_depth: Option, ) -> Self { Self { - _ops: ops, + ops, max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH), subject, validation_time: time, @@ -234,15 +247,333 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .into_iter() .cloned() .collect(), + common_extension_policies: Vec::from([ + // 5280 4.2.1.8: Subject Directory Attributes + ExtensionPolicy::maybe_present( + SUBJECT_DIRECTORY_ATTRIBUTES_OID, + Criticality::NonCritical, + None, + ), + // 5280 4.2.2.1: Authority Information Access + ExtensionPolicy::maybe_present( + AUTHORITY_INFORMATION_ACCESS_OID, + Criticality::NonCritical, + Some(common::authority_information_access), + ), + ]), + ca_extension_policies: Vec::from([ + // 5280 4.2.1.1: Authority Key Identifier + ExtensionPolicy::maybe_present( + AUTHORITY_KEY_IDENTIFIER_OID, + Criticality::NonCritical, + Some(ca::authority_key_identifier), + ), + // 5280 4.2.1.2: Subject Key Identifier + // NOTE: CABF requires SKI in CA certificates, but many older CAs lack it. + // We choose to be permissive here. + ExtensionPolicy::maybe_present( + SUBJECT_KEY_IDENTIFIER_OID, + Criticality::NonCritical, + None, + ), + // 5280 4.2.1.3: Key Usage + ExtensionPolicy::present(KEY_USAGE_OID, Criticality::Agnostic, Some(ca::key_usage)), + // 5280 4.2.1.9: Basic Constraints + ExtensionPolicy::present( + BASIC_CONSTRAINTS_OID, + Criticality::Critical, + Some(ca::basic_constraints), + ), + // 5280 4.2.1.10: Name Constraints + // NOTE: MUST be critical in 5280, but CABF relaxes to MAY. + ExtensionPolicy::maybe_present( + NAME_CONSTRAINTS_OID, + Criticality::Agnostic, + Some(ca::name_constraints), + ), + // 5280 4.2.1.11: Policy Constraints + ExtensionPolicy::maybe_present(POLICY_CONSTRAINTS_OID, Criticality::Critical, None), + // 5280: 4.2.1.12: Extended Key Usage + // NOTE: CABF requires EKUs in many non-root CA certs, but validators widely + // ignore this requirement and treat a missing EKU as "any EKU". + // We choose to be permissive here. + ExtensionPolicy::maybe_present( + EXTENDED_KEY_USAGE_OID, + Criticality::NonCritical, + Some(ca::extended_key_usage), + ), + ]), + ee_extension_policies: Vec::from([ + // 5280 4.2.1.1.: Authority Key Identifier + ExtensionPolicy::present( + AUTHORITY_KEY_IDENTIFIER_OID, + Criticality::NonCritical, + None, + ), + // 5280 4.2.1.3: Key Usage + ExtensionPolicy::maybe_present( + KEY_USAGE_OID, + Criticality::Agnostic, + Some(ee::key_usage), + ), + // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name + ExtensionPolicy::present( + SUBJECT_ALTERNATIVE_NAME_OID, + Criticality::Agnostic, + Some(ee::subject_alternative_name), + ), + // 5280 4.2.1.9: Basic Constraints + ExtensionPolicy::maybe_present( + BASIC_CONSTRAINTS_OID, + Criticality::Agnostic, + Some(ee::basic_constraints), + ), + // 5280 4.2.1.10: Name Constraints + ExtensionPolicy::not_present(NAME_CONSTRAINTS_OID), + // CA/B: 7.1.2.7.10: Subscriber Certificate Extended Key Usage + // NOTE: CABF requires EKUs in EE certs, while RFC 5280 does not. + ExtensionPolicy::maybe_present( + EXTENDED_KEY_USAGE_OID, + Criticality::NonCritical, + Some(ee::extended_key_usage), + ), + ]), + } + } + + fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), ValidationError> { + let extensions = cert.extensions()?; + + // CA/B 7.1.1: + // Certificates MUST be of type X.509 v3. + if cert.tbs_cert.version != 2 { + return Err(ValidationError::Other( + "certificate must be an X509v3 certificate".to_string(), + )); + } + + // 5280 4.1.1.2 / 4.1.2.3: signatureAlgorithm / TBS Certificate Signature + // The top-level signatureAlgorithm and TBSCert signature algorithm + // MUST match. + if cert.signature_alg != cert.tbs_cert.signature_alg { + return Err(ValidationError::Other( + "mismatch between signatureAlgorithm and SPKI algorithm".to_string(), + )); + } + + // 5280 4.1.2.2: Serial Number + // Per 5280: The serial number MUST be a positive integer. + // In practice, there are a few roots in common trust stores (like certifi) + // that have `serial == 0`, so we can't enforce this yet. + let serial_bytes = cert.tbs_cert.serial.as_bytes(); + if !(1..=21).contains(&serial_bytes.len()) { + // Conforming CAs MUST NOT use serial numbers longer than 20 octets. + // NOTE: In practice, this requires us to check for an encoding of + // 21 octets, since some CAs generate 20 bytes of randomness and + // then forget to check whether that number would be negative, resulting + // in a 21-byte encoding. + return Err(ValidationError::Other( + "certificate must have a serial between 1 and 20 octets".to_string(), + )); + } else if serial_bytes[0] & 0x80 == 0x80 { + // TODO: replace with `is_negative`: https://github.com/alex/rust-asn1/pull/425 + return Err(ValidationError::Other( + "certificate serial number cannot be negative".to_string(), + )); + } + + // 5280 4.1.2.4: Issuer + // The issuer MUST be a non-empty distinguished name. + if cert.issuer().is_empty() { + return Err(ValidationError::Other( + "certificate must have a non-empty Issuer".to_string(), + )); + } + + // 5280 4.1.2.5: Validity + // Validity dates before 2050 MUST be encoded as UTCTime; + // dates in or after 2050 MUST be encoded as GeneralizedTime. + let not_before = cert.tbs_cert.validity.not_before.as_datetime(); + let not_after = cert.tbs_cert.validity.not_after.as_datetime(); + permits_validity_date(&cert.tbs_cert.validity.not_before)?; + permits_validity_date(&cert.tbs_cert.validity.not_after)?; + if &self.validation_time < not_before || &self.validation_time > not_after { + return Err(ValidationError::Other( + "cert is not valid at validation time".to_string(), + )); + } + + // Extension policy checks. + for ext_policy in self.common_extension_policies.iter() { + ext_policy.permits(self, cert, &extensions)?; + } + + // Check that all critical extensions in this certificate are accounted for. + let critical_extensions = extensions + .iter() + .filter(|e| e.critical) + .map(|e| e.extn_id) + .collect::>(); + let checked_extensions = self + .common_extension_policies + .iter() + .chain(self.ca_extension_policies.iter()) + .chain(self.ee_extension_policies.iter()) + .map(|p| p.oid.clone()) + .collect::>(); + + if critical_extensions + .difference(&checked_extensions) + .next() + .is_some() + { + // TODO: Render the OIDs here. + return Err(ValidationError::Other( + "certificate contains unaccounted-for critical extensions".to_string(), + )); + } + + Ok(()) + } + + /// Checks whether the given CA certificate is compatible with this policy. + pub(crate) fn permits_ca( + &self, + cert: &Certificate<'_>, + current_depth: u8, + extensions: &Extensions<'_>, + ) -> Result<(), ValidationError> { + self.permits_basic(cert)?; + + // 5280 4.1.2.6: Subject + // CA certificates MUST have a subject populated with a non-empty distinguished name. + // No check required here: `permits_basic` checks that the issuer is non-empty + // and `ChainBuilder::potential_issuers` enforces subject/issuer matching, + // meaning that an CA with an empty subject cannot occur in a built chain. + + // NOTE: This conceptually belongs in `valid_issuer`, but is easier + // to test here. It's also conceptually an extension policy, but + // requires a bit of extra external state (`current_depth`) that isn't + // presently convenient to push into that layer. + // + // NOTE: BasicConstraints is required via `ca_extension_policies`, + // so we always take this branch. + if let Some(bc) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) { + let bc: BasicConstraints = bc.value()?; + + if bc + .path_length + .map_or(false, |len| u64::from(current_depth) > len) + { + return Err(ValidationError::Other( + "path length constraint violated".to_string(), + ))?; + } + } + + for ext_policy in self.ca_extension_policies.iter() { + ext_policy.permits(self, cert, extensions)?; + } + + Ok(()) + } + + /// Checks whether the given EE certificate is compatible with this policy. + pub(crate) fn permits_ee( + &self, + cert: &Certificate<'_>, + extensions: &Extensions<'_>, + ) -> Result<(), ValidationError> { + self.permits_basic(cert)?; + + for ext_policy in self.ee_extension_policies.iter() { + ext_policy.permits(self, cert, extensions)?; + } + + Ok(()) + } + + /// Checks whether `issuer` is a valid issuing CA for `child` at a + /// path-building depth of `current_depth`. + /// + /// This checks that `issuer` is permitted under this policy and that + /// it was used to sign for `child`. + /// + /// As a precondition, the caller must have already checked that + /// `issuer.subject() == child.issuer()`. + /// + /// On success, this function returns the new path-building depth. This + /// may or may not be a higher number than the original depth, depending + /// on the kind of validation performed (e.g., whether the issuer was + /// self-issued). + pub(crate) fn valid_issuer( + &self, + issuer: &Certificate<'_>, + child: &Certificate<'_>, + current_depth: u8, + issuer_extensions: &Extensions<'_>, + ) -> Result<(), ValidationError> { + // The issuer needs to be a valid CA at the current depth. + self.permits_ca(issuer, current_depth, issuer_extensions)?; + + // CA/B 7.1.3.1 SubjectPublicKeyInfo + if !self + .permitted_public_key_algorithms + .contains(&child.tbs_cert.spki.algorithm) + { + return Err(ValidationError::Other(format!( + "Forbidden public key algorithm: {:?}", + &child.tbs_cert.spki.algorithm + ))); + } + + // CA/B 7.1.3.2 Signature AlgorithmIdentifier + if !self + .permitted_signature_algorithms + .contains(&child.signature_alg) + { + return Err(ValidationError::Other(format!( + "Forbidden signature algorithm: {:?}", + &child.signature_alg + ))); + } + + let pk = self + .ops + .public_key(issuer) + .map_err(|_| ValidationError::Other("issuer has malformed public key".to_string()))?; + if self.ops.verify_signed_by(child, pk).is_err() { + return Err(ValidationError::Other( + "signature does not match".to_string(), + )); + } + + Ok(()) + } +} + +fn permits_validity_date(validity_date: &Time) -> Result<(), ValidationError> { + const GENERALIZED_DATE_INVALIDITY_RANGE: Range = 1950..2050; + + // NOTE: The inverse check on `asn1::UtcTime` is already done for us + // by the variant's constructor. + if let Time::GeneralizedTime(_) = validity_date { + if GENERALIZED_DATE_INVALIDITY_RANGE.contains(&validity_date.as_datetime().year()) { + return Err(ValidationError::Other( + "validity dates between 1950 and 2049 must be UtcTime".to_string(), + )); } } + + Ok(()) } #[cfg(test)] mod tests { use std::ops::Deref; - use asn1::SequenceOfWriter; + use asn1::{DateTime, SequenceOfWriter}; + use cryptography_x509::common::Time; use cryptography_x509::{ extensions::SubjectAlternativeName, name::{GeneralName, UnvalidatedIA5String}, @@ -257,9 +588,9 @@ mod tests { }; use super::{ - ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, RSASSA_PKCS1V15_SHA384, - RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, RSASSA_PSS_SHA512, - WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, + permits_validity_date, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, + RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, }; #[test] @@ -380,7 +711,7 @@ mod tests { assert!(!ip_sub.matches(&any_cryptography_io)); } - // Single SAN, IP range. + // Single SAN, IP address. { let ip_gn = GeneralName::IPAddress(&[127, 0, 0, 1]); let san_der = asn1::write_single(&SequenceOfWriter::new([ip_gn])).unwrap(); @@ -413,4 +744,57 @@ mod tests { assert!(!domain_sub.matches(&any_cryptography_io)); } } + + #[test] + fn test_validity_date() { + { + // Pre-2050 date. + let utc_dt = DateTime::new(1980, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(permits_validity_date(&utc_validity).is_ok()); + assert!(permits_validity_date(&generalized_validity).is_err()); + } + { + // 2049 date. + let utc_dt = DateTime::new(2049, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + let utc_validity = Time::UtcTime(asn1::UtcTime::new(utc_dt).unwrap()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(permits_validity_date(&utc_validity).is_ok()); + assert!(permits_validity_date(&generalized_validity).is_err()); + } + { + // 2050 date. + let utc_dt = DateTime::new(2050, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + assert!(asn1::UtcTime::new(utc_dt).is_err()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(permits_validity_date(&generalized_validity).is_ok()); + } + { + // 2051 date. + let utc_dt = DateTime::new(2051, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + // The `asn1::UtcTime` constructor prevents this. + assert!(asn1::UtcTime::new(utc_dt).is_err()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(permits_validity_date(&generalized_validity).is_ok()); + } + { + // Post-2050 date. + let utc_dt = DateTime::new(3050, 1, 1, 0, 0, 0).unwrap(); + let generalized_dt = utc_dt.clone(); + // The `asn1::UtcTime` constructor prevents this. + assert!(asn1::UtcTime::new(utc_dt).is_err()); + let generalized_validity = + Time::GeneralizedTime(asn1::GeneralizedTime::new(generalized_dt).unwrap()); + assert!(permits_validity_date(&generalized_validity).is_ok()); + } + } } diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index db7cdd82a5e8..15c495147759 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -8,6 +8,7 @@ use crate::common; use crate::crl; use crate::name; +#[derive(Debug, PartialEq, Eq)] pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index e074b9cb3009..d664e3814bba 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -6,6 +6,7 @@ use cryptography_x509::certificate::Certificate; use cryptography_x509_validation::{ ops::CryptoOps, policy::{Policy, Subject}, + trust_store::Store, types::{DNSName, IPAddress}, }; @@ -18,6 +19,8 @@ use crate::{ exceptions::VerificationError, }; +use super::certificate::OwnedCertificate; + pub(crate) struct PyCryptoOps {} impl CryptoOps for PyCryptoOps { @@ -103,11 +106,44 @@ impl PyServerVerifier { fn verify<'p>( &self, - _py: pyo3::Python<'p>, - _leaf: &PyCertificate, - _intermediates: &'p pyo3::types::PyList, + py: pyo3::Python<'p>, + leaf: &PyCertificate, + intermediates: Vec>, ) -> CryptographyResult> { - Err(VerificationError::new_err("unimplemented").into()) + let store = Store::new( + self.store + .as_ref(py) + .get() + .0 + .iter() + .map(|t| t.get().raw.borrow_dependent().clone()), + ); + + let policy = self.as_policy(); + let chain = cryptography_x509_validation::verify( + leaf.raw.borrow_dependent(), + intermediates + .iter() + .map(|i| i.raw.borrow_dependent().clone()), + policy, + &store, + ) + .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; + + // TODO: Optimize this? Turning a Certificate back into a PyCertificate + // involves a full round-trip back through DER, which isn't ideal. + chain + .iter() + .map(|c| { + let raw = pyo3::types::PyBytes::new(py, &asn1::write_single(c)?); + Ok(PyCertificate { + raw: OwnedCertificate::try_new(raw.into(), |raw| { + asn1::parse_single(raw.as_bytes(py)) + })?, + cached_extensions: pyo3::once_cell::GILOnceCell::new(), + }) + }) + .collect() } } diff --git a/tests/x509/verification/__init__.py b/tests/x509/verification/__init__.py new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py new file mode 100644 index 000000000000..2d2f1fd6fe0f --- /dev/null +++ b/tests/x509/verification/test_limbo.py @@ -0,0 +1,147 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import datetime +import ipaddress +import json +import os + +import pytest + +from cryptography import x509 +from cryptography.x509 import load_pem_x509_certificate +from cryptography.x509.verification import ( + PolicyBuilder, + Store, + VerificationError, +) + +LIMBO_UNSUPPORTED_FEATURES = { + # NOTE: Path validation is required to reject wildcards on public suffixes, + # however this isn't practical and most implementations make no attempt to + # comply with this. + "pedantic-public-suffix-wildcard", + # TODO: We don't support Distinguished Name Constraints yet. + "name-constraint-dn", + # Our support for custom EKUs is limited, and we (like most impls.) don't + # handle all EKU conditions under CABF. + "pedantic-webpki-eku", + # Similarly: contains tests that fail based on a strict reading of RFC 5280 + # but are widely ignored by validators. + "pedantic-rfc5280", + # In rare circumstances, CABF relaxes RFC 5280's prescriptions in + # incompatible ways. Our validator always tries (by default) to comply + # closer to CABF, so we skip these. + "rfc5280-incompatible-with-webpki", +} + +LIMBO_SKIP_TESTCASES = { + # We unconditionally count intermediate certificates for pathlen and max + # depth constraint purposes, even when self-issued. + # This is a violation of RFC 5280, but is consistent with Go's crypto/x509 + # and Rust's webpki crate do. + "pathlen::self-issued-certs-pathlen", + "pathlen::max-chain-depth-1-self-issued", + # We allow certificates with serial numbers of zero. This is + # invalid under RFC 5280 but is widely violated by certs in common + # trust stores. + "rfc5280::serial::zero", + # We allow CAs that don't have AKIs, which is forbidden under + # RFC 5280. This is consistent with what Go's crypto/x509 and Rust's + # webpki crate do. + "rfc5280::ski::root-missing-ski", + "rfc5280::ski::intermediate-missing-ski", + # We currently allow intermediate CAs that don't have AKIs, which + # is technically forbidden under CABF. This is consistent with what + # Go's crypto/x509 and Rust's webpki crate do. + "rfc5280::aki::intermediate-missing-aki", + # We allow root CAs where the AKI and SKI mismatch, which is technically + # forbidden under CABF. This is consistent with what + # Go's crypto/x509 and Rust's webpki crate do. + "webpki::aki::root-with-aki-ski-mismatch", + # We disallow CAs in the leaf position, which is explicitly forbidden + # by CABF (but implicitly permitted under RFC 5280). This is consistent + # with what webpki and rustls do, but inconsistent with Go and OpenSSL. + "rfc5280::ca-as-leaf", + "pathlen::validation-ignores-pathlen-in-leaf", +} + + +def _get_limbo_peer(expected_peer): + kind = expected_peer["kind"] + assert kind in ("DNS", "IP") + value = expected_peer["value"] + if kind == "DNS": + return x509.DNSName(value) + else: + return x509.IPAddress(ipaddress.ip_address(value)) + + +def _limbo_testcase(id_, testcase): + if id_ in LIMBO_SKIP_TESTCASES: + return + + features = testcase["features"] + if LIMBO_UNSUPPORTED_FEATURES.intersection(features): + return + assert testcase["validation_kind"] == "SERVER" + assert testcase["signature_algorithms"] == [] + assert testcase["extended_key_usage"] == [] or testcase[ + "extended_key_usage" + ] == ["serverAuth"] + assert testcase["expected_peer_names"] == [] + + trusted_certs = [ + load_pem_x509_certificate(cert.encode()) + for cert in testcase["trusted_certs"] + ] + untrusted_intermediates = [ + load_pem_x509_certificate(cert.encode()) + for cert in testcase["untrusted_intermediates"] + ] + peer_certificate = load_pem_x509_certificate( + testcase["peer_certificate"].encode() + ) + peer_name = _get_limbo_peer(testcase["expected_peer_name"]) + validation_time = testcase["validation_time"] + validation_time = ( + datetime.datetime.fromisoformat(validation_time) + if validation_time is not None + else None + ) + max_chain_depth = testcase["max_chain_depth"] + should_pass = testcase["expected_result"] == "SUCCESS" + + verifier = PolicyBuilder( + time=validation_time, + store=Store(trusted_certs), + max_chain_depth=max_chain_depth, + ).build_server_verifier(peer_name) + + if should_pass: + built_chain = verifier.verify( + peer_certificate, untrusted_intermediates + ) + + # Assert that the verifier returns chains in [EE, ..., TA] order. + assert built_chain[0] == peer_certificate + for intermediate in built_chain[1:-1]: + assert intermediate in untrusted_intermediates + assert built_chain[-1] in trusted_certs + else: + with pytest.raises(VerificationError): + verifier.verify(peer_certificate, untrusted_intermediates) + + +def test_limbo(subtests, pytestconfig): + limbo_root = pytestconfig.getoption("--x509-limbo-root", skip=True) + limbo_path = os.path.join(limbo_root, "limbo.json") + with open(limbo_path, mode="rb") as limbo_file: + limbo = json.load(limbo_file) + testcases = limbo["testcases"] + for testcase in testcases: + with subtests.test(): + # NOTE: Pass in the id separately to make pytest + # error renderings slightly nicer. + _limbo_testcase(testcase["id"], testcase) diff --git a/tests/x509/test_verification.py b/tests/x509/verification/test_verification.py similarity index 86% rename from tests/x509/test_verification.py rename to tests/x509/verification/test_verification.py index 73012dee03e1..d4b0bc07d606 100644 --- a/tests/x509/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -11,11 +11,7 @@ from cryptography import x509 from cryptography.x509.general_name import DNSName, IPAddress -from cryptography.x509.verification import ( - PolicyBuilder, - Store, - VerificationError, -) +from cryptography.x509.verification import PolicyBuilder, Store from tests.x509.test_x509 import _load_cert @@ -107,18 +103,3 @@ def test_store_rejects_empty_list(self): def test_store_rejects_non_certificates(self): with pytest.raises(TypeError): Store(["not a cert"]) # type: ignore[list-item] - - -class TestServerVerifier: - def test_not_implemented(self): - verifier = ( - PolicyBuilder() - .store(dummy_store()) - .build_server_verifier(DNSName("cryptography.io")) - ) - cert = _load_cert( - os.path.join("x509", "cryptography.io.pem"), - x509.load_pem_x509_certificate, - ) - with pytest.raises(VerificationError): - verifier.verify(cert, []) From 38461e1c6d9678a0dc1faad3877b075643556f21 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 22 Dec 2023 17:48:13 -0500 Subject: [PATCH 0825/1014] CHANGELOG: record #8873 (#10035) * CHANGELOG: record #8873 Signed-off-by: William Woodruff * docs/x509/verification: clean up, update note Signed-off-by: William Woodruff * add module ref Signed-off-by: William Woodruff * CHANGELOG: Cryptograpy's -> our Signed-off-by: William Woodruff * CHANGELOG: reflow, better linkage Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- CHANGELOG.rst | 4 ++++ docs/x509/verification.rst | 13 +++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index da3f220e4cff..9ecc48b739bd 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -61,6 +61,10 @@ Changelog * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV` when using OpenSSL 3.2.0+. +* Added the :mod:`X.509 path validation ` APIs + for :class:`~cryptography.x509.Certificate` chains. These APIs should be + considered unstable and not subject to our stability guarantees until + documented as such in a future release. .. _v41-0-7: diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index a275190fa3b9..893c71000275 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -1,15 +1,16 @@ -X.509 verification +X.509 Verification ================== .. currentmodule:: cryptography.x509.verification -Support for X.509 certificate verification, also known as path validation, -chain building, etc. +.. module:: cryptography.x509.verification + +Support for X.509 certificate verification, also known as path validation +or chain building. .. note:: - This module is a work in progress, and does not yet contain a fully usable - X.509 path validation implementation. These APIs should be considered - experimental and not yet subject to our backwards compatibility policy. + While usable, these APIs should be considered experimental and not yet + subject to our backwards compatibility policy. .. class:: Store(certs) From d3f28d3ad8f1584766ebbf460adf63b1240c389c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 22 Dec 2023 19:15:56 -0500 Subject: [PATCH 0826/1014] x509/verification: add an API usage example (#10036) * x509/verification: add an API usage example Signed-off-by: William Woodruff * Apply suggestions from code review Co-authored-by: Alex Gaynor --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- docs/x509/verification.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 893c71000275..9a4ef69384e5 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -12,6 +12,23 @@ or chain building. While usable, these APIs should be considered experimental and not yet subject to our backwards compatibility policy. +Example usage, with `certifi `_ providing +the root of trust: + +.. code-block:: python + + from cryptography.x509 import Certificate, DNSName, load_pem_x509_certificates + from cryptography.x509.verification import PolicyBuilder, Store + import certifi + + with open(certifi.where(), "rb") as pems: + store = Store(load_pem_x509_certificates(pems.read())) + + builder = PolicyBuilder().store(store) + verifier = builder().build_server_verifier(DNSName("cryptography.io")) + + chain = verifier.verify(peer, untrusted_intermediates) + .. class:: Store(certs) .. versionadded:: 42.0.0 From b67066662a7fd1740ab17fb50926db561bb01210 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 22 Dec 2023 19:16:16 -0500 Subject: [PATCH 0827/1014] Bump BoringSSL and/or OpenSSL in CI (#10037) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 060203a8423c..950dbfc73980 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Dec 22, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6e0eba6e62333652290514e51b75b966b27b27c"}} - # Latest commit on the OpenSSL master branch, as of Dec 22, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8f0f814d791e0825b96c30494594de619da3e5a5"}} + # Latest commit on the OpenSSL master branch, as of Dec 23, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d6e4056805f54bb1a0ef41fa3a6a35b70c94edba"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 6f77f13e16f67a499fa1836dd953bf2b35b861b1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 07:35:59 -0500 Subject: [PATCH 0828/1014] Use non-deprecated name (#10038) --- src/rust/src/x509/verify.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index d664e3814bba..4f05f152ef39 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -140,7 +140,7 @@ impl PyServerVerifier { raw: OwnedCertificate::try_new(raw.into(), |raw| { asn1::parse_single(raw.as_bytes(py)) })?, - cached_extensions: pyo3::once_cell::GILOnceCell::new(), + cached_extensions: pyo3::sync::GILOnceCell::new(), }) }) .collect() From 0d3af2266ed4bdbc1d80bb02a28034cc0990cfa2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 07:37:48 -0500 Subject: [PATCH 0829/1014] Rename x509-validation crate to verification for consistency with the Python API (#10039) --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 4 ++-- .../Cargo.toml | 2 +- .../src/certificate.rs | 0 .../src/lib.rs | 0 .../src/ops.rs | 0 .../src/policy/extension.rs | 0 .../src/policy/mod.rs | 0 .../src/trust_store.rs | 0 .../src/types.rs | 10 +++++----- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/verify.rs | 4 ++-- 12 files changed, 13 insertions(+), 13 deletions(-) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/Cargo.toml (90%) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/src/certificate.rs (100%) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/src/lib.rs (100%) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/src/ops.rs (100%) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/src/policy/extension.rs (100%) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/src/policy/mod.rs (100%) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/src/trust_store.rs (100%) rename src/rust/{cryptography-x509-validation => cryptography-x509-verification}/src/types.rs (98%) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bd7e87764c04..4aed604ed080 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -90,7 +90,7 @@ dependencies = [ "cryptography-cffi", "cryptography-openssl", "cryptography-x509", - "cryptography-x509-validation", + "cryptography-x509-verification", "foreign-types-shared", "once_cell", "openssl", @@ -108,7 +108,7 @@ dependencies = [ ] [[package]] -name = "cryptography-x509-validation" +name = "cryptography-x509-verification" version = "0.1.0" dependencies = [ "asn1", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index eff129d572ea..13e35e298a30 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -14,7 +14,7 @@ pyo3 = { version = "0.20", features = ["abi3"] } asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-x509 = { path = "cryptography-x509" } -cryptography-x509-validation = { path = "cryptography-x509-validation" } +cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.62" @@ -41,5 +41,5 @@ members = [ "cryptography-cffi", "cryptography-openssl", "cryptography-x509", - "cryptography-x509-validation", + "cryptography-x509-verification", ] diff --git a/src/rust/cryptography-x509-validation/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml similarity index 90% rename from src/rust/cryptography-x509-validation/Cargo.toml rename to src/rust/cryptography-x509-verification/Cargo.toml index 3e3a815551e5..1ed759074167 100644 --- a/src/rust/cryptography-x509-validation/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "cryptography-x509-validation" +name = "cryptography-x509-verification" version = "0.1.0" authors = ["The cryptography developers "] edition = "2021" diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-verification/src/certificate.rs similarity index 100% rename from src/rust/cryptography-x509-validation/src/certificate.rs rename to src/rust/cryptography-x509-verification/src/certificate.rs diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs similarity index 100% rename from src/rust/cryptography-x509-validation/src/lib.rs rename to src/rust/cryptography-x509-verification/src/lib.rs diff --git a/src/rust/cryptography-x509-validation/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs similarity index 100% rename from src/rust/cryptography-x509-validation/src/ops.rs rename to src/rust/cryptography-x509-verification/src/ops.rs diff --git a/src/rust/cryptography-x509-validation/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs similarity index 100% rename from src/rust/cryptography-x509-validation/src/policy/extension.rs rename to src/rust/cryptography-x509-verification/src/policy/extension.rs diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs similarity index 100% rename from src/rust/cryptography-x509-validation/src/policy/mod.rs rename to src/rust/cryptography-x509-verification/src/policy/mod.rs diff --git a/src/rust/cryptography-x509-validation/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs similarity index 100% rename from src/rust/cryptography-x509-validation/src/trust_store.rs rename to src/rust/cryptography-x509-verification/src/trust_store.rs diff --git a/src/rust/cryptography-x509-validation/src/types.rs b/src/rust/cryptography-x509-verification/src/types.rs similarity index 98% rename from src/rust/cryptography-x509-validation/src/types.rs rename to src/rust/cryptography-x509-verification/src/types.rs index 2868c59cc3ef..f564715219cd 100644 --- a/src/rust/cryptography-x509-validation/src/types.rs +++ b/src/rust/cryptography-x509-verification/src/types.rs @@ -17,7 +17,7 @@ use std::str::FromStr; /// [RFC 1123 2.1]: https://datatracker.ietf.org/doc/html/rfc1123#section-2.1 /// /// ```rust -/// # use cryptography_x509_validation::types::DNSName; +/// # use cryptography_x509_verification::types::DNSName; /// assert_eq!(DNSName::new("foo.com").unwrap(), DNSName::new("FOO.com").unwrap()); /// ``` #[derive(Clone, Debug)] @@ -59,7 +59,7 @@ impl<'a> DNSName<'a> { /// Return this `DNSName`'s parent domain, if it has one. /// /// ```rust - /// # use cryptography_x509_validation::types::DNSName; + /// # use cryptography_x509_verification::types::DNSName; /// let domain = DNSName::new("foo.example.com").unwrap(); /// assert_eq!(domain.parent().unwrap().as_str(), "example.com"); /// ``` @@ -136,7 +136,7 @@ impl<'a> DNSConstraint<'a> { /// side of the name satisfies the name constraint. /// /// ```rust - /// # use cryptography_x509_validation::types::{DNSConstraint, DNSName}; + /// # use cryptography_x509_verification::types::{DNSConstraint, DNSName}; /// let example_com = DNSName::new("example.com").unwrap(); /// let badexample_com = DNSName::new("badexample.com").unwrap(); /// let foo_example_com = DNSName::new("foo.example.com").unwrap(); @@ -217,7 +217,7 @@ impl IPAddress { /// Returns a new `IPAddress` with the first `prefix` bits of the `IPAddress`. /// /// ```rust - /// # use cryptography_x509_validation::types::IPAddress; + /// # use cryptography_x509_verification::types::IPAddress; /// let ip = IPAddress::from_str("192.0.2.1").unwrap(); /// assert_eq!(ip.mask(24), IPAddress::from_str("192.0.2.0").unwrap()); /// ``` @@ -288,7 +288,7 @@ impl IPConstraint { /// Determines if the `addr` is within the `IPConstraint`. /// /// ```rust - /// # use cryptography_x509_validation::types::{IPAddress, IPConstraint}; + /// # use cryptography_x509_verification::types::{IPAddress, IPConstraint}; /// let range_bytes = b"\xc6\x33\x64\x00\xff\xff\xff\x00"; /// let range = IPConstraint::from_bytes(range_bytes).unwrap(); /// assert!(range.matches(&IPAddress::from_str("198.51.100.42").unwrap())); diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 7753974ac6a4..c2a46e0a1927 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -21,7 +21,7 @@ use cryptography_x509::extensions::{ }; use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; -use cryptography_x509_validation::ops::CryptoOps; +use cryptography_x509_verification::ops::CryptoOps; use pyo3::{IntoPy, ToPyObject}; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 4f05f152ef39..769814886b5d 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -3,7 +3,7 @@ // for complete details. use cryptography_x509::certificate::Certificate; -use cryptography_x509_validation::{ +use cryptography_x509_verification::{ ops::CryptoOps, policy::{Policy, Subject}, trust_store::Store, @@ -120,7 +120,7 @@ impl PyServerVerifier { ); let policy = self.as_policy(); - let chain = cryptography_x509_validation::verify( + let chain = cryptography_x509_verification::verify( leaf.raw.borrow_dependent(), intermediates .iter() From eac469a5c04bb77a67d6bf06b76d5f82b2d76419 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 23 Dec 2023 10:51:26 -0300 Subject: [PATCH 0830/1014] we call it unstable in the changelog and not experimental (#10040) let's be consistent --- docs/x509/verification.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 9a4ef69384e5..9524a79f29d3 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -9,7 +9,7 @@ Support for X.509 certificate verification, also known as path validation or chain building. .. note:: - While usable, these APIs should be considered experimental and not yet + While usable, these APIs should be considered unstable and not yet subject to our backwards compatibility policy. Example usage, with `certifi `_ providing From 135050a5c11b1789bc43d7306fc2f13fc8f0db62 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 10:42:56 -0500 Subject: [PATCH 0831/1014] Added certifi to test dependencies (#10043) Needed for https://github.com/pyca/cryptography/pull/10042 --- pyproject.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index ff4995ca4169..c5ee2561972f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -75,6 +75,7 @@ test = [ "pytest-cov", "pytest-xdist", "pretend", + "certifi", ] test-randomorder = ["pytest-randomly"] docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"] @@ -155,4 +156,4 @@ git-only = [ "ci-constraints-requirements.txt", ".gitattributes", ".gitignore", -] \ No newline at end of file +] From c9578f28a1acabf060b40792b931b7204509884f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 10:45:31 -0500 Subject: [PATCH 0832/1014] Fixed a typo in test-vectors documentation (#10041) --- docs/development/test-vectors.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index d23946e55ef3..a0a0261f1f95 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -232,7 +232,7 @@ X.509 ``cryptography.io.pem`` certificate. * ``cryptography.io.precert.pem`` - A pre-certificate with the CT poison extension for the cryptography website. -* ``cryptography-scts.io.pem`` - A leaf certificate issued by Let's Encrypt for +* ``cryptography-scts.pem`` - A leaf certificate issued by Let's Encrypt for the cryptography website which contains signed certificate timestamps. * ``wildcard_san.pem`` - A leaf certificate issued by a public CA for ``langui.sh`` that contains wildcard entries in the SAN extension. From 957e65e48ef7ff3b7009b23ebe59fe51075d2388 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 23 Dec 2023 12:49:12 -0300 Subject: [PATCH 0833/1014] add automatic PRs for new commits on x509-limbo and wycheproof (#10044) --- .github/actions/fetch-vectors/action.yml | 6 ++- .github/workflows/x509-limbo-version-bump.yml | 51 +++++++++++++++++++ 2 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/x509-limbo-version-bump.yml diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 152a962a4486..79ecbd83efd2 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -9,10 +9,12 @@ runs: with: repository: "google/wycheproof" path: "wycheproof" - ref: "master" + # Latest commit on the wycheproof master branch, as of Oct 28, 2023. + ref: "cd5d271eab5c841f734d044683e4e30b76f65abb" # wycheproof-ref - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - ref: "main" + # Latest commit on the x509-limbo main branch, as of Dec 21, 2023. + ref: "387386a6fc389c2114c8669b3318e1fe62b4bd1e" # x509-limbo-ref diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml new file mode 100644 index 000000000000..99708d9f7bba --- /dev/null +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -0,0 +1,51 @@ +name: Bump x509-limbo and/or wycheproof +permissions: + contents: read + +on: + workflow_dispatch: + schedule: + # Run daily + - cron: "0 0 * * *" + +jobs: + bump: + if: github.repository_owner == 'pyca' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - id: check-sha-x509-limbo + run: | + SHA=$(git ls-remote https://github.com/trailofbits/x509-limbo refs/heads/main | cut -f1) + LAST_COMMIT=$(grep x509-limbo-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') + if ! grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then + echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT + echo "COMMIT_MSG<> $GITHUB_OUTPUT + echo -e "## x509-limbo\n[Commit: ${SHA}](https://github.com/trailofbits/x509-limbo/commit/${SHA})\n\n[Diff](https://github.com/trailofbits/x509-limbo/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + fi + - name: Update x509-limbo + run: | + set -xe + CURRENT_DATE=$(date "+%b %d, %Y") + sed -E -i "s/Latest commit on the x509-limbo main branch.*/Latest commit on the x509-limbo main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml + sed -E -i "s/ref: \"[0-9a-f]{40}\" # x509-limbo-ref/ref: \"${{ steps.check-sha-x509-limbo.outputs.COMMIT_SHA }}\" # x509-limbo-ref/" .github/actions/fetch-vectors/action.yml + git status + if: steps.check-sha-openssl.outputs.COMMIT_SHA + - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + id: generate-token + with: + app_id: ${{ secrets.BORINGBOT_APP_ID }} + private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} + if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA + - name: Create Pull Request + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 + with: + commit-message: "Bump x509-limbo and/or wycheproof in CI" + title: "Bump x509-limbo and/or wycheproof in CI" + author: "pyca-boringbot[bot] " + body: | + ${{ steps.check-sha-x509-limbo.outputs.COMMIT_MSG }} + ${{ steps.check-sha-wycheproof.outputs.COMMIT_MSG }} + token: ${{ steps.generate-token.outputs.token }} + if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA From eb06a6a83d2372c59ba32286ff0c059a905b9aab Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 10:55:21 -0500 Subject: [PATCH 0834/1014] Added a benchmark for x.509 verification (#10042) --- tests/bench/test_x509.py | 39 +++++++++++++++++++++++++++ tests/x509/verification/test_limbo.py | 12 +++++---- 2 files changed, 46 insertions(+), 5 deletions(-) diff --git a/tests/bench/test_x509.py b/tests/bench/test_x509.py index 87a60af0f597..3a8e916ed4be 100644 --- a/tests/bench/test_x509.py +++ b/tests/bench/test_x509.py @@ -2,8 +2,12 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import datetime +import json import os +import certifi + from cryptography import x509 from ..utils import load_vectors_from_file @@ -40,3 +44,38 @@ def test_load_pem_certificate(benchmark): ) benchmark(x509.load_pem_x509_certificate, cert_bytes) + + +def test_verify_docs_python_org(benchmark, pytestconfig): + limbo_root = pytestconfig.getoption("--x509-limbo-root", skip=True) + with open(os.path.join(limbo_root, "limbo.json"), "rb") as f: + [testcase] = [ + tc + for tc in json.load(f)["testcases"] + if tc["id"] == "online::docs.python.org" + ] + + with open(certifi.where(), "rb") as f: + store = x509.verification.Store( + x509.load_pem_x509_certificates(f.read()) + ) + + leaf = x509.load_pem_x509_certificate( + testcase["peer_certificate"].encode() + ) + intermediates = [ + x509.load_pem_x509_certificate(c.encode()) + for c in testcase["untrusted_intermediates"] + ] + time = datetime.datetime.fromisoformat(testcase["validation_time"]) + + def bench(): + verifier = ( + x509.verification.PolicyBuilder() + .store(store) + .time(time) + .build_server_verifier(x509.DNSName("docs.python.org")) + ) + verifier.verify(leaf, intermediates) + + benchmark(bench) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 2d2f1fd6fe0f..e26ebe6a0161 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -113,11 +113,13 @@ def _limbo_testcase(id_, testcase): max_chain_depth = testcase["max_chain_depth"] should_pass = testcase["expected_result"] == "SUCCESS" - verifier = PolicyBuilder( - time=validation_time, - store=Store(trusted_certs), - max_chain_depth=max_chain_depth, - ).build_server_verifier(peer_name) + verifier = ( + PolicyBuilder() + .time(validation_time) + .store(Store(trusted_certs)) + .max_chain_depth(max_chain_depth) + .build_server_verifier(peer_name) + ) if should_pass: built_chain = verifier.verify( From cea8a236ae55eca0dce111b98e6cd5fe016fc66d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 23 Dec 2023 12:58:41 -0300 Subject: [PATCH 0835/1014] i grow weary of www.cosic.esat.kuleuven.be (#10045) --- docs/conf.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/conf.py b/docs/conf.py index 5d3b59f50473..4fa571dc8037 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -204,6 +204,8 @@ # GitHub changed how they do page renders so anchor detection # no longer works in source view r"https://github.com/.*/blob/.*#L\d+", + # Kuleuven struggles with the endless forward march of time + r"https://www.cosic.esat.kuleuven.be", ] autosectionlabel_prefix_document = True From 5efb0ec15c01c808fadbd3758a0f4cdb3ebd14aa Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 23 Dec 2023 13:10:23 -0300 Subject: [PATCH 0836/1014] finish the wycheproof/x509-limbo bump code (#10046) --- .github/workflows/x509-limbo-version-bump.yml | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 99708d9f7bba..5434dbccfd0f 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -31,13 +31,31 @@ jobs: sed -E -i "s/Latest commit on the x509-limbo main branch.*/Latest commit on the x509-limbo main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml sed -E -i "s/ref: \"[0-9a-f]{40}\" # x509-limbo-ref/ref: \"${{ steps.check-sha-x509-limbo.outputs.COMMIT_SHA }}\" # x509-limbo-ref/" .github/actions/fetch-vectors/action.yml git status - if: steps.check-sha-openssl.outputs.COMMIT_SHA + if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA + - id: check-sha-wycheproof + run: | + SHA=$(git ls-remote https://github.com/google/wycheproof refs/heads/master | cut -f1) + LAST_COMMIT=$(grep wycheproof-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') + if ! grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then + echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT + echo "COMMIT_MSG<> $GITHUB_OUTPUT + echo -e "## wycheproof\n[Commit: ${SHA}](https://github.com/google/wycheproof/commit/${SHA})\n\n[Diff](https://github.com/google/wycheproof/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + fi + - name: Update wycheproof + run: | + set -xe + CURRENT_DATE=$(date "+%b %d, %Y") + sed -E -i "s/Latest commit on the wycheproof main branch.*/Latest commit on the wycheproof main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml + sed -E -i "s/ref: \"[0-9a-f]{40}\" # wycheproof-ref/ref: \"${{ steps.check-sha-wycheproof.outputs.COMMIT_SHA }}\" # wycheproof-ref/" .github/actions/fetch-vectors/action.yml + git status + if: steps.check-sha-wycheproof.outputs.COMMIT_SHA - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 id: generate-token with: app_id: ${{ secrets.BORINGBOT_APP_ID }} private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} - if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA + if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 with: From 14f24e35c91457db14d37e7735ff8c82014868ff Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 23 Dec 2023 16:18:02 +0000 Subject: [PATCH 0837/1014] Bump x509-limbo and/or wycheproof in CI (#10048) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 79ecbd83efd2..4441503aa4d8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -10,11 +10,11 @@ runs: repository: "google/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Oct 28, 2023. - ref: "cd5d271eab5c841f734d044683e4e30b76f65abb" # wycheproof-ref + ref: "d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d" # wycheproof-ref - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Dec 21, 2023. - ref: "387386a6fc389c2114c8669b3318e1fe62b4bd1e" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Dec 23, 2023. + ref: "2dfce6da5c6dca2dce0ce4caa93e9ea781202cd2" # x509-limbo-ref From 5b08c7576bebe5ec3fef7743cab1cbe3a86ab3ad Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 11:22:53 -0500 Subject: [PATCH 0838/1014] Have limbo available in benchmarks (#10049) --- .github/workflows/benchmark.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 910f985d9d05..d494688db74f 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -32,6 +32,9 @@ jobs: repository: "pyca/cryptography" path: "cryptography-base" ref: "${{ github.base_ref }}" + - name: Clone test vectors + timeout-minutes: 2 + uses: ./cryptography-base/.github/actions/fetch-vectors - name: Setup python id: setup-python @@ -49,9 +52,9 @@ jobs: .venv-pr/bin/pip install -v -c ./cryptography-pr/ci-constraints-requirements.txt "./cryptography-pr[test]" ./cryptography-pr/vectors/ - name: Run benchmarks (base) - run: .venv-base/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-base.json + run: .venv-base/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-base.json --x509-limbo-root=x509-limbo/ - name: Run benchmarks (PR) - run: .venv-pr/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-pr.json + run: .venv-pr/bin/pytest --benchmark-enable --benchmark-only ./cryptography-pr/tests/bench/ --benchmark-json=bench-pr.json --x509-limbo-root=x509-limbo/ - name: Compare results run: python ./cryptography-pr/.github/compare_benchmarks.py bench-base.json bench-pr.json | tee -a $GITHUB_STEP_SUMMARY From 73b0cd38be5474f3cdfc320ba628fe27087c7e15 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 11:44:26 -0500 Subject: [PATCH 0839/1014] Avoid duplicate work building store on every verification (#10047) --- src/rust/src/x509/verify.rs | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 769814886b5d..6af3b45468f5 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -110,23 +110,16 @@ impl PyServerVerifier { leaf: &PyCertificate, intermediates: Vec>, ) -> CryptographyResult> { - let store = Store::new( - self.store - .as_ref(py) - .get() - .0 - .iter() - .map(|t| t.get().raw.borrow_dependent().clone()), - ); - let policy = self.as_policy(); + let store = self.store.as_ref(py).borrow(); + let chain = cryptography_x509_verification::verify( leaf.raw.borrow_dependent(), intermediates .iter() .map(|i| i.raw.borrow_dependent().clone()), policy, - &store, + store.raw.borrow_dependent(), ) .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; @@ -224,12 +217,23 @@ fn create_server_verifier( }) } +self_cell::self_cell!( + struct RawPyStore { + owner: Vec>, + + #[covariant] + dependent: Store, + } +); + #[pyo3::pyclass( frozen, name = "Store", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyStore(Vec>); +struct PyStore { + raw: RawPyStore, +} #[pyo3::pymethods] impl PyStore { @@ -240,7 +244,11 @@ impl PyStore { "can't create an empty store", )); } - Ok(Self(certs)) + Ok(Self { + raw: RawPyStore::new(certs, |v| { + Store::new(v.iter().map(|t| t.get().raw.borrow_dependent().clone())) + }), + }) } } From 4e839cc95219dd47d13e33591065cbd094b59fe9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 11:45:12 -0500 Subject: [PATCH 0840/1014] Remove a `Vec` that's not needed (#10050) We can just use the `SequenceOf`. --- src/rust/cryptography-x509-verification/src/lib.rs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 084eb2a505da..ed2ad9e021f9 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -51,7 +51,7 @@ impl From for ValidationError { struct NameChain<'a, 'chain> { child: Option<&'a NameChain<'a, 'chain>>, - sans: Vec>, + sans: SubjectAlternativeName<'chain>, } impl<'a, 'chain> NameChain<'a, 'chain> { @@ -64,8 +64,10 @@ impl<'a, 'chain> NameChain<'a, 'chain> { self_issued_intermediate, extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID), ) { - (false, Some(sans)) => sans.value::>()?.collect(), - _ => vec![], + (false, Some(sans)) => sans.value::>()?, + // TODO: there really ought to be a better way to express an empty + // `asn1::SequenceOf`. + _ => asn1::parse_single(b"\x30\x00")?, }; Ok(Self { child, sans }) @@ -118,12 +120,12 @@ impl<'a, 'chain> NameChain<'a, 'chain> { child.evaluate_constraints(constraints)?; } - for san in &self.sans { + for san in self.sans.clone() { // If there are no applicable constraints, the SAN is considered valid so the default is true. let mut permit = true; if let Some(permitted_subtrees) = &constraints.permitted_subtrees { for p in permitted_subtrees.unwrap_read().clone() { - let status = self.evaluate_single_constraint(&p.base, san)?; + let status = self.evaluate_single_constraint(&p.base, &san)?; if status.is_applied() { permit = status.is_match(); if permit { @@ -141,7 +143,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { if let Some(excluded_subtrees) = &constraints.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { - let status = self.evaluate_single_constraint(&e.base, san)?; + let status = self.evaluate_single_constraint(&e.base, &san)?; if status.is_match() { return Err(ValidationError::Other( "excluded name constraint matched SAN".into(), From 74cb05bc3a799d587041bd39f19f7e378adfe7a9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 12:15:25 -0500 Subject: [PATCH 0841/1014] Avoid `insert(0)`, it's `O(n^2)` when done repeatedly (#10051) --- src/rust/cryptography-x509-verification/src/lib.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index ed2ad9e021f9..f15f6cd435a3 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -298,7 +298,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { )?, ) { Ok(mut chain) => { - chain.insert(0, working_cert.clone()); + chain.push(working_cert.clone()); return Ok(chain); } Err(e) => last_err = Some(e), @@ -334,11 +334,14 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { self.policy.permits_ee(leaf, &leaf_extensions)?; - self.build_chain_inner( + let mut chain = self.build_chain_inner( leaf, 0, &leaf_extensions, NameChain::new(None, &leaf_extensions, false)?, - ) + )?; + // We build the chain in reverse order, fix it now. + chain.reverse(); + Ok(chain) } } From 20aacdd6960312d901e0fb351b4ef28838a3ec13 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Dec 2023 14:08:46 -0500 Subject: [PATCH 0842/1014] Avoid linear scan of the entire trust store (#10052) --- .../cryptography-x509-verification/src/lib.rs | 10 ++++--- .../src/trust_store.rs | 29 +++++++++++++++---- 2 files changed, 30 insertions(+), 9 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index f15f6cd435a3..5bea76a4c133 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -213,13 +213,15 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { cert: &'a Certificate<'chain>, ) -> impl Iterator> + '_ { // TODO: Optimizations: - // * Use a backing structure that allows us to search by name - // rather than doing a linear scan // * Search by AKI and other identifiers? self.store + .get_by_subject(&cert.tbs_cert.issuer) .iter() - .chain(self.intermediates.iter()) - .filter(|&candidate| candidate.subject() == cert.issuer()) + .chain( + self.intermediates + .iter() + .filter(|&candidate| candidate.subject() == cert.issuer()), + ) } fn build_chain_inner( diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs index a6722d90573a..4001fccd7f1d 100644 --- a/src/rust/cryptography-x509-verification/src/trust_store.rs +++ b/src/rust/cryptography-x509-verification/src/trust_store.rs @@ -2,27 +2,46 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use std::collections::HashSet; +use std::collections::{HashMap, HashSet}; use cryptography_x509::certificate::Certificate; +use cryptography_x509::name::Name; /// A `Store` represents the core state needed for X.509 path validation. -pub struct Store<'a>(HashSet>); +pub struct Store<'a> { + certs: HashSet>, + by_subject: HashMap, Vec>>, +} impl<'a> Store<'a> { /// Create a new `Store` from the given iterable certificate source. pub fn new(trusted: impl IntoIterator>) -> Self { - Store(HashSet::from_iter(trusted)) + let certs = HashSet::from_iter(trusted); + let mut by_subject: HashMap, Vec>> = HashMap::new(); + for cert in certs.iter() { + by_subject + .entry(cert.tbs_cert.subject.clone()) + .or_default() + .push(cert.clone()); + } + Store { certs, by_subject } } /// Returns whether this store contains the given certificate. pub fn contains(&self, cert: &Certificate<'a>) -> bool { - self.0.contains(cert) + self.certs.contains(cert) } /// Returns an iterator over all certificates in this store. pub fn iter(&self) -> impl Iterator> { - self.0.iter() + self.certs.iter() + } + + pub fn get_by_subject(&self, subject: &Name<'a>) -> &[Certificate<'a>] { + self.by_subject + .get(subject) + .map(|v| v.as_slice()) + .unwrap_or_default() } } From 8046ea1c498177c49322304fe0c77483ab19c161 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 23 Dec 2023 16:48:55 -0300 Subject: [PATCH 0843/1014] document that we raise CryptographyDeprecationWarning on deprecation more clearly (#10053) * document we raise CryptographyDeprecationWarning clearly * be a little louder about our deprecated ciphers --- docs/api-stability.rst | 4 ++-- src/cryptography/hazmat/primitives/ciphers/algorithms.py | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/api-stability.rst b/docs/api-stability.rst index eafbd1d9506e..0ed03dc2f605 100644 --- a/docs/api-stability.rst +++ b/docs/api-stability.rst @@ -66,9 +66,9 @@ entirely. In that case, here's how the process will work: * In ``cryptography X.0.0`` the feature exists. * In ``cryptography (X + 1).0.0`` using that feature will emit a - ``UserWarning``. + ``CryptographyDeprecationWarning`` (base class ``UserWarning``). * In ``cryptography (X + 2).0.0`` using that feature will emit a - ``UserWarning``. + ``CryptographyDeprecationWarning``. * In ``cryptography (X + 3).0.0`` the feature will be removed or changed. In short, code that runs without warnings will always continue to work for a diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py index ebc9595c49fb..000bdcba97a4 100644 --- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -104,7 +104,7 @@ def key_size(self) -> int: utils.deprecated( Blowfish, __name__, - "Blowfish has been deprecated", + "Blowfish has been deprecated and will be removed in a future release", utils.DeprecatedIn37, name="Blowfish", ) @@ -127,7 +127,7 @@ def key_size(self) -> int: utils.deprecated( CAST5, __name__, - "CAST5 has been deprecated", + "CAST5 has been deprecated and will be removed in a future release", utils.DeprecatedIn37, name="CAST5", ) @@ -162,7 +162,7 @@ def key_size(self) -> int: utils.deprecated( IDEA, __name__, - "IDEA has been deprecated", + "IDEA has been deprecated and will be removed in a future release", utils.DeprecatedIn37, name="IDEA", ) @@ -185,7 +185,7 @@ def key_size(self) -> int: utils.deprecated( SEED, __name__, - "SEED has been deprecated", + "SEED has been deprecated and will be removed in a future release", utils.DeprecatedIn37, name="SEED", ) From 1aea239f1dbdfd5de162f4e8eff935014692a60a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 25 Dec 2023 00:30:25 +0000 Subject: [PATCH 0844/1014] Bump x509-limbo and/or wycheproof in CI (#10055) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4441503aa4d8..47ff35686328 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Dec 23, 2023. - ref: "2dfce6da5c6dca2dce0ce4caa93e9ea781202cd2" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Dec 25, 2023. + ref: "4cc6c4a84e05d9bd12d1b9c619b72bfc43bf60e7" # x509-limbo-ref From 5c97027c772560796a6006a822dc6aea7d9b5a44 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 25 Dec 2023 06:11:14 -0500 Subject: [PATCH 0845/1014] Remove a few more lifetimes that aren't needed (#10059) --- src/rust/cryptography-x509-verification/src/lib.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 5bea76a4c133..31b6a3affed4 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -226,10 +226,10 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn build_chain_inner( &self, - working_cert: &'a Certificate<'chain>, + working_cert: &Certificate<'chain>, current_depth: u8, - working_cert_extensions: &'a Extensions<'chain>, - name_chain: NameChain<'a, 'chain>, + working_cert_extensions: &Extensions<'chain>, + name_chain: NameChain<'_, 'chain>, ) -> Result, ValidationError> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { name_chain.evaluate_constraints(&nc.value()?)?; @@ -326,7 +326,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { ))) } - fn build_chain(&self, leaf: &'a Certificate<'chain>) -> Result, ValidationError> { + fn build_chain(&self, leaf: &Certificate<'chain>) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). From 2dd00a1c44992e5ea2d53d74459079078e1aff80 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 25 Dec 2023 06:11:32 -0500 Subject: [PATCH 0846/1014] Remove some lifetimes that aren't required (#10057) --- src/rust/cryptography-x509-verification/src/lib.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 31b6a3affed4..8126239ea66f 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -159,11 +159,11 @@ impl<'a, 'chain> NameChain<'a, 'chain> { pub type Chain<'c> = Vec>; -pub fn verify<'a, 'chain, B: CryptoOps>( - leaf: &'a Certificate<'chain>, +pub fn verify<'chain, B: CryptoOps>( + leaf: &Certificate<'chain>, intermediates: impl IntoIterator>, policy: &Policy<'_, B>, - store: &'a Store<'chain>, + store: &Store<'chain>, ) -> Result, ValidationError> { let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); From e2e2f937cf7ebb5325423e7ccfa7c97ab25fd613 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Dec 2023 08:01:07 -0500 Subject: [PATCH 0847/1014] Bump syn from 2.0.42 to 2.0.43 in /src/rust (#10060) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.42 to 2.0.43. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.42...2.0.43) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4aed604ed080..e8e0517dcfbb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.42" +version = "2.0.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b7d0a2c048d661a1a59fcd7355baa232f7ed34e0ee4df2eef3c1c1c0d3852d8" +checksum = "ee659fb5f3d355364e1f3e5bc10fb82068efbf824a1e9d1c9504244a6469ad53" dependencies = [ "proc-macro2", "quote", From c6f87ef5c4e13c6a2e0ac1666d1756f406306af1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Dec 2023 08:03:02 -0500 Subject: [PATCH 0848/1014] Bump importlib-metadata from 7.0.0 to 7.0.1 in /.github/requirements (#10062) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.0.0 to 7.0.1. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.0.0...v7.0.1) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 83d18cb80fdc..c266d60dc69b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -231,9 +231,9 @@ idna==3.6 \ # via # email-validator # requests -importlib-metadata==7.0.0 \ - --hash=sha256:7fc841f8b8332803464e5dc1c63a2e59121f46ca186c0e2e182e80bf8c1319f7 \ - --hash=sha256:d97503976bb81f40a193d41ee6570868479c69d5068651eb039c40d850c59d67 +importlib-metadata==7.0.1 \ + --hash=sha256:4805911c3a4ec7c3966410053e9ec6a1fecd629117df5adee56dfc9432a1081e \ + --hash=sha256:f238736bb06590ae52ac1fab06a3a9ef1d8dce2b7a35b5ab329371d6c8f5d2cc # via # keyring # twine From 471e850ecfb8d5a88b53784fbb8b78c186eba457 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Dec 2023 13:11:25 +0000 Subject: [PATCH 0849/1014] Bump grpclib from 0.4.6 to 0.4.7 in /.github/requirements (#10063) Bumps [grpclib](https://github.com/vmagamedov/grpclib) from 0.4.6 to 0.4.7. - [Commits](https://github.com/vmagamedov/grpclib/compare/v0.4.6...v0.4.7) --- updated-dependencies: - dependency-name: grpclib dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index c266d60dc69b..121b0c47faf2 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -206,8 +206,8 @@ email-validator==2.1.0.post1 \ --hash=sha256:a4b0bd1cf55f073b924258d19321b1f3aa74b4b5a71a42c305575dba920e1a44 \ --hash=sha256:c973053efbeddfef924dc0bd93f6e77a1ea7ee0fce935aea7103c7a3d6d2d637 # via pydantic -grpclib==0.4.6 \ - --hash=sha256:595d05236ca8b8f8e433f5bf6095e6354c1d8777d003ddaf5288efa9611e3fd6 +grpclib==0.4.7 \ + --hash=sha256:2988ef57c02b22b7a2e8e961792c41ccf97efc2ace91ae7a5b0de03c363823c3 # via betterproto h2==4.1.0 \ --hash=sha256:03a46bcf682256c95b5fd9e9a99c1323584c3eec6440d379b9903d709476bc6d \ From b75629a209da803bd220ca38163cf03e6dec292d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 27 Dec 2023 00:14:56 +0000 Subject: [PATCH 0850/1014] Bump BoringSSL and/or OpenSSL in CI (#10067) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 950dbfc73980..68ca48310e29 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Dec 22, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6e0eba6e62333652290514e51b75b966b27b27c"}} - # Latest commit on the OpenSSL master branch, as of Dec 23, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d6e4056805f54bb1a0ef41fa3a6a35b70c94edba"}} + # Latest commit on the OpenSSL master branch, as of Dec 27, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "62457fd9415d707baf76f219bbb9a29106ba092b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From d74c12871891003a0c1a23dab3baf4eb2b1ea744 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 27 Dec 2023 00:29:02 +0000 Subject: [PATCH 0851/1014] Bump x509-limbo and/or wycheproof in CI (#10068) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 47ff35686328..f4f14e83f347 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Dec 25, 2023. - ref: "4cc6c4a84e05d9bd12d1b9c619b72bfc43bf60e7" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Dec 27, 2023. + ref: "5259c75f3f573216844f74f66f1f65de7b3498e2" # x509-limbo-ref From e04d52de6a045df7bc9b25e4b25c51a1e3313232 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 28 Dec 2023 00:14:45 +0000 Subject: [PATCH 0852/1014] Bump BoringSSL and/or OpenSSL in CI (#10074) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 68ca48310e29..689d9031acc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Dec 22, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6e0eba6e62333652290514e51b75b966b27b27c"}} - # Latest commit on the OpenSSL master branch, as of Dec 27, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "62457fd9415d707baf76f219bbb9a29106ba092b"}} + # Latest commit on the OpenSSL master branch, as of Dec 28, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3d68e2937ee5c50eacef5f4c34abdf7c0e4dc479"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 59ed61e0eb0df57a1c3a124ef78b003766eba24f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 27 Dec 2023 19:30:10 -0500 Subject: [PATCH 0853/1014] Bump x509-limbo and/or wycheproof in CI (#10075) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f4f14e83f347..89a2571af7c4 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Dec 27, 2023. - ref: "5259c75f3f573216844f74f66f1f65de7b3498e2" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Dec 28, 2023. + ref: "ec05ac7737dfdd822ecc8c4e88460b051d4b729f" # x509-limbo-ref From fc6e295fd898c22b771bf4a9e3cc0e5df2104c03 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Dec 2023 07:35:33 -0500 Subject: [PATCH 0854/1014] Bump coverage from 7.3.4 to 7.4.0 (#10077) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.3.4 to 7.4.0. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.3.4...7.4.0) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 18e4257507dd..6bf78f09884f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.0 # via nox -coverage==7.3.4; python_version >= "3.8" +coverage==7.4.0; python_version >= "3.8" # via # coverage # pytest-cov From d911018f0141358a7d752201bf1d92a9873d0a02 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 28 Dec 2023 13:04:01 -0500 Subject: [PATCH 0855/1014] Remove some weird and pointless syntax (#10070) --- src/rust/cryptography-x509/src/crl.rs | 6 +----- src/rust/cryptography-x509/src/ocsp_req.rs | 6 +----- src/rust/cryptography-x509/src/ocsp_resp.rs | 6 +----- 3 files changed, 3 insertions(+), 15 deletions(-) diff --git a/src/rust/cryptography-x509/src/crl.rs b/src/rust/cryptography-x509/src/crl.rs index a5b72f023002..acd4adb64eb0 100644 --- a/src/rust/cryptography-x509/src/crl.rs +++ b/src/rust/cryptography-x509/src/crl.rs @@ -2,11 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::{ - common, - extensions::{self}, - name, -}; +use crate::{common, extensions, name}; pub type ReasonFlags<'a> = Option, asn1::OwnedBitString>>; diff --git a/src/rust/cryptography-x509/src/ocsp_req.rs b/src/rust/cryptography-x509/src/ocsp_req.rs index 9cf7540302e0..163c40fa38b0 100644 --- a/src/rust/cryptography-x509/src/ocsp_req.rs +++ b/src/rust/cryptography-x509/src/ocsp_req.rs @@ -2,11 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::{ - common, - extensions::{self}, - name, -}; +use crate::{common, extensions, name}; #[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct TBSRequest<'a> { diff --git a/src/rust/cryptography-x509/src/ocsp_resp.rs b/src/rust/cryptography-x509/src/ocsp_resp.rs index 5dbe90f4f5d2..f40707ed2f75 100644 --- a/src/rust/cryptography-x509/src/ocsp_resp.rs +++ b/src/rust/cryptography-x509/src/ocsp_resp.rs @@ -2,11 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::{ - certificate, common, crl, - extensions::{self}, - name, ocsp_req, -}; +use crate::{certificate, common, crl, extensions, name, ocsp_req}; #[derive(asn1::Asn1Read, asn1::Asn1Write)] pub struct OCSPResponse<'a> { From 91541cf726e0e9144155b6c92c5cd92f4661a4ac Mon Sep 17 00:00:00 2001 From: Johnny Hsieh <32300164+mnixry@users.noreply.github.com> Date: Fri, 29 Dec 2023 21:56:29 +0800 Subject: [PATCH 0856/1014] Add support for GCM mode of SM4 cipher (#10072) * Add support for SM4-GCM cipher ref: #7503 ref: https://github.com/openssl/openssl/issues/13667 * Update SM4 GCM tests to use external test vector * Cite SM4 test vectors sources in document * Add tests for SM4ModeGCM finalize_with_tag * Update CHANGELOG.rst --- CHANGELOG.rst | 4 + docs/development/test-vectors.rst | 3 + .../hazmat/backends/openssl/backend.py | 2 +- tests/hazmat/primitives/test_sm4.py | 92 ++++++++++++++++++- .../ciphers/SM4/rfc8998.txt | 11 +++ 5 files changed, 109 insertions(+), 3 deletions(-) create mode 100644 vectors/cryptography_vectors/ciphers/SM4/rfc8998.txt diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 9ecc48b739bd..9ade854140f3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -65,6 +65,10 @@ Changelog for :class:`~cryptography.x509.Certificate` chains. These APIs should be considered unstable and not subject to our stability guarantees until documented as such in a future release. +* Added support for + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4` + :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` + when using OpenSSL 3.0 or greater. .. _v41-0-7: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index a0a0261f1f95..73eaeb5fbf13 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -969,6 +969,8 @@ Symmetric ciphers * SEED (CBC) from :rfc:`4196`. * SEED (CFB, OFB) generated by this project. See: :doc:`/development/custom-vectors/seed` +* SM4 (CBC, CFB, CTR, ECB, OFB) from `draft-ribose-cfrg-sm4-10`_. +* SM4 (GCM) from :rfc:`8998`. Two factor authentication ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1046,6 +1048,7 @@ header format (substituting the correct information): .. _`GnuTLS example keys`: https://gitlab.com/gnutls/gnutls/-/commit/ad2061deafdd7db78fd405f9d143b0a7c579da7b .. _`NESSIE IDEA vectors`: https://www.cosic.esat.kuleuven.be/nessie/testvectors/bc/idea/Idea-128-64.verified.test-vectors .. _`NESSIE`: https://en.wikipedia.org/wiki/NESSIE +.. _`draft-ribose-cfrg-sm4-10`: https://tools.ietf.org/html/draft-ribose-cfrg-sm4-10 .. _`Ed25519 website`: https://ed25519.cr.yp.to/software.html .. _`NIST SP-800-38B`: https://csrc.nist.gov/publications/detail/sp/800-38b/archive/2005-05-01 .. _`NIST PKI Testing`: https://csrc.nist.gov/Projects/PKI-Testing diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 58cef907c812..0e14bfb4e2b1 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -269,7 +269,7 @@ def _register_default_ciphers(self) -> None: ), ) self.register_cipher_adapter(AES, XTS, _get_xts_cipher) - for mode_cls in [ECB, CBC, OFB, CFB, CTR]: + for mode_cls in [ECB, CBC, OFB, CFB, CTR, GCM]: self.register_cipher_adapter( SM4, mode_cls, GetCipherByName("sm4-{mode.name}") ) diff --git a/tests/hazmat/primitives/test_sm4.py b/tests/hazmat/primitives/test_sm4.py index 53893eecedff..695987bc9604 100644 --- a/tests/hazmat/primitives/test_sm4.py +++ b/tests/hazmat/primitives/test_sm4.py @@ -7,9 +7,10 @@ import pytest -from cryptography.hazmat.primitives.ciphers import algorithms, modes +from cryptography.exceptions import InvalidTag +from cryptography.hazmat.primitives.ciphers import algorithms, base, modes -from ...utils import load_nist_vectors +from ...utils import load_nist_vectors, load_vectors_from_file from .utils import generate_encrypt_test @@ -91,3 +92,90 @@ class TestSM4ModeCTR: lambda key, **kwargs: algorithms.SM4(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CTR(binascii.unhexlify(iv)), ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.SM4(b"\x00" * 16), modes.GCM(b"\x00" * 16) + ), + skip_message="Does not support SM4 GCM", +) +class TestSM4ModeGCM: + @pytest.mark.parametrize( + "vector", + load_vectors_from_file( + os.path.join("ciphers", "SM4", "rfc8998.txt"), + load_nist_vectors, + ), + ) + def test_encryption(self, vector, backend): + key = binascii.unhexlify(vector["key"]) + iv = binascii.unhexlify(vector["iv"]) + associated_data = binascii.unhexlify(vector["aad"]) + tag = binascii.unhexlify(vector["tag"]) + plaintext = binascii.unhexlify(vector["plaintext"]) + ciphertext = binascii.unhexlify(vector["ciphertext"]) + + cipher = base.Cipher(algorithms.SM4(key), modes.GCM(iv)) + encryptor = cipher.encryptor() + encryptor.authenticate_additional_data(associated_data) + computed_ct = encryptor.update(plaintext) + encryptor.finalize() + assert computed_ct == ciphertext + assert encryptor.tag == tag + + @pytest.mark.parametrize( + "vector", + load_vectors_from_file( + os.path.join("ciphers", "SM4", "rfc8998.txt"), + load_nist_vectors, + ), + ) + def test_decryption(self, vector, backend): + key = binascii.unhexlify(vector["key"]) + iv = binascii.unhexlify(vector["iv"]) + associated_data = binascii.unhexlify(vector["aad"]) + tag = binascii.unhexlify(vector["tag"]) + plaintext = binascii.unhexlify(vector["plaintext"]) + ciphertext = binascii.unhexlify(vector["ciphertext"]) + + cipher = base.Cipher(algorithms.SM4(key), modes.GCM(iv, tag)) + decryptor = cipher.decryptor() + decryptor.authenticate_additional_data(associated_data) + computed_pt = decryptor.update(ciphertext) + decryptor.finalize() + assert computed_pt == plaintext + + cipher_no_tag = base.Cipher(algorithms.SM4(key), modes.GCM(iv)) + decryptor = cipher_no_tag.decryptor() + decryptor.authenticate_additional_data(associated_data) + computed_pt = decryptor.update( + ciphertext + ) + decryptor.finalize_with_tag(tag) + assert computed_pt == plaintext + + @pytest.mark.parametrize( + "vector", + load_vectors_from_file( + os.path.join("ciphers", "SM4", "rfc8998.txt"), + load_nist_vectors, + ), + ) + def test_invalid_tag(self, vector, backend): + key = binascii.unhexlify(vector["key"]) + iv = binascii.unhexlify(vector["iv"]) + associated_data = binascii.unhexlify(vector["aad"]) + tag = binascii.unhexlify(vector["tag"]) + ciphertext = binascii.unhexlify(vector["ciphertext"]) + + cipher = base.Cipher(algorithms.SM4(key), modes.GCM(iv, tag)) + decryptor = cipher.decryptor() + decryptor.authenticate_additional_data(associated_data) + decryptor.update(ciphertext[:-1]) + with pytest.raises(InvalidTag): + decryptor.finalize() + + cipher_no_tag = base.Cipher(algorithms.SM4(key), modes.GCM(iv)) + decryptor = cipher_no_tag.decryptor() + decryptor.authenticate_additional_data(associated_data) + decryptor.update(ciphertext[:-1]) + with pytest.raises(InvalidTag): + decryptor.finalize_with_tag(tag) diff --git a/vectors/cryptography_vectors/ciphers/SM4/rfc8998.txt b/vectors/cryptography_vectors/ciphers/SM4/rfc8998.txt new file mode 100644 index 000000000000..9f2e8aff8ef1 --- /dev/null +++ b/vectors/cryptography_vectors/ciphers/SM4/rfc8998.txt @@ -0,0 +1,11 @@ +# Vectors from rfc8998.txt. Reformatted to work with the NIST loader +# SM4 GCM + +# A.2 +COUNT = 1 +KEY = 0123456789abcdeffedcba9876543210 +IV = 00001234567800000000abcd +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +TAG = 83de3541e4c2b58177e065a9bf7b62ec +PLAINTEXT = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaa +CIPHERTEXT = 17f399f08c67d5ee19d0dc9969c4bb7d5fd46fd3756489069157b282bb200735d82710ca5c22f0ccfa7cbf93d496ac15a56834cbcf98c397b4024a2691233b8d From ce31da6f8847bf3000e7d0e917222e2564eac1d3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 29 Dec 2023 18:58:43 -0500 Subject: [PATCH 0857/1014] Run mypy before check-sdist (#10082) --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index b55849d7a397..5651ea3c7156 100644 --- a/noxfile.py +++ b/noxfile.py @@ -176,7 +176,6 @@ def flake(session: nox.Session) -> None: session.run("ruff", ".") session.run("ruff", "format", "--check", ".") - session.run("check-sdist", "--no-isolation") session.run( "mypy", "src/cryptography/", @@ -185,6 +184,7 @@ def flake(session: nox.Session) -> None: "release.py", "noxfile.py", ) + session.run("check-sdist", "--no-isolation") @nox.session From 946cb9c06f951416b96c8f93474d20140d16525d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 29 Dec 2023 19:01:32 -0500 Subject: [PATCH 0858/1014] Migrate `calculate_digest_and_algorithm` to Rust (#10078) --- .../hazmat/backends/openssl/utils.py | 28 ------------------- src/rust/src/backend/dsa.rs | 14 +++------- src/rust/src/backend/ec.rs | 25 ++++++++--------- src/rust/src/backend/rsa.rs | 10 ++----- src/rust/src/backend/utils.rs | 27 ++++++++++++++++++ src/rust/src/types.rs | 4 --- 6 files changed, 45 insertions(+), 63 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/utils.py diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py deleted file mode 100644 index 0c06f8f7108a..000000000000 --- a/src/cryptography/hazmat/backends/openssl/utils.py +++ /dev/null @@ -1,28 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric.utils import Prehashed - - -def _calculate_digest_and_algorithm( - data: bytes, - algorithm: Prehashed | hashes.HashAlgorithm, -) -> tuple[bytes, hashes.HashAlgorithm]: - if not isinstance(algorithm, Prehashed): - hash_ctx = hashes.Hash(algorithm) - hash_ctx.update(data) - data = hash_ctx.finalize() - else: - algorithm = algorithm._algorithm - - if len(data) != algorithm.digest_size: - raise ValueError( - "The provided data must be the same length as the hash " - "algorithm's digest size." - ) - - return (data, algorithm) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index ce39cbb058b4..4034fec7da81 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -118,13 +118,10 @@ impl DsaPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &pyo3::types::PyBytes, + data: &[u8], algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM - .get(py)? - .call1((data, algorithm))? - .extract()?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -204,13 +201,10 @@ impl DsaPublicKey { &self, py: pyo3::Python<'_>, signature: &[u8], - data: &pyo3::types::PyBytes, + data: &[u8], algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM - .get(py)? - .call1((data, algorithm))? - .extract()?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 8c88218edbe7..a2941437517a 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -339,7 +339,7 @@ impl ECPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &pyo3::types::PyBytes, + data: &[u8], algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if !algorithm.is_instance(types::ECDSA.get(py)?)? { @@ -351,10 +351,11 @@ impl ECPrivateKey { )); } - let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM - .get(py)? - .call1((data, algorithm.getattr(pyo3::intern!(py, "algorithm"))?))? - .extract()?; + let (data, _) = utils::calculate_digest_and_algorithm( + py, + data, + algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + )?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -433,7 +434,7 @@ impl ECPublicKey { &self, py: pyo3::Python<'_>, signature: &[u8], - data: &pyo3::types::PyBytes, + data: &[u8], signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { @@ -445,13 +446,11 @@ impl ECPublicKey { )); } - let (data, _): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM - .get(py)? - .call1(( - data, - signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, - ))? - .extract()?; + let (data, _) = utils::calculate_digest_and_algorithm( + py, + data, + signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 3398b0ca377d..c6e9a392a718 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -322,10 +322,7 @@ impl RsaPrivateKey { padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::PyAny> { - let (data, algorithm): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM - .get(py)? - .call1((data, algorithm))? - .extract()?; + let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { @@ -461,10 +458,7 @@ impl RsaPublicKey { padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, algorithm): (&[u8], &pyo3::PyAny) = types::CALCULATE_DIGEST_AND_ALGORITHM - .get(py)? - .call1((data, algorithm))? - .extract()?; + let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 09dc6d67cc3e..6e3666d5628c 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::types; @@ -348,3 +349,29 @@ pub(crate) fn pkey_public_bytes<'p>( pyo3::exceptions::PyValueError::new_err("format is invalid with this key"), )) } + +pub(crate) fn calculate_digest_and_algorithm<'p>( + py: pyo3::Python<'p>, + mut data: &'p [u8], + mut algorithm: &'p pyo3::PyAny, +) -> CryptographyResult<(&'p [u8], &'p pyo3::PyAny)> { + if algorithm.is_instance(types::PREHASHED.get(py)?)? { + algorithm = algorithm.getattr("_algorithm")?; + } else { + // Potential optimization: rather than allocate a PyBytes in + // `h.finalize()`, have a way to get the `DigestBytes` directly. + let mut h = Hash::new(py, algorithm, None)?; + h.update_bytes(data)?; + data = h.finalize(py)?.as_bytes(); + } + + if data.len() != algorithm.getattr("digest_size")?.extract()? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The provided data must be the same length as the hash algorithm's digest size.", + ), + )); + } + + Ok((data, algorithm)) +} diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 1719c6a535fe..cf323bfd28af 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -384,10 +384,6 @@ pub static CRL_ENTRY_REASON_ENUM_TO_CODE: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.backends.openssl.decode_asn1", &["_CRL_ENTRY_REASON_ENUM_TO_CODE"], ); -pub static CALCULATE_DIGEST_AND_ALGORITHM: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.backends.openssl.utils", - &["_calculate_digest_and_algorithm"], -); pub static RSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.rsa", From 8cee865d3e616537f047ff67f87020100ef8ddb3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Dec 2023 21:02:02 -0300 Subject: [PATCH 0859/1014] Bump setuptools from 69.0.2 to 69.0.3 in /.github/requirements (#10061) * Bump setuptools from 69.0.2 to 69.0.3 in /.github/requirements Bumps [setuptools](https://github.com/pypa/setuptools) from 69.0.2 to 69.0.3. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.0.2...v69.0.3) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update build-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 389e172714b2..1b6bb11dcd3b 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.42.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.0.2 \ - --hash=sha256:1e8fdff6797d3865f37397be788a4e3cba233608e9b509382a2777d25ebde7f2 \ - --hash=sha256:735896e78a4742605974de002ac60562d286fa8051a7e2299445e8e8fbb01aa6 +setuptools==69.0.3 \ + --hash=sha256:385eb4edd9c9d5c17540511303e39a147ce2fc04bc55289c322b9e5904fe2c05 \ + --hash=sha256:be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78 # via # -r build-requirements.in # setuptools-rust From 201851abf2896a6d9568998ca02bd7c92ee56679 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 29 Dec 2023 19:04:30 -0500 Subject: [PATCH 0860/1014] Keep the original DER for an SPKI around (#10058) This lets us parse it without needing to re-serialize. Eventually we can extend this to TBS data itself. --- src/rust/cryptography-x509/src/certificate.rs | 2 +- src/rust/cryptography-x509/src/common.rs | 62 ++++++++++++++++++- src/rust/cryptography-x509/src/csr.rs | 2 +- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/verify.rs | 2 +- 6 files changed, 66 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509/src/certificate.rs b/src/rust/cryptography-x509/src/certificate.rs index b91f6a1eaf08..6db6eade0766 100644 --- a/src/rust/cryptography-x509/src/certificate.rs +++ b/src/rust/cryptography-x509/src/certificate.rs @@ -46,7 +46,7 @@ pub struct TbsCertificate<'a> { pub validity: Validity, pub subject: name::Name<'a>, - pub spki: common::SubjectPublicKeyInfo<'a>, + pub spki: common::WithTlv<'a, common::SubjectPublicKeyInfo<'a>>, #[implicit(1)] pub issuer_unique_id: Option>, #[implicit(2)] diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index f09805e0da11..79bf114ad552 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -354,9 +354,61 @@ impl<'a> asn1::SimpleAsn1Writable for UnvalidatedVisibleString<'a> { } } +#[derive(Clone)] +pub struct WithTlv<'a, T> { + tlv: asn1::Tlv<'a>, + value: T, +} + +impl<'a, T> WithTlv<'a, T> { + pub fn tlv(&self) -> &asn1::Tlv<'a> { + &self.tlv + } +} + +impl std::ops::Deref for WithTlv<'_, T> { + type Target = T; + + fn deref(&self) -> &Self::Target { + &self.value + } +} + +impl<'a, T: asn1::Asn1Readable<'a>> asn1::Asn1Readable<'a> for WithTlv<'a, T> { + fn parse(p: &mut asn1::Parser<'a>) -> asn1::ParseResult { + let tlv = p.read_element::>()?; + Ok(Self { + tlv, + value: tlv.parse()?, + }) + } + + fn can_parse(t: asn1::Tag) -> bool { + T::can_parse(t) + } +} + +impl<'a, T: asn1::Asn1Writable> asn1::Asn1Writable for WithTlv<'a, T> { + fn write(&self, w: &mut asn1::Writer<'_>) -> asn1::WriteResult<()> { + self.value.write(w) + } +} + +impl PartialEq for WithTlv<'_, T> { + fn eq(&self, other: &Self) -> bool { + self.value == other.value + } +} +impl Eq for WithTlv<'_, T> {} +impl std::hash::Hash for WithTlv<'_, T> { + fn hash(&self, state: &mut H) { + self.value.hash(state) + } +} + #[cfg(test)] mod tests { - use super::{Asn1ReadableOrWritable, RawTlv, UnvalidatedVisibleString}; + use super::{Asn1ReadableOrWritable, RawTlv, UnvalidatedVisibleString, WithTlv}; use asn1::Asn1Readable; #[test] @@ -383,4 +435,12 @@ mod tests { let t = asn1::Tag::from_bytes(&[0]).unwrap().0; assert!(RawTlv::can_parse(t)); } + + #[test] + fn test_with_raw_tlv_can_parse() { + let t = asn1::Tag::from_bytes(&[0x30]).unwrap().0; + + assert!(WithTlv::>::can_parse(t)); + assert!(!WithTlv::::can_parse(t)); + } } diff --git a/src/rust/cryptography-x509/src/csr.rs b/src/rust/cryptography-x509/src/csr.rs index 483bae9f3ba4..790134bacce0 100644 --- a/src/rust/cryptography-x509/src/csr.rs +++ b/src/rust/cryptography-x509/src/csr.rs @@ -18,7 +18,7 @@ pub struct Csr<'a> { pub struct CertificationRequestInfo<'a> { pub version: u8, pub subject: name::Name<'a>, - pub spki: common::SubjectPublicKeyInfo<'a>, + pub spki: common::WithTlv<'a, common::SubjectPublicKeyInfo<'a>>, #[implicit(0, required)] pub attributes: Attributes<'a>, } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index c2a46e0a1927..b8cbdd14b50b 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -67,7 +67,7 @@ impl Certificate { // This makes an unnecessary copy. It'd be nice to get rid of it. let serialized = pyo3::types::PyBytes::new( py, - &asn1::write_single(&self.raw.borrow_dependent().tbs_cert.spki)?, + self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(), ); Ok(types::LOAD_DER_PUBLIC_KEY.get(py)?.call1((serialized,))?) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 49182c845d01..8b10e8a0a09b 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -48,7 +48,7 @@ impl CertificateSigningRequest { // This makes an unnecessary copy. It'd be nice to get rid of it. let serialized = pyo3::types::PyBytes::new( py, - &asn1::write_single(&self.raw.borrow_dependent().csr_info.spki)?, + self.raw.borrow_dependent().csr_info.spki.tlv().full_data(), ); Ok(types::LOAD_DER_PUBLIC_KEY.get(py)?.call1((serialized,))?) } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 6af3b45468f5..594ad7cef5ee 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -30,7 +30,7 @@ impl CryptoOps for PyCryptoOps { fn public_key(&self, cert: &Certificate<'_>) -> Result { pyo3::Python::with_gil(|py| -> Result { // This makes an unnecessary copy. It'd be nice to get rid of it. - let spki_der = pyo3::types::PyBytes::new(py, &asn1::write_single(&cert.tbs_cert.spki)?); + let spki_der = pyo3::types::PyBytes::new(py, cert.tbs_cert.spki.tlv().full_data()); Ok(types::LOAD_DER_PUBLIC_KEY .get(py)? From 223b52e8d09a1faac1f886758efe96909bc09ef6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 29 Dec 2023 19:05:12 -0500 Subject: [PATCH 0861/1014] Don't re-compute extensions in permits_basic (#10076) The callers already have it --- .../src/policy/mod.rs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 2e3652505e57..56b2c055db0a 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -341,9 +341,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } - fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), ValidationError> { - let extensions = cert.extensions()?; - + fn permits_basic( + &self, + cert: &Certificate<'_>, + extensions: &Extensions<'_>, + ) -> Result<(), ValidationError> { // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. if cert.tbs_cert.version != 2 { @@ -405,7 +407,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // Extension policy checks. for ext_policy in self.common_extension_policies.iter() { - ext_policy.permits(self, cert, &extensions)?; + ext_policy.permits(self, cert, extensions)?; } // Check that all critical extensions in this certificate are accounted for. @@ -443,7 +445,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { current_depth: u8, extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { - self.permits_basic(cert)?; + self.permits_basic(cert, extensions)?; // 5280 4.1.2.6: Subject // CA certificates MUST have a subject populated with a non-empty distinguished name. @@ -484,7 +486,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { cert: &Certificate<'_>, extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { - self.permits_basic(cert)?; + self.permits_basic(cert, extensions)?; for ext_policy in self.ee_extension_policies.iter() { ext_policy.permits(self, cert, extensions)?; From bee00f98c674bdef3f3b4ba3f1f47c1293e41375 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 30 Dec 2023 00:22:57 +0000 Subject: [PATCH 0862/1014] Bump BoringSSL and/or OpenSSL in CI (#10084) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 689d9031acc6..188380b0f306 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Dec 22, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6e0eba6e62333652290514e51b75b966b27b27c"}} - # Latest commit on the OpenSSL master branch, as of Dec 28, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3d68e2937ee5c50eacef5f4c34abdf7c0e4dc479"}} + # Latest commit on the OpenSSL master branch, as of Dec 30, 2023. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8a1694f22588c0777d642253ffdc307a61245d51"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 2c9e7058e0126962a680fe1411166b872d0bbde0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Dec 2023 05:43:33 -0500 Subject: [PATCH 0863/1014] Use the newer openssl cipher module (#10085) It supports SM4-GCM --- src/rust/cryptography-openssl/src/cmac.rs | 2 +- src/rust/src/backend/cipher_registry.rs | 25 ++++++++++++----------- src/rust/src/backend/cmac.rs | 2 +- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/src/rust/cryptography-openssl/src/cmac.rs b/src/rust/cryptography-openssl/src/cmac.rs index 5215b88358d4..49646bb618e5 100644 --- a/src/rust/cryptography-openssl/src/cmac.rs +++ b/src/rust/cryptography-openssl/src/cmac.rs @@ -21,7 +21,7 @@ unsafe impl Sync for Cmac {} unsafe impl Send for Cmac {} impl Cmac { - pub fn new(key: &[u8], cipher: &openssl::symm::Cipher) -> OpenSSLResult { + pub fn new(key: &[u8], cipher: &openssl::cipher::CipherRef) -> OpenSSLResult { // SAFETY: All FFI conditions are handled. unsafe { let ctx = Cmac::from_ptr(cvt_p(ffi::CMAC_CTX_new())?); diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 9b5013e4a32f..5c62ff8c0f73 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -4,7 +4,7 @@ use crate::error::CryptographyResult; use crate::types; -use openssl::symm::Cipher; +use openssl::cipher::Cipher; use std::collections::HashMap; struct RegistryKey { @@ -54,7 +54,7 @@ impl std::hash::Hash for RegistryKey { struct RegisteryBuilder<'p> { py: pyo3::Python<'p>, - m: HashMap, + m: HashMap, } impl<'p> RegisteryBuilder<'p> { @@ -70,7 +70,7 @@ impl<'p> RegisteryBuilder<'p> { algorithm: &pyo3::PyAny, mode: &pyo3::PyAny, key_size: Option, - cipher: openssl::symm::Cipher, + cipher: &'static openssl::cipher::CipherRef, ) -> CryptographyResult<()> { self.m.insert( RegistryKey::new(self.py, algorithm.into(), mode.into(), key_size)?, @@ -80,16 +80,17 @@ impl<'p> RegisteryBuilder<'p> { Ok(()) } - fn build(self) -> HashMap { + fn build(self) -> HashMap { self.m } } fn get_cipher_registry( py: pyo3::Python<'_>, -) -> CryptographyResult<&HashMap> { - static REGISTRY: pyo3::sync::GILOnceCell> = - pyo3::sync::GILOnceCell::new(); +) -> CryptographyResult<&HashMap> { + static REGISTRY: pyo3::sync::GILOnceCell< + HashMap, + > = pyo3::sync::GILOnceCell::new(); REGISTRY.get_or_try_init(py, || { let mut m = RegisteryBuilder::new(py); @@ -123,11 +124,11 @@ fn get_cipher_registry( m.add(triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(128), Cipher::camellia_128_cbc())?; + m.add(camellia, cbc, Some(128), Cipher::camellia128_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(192), Cipher::camellia_192_cbc())?; + m.add(camellia, cbc, Some(192), Cipher::camellia192_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(256), Cipher::camellia_256_cbc())?; + m.add(camellia, cbc, Some(256), Cipher::camellia256_cbc())?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; @@ -148,11 +149,11 @@ fn get_cipher_registry( }) } -pub(crate) fn get_cipher( +pub(crate) fn get_cipher<'a>( py: pyo3::Python<'_>, algorithm: &pyo3::PyAny, mode_cls: &pyo3::PyAny, -) -> CryptographyResult> { +) -> CryptographyResult> { let registry = get_cipher_registry(py)?; let key_size = algorithm diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 339921723814..acacbf02f6ad 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -61,7 +61,7 @@ impl Cmac { let key = algorithm .getattr(pyo3::intern!(py, "key"))? .extract::>()?; - let ctx = cryptography_openssl::cmac::Cmac::new(key.as_bytes(), &cipher)?; + let ctx = cryptography_openssl::cmac::Cmac::new(key.as_bytes(), cipher)?; Ok(Cmac { ctx: Some(ctx) }) } From a9e8b78a28114dbf4539e83461bfc735ae28d41f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 30 Dec 2023 22:19:48 +0000 Subject: [PATCH 0864/1014] Bump pyo3 from 0.20.0 to 0.20.1 in /src/rust (#10088) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.20.0 to 0.20.1. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.20.1/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.20.0...v0.20.1) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e8e0517dcfbb..5f295ece3657 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -262,9 +262,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.20.0" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04e8453b658fe480c3e70c8ed4e3d3ec33eb74988bd186561b0cc66b85c3bc4b" +checksum = "e82ad98ce1991c9c70c3464ba4187337b9c45fcbbb060d46dca15f0c075e14e2" dependencies = [ "cfg-if", "indoc", @@ -279,9 +279,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.20.0" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a96fe70b176a89cff78f2fa7b3c930081e163d5379b4dcdf993e3ae29ca662e5" +checksum = "5503d0b3aee2c7a8dbb389cd87cd9649f675d4c7f60ca33699a3e3859d81a891" dependencies = [ "once_cell", "target-lexicon", @@ -289,9 +289,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.20.0" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "214929900fd25e6604661ed9cf349727c8920d47deff196c4e28165a6ef2a96b" +checksum = "18a79e8d80486a00d11c0dcb27cd2aa17c022cc95c677b461f01797226ba8f41" dependencies = [ "libc", "pyo3-build-config", @@ -299,9 +299,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.20.0" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dac53072f717aa1bfa4db832b39de8c875b7c7af4f4a6fe93cdbf9264cf8383b" +checksum = "1f4b0dc7eaa578604fab11c8c7ff8934c71249c61d4def8e272c76ed879f03d4" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -311,9 +311,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.20.0" +version = "0.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7774b5a8282bd4f25f803b1f0d945120be959a36c72e08e7cd031c792fdfd424" +checksum = "816a4f709e29ddab2e3cdfe94600d554c5556cad0ddfeea95c47b580c3247fa4" dependencies = [ "heck", "proc-macro2", From f4066177766a75defbe15c35d7ecd2e0da3d69ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Dec 2023 18:52:30 -0500 Subject: [PATCH 0865/1014] Remove warning ignore that's no longer required (#10090) --- src/rust/src/lib.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 381a67305eb9..c245649f985e 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,8 +3,6 @@ // for complete details. #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] -// Work-around for https://github.com/PyO3/pyo3/issues/3561 -#![allow(unknown_lints, clippy::unnecessary_fallible_conversions)] mod asn1; mod backend; From 3226373816b016fea3943a9a72106f05cbf60cd0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Dec 2023 18:52:53 -0500 Subject: [PATCH 0866/1014] Update mod.rs (#10086) --- src/rust/cryptography-x509-verification/src/policy/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 56b2c055db0a..04f59a5f103a 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -25,8 +25,8 @@ use cryptography_x509::oid::{ SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, }; -use self::extension::{ca, common, ee, Criticality, ExtensionPolicy}; use crate::ops::CryptoOps; +use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy}; use crate::types::{DNSName, DNSPattern, IPAddress}; use crate::ValidationError; From 2f4654d60ca47b2f89c2ce81cd6893177ec2d646 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Dec 2023 18:55:47 -0500 Subject: [PATCH 0867/1014] Small refactor of cipher registry (#10087) Makes it easy to add support for owned ciphers --- src/rust/src/backend/cipher_registry.rs | 30 +++++++++++++++++-------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 5c62ff8c0f73..fd0cc76cb742 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -52,9 +52,19 @@ impl std::hash::Hash for RegistryKey { } } +enum RegistryCipher { + Ref(&'static openssl::cipher::CipherRef), +} + +impl From<&'static openssl::cipher::CipherRef> for RegistryCipher { + fn from(c: &'static openssl::cipher::CipherRef) -> RegistryCipher { + RegistryCipher::Ref(c) + } +} + struct RegisteryBuilder<'p> { py: pyo3::Python<'p>, - m: HashMap, + m: HashMap, } impl<'p> RegisteryBuilder<'p> { @@ -70,27 +80,26 @@ impl<'p> RegisteryBuilder<'p> { algorithm: &pyo3::PyAny, mode: &pyo3::PyAny, key_size: Option, - cipher: &'static openssl::cipher::CipherRef, + cipher: impl Into, ) -> CryptographyResult<()> { self.m.insert( RegistryKey::new(self.py, algorithm.into(), mode.into(), key_size)?, - cipher, + cipher.into(), ); Ok(()) } - fn build(self) -> HashMap { + fn build(self) -> HashMap { self.m } } fn get_cipher_registry( py: pyo3::Python<'_>, -) -> CryptographyResult<&HashMap> { - static REGISTRY: pyo3::sync::GILOnceCell< - HashMap, - > = pyo3::sync::GILOnceCell::new(); +) -> CryptographyResult<&HashMap> { + static REGISTRY: pyo3::sync::GILOnceCell> = + pyo3::sync::GILOnceCell::new(); REGISTRY.get_or_try_init(py, || { let mut m = RegisteryBuilder::new(py); @@ -161,5 +170,8 @@ pub(crate) fn get_cipher<'a>( .extract()?; let key = RegistryKey::new(py, algorithm.get_type().into(), mode_cls.into(), key_size)?; - Ok(registry.get(&key).cloned()) + match registry.get(&key) { + Some(RegistryCipher::Ref(c)) => Ok(Some(c)), + None => Ok(None), + } } From 677cd1e574e2f595db7f43d9dd214e1efd8f1837 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Dec 2023 19:10:06 -0500 Subject: [PATCH 0868/1014] fix typo in struct name (#10091) --- src/rust/src/backend/cipher_registry.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index fd0cc76cb742..70fc4ff4483a 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -62,14 +62,14 @@ impl From<&'static openssl::cipher::CipherRef> for RegistryCipher { } } -struct RegisteryBuilder<'p> { +struct RegistryBuilder<'p> { py: pyo3::Python<'p>, m: HashMap, } -impl<'p> RegisteryBuilder<'p> { +impl<'p> RegistryBuilder<'p> { fn new(py: pyo3::Python<'p>) -> Self { - RegisteryBuilder { + RegistryBuilder { py, m: HashMap::new(), } @@ -102,7 +102,7 @@ fn get_cipher_registry( pyo3::sync::GILOnceCell::new(); REGISTRY.get_or_try_init(py, || { - let mut m = RegisteryBuilder::new(py); + let mut m = RegistryBuilder::new(py); let aes = types::AES.get(py)?; let aes128 = types::AES128.get(py)?; From c7a98d2081617535f7e6a13be59e760ff0865c34 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Dec 2023 19:25:59 -0500 Subject: [PATCH 0869/1014] Migrate DER public key parsing to Rust (#10066) --- .../hazmat/backends/openssl/backend.py | 33 +++-------------- .../hazmat/bindings/_rust/openssl/keys.pyi | 3 ++ .../hazmat/primitives/serialization/base.py | 6 ++-- src/rust/src/backend/keys.rs | 35 ++++++++++++++++++- src/rust/src/error.rs | 26 +++++++++----- src/rust/src/types.rs | 4 +++ 6 files changed, 66 insertions(+), 41 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 0e14bfb4e2b1..a35b767b4045 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -511,7 +511,7 @@ def load_pem_public_key(self, data: bytes) -> PublicKeyTypes: evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) return self._evp_pkey_to_public_key(evp_pkey) else: - self._handle_key_loading_error() + self._handle_key_loading_error(self._consume_errors()) def load_der_private_key( self, @@ -553,29 +553,6 @@ def _evp_pkey_from_der_traditional_key(self, bio_data, password): self._consume_errors() return None - def load_der_public_key(self, data: bytes) -> PublicKeyTypes: - mem_bio = self._bytes_to_bio(data) - evp_pkey = self._lib.d2i_PUBKEY_bio(mem_bio.bio, self._ffi.NULL) - if evp_pkey != self._ffi.NULL: - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return self._evp_pkey_to_public_key(evp_pkey) - else: - # It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still - # need to check to see if it is a pure PKCS1 RSA public key (not - # embedded in a subjectPublicKeyInfo) - self._consume_errors() - res = self._lib.BIO_reset(mem_bio.bio) - self.openssl_assert(res == 1) - rsa_cdata = self._lib.d2i_RSAPublicKey_bio( - mem_bio.bio, self._ffi.NULL - ) - if rsa_cdata != self._ffi.NULL: - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return self._evp_pkey_to_public_key(evp_pkey) - else: - self._handle_key_loading_error() - def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: data = cert.public_bytes(serialization.Encoding.DER) mem_bio = self._bytes_to_bio(data) @@ -640,7 +617,7 @@ def _load_key( "by this backend.".format(userdata.maxsize - 1) ) else: - self._handle_key_loading_error() + self._handle_key_loading_error(self._consume_errors()) evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) @@ -657,9 +634,9 @@ def _load_key( evp_pkey, unsafe_skip_rsa_key_validation ) - def _handle_key_loading_error(self) -> typing.NoReturn: - errors = self._consume_errors() - + def _handle_key_loading_error( + self, errors: list[rust_openssl.OpenSSLError] + ) -> typing.NoReturn: if not errors: raise ValueError( "Could not deserialize key data. The data may be in an " diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi index 931d3e9c369d..1918dd9deaf7 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi @@ -12,3 +12,6 @@ def private_key_from_ptr( unsafe_skip_rsa_key_validation: bool, ) -> PrivateKeyTypes: ... def public_key_from_ptr(ptr: int) -> PublicKeyTypes: ... +def load_der_public_key( + data: bytes, +) -> PublicKeyTypes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/base.py b/src/cryptography/hazmat/primitives/serialization/base.py index 9df1a1e83588..d9131a2f8bb1 100644 --- a/src/cryptography/hazmat/primitives/serialization/base.py +++ b/src/cryptography/hazmat/primitives/serialization/base.py @@ -59,9 +59,9 @@ def load_der_private_key( def load_der_public_key( data: bytes, backend: typing.Any = None ) -> PublicKeyTypes: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_der_public_key(data) + return rust_openssl.keys.load_der_public_key( + data, + ) def load_der_parameters( diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 2e5108e8c82b..d2a79af38c12 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,8 +2,9 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; -use crate::exceptions; +use crate::{error, exceptions, types}; use foreign_types_shared::ForeignTypeRef; use pyo3::IntoPy; @@ -66,10 +67,39 @@ fn private_key_from_ptr( } } +#[pyo3::prelude::pyfunction] +fn load_der_public_key( + py: pyo3::Python<'_>, + data: CffiBuf<'_>, +) -> CryptographyResult { + if let Ok(pkey) = openssl::pkey::PKey::public_key_from_der(data.as_bytes()) { + return public_key_from_pkey(py, &pkey); + } + // It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still need to + // check to see if it is a pure PKCS1 RSA public key (not embedded in a + // subjectPublicKeyInfo) + let rsa = openssl::rsa::Rsa::public_key_from_der_pkcs1(data.as_bytes()).or_else(|e| { + let errors = error::list_from_openssl_error(py, e); + Err(types::BACKEND_HANDLE_KEY_LOADING_ERROR + .get(py)? + .call1((errors,)) + .unwrap_err()) + })?; + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + public_key_from_pkey(py, &pkey) +} + #[pyo3::prelude::pyfunction] fn public_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + public_key_from_pkey(py, pkey) +} + +fn public_key_from_pkey( + py: pyo3::Python<'_>, + pkey: &openssl::pkey::PKeyRef, +) -> CryptographyResult { match pkey.id() { openssl::pkey::Id::RSA => Ok(crate::backend::rsa::public_key_from_pkey(pkey).into_py(py)), #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))] @@ -114,6 +144,9 @@ fn public_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult

) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "keys")?; + + m.add_function(pyo3::wrap_pyfunction!(load_der_public_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 843235cc2189..23918fb0f34d 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -50,6 +50,22 @@ impl From for CryptographyError { } } +pub(crate) fn list_from_openssl_error( + py: pyo3::Python<'_>, + error_stack: openssl::error::ErrorStack, +) -> &pyo3::types::PyList { + let errors = pyo3::types::PyList::empty(py); + for e in error_stack.errors() { + errors + .append( + pyo3::PyCell::new(py, OpenSSLError { e: e.clone() }) + .expect("Failed to create OpenSSLError"), + ) + .expect("Failed to append to list"); + } + errors +} + impl From for pyo3::PyErr { fn from(e: CryptographyError) -> pyo3::PyErr { match e { @@ -63,15 +79,7 @@ impl From for pyo3::PyErr { } CryptographyError::Py(py_error) => py_error, CryptographyError::OpenSSL(error_stack) => pyo3::Python::with_gil(|py| { - let errors = pyo3::types::PyList::empty(py); - for e in error_stack.errors() { - errors - .append( - pyo3::PyCell::new(py, OpenSSLError { e: e.clone() }) - .expect("Failed to create OpenSSLError"), - ) - .expect("Failed to append to list"); - } + let errors = list_from_openssl_error(py, error_stack); exceptions::InternalError::new_err(( format!( "Unknown OpenSSL error. This error is commonly encountered diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index cf323bfd28af..0671a36db162 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -384,6 +384,10 @@ pub static CRL_ENTRY_REASON_ENUM_TO_CODE: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.backends.openssl.decode_asn1", &["_CRL_ENTRY_REASON_ENUM_TO_CODE"], ); +pub static BACKEND_HANDLE_KEY_LOADING_ERROR: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.backends.openssl.backend", + &["backend", "_handle_key_loading_error"], +); pub static RSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.rsa", From 71e5b98d71659eb840b932f1e9e246953c2dfcbc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Dec 2023 20:33:04 -0500 Subject: [PATCH 0870/1014] Remove unused bindings (#10093) --- src/_cffi_src/openssl/x509.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 120a23eb35e8..b43593543cee 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -138,10 +138,6 @@ const char *X509_get_default_cert_dir_env(void); const char *X509_get_default_cert_file_env(void); -int i2d_RSAPrivateKey_bio(BIO *, RSA *); -RSA *d2i_RSAPublicKey_bio(BIO *, RSA **); -int i2d_RSAPublicKey_bio(BIO *, RSA *); - int X509_get_ext_count(const X509 *); X509_EXTENSION *X509_get_ext(const X509 *, int); X509_NAME *X509_get_subject_name(const X509 *); From 48c267e638590b15f04cf4c6f566fa7c735b5c2d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 31 Dec 2023 05:09:18 -0500 Subject: [PATCH 0871/1014] Make a direct rust call for parsing SPKIs (#10092) This avoids the need to allocate a PyBytes --- src/rust/src/backend/keys.rs | 11 +++++++++-- src/rust/src/types.rs | 5 ----- src/rust/src/x509/certificate.rs | 10 ++++------ src/rust/src/x509/csr.rs | 11 +++++------ src/rust/src/x509/verify.rs | 9 ++------- 5 files changed, 20 insertions(+), 26 deletions(-) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index d2a79af38c12..19419730faef 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -72,13 +72,20 @@ fn load_der_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, ) -> CryptographyResult { - if let Ok(pkey) = openssl::pkey::PKey::public_key_from_der(data.as_bytes()) { + load_der_public_key_bytes(py, data.as_bytes()) +} + +pub(crate) fn load_der_public_key_bytes( + py: pyo3::Python<'_>, + data: &[u8], +) -> CryptographyResult { + if let Ok(pkey) = openssl::pkey::PKey::public_key_from_der(data) { return public_key_from_pkey(py, &pkey); } // It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still need to // check to see if it is a pure PKCS1 RSA public key (not embedded in a // subjectPublicKeyInfo) - let rsa = openssl::rsa::Rsa::public_key_from_der_pkcs1(data.as_bytes()).or_else(|e| { + let rsa = openssl::rsa::Rsa::public_key_from_der_pkcs1(data).or_else(|e| { let errors = error::list_from_openssl_error(py, e); Err(types::BACKEND_HANDLE_KEY_LOADING_ERROR .get(py)? diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 0671a36db162..ed89d9a5ecc9 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -44,11 +44,6 @@ pub static DEPRECATED_IN_41: LazyPyImport = pub static DEPRECATED_IN_42: LazyPyImport = LazyPyImport::new("cryptography.utils", &["DeprecatedIn42"]); -pub static LOAD_DER_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.serialization", - &["load_der_public_key"], -); - pub static ENCODING: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", &["Encoding"], diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index b8cbdd14b50b..f7f35f834cc6 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -5,7 +5,7 @@ use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, }; -use crate::backend::hashes; +use crate::backend::{hashes, keys}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::verify::PyCryptoOps; use crate::x509::{extensions, sct, sign}; @@ -63,13 +63,11 @@ impl Certificate { slf } - fn public_key<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { - // This makes an unnecessary copy. It'd be nice to get rid of it. - let serialized = pyo3::types::PyBytes::new( + fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { + keys::load_der_public_key_bytes( py, self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(), - ); - Ok(types::LOAD_DER_PUBLIC_KEY.get(py)?.call1((serialized,))?) + ) } fn fingerprint<'p>( diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 8b10e8a0a09b..de33f49f89ea 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -3,6 +3,7 @@ // for complete details. use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; +use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sign}; use crate::{exceptions, types, x509}; @@ -44,13 +45,11 @@ impl CertificateSigningRequest { self.raw.borrow_owner().as_bytes(py) == other.raw.borrow_owner().as_bytes(py) } - fn public_key<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { - // This makes an unnecessary copy. It'd be nice to get rid of it. - let serialized = pyo3::types::PyBytes::new( + fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { + keys::load_der_public_key_bytes( py, self.raw.borrow_dependent().csr_info.spki.tlv().full_data(), - ); - Ok(types::LOAD_DER_PUBLIC_KEY.get(py)?.call1((serialized,))?) + ) } #[getter] @@ -210,7 +209,7 @@ impl CertificateSigningRequest { let public_key = slf.public_key(py)?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key, + public_key.as_ref(py), &slf.raw.borrow_dependent().signature_alg, slf.raw.borrow_dependent().signature.as_bytes(), &asn1::write_single(&slf.raw.borrow_dependent().csr_info)?, diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 594ad7cef5ee..8dd9f16f3285 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -10,6 +10,7 @@ use cryptography_x509_verification::{ types::{DNSName, IPAddress}, }; +use crate::backend::keys; use crate::types; use crate::x509::certificate::Certificate as PyCertificate; use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime}; @@ -29,13 +30,7 @@ impl CryptoOps for PyCryptoOps { fn public_key(&self, cert: &Certificate<'_>) -> Result { pyo3::Python::with_gil(|py| -> Result { - // This makes an unnecessary copy. It'd be nice to get rid of it. - let spki_der = pyo3::types::PyBytes::new(py, cert.tbs_cert.spki.tlv().full_data()); - - Ok(types::LOAD_DER_PUBLIC_KEY - .get(py)? - .call1((spki_der,))? - .into()) + keys::load_der_public_key_bytes(py, cert.tbs_cert.spki.tlv().full_data()) }) } From e91672c39ba670777ac2793264c7aa9b29f36232 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 31 Dec 2023 16:43:41 +0000 Subject: [PATCH 0872/1014] Bump proc-macro2 from 1.0.71 to 1.0.72 in /src/rust (#10095) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.71 to 1.0.72. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.71...1.0.72) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5f295ece3657..00d7f5ab93e8 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -253,9 +253,9 @@ checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" [[package]] name = "proc-macro2" -version = "1.0.71" +version = "1.0.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75cb1540fadbd5b8fbccc4dddad2734eba435053f725621c070711a14bb5f4b8" +checksum = "a293318316cf6478ec1ad2a21c49390a8d5b5eae9fab736467d93fbc0edc29c5" dependencies = [ "unicode-ident", ] From 90760a7434798a72675595ca3d73258574f5b19e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 31 Dec 2023 16:58:01 +0000 Subject: [PATCH 0873/1014] Bump pytest from 7.4.3 to 7.4.4 (#10096) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.3 to 7.4.4. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.4.3...7.4.4) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6bf78f09884f..818f95ee5a04 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.4.3 +pytest==7.4.4 # via # cryptography (pyproject.toml) # pytest-benchmark From 7a59849a5dd5098db9e3ce668ae9db6de3e74114 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 31 Dec 2023 15:33:05 -0500 Subject: [PATCH 0874/1014] Remove linkcheck ignore for secg.org (#10099) They appear to have gotten rid of FF DH KEX entirely --- docs/conf.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index 4fa571dc8037..905bc645d64d 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -195,8 +195,6 @@ linkcheck_ignore = [ # Insecure renegotiation settings r"https://info.isl.ntt.co.jp/crypt/eng/camellia/", - # Inconsistent small DH params they seem incapable of fixing - r"https://www.secg.org/sec1-v2.pdf", # Cloudflare returns 403s for all non-browser requests r"https://speakerdeck.com", r"https://\w+.stackexchange.com", From 1014b1c112d769393f7661e542e1e857c9b7c593 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 31 Dec 2023 15:51:27 -0500 Subject: [PATCH 0875/1014] Added timeouts to setup-python actions (#10097) --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 188380b0f306..8d11972e6546 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,7 @@ jobs: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip cache-dependency-path: ci-constraints-requirements.txt + timeout-minutes: 3 - name: Setup rust uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 with: @@ -248,6 +249,7 @@ jobs: architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 cache: pip cache-dependency-path: ci-constraints-requirements.txt + timeout-minutes: 3 - run: rustup component add llvm-tools-preview - run: python -m pip install -c ci-constraints-requirements.txt 'nox' 'tomli; python_version < "3.11"' @@ -307,6 +309,7 @@ jobs: architecture: ${{ matrix.WINDOWS.ARCH }} cache: pip cache-dependency-path: ci-constraints-requirements.txt + timeout-minutes: 3 - run: rustup component add llvm-tools-preview - name: Cache rust and pip uses: ./.github/actions/cache @@ -381,6 +384,7 @@ jobs: python-version: ${{ matrix.PYTHON }} cache: pip cache-dependency-path: ci-constraints-requirements.txt + timeout-minutes: 3 - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install - run: pip install . setuptools env: @@ -426,6 +430,7 @@ jobs: python-version: '3.12' cache: pip cache-dependency-path: ci-constraints-requirements.txt + timeout-minutes: 3 - run: pip install -c ci-constraints-requirements.txt coverage[toml] if: ${{ always() }} - name: Download coverage data From 9e866cc50dc63c6da9736e1fdcd539194c7ee4fa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 31 Dec 2023 15:56:51 -0500 Subject: [PATCH 0876/1014] Update various links in the docs for permanent redirects (#10098) --- docs/development/test-vectors.rst | 4 ++-- docs/hazmat/primitives/aead.rst | 2 +- docs/hazmat/primitives/asymmetric/ec.rst | 4 ++-- docs/hazmat/primitives/cryptographic-hashes.rst | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 73eaeb5fbf13..ec9214080757 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -1048,9 +1048,9 @@ header format (substituting the correct information): .. _`GnuTLS example keys`: https://gitlab.com/gnutls/gnutls/-/commit/ad2061deafdd7db78fd405f9d143b0a7c579da7b .. _`NESSIE IDEA vectors`: https://www.cosic.esat.kuleuven.be/nessie/testvectors/bc/idea/Idea-128-64.verified.test-vectors .. _`NESSIE`: https://en.wikipedia.org/wiki/NESSIE -.. _`draft-ribose-cfrg-sm4-10`: https://tools.ietf.org/html/draft-ribose-cfrg-sm4-10 +.. _`draft-ribose-cfrg-sm4-10`: https://datatracker.ietf.org/doc/html/draft-ribose-cfrg-sm4-10 .. _`Ed25519 website`: https://ed25519.cr.yp.to/software.html -.. _`NIST SP-800-38B`: https://csrc.nist.gov/publications/detail/sp/800-38b/archive/2005-05-01 +.. _`NIST SP-800-38B`: https://csrc.nist.gov/pubs/sp/800/38/b/final .. _`NIST PKI Testing`: https://csrc.nist.gov/Projects/PKI-Testing .. _`testx509.pem`: https://github.com/openssl/openssl/blob/master/test/testx509.pem .. _`DigiCert Global Root G3`: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt diff --git a/docs/hazmat/primitives/aead.rst b/docs/hazmat/primitives/aead.rst index 776f9b77271a..9c80c3a62049 100644 --- a/docs/hazmat/primitives/aead.rst +++ b/docs/hazmat/primitives/aead.rst @@ -493,4 +493,4 @@ also support providing integrity for associated data which is not encrypted. when the ciphertext has been changed, but will also occur when the key, nonce, or associated data are wrong. -.. _`recommends a 96-bit IV length`: https://csrc.nist.gov/publications/detail/sp/800-38d/final +.. _`recommends a 96-bit IV length`: https://csrc.nist.gov/pubs/sp/800/38/d/final diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index c75e46b7e3a5..561218c35c72 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -909,8 +909,8 @@ Elliptic Curve Object Identifiers :raises LookupError: Raised if no elliptic curve is found that matches the provided object identifier. -.. _`FIPS 186-3`: https://csrc.nist.gov/csrc/media/publications/fips/186/3/archive/2009-06-25/documents/fips_186-3.pdf -.. _`FIPS 186-4`: https://csrc.nist.gov/publications/detail/fips/186/4/final +.. _`FIPS 186-3`: https://csrc.nist.gov/files/pubs/fips/186-3/final/docs/fips_186-3.pdf +.. _`FIPS 186-4`: https://csrc.nist.gov/pubs/fips/186-4/final .. _`800-56A`: https://csrc.nist.gov/pubs/sp/800/56/a/r3/final .. _`some concern`: https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters .. _`less than 224 bits`: https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index b6c889df4a81..c1c29cad27c6 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -290,7 +290,7 @@ Interfaces .. _`Lifetimes of cryptographic hash functions`: https://valerieaurora.org/hash.html -.. _`BLAKE2`: https://blake2.net +.. _`BLAKE2`: https://www.blake2.net/ .. _`length-extension attacks`: https://en.wikipedia.org/wiki/Length_extension_attack .. _`GM/T 0004-2012`: https://www.oscca.gov.cn/sca/xxgk/2010-12/17/1002389/files/302a3ada057c4a73830536d03e683110.pdf .. _`draft-sca-cfrg-sm3`: https://datatracker.ietf.org/doc/html/draft-sca-cfrg-sm3 From c514a1cd921c2c1c3740676c0ff4a611bc0656c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 31 Dec 2023 16:21:51 -0500 Subject: [PATCH 0877/1014] Avoid re-parsing certificates after building chain (#10056) --- .../src/certificate.rs | 1 + .../cryptography-x509-verification/src/lib.rs | 63 ++++++++++--------- .../cryptography-x509-verification/src/ops.rs | 39 ++++++++++++ .../src/trust_store.rs | 32 +++++----- src/rust/src/x509/verify.rs | 59 +++++++++-------- 5 files changed, 118 insertions(+), 76 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/certificate.rs b/src/rust/cryptography-x509-verification/src/certificate.rs index 335312ccd265..9f78a0228ec9 100644 --- a/src/rust/cryptography-x509-verification/src/certificate.rs +++ b/src/rust/cryptography-x509-verification/src/certificate.rs @@ -55,6 +55,7 @@ Xw4nMqk= impl CryptoOps for PublicKeyErrorOps { type Key = (); type Err = (); + type CertificateExtra = (); fn public_key(&self, _cert: &Certificate<'_>) -> Result { // Simulate failing to retrieve a public key. diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 8126239ea66f..fef55e350207 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -15,19 +15,18 @@ use std::collections::HashSet; use std::vec; use crate::certificate::cert_is_self_issued; +use crate::ops::{CryptoOps, VerificationCertificate}; +use crate::policy::Policy; +use crate::trust_store::Store; +use crate::types::DNSName; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; use cryptography_x509::{ - certificate::Certificate, extensions::{NameConstraints, SubjectAlternativeName}, name::GeneralName, oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, }; -use ops::CryptoOps; -use policy::Policy; -use trust_store::Store; -use types::DNSName; #[derive(Debug, PartialEq, Eq)] pub enum ValidationError { @@ -157,23 +156,23 @@ impl<'a, 'chain> NameChain<'a, 'chain> { } } -pub type Chain<'c> = Vec>; +pub type Chain<'c, B> = Vec>; pub fn verify<'chain, B: CryptoOps>( - leaf: &Certificate<'chain>, - intermediates: impl IntoIterator>, + leaf: &VerificationCertificate<'chain, B>, + intermediates: impl IntoIterator>, policy: &Policy<'_, B>, - store: &Store<'chain>, -) -> Result, ValidationError> { + store: &Store<'chain, B>, +) -> Result, ValidationError> { let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); builder.build_chain(leaf) } struct ChainBuilder<'a, 'chain, B: CryptoOps> { - intermediates: HashSet>, + intermediates: HashSet>, policy: &'a Policy<'a, B>, - store: &'a Store<'chain>, + store: &'a Store<'chain, B>, } // When applying a name constraint, we need to distinguish between a few different scenarios: @@ -197,9 +196,9 @@ impl ApplyNameConstraintStatus { impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: HashSet>, + intermediates: HashSet>, policy: &'a Policy<'a, B>, - store: &'a Store<'chain>, + store: &'a Store<'chain, B>, ) -> Self { Self { intermediates, @@ -210,27 +209,25 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn potential_issuers( &'a self, - cert: &'a Certificate<'chain>, - ) -> impl Iterator> + '_ { + cert: &'a VerificationCertificate<'chain, B>, + ) -> impl Iterator> + '_ { // TODO: Optimizations: // * Search by AKI and other identifiers? self.store - .get_by_subject(&cert.tbs_cert.issuer) + .get_by_subject(&cert.certificate().tbs_cert.issuer) .iter() - .chain( - self.intermediates - .iter() - .filter(|&candidate| candidate.subject() == cert.issuer()), - ) + .chain(self.intermediates.iter().filter(|&candidate| { + candidate.certificate().subject() == cert.certificate().issuer() + })) } fn build_chain_inner( &self, - working_cert: &Certificate<'chain>, + working_cert: &VerificationCertificate<'chain, B>, current_depth: u8, working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { name_chain.evaluate_constraints(&nc.value()?)?; } @@ -257,10 +254,10 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // A candidate issuer is said to verify if it both // signs for the working certificate and conforms to the // policy. - let issuer_extensions = issuing_cert_candidate.extensions()?; + let issuer_extensions = issuing_cert_candidate.certificate().extensions()?; match self.policy.valid_issuer( - issuing_cert_candidate, - working_cert, + issuing_cert_candidate.certificate(), + working_cert.certificate(), current_depth, &issuer_extensions, ) { @@ -296,7 +293,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // certificate is the "final" (i.e., leaf) certificate in the path. // We accomplish this by only collecting the SANs when the issuing // candidate (which is a non-leaf by definition) isn't self-issued. - cert_is_self_issued(issuing_cert_candidate), + cert_is_self_issued(issuing_cert_candidate.certificate()), )?, ) { Ok(mut chain) => { @@ -326,15 +323,19 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { ))) } - fn build_chain(&self, leaf: &Certificate<'chain>) -> Result, ValidationError> { + fn build_chain( + &self, + leaf: &VerificationCertificate<'chain, B>, + ) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). // // The leaf must be an EE; a CA cert in the leaf position will be rejected. - let leaf_extensions = leaf.extensions()?; + let leaf_extensions = leaf.certificate().extensions()?; - self.policy.permits_ee(leaf, &leaf_extensions)?; + self.policy + .permits_ee(leaf.certificate(), &leaf_extensions)?; let mut chain = self.build_chain_inner( leaf, diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs index 719d9aa04617..d596cf848de6 100644 --- a/src/rust/cryptography-x509-verification/src/ops.rs +++ b/src/rust/cryptography-x509-verification/src/ops.rs @@ -4,6 +4,42 @@ use cryptography_x509::certificate::Certificate; +pub struct VerificationCertificate<'a, B: CryptoOps> { + pub cert: Certificate<'a>, + pub extra: B::CertificateExtra, +} + +impl<'a, B: CryptoOps> VerificationCertificate<'a, B> { + pub fn new(cert: Certificate<'a>, extra: B::CertificateExtra) -> Self { + VerificationCertificate { cert, extra } + } + + pub fn certificate(&self) -> &Certificate<'a> { + &self.cert + } + + pub fn extra(&self) -> &B::CertificateExtra { + &self.extra + } +} + +impl PartialEq for VerificationCertificate<'_, B> { + fn eq(&self, other: &Self) -> bool { + self.cert == other.cert + } +} +impl Eq for VerificationCertificate<'_, B> {} +impl std::hash::Hash for VerificationCertificate<'_, B> { + fn hash(&self, state: &mut H) { + self.cert.hash(state) + } +} +impl Clone for VerificationCertificate<'_, B> { + fn clone(&self) -> Self { + VerificationCertificate::new(self.cert.clone(), self.extra.clone()) + } +} + pub trait CryptoOps { /// A public key type for this cryptographic backend. type Key; @@ -11,6 +47,9 @@ pub trait CryptoOps { /// An error type for this cryptographic backend. type Err; + /// Extra data that's passed around with the certificate. + type CertificateExtra: Clone; + /// Extracts the public key from the given `Certificate` in /// a `Key` format known by the cryptographic backend, or `None` /// if the key is malformed. diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs index 4001fccd7f1d..558ceb7d7839 100644 --- a/src/rust/cryptography-x509-verification/src/trust_store.rs +++ b/src/rust/cryptography-x509-verification/src/trust_store.rs @@ -4,23 +4,24 @@ use std::collections::{HashMap, HashSet}; -use cryptography_x509::certificate::Certificate; +use crate::CryptoOps; +use crate::VerificationCertificate; use cryptography_x509::name::Name; /// A `Store` represents the core state needed for X.509 path validation. -pub struct Store<'a> { - certs: HashSet>, - by_subject: HashMap, Vec>>, +pub struct Store<'a, B: CryptoOps> { + certs: HashSet>, + by_subject: HashMap, Vec>>, } -impl<'a> Store<'a> { +impl<'a, B: CryptoOps> Store<'a, B> { /// Create a new `Store` from the given iterable certificate source. - pub fn new(trusted: impl IntoIterator>) -> Self { + pub fn new(trusted: impl IntoIterator>) -> Self { let certs = HashSet::from_iter(trusted); - let mut by_subject: HashMap, Vec>> = HashMap::new(); + let mut by_subject: HashMap, Vec>> = HashMap::new(); for cert in certs.iter() { by_subject - .entry(cert.tbs_cert.subject.clone()) + .entry(cert.certificate().tbs_cert.subject.clone()) .or_default() .push(cert.clone()); } @@ -28,16 +29,16 @@ impl<'a> Store<'a> { } /// Returns whether this store contains the given certificate. - pub fn contains(&self, cert: &Certificate<'a>) -> bool { + pub fn contains(&self, cert: &VerificationCertificate<'a, B>) -> bool { self.certs.contains(cert) } /// Returns an iterator over all certificates in this store. - pub fn iter(&self) -> impl Iterator> { + pub fn iter(&self) -> impl Iterator> { self.certs.iter() } - pub fn get_by_subject(&self, subject: &Name<'a>) -> &[Certificate<'a>] { + pub fn get_by_subject(&self, subject: &Name<'a>) -> &[VerificationCertificate<'a, B>] { self.by_subject .get(subject) .map(|v| v.as_slice()) @@ -47,15 +48,16 @@ impl<'a> Store<'a> { #[cfg(test)] mod tests { - use crate::ops::tests::{cert, v1_cert_pem}; - use super::Store; + use crate::certificate::tests::PublicKeyErrorOps; + use crate::ops::tests::{cert, v1_cert_pem}; + use crate::VerificationCertificate; #[test] fn test_store() { let cert_pem = v1_cert_pem(); - let cert = cert(&cert_pem); - let store = Store::new([cert.clone()]); + let cert = VerificationCertificate::new(cert(&cert_pem), ()); + let store = Store::<'_, PublicKeyErrorOps>::new([cert.clone()]); assert!(store.contains(&cert)); assert!(store.iter().collect::>() == [&cert]); diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 8dd9f16f3285..d8e849bc742c 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -4,7 +4,7 @@ use cryptography_x509::certificate::Certificate; use cryptography_x509_verification::{ - ops::CryptoOps, + ops::{CryptoOps, VerificationCertificate}, policy::{Policy, Subject}, trust_store::Store, types::{DNSName, IPAddress}, @@ -20,13 +20,12 @@ use crate::{ exceptions::VerificationError, }; -use super::certificate::OwnedCertificate; - pub(crate) struct PyCryptoOps {} impl CryptoOps for PyCryptoOps { type Key = pyo3::Py; type Err = CryptographyError; + type CertificateExtra = pyo3::Py; fn public_key(&self, cert: &Certificate<'_>) -> Result { pyo3::Python::with_gil(|py| -> Result { @@ -99,39 +98,32 @@ impl PyServerVerifier { self.as_policy().max_chain_depth } - fn verify<'p>( + fn verify( &self, - py: pyo3::Python<'p>, - leaf: &PyCertificate, - intermediates: Vec>, - ) -> CryptographyResult> { + py: pyo3::Python<'_>, + leaf: pyo3::Py, + intermediates: Vec>, + ) -> CryptographyResult>> { let policy = self.as_policy(); - let store = self.store.as_ref(py).borrow(); + let store = self.store.get(); let chain = cryptography_x509_verification::verify( - leaf.raw.borrow_dependent(), - intermediates - .iter() - .map(|i| i.raw.borrow_dependent().clone()), + &VerificationCertificate::new( + leaf.get().raw.borrow_dependent().clone(), + leaf.clone_ref(py), + ), + intermediates.iter().map(|i| { + VerificationCertificate::new( + i.get().raw.borrow_dependent().clone(), + i.clone_ref(py), + ) + }), policy, store.raw.borrow_dependent(), ) .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; - // TODO: Optimize this? Turning a Certificate back into a PyCertificate - // involves a full round-trip back through DER, which isn't ideal. - chain - .iter() - .map(|c| { - let raw = pyo3::types::PyBytes::new(py, &asn1::write_single(c)?); - Ok(PyCertificate { - raw: OwnedCertificate::try_new(raw.into(), |raw| { - asn1::parse_single(raw.as_bytes(py)) - })?, - cached_extensions: pyo3::sync::GILOnceCell::new(), - }) - }) - .collect() + Ok(chain.iter().map(|c| c.extra().clone_ref(py)).collect()) } } @@ -212,12 +204,14 @@ fn create_server_verifier( }) } +type PyCryptoOpsStore<'a> = Store<'a, PyCryptoOps>; + self_cell::self_cell!( struct RawPyStore { owner: Vec>, #[covariant] - dependent: Store, + dependent: PyCryptoOpsStore, } ); @@ -233,7 +227,7 @@ struct PyStore { #[pyo3::pymethods] impl PyStore { #[new] - fn new(certs: Vec>) -> pyo3::PyResult { + fn new(py: pyo3::Python<'_>, certs: Vec>) -> pyo3::PyResult { if certs.is_empty() { return Err(pyo3::exceptions::PyValueError::new_err( "can't create an empty store", @@ -241,7 +235,12 @@ impl PyStore { } Ok(Self { raw: RawPyStore::new(certs, |v| { - Store::new(v.iter().map(|t| t.get().raw.borrow_dependent().clone())) + Store::new(v.iter().map(|t| { + VerificationCertificate::new( + t.get().raw.borrow_dependent().clone(), + t.clone_ref(py), + ) + })) }), }) } From 42467135ad0c444061629bebe1788f1e1ab82464 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 1 Jan 2024 05:32:57 -0500 Subject: [PATCH 0878/1014] Bump copyright years (#10101) --- docs/conf.py | 2 +- src/cryptography/__about__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index 905bc645d64d..cf0f25abcaa9 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -71,7 +71,7 @@ # General information about the project. project = "Cryptography" -copyright = "2013-2023, Individual Contributors" +copyright = "2013-2024, Individual Contributors" # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index f9f2823b87a7..103c77eb7b63 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -14,4 +14,4 @@ __author__ = "The Python Cryptographic Authority and individual contributors" -__copyright__ = f"Copyright 2013-2023 {__author__}" +__copyright__ = f"Copyright 2013-2024 {__author__}" From 33a9036f58f4766f47208b3cce00153bc4e8fea9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 08:46:03 -0500 Subject: [PATCH 0879/1014] Bump quote from 1.0.33 to 1.0.34 in /src/rust (#10102) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.33 to 1.0.34. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.33...1.0.34) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 00d7f5ab93e8..a360b2375e1c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -323,9 +323,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.33" +version = "1.0.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" +checksum = "22a37c9326af5ed140c86a46655b5278de879853be5573c01df185b6f49a580a" dependencies = [ "proc-macro2", ] From f3d62f7ce7d60aef02ce818c2f0397fc86db1fe7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 08:46:37 -0500 Subject: [PATCH 0880/1014] Bump proc-macro2 from 1.0.72 to 1.0.73 in /src/rust (#10103) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.72 to 1.0.73. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.72...1.0.73) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a360b2375e1c..395cdf291707 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -253,9 +253,9 @@ checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" [[package]] name = "proc-macro2" -version = "1.0.72" +version = "1.0.73" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a293318316cf6478ec1ad2a21c49390a8d5b5eae9fab736467d93fbc0edc29c5" +checksum = "2dd5e8a1f1029c43224ad5898e50140c2aebb1705f19e67c918ebf5b9e797fe1" dependencies = [ "unicode-ident", ] From 7f3a029c999e2c40da9a09066c72e53fa09f6983 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 18:43:40 +0000 Subject: [PATCH 0881/1014] Bump syn from 2.0.43 to 2.0.44 in /src/rust (#10105) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.43 to 2.0.44. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.43...2.0.44) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 395cdf291707..4fd825fd01a6 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.43" +version = "2.0.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee659fb5f3d355364e1f3e5bc10fb82068efbf824a1e9d1c9504244a6469ad53" +checksum = "92d27c2c202598d05175a6dd3af46824b7f747f8d8e9b14c623f19fa5069735d" dependencies = [ "proc-macro2", "quote", From 71023b0a0cd81d038eb5718b6540a4a5f41935b0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 1 Jan 2024 14:17:08 -0500 Subject: [PATCH 0882/1014] Manually bump pydantic (#10106) * Manually bump pydantic For some reason, dependabot chokes on it * Update pyproject.toml --- .github/requirements/publish-requirements.txt | 219 +++++++++--------- pyproject.toml | 2 +- 2 files changed, 110 insertions(+), 111 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 121b0c47faf2..8e16964556f5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -365,120 +365,119 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic[email]==2.4.2 \ - --hash=sha256:94f336138093a5d7f426aac732dcfe7ab4eb4da243c88f891d65deb4a2556ee7 \ - --hash=sha256:bc3ddf669d234f4220e6e1c4d96b061abe0998185a8d7855c0126782b7abc8c1 +pydantic[email]==2.5.3 \ + --hash=sha256:b3ef57c62535b0941697cce638c08900d87fcb67e29cfa99e8a68f747f393f7a \ + --hash=sha256:d0caf5954bee831b6bfe7e338c32b9e30c85dfe080c843680783ac2b631673b4 # via # id # sigstore # sigstore-rekor-types -pydantic-core==2.10.1 \ - --hash=sha256:042462d8d6ba707fd3ce9649e7bf268633a41018d6a998fb5fbacb7e928a183e \ - --hash=sha256:0523aeb76e03f753b58be33b26540880bac5aa54422e4462404c432230543f33 \ - --hash=sha256:05560ab976012bf40f25d5225a58bfa649bb897b87192a36c6fef1ab132540d7 \ - --hash=sha256:0675ba5d22de54d07bccde38997e780044dcfa9a71aac9fd7d4d7a1d2e3e65f7 \ - --hash=sha256:073d4a470b195d2b2245d0343569aac7e979d3a0dcce6c7d2af6d8a920ad0bea \ - --hash=sha256:07ec6d7d929ae9c68f716195ce15e745b3e8fa122fc67698ac6498d802ed0fa4 \ - --hash=sha256:0880e239827b4b5b3e2ce05e6b766a7414e5f5aedc4523be6b68cfbc7f61c5d0 \ - --hash=sha256:0c27f38dc4fbf07b358b2bc90edf35e82d1703e22ff2efa4af4ad5de1b3833e7 \ - --hash=sha256:0d8a8adef23d86d8eceed3e32e9cca8879c7481c183f84ed1a8edc7df073af94 \ - --hash=sha256:0e2a35baa428181cb2270a15864ec6286822d3576f2ed0f4cd7f0c1708472aff \ - --hash=sha256:0f8682dbdd2f67f8e1edddcbffcc29f60a6182b4901c367fc8c1c40d30bb0a82 \ - --hash=sha256:0fa467fd300a6f046bdb248d40cd015b21b7576c168a6bb20aa22e595c8ffcdd \ - --hash=sha256:128552af70a64660f21cb0eb4876cbdadf1a1f9d5de820fed6421fa8de07c893 \ - --hash=sha256:1396e81b83516b9d5c9e26a924fa69164156c148c717131f54f586485ac3c15e \ - --hash=sha256:149b8a07712f45b332faee1a2258d8ef1fb4a36f88c0c17cb687f205c5dc6e7d \ - --hash=sha256:14ac492c686defc8e6133e3a2d9eaf5261b3df26b8ae97450c1647286750b901 \ - --hash=sha256:14cfbb00959259e15d684505263d5a21732b31248a5dd4941f73a3be233865b9 \ - --hash=sha256:14e09ff0b8fe6e46b93d36a878f6e4a3a98ba5303c76bb8e716f4878a3bee92c \ - --hash=sha256:154ea7c52e32dce13065dbb20a4a6f0cc012b4f667ac90d648d36b12007fa9f7 \ - --hash=sha256:15d6bca84ffc966cc9976b09a18cf9543ed4d4ecbd97e7086f9ce9327ea48891 \ - --hash=sha256:1d40f55222b233e98e3921df7811c27567f0e1a4411b93d4c5c0f4ce131bc42f \ - --hash=sha256:25bd966103890ccfa028841a8f30cebcf5875eeac8c4bde4fe221364c92f0c9a \ - --hash=sha256:2cf5bb4dd67f20f3bbc1209ef572a259027c49e5ff694fa56bed62959b41e1f9 \ - --hash=sha256:2e0e2959ef5d5b8dc9ef21e1a305a21a36e254e6a34432d00c72a92fdc5ecda5 \ - --hash=sha256:320f14bd4542a04ab23747ff2c8a778bde727158b606e2661349557f0770711e \ - --hash=sha256:3625578b6010c65964d177626fde80cf60d7f2e297d56b925cb5cdeda6e9925a \ - --hash=sha256:39215d809470f4c8d1881758575b2abfb80174a9e8daf8f33b1d4379357e417c \ - --hash=sha256:3f0ac9fb8608dbc6eaf17956bf623c9119b4db7dbb511650910a82e261e6600f \ - --hash=sha256:417243bf599ba1f1fef2bb8c543ceb918676954734e2dcb82bf162ae9d7bd514 \ - --hash=sha256:420a692b547736a8d8703c39ea935ab5d8f0d2573f8f123b0a294e49a73f214b \ - --hash=sha256:443fed67d33aa85357464f297e3d26e570267d1af6fef1c21ca50921d2976302 \ - --hash=sha256:48525933fea744a3e7464c19bfede85df4aba79ce90c60b94d8b6e1eddd67096 \ - --hash=sha256:485a91abe3a07c3a8d1e082ba29254eea3e2bb13cbbd4351ea4e5a21912cc9b0 \ - --hash=sha256:4a5be350f922430997f240d25f8219f93b0c81e15f7b30b868b2fddfc2d05f27 \ - --hash=sha256:4d966c47f9dd73c2d32a809d2be529112d509321c5310ebf54076812e6ecd884 \ - --hash=sha256:524ff0ca3baea164d6d93a32c58ac79eca9f6cf713586fdc0adb66a8cdeab96a \ - --hash=sha256:53df009d1e1ba40f696f8995683e067e3967101d4bb4ea6f667931b7d4a01357 \ - --hash=sha256:5994985da903d0b8a08e4935c46ed8daf5be1cf217489e673910951dc533d430 \ - --hash=sha256:5cabb9710f09d5d2e9e2748c3e3e20d991a4c5f96ed8f1132518f54ab2967221 \ - --hash=sha256:5fdb39f67c779b183b0c853cd6b45f7db84b84e0571b3ef1c89cdb1dfc367325 \ - --hash=sha256:600d04a7b342363058b9190d4e929a8e2e715c5682a70cc37d5ded1e0dd370b4 \ - --hash=sha256:631cb7415225954fdcc2a024119101946793e5923f6c4d73a5914d27eb3d3a05 \ - --hash=sha256:63974d168b6233b4ed6a0046296803cb13c56637a7b8106564ab575926572a55 \ - --hash=sha256:64322bfa13e44c6c30c518729ef08fda6026b96d5c0be724b3c4ae4da939f875 \ - --hash=sha256:655f8f4c8d6a5963c9a0687793da37b9b681d9ad06f29438a3b2326d4e6b7970 \ - --hash=sha256:6835451b57c1b467b95ffb03a38bb75b52fb4dc2762bb1d9dbed8de31ea7d0fc \ - --hash=sha256:6db2eb9654a85ada248afa5a6db5ff1cf0f7b16043a6b070adc4a5be68c716d6 \ - --hash=sha256:7c4d1894fe112b0864c1fa75dffa045720a194b227bed12f4be7f6045b25209f \ - --hash=sha256:7eb037106f5c6b3b0b864ad226b0b7ab58157124161d48e4b30c4a43fef8bc4b \ - --hash=sha256:8282bab177a9a3081fd3d0a0175a07a1e2bfb7fcbbd949519ea0980f8a07144d \ - --hash=sha256:82f55187a5bebae7d81d35b1e9aaea5e169d44819789837cdd4720d768c55d15 \ - --hash=sha256:8572cadbf4cfa95fb4187775b5ade2eaa93511f07947b38f4cd67cf10783b118 \ - --hash=sha256:8cdbbd92154db2fec4ec973d45c565e767ddc20aa6dbaf50142676484cbff8ee \ - --hash=sha256:8f6e6aed5818c264412ac0598b581a002a9f050cb2637a84979859e70197aa9e \ - --hash=sha256:92f675fefa977625105708492850bcbc1182bfc3e997f8eecb866d1927c98ae6 \ - --hash=sha256:962ed72424bf1f72334e2f1e61b68f16c0e596f024ca7ac5daf229f7c26e4208 \ - --hash=sha256:9badf8d45171d92387410b04639d73811b785b5161ecadabf056ea14d62d4ede \ - --hash=sha256:9c120c9ce3b163b985a3b966bb701114beb1da4b0468b9b236fc754783d85aa3 \ - --hash=sha256:9f6f3e2598604956480f6c8aa24a3384dbf6509fe995d97f6ca6103bb8c2534e \ - --hash=sha256:a1254357f7e4c82e77c348dabf2d55f1d14d19d91ff025004775e70a6ef40ada \ - --hash=sha256:a1392e0638af203cee360495fd2cfdd6054711f2db5175b6e9c3c461b76f5175 \ - --hash=sha256:a1c311fd06ab3b10805abb72109f01a134019739bd3286b8ae1bc2fc4e50c07a \ - --hash=sha256:a5cb87bdc2e5f620693148b5f8f842d293cae46c5f15a1b1bf7ceeed324a740c \ - --hash=sha256:a7a7902bf75779bc12ccfc508bfb7a4c47063f748ea3de87135d433a4cca7a2f \ - --hash=sha256:aad7bd686363d1ce4ee930ad39f14e1673248373f4a9d74d2b9554f06199fb58 \ - --hash=sha256:aafdb89fdeb5fe165043896817eccd6434aee124d5ee9b354f92cd574ba5e78f \ - --hash=sha256:ae8a8843b11dc0b03b57b52793e391f0122e740de3df1474814c700d2622950a \ - --hash=sha256:b00bc4619f60c853556b35f83731bd817f989cba3e97dc792bb8c97941b8053a \ - --hash=sha256:b1f22a9ab44de5f082216270552aa54259db20189e68fc12484873d926426921 \ - --hash=sha256:b3c01c2fb081fced3bbb3da78510693dc7121bb893a1f0f5f4b48013201f362e \ - --hash=sha256:b3dcd587b69bbf54fc04ca157c2323b8911033e827fffaecf0cafa5a892a0904 \ - --hash=sha256:b4a6db486ac8e99ae696e09efc8b2b9fea67b63c8f88ba7a1a16c24a057a0776 \ - --hash=sha256:bec7dd208a4182e99c5b6c501ce0b1f49de2802448d4056091f8e630b28e9a52 \ - --hash=sha256:c0877239307b7e69d025b73774e88e86ce82f6ba6adf98f41069d5b0b78bd1bf \ - --hash=sha256:caa48fc31fc7243e50188197b5f0c4228956f97b954f76da157aae7f67269ae8 \ - --hash=sha256:cfe1090245c078720d250d19cb05d67e21a9cd7c257698ef139bc41cf6c27b4f \ - --hash=sha256:d43002441932f9a9ea5d6f9efaa2e21458221a3a4b417a14027a1d530201ef1b \ - --hash=sha256:d64728ee14e667ba27c66314b7d880b8eeb050e58ffc5fec3b7a109f8cddbd63 \ - --hash=sha256:d6495008733c7521a89422d7a68efa0a0122c99a5861f06020ef5b1f51f9ba7c \ - --hash=sha256:d8f1ebca515a03e5654f88411420fea6380fc841d1bea08effb28184e3d4899f \ - --hash=sha256:d99277877daf2efe074eae6338453a4ed54a2d93fb4678ddfe1209a0c93a2468 \ - --hash=sha256:da01bec0a26befab4898ed83b362993c844b9a607a86add78604186297eb047e \ - --hash=sha256:db9a28c063c7c00844ae42a80203eb6d2d6bbb97070cfa00194dff40e6f545ab \ - --hash=sha256:dda81e5ec82485155a19d9624cfcca9be88a405e2857354e5b089c2a982144b2 \ - --hash=sha256:e357571bb0efd65fd55f18db0a2fb0ed89d0bb1d41d906b138f088933ae618bb \ - --hash=sha256:e544246b859f17373bed915182ab841b80849ed9cf23f1f07b73b7c58baee5fb \ - --hash=sha256:e562617a45b5a9da5be4abe72b971d4f00bf8555eb29bb91ec2ef2be348cd132 \ - --hash=sha256:e570ffeb2170e116a5b17e83f19911020ac79d19c96f320cbfa1fa96b470185b \ - --hash=sha256:e6f31a17acede6a8cd1ae2d123ce04d8cca74056c9d456075f4f6f85de055607 \ - --hash=sha256:e9121b4009339b0f751955baf4543a0bfd6bc3f8188f8056b1a25a2d45099934 \ - --hash=sha256:ebedb45b9feb7258fac0a268a3f6bec0a2ea4d9558f3d6f813f02ff3a6dc6698 \ - --hash=sha256:ecaac27da855b8d73f92123e5f03612b04c5632fd0a476e469dfc47cd37d6b2e \ - --hash=sha256:ecdbde46235f3d560b18be0cb706c8e8ad1b965e5c13bbba7450c86064e96561 \ - --hash=sha256:ed550ed05540c03f0e69e6d74ad58d026de61b9eaebebbaaf8873e585cbb18de \ - --hash=sha256:eeb3d3d6b399ffe55f9a04e09e635554012f1980696d6b0aca3e6cf42a17a03b \ - --hash=sha256:ef337945bbd76cce390d1b2496ccf9f90b1c1242a3a7bc242ca4a9fc5993427a \ - --hash=sha256:f1365e032a477c1430cfe0cf2856679529a2331426f8081172c4a74186f1d595 \ - --hash=sha256:f23b55eb5464468f9e0e9a9935ce3ed2a870608d5f534025cd5536bca25b1402 \ - --hash=sha256:f2e9072d71c1f6cfc79a36d4484c82823c560e6f5599c43c1ca6b5cdbd54f881 \ - --hash=sha256:f323306d0556351735b54acbf82904fe30a27b6a7147153cbe6e19aaaa2aa429 \ - --hash=sha256:f36a3489d9e28fe4b67be9992a23029c3cec0babc3bd9afb39f49844a8c721c5 \ - --hash=sha256:f64f82cc3443149292b32387086d02a6c7fb39b8781563e0ca7b8d7d9cf72bd7 \ - --hash=sha256:f6defd966ca3b187ec6c366604e9296f585021d922e666b99c47e78738b5666c \ - --hash=sha256:f7c2b8eb9fc872e68b46eeaf835e86bccc3a58ba57d0eedc109cbb14177be531 \ - --hash=sha256:fa7db7558607afeccb33c0e4bf1c9a9a835e26599e76af6fe2fcea45904083a6 \ - --hash=sha256:fcb83175cc4936a5425dde3356f079ae03c0802bbdf8ff82c035f8a54b333521 +pydantic-core==2.14.6 \ + --hash=sha256:00646784f6cd993b1e1c0e7b0fdcbccc375d539db95555477771c27555e3c556 \ + --hash=sha256:00b1087dabcee0b0ffd104f9f53d7d3eaddfaa314cdd6726143af6bc713aa27e \ + --hash=sha256:0348b1dc6b76041516e8a854ff95b21c55f5a411c3297d2ca52f5528e49d8411 \ + --hash=sha256:036137b5ad0cb0004c75b579445a1efccd072387a36c7f217bb8efd1afbe5245 \ + --hash=sha256:095b707bb287bfd534044166ab767bec70a9bba3175dcdc3371782175c14e43c \ + --hash=sha256:0c08de15d50fa190d577e8591f0329a643eeaed696d7771760295998aca6bc66 \ + --hash=sha256:1302a54f87b5cd8528e4d6d1bf2133b6aa7c6122ff8e9dc5220fbc1e07bffebd \ + --hash=sha256:172de779e2a153d36ee690dbc49c6db568d7b33b18dc56b69a7514aecbcf380d \ + --hash=sha256:1b027c86c66b8627eb90e57aee1f526df77dc6d8b354ec498be9a757d513b92b \ + --hash=sha256:1ce830e480f6774608dedfd4a90c42aac4a7af0a711f1b52f807130c2e434c06 \ + --hash=sha256:1fd0c1d395372843fba13a51c28e3bb9d59bd7aebfeb17358ffaaa1e4dbbe948 \ + --hash=sha256:23598acb8ccaa3d1d875ef3b35cb6376535095e9405d91a3d57a8c7db5d29341 \ + --hash=sha256:24368e31be2c88bd69340fbfe741b405302993242ccb476c5c3ff48aeee1afe0 \ + --hash=sha256:26a92ae76f75d1915806b77cf459811e772d8f71fd1e4339c99750f0e7f6324f \ + --hash=sha256:27e524624eace5c59af499cd97dc18bb201dc6a7a2da24bfc66ef151c69a5f2a \ + --hash=sha256:2b8719037e570639e6b665a4050add43134d80b687288ba3ade18b22bbb29dd2 \ + --hash=sha256:2c5bcf3414367e29f83fd66f7de64509a8fd2368b1edf4351e862910727d3e51 \ + --hash=sha256:2dbe357bc4ddda078f79d2a36fc1dd0494a7f2fad83a0a684465b6f24b46fe80 \ + --hash=sha256:2f5fa187bde8524b1e37ba894db13aadd64faa884657473b03a019f625cee9a8 \ + --hash=sha256:2f6ffc6701a0eb28648c845f4945a194dc7ab3c651f535b81793251e1185ac3d \ + --hash=sha256:314ccc4264ce7d854941231cf71b592e30d8d368a71e50197c905874feacc8a8 \ + --hash=sha256:36026d8f99c58d7044413e1b819a67ca0e0b8ebe0f25e775e6c3d1fabb3c38fb \ + --hash=sha256:36099c69f6b14fc2c49d7996cbf4f87ec4f0e66d1c74aa05228583225a07b590 \ + --hash=sha256:36fa402dcdc8ea7f1b0ddcf0df4254cc6b2e08f8cd80e7010d4c4ae6e86b2a87 \ + --hash=sha256:370ffecb5316ed23b667d99ce4debe53ea664b99cc37bfa2af47bc769056d534 \ + --hash=sha256:3860c62057acd95cc84044e758e47b18dcd8871a328ebc8ccdefd18b0d26a21b \ + --hash=sha256:399ac0891c284fa8eb998bcfa323f2234858f5d2efca3950ae58c8f88830f145 \ + --hash=sha256:3a0b5db001b98e1c649dd55afa928e75aa4087e587b9524a4992316fa23c9fba \ + --hash=sha256:3dcf1978be02153c6a31692d4fbcc2a3f1db9da36039ead23173bc256ee3b91b \ + --hash=sha256:4241204e4b36ab5ae466ecec5c4c16527a054c69f99bba20f6f75232a6a534e2 \ + --hash=sha256:438027a975cc213a47c5d70672e0d29776082155cfae540c4e225716586be75e \ + --hash=sha256:43e166ad47ba900f2542a80d83f9fc65fe99eb63ceec4debec160ae729824052 \ + --hash=sha256:478e9e7b360dfec451daafe286998d4a1eeaecf6d69c427b834ae771cad4b622 \ + --hash=sha256:4ce8299b481bcb68e5c82002b96e411796b844d72b3e92a3fbedfe8e19813eab \ + --hash=sha256:4f86f1f318e56f5cbb282fe61eb84767aee743ebe32c7c0834690ebea50c0a6b \ + --hash=sha256:55a23dcd98c858c0db44fc5c04fc7ed81c4b4d33c653a7c45ddaebf6563a2f66 \ + --hash=sha256:599c87d79cab2a6a2a9df4aefe0455e61e7d2aeede2f8577c1b7c0aec643ee8e \ + --hash=sha256:5aa90562bc079c6c290f0512b21768967f9968e4cfea84ea4ff5af5d917016e4 \ + --hash=sha256:64634ccf9d671c6be242a664a33c4acf12882670b09b3f163cd00a24cffbd74e \ + --hash=sha256:667aa2eac9cd0700af1ddb38b7b1ef246d8cf94c85637cbb03d7757ca4c3fdec \ + --hash=sha256:6a31d98c0d69776c2576dda4b77b8e0c69ad08e8b539c25c7d0ca0dc19a50d6c \ + --hash=sha256:6af4b3f52cc65f8a0bc8b1cd9676f8c21ef3e9132f21fed250f6958bd7223bed \ + --hash=sha256:6c8edaea3089bf908dd27da8f5d9e395c5b4dc092dbcce9b65e7156099b4b937 \ + --hash=sha256:71d72ca5eaaa8d38c8df16b7deb1a2da4f650c41b58bb142f3fb75d5ad4a611f \ + --hash=sha256:72f9a942d739f09cd42fffe5dc759928217649f070056f03c70df14f5770acf9 \ + --hash=sha256:747265448cb57a9f37572a488a57d873fd96bf51e5bb7edb52cfb37124516da4 \ + --hash=sha256:75ec284328b60a4e91010c1acade0c30584f28a1f345bc8f72fe8b9e46ec6a96 \ + --hash=sha256:78d0768ee59baa3de0f4adac9e3748b4b1fffc52143caebddfd5ea2961595277 \ + --hash=sha256:78ee52ecc088c61cce32b2d30a826f929e1708f7b9247dc3b921aec367dc1b23 \ + --hash=sha256:7be719e4d2ae6c314f72844ba9d69e38dff342bc360379f7c8537c48e23034b7 \ + --hash=sha256:7e1f4744eea1501404b20b0ac059ff7e3f96a97d3e3f48ce27a139e053bb370b \ + --hash=sha256:7e90d6cc4aad2cc1f5e16ed56e46cebf4877c62403a311af20459c15da76fd91 \ + --hash=sha256:7ebe3416785f65c28f4f9441e916bfc8a54179c8dea73c23023f7086fa601c5d \ + --hash=sha256:7f41533d7e3cf9520065f610b41ac1c76bc2161415955fbcead4981b22c7611e \ + --hash=sha256:7f5025db12fc6de7bc1104d826d5aee1d172f9ba6ca936bf6474c2148ac336c1 \ + --hash=sha256:86c963186ca5e50d5c8287b1d1c9d3f8f024cbe343d048c5bd282aec2d8641f2 \ + --hash=sha256:86ce5fcfc3accf3a07a729779d0b86c5d0309a4764c897d86c11089be61da160 \ + --hash=sha256:8a14c192c1d724c3acbfb3f10a958c55a2638391319ce8078cb36c02283959b9 \ + --hash=sha256:8b93785eadaef932e4fe9c6e12ba67beb1b3f1e5495631419c784ab87e975670 \ + --hash=sha256:8ed1af8692bd8d2a29d702f1a2e6065416d76897d726e45a1775b1444f5928a7 \ + --hash=sha256:92879bce89f91f4b2416eba4429c7b5ca22c45ef4a499c39f0c5c69257522c7c \ + --hash=sha256:94fc0e6621e07d1e91c44e016cc0b189b48db053061cc22d6298a611de8071bb \ + --hash=sha256:982487f8931067a32e72d40ab6b47b1628a9c5d344be7f1a4e668fb462d2da42 \ + --hash=sha256:9862bf828112e19685b76ca499b379338fd4c5c269d897e218b2ae8fcb80139d \ + --hash=sha256:99b14dbea2fdb563d8b5a57c9badfcd72083f6006caf8e126b491519c7d64ca8 \ + --hash=sha256:9c6a5c79b28003543db3ba67d1df336f253a87d3112dac3a51b94f7d48e4c0e1 \ + --hash=sha256:a19b794f8fe6569472ff77602437ec4430f9b2b9ec7a1105cfd2232f9ba355e6 \ + --hash=sha256:a306cdd2ad3a7d795d8e617a58c3a2ed0f76c8496fb7621b6cd514eb1532cae8 \ + --hash=sha256:a3dde6cac75e0b0902778978d3b1646ca9f438654395a362cb21d9ad34b24acf \ + --hash=sha256:a874f21f87c485310944b2b2734cd6d318765bcbb7515eead33af9641816506e \ + --hash=sha256:a983cca5ed1dd9a35e9e42ebf9f278d344603bfcb174ff99a5815f953925140a \ + --hash=sha256:aca48506a9c20f68ee61c87f2008f81f8ee99f8d7f0104bff3c47e2d148f89d9 \ + --hash=sha256:b2602177668f89b38b9f84b7b3435d0a72511ddef45dc14446811759b82235a1 \ + --hash=sha256:b3e5fe4538001bb82e2295b8d2a39356a84694c97cb73a566dc36328b9f83b40 \ + --hash=sha256:b6ca36c12a5120bad343eef193cc0122928c5c7466121da7c20f41160ba00ba2 \ + --hash=sha256:b89f4477d915ea43b4ceea6756f63f0288941b6443a2b28c69004fe07fde0d0d \ + --hash=sha256:b9a9d92f10772d2a181b5ca339dee066ab7d1c9a34ae2421b2a52556e719756f \ + --hash=sha256:c99462ffc538717b3e60151dfaf91125f637e801f5ab008f81c402f1dff0cd0f \ + --hash=sha256:cb92f9061657287eded380d7dc455bbf115430b3aa4741bdc662d02977e7d0af \ + --hash=sha256:cdee837710ef6b56ebd20245b83799fce40b265b3b406e51e8ccc5b85b9099b7 \ + --hash=sha256:cf10b7d58ae4a1f07fccbf4a0a956d705356fea05fb4c70608bb6fa81d103cda \ + --hash=sha256:d15687d7d7f40333bd8266f3814c591c2e2cd263fa2116e314f60d82086e353a \ + --hash=sha256:d5c28525c19f5bb1e09511669bb57353d22b94cf8b65f3a8d141c389a55dec95 \ + --hash=sha256:d5f916acf8afbcab6bacbb376ba7dc61f845367901ecd5e328fc4d4aef2fcab0 \ + --hash=sha256:dab03ed811ed1c71d700ed08bde8431cf429bbe59e423394f0f4055f1ca0ea60 \ + --hash=sha256:db453f2da3f59a348f514cfbfeb042393b68720787bbef2b4c6068ea362c8149 \ + --hash=sha256:de2a0645a923ba57c5527497daf8ec5df69c6eadf869e9cd46e86349146e5975 \ + --hash=sha256:dea7fcd62915fb150cdc373212141a30037e11b761fbced340e9db3379b892d4 \ + --hash=sha256:dfcbebdb3c4b6f739a91769aea5ed615023f3c88cb70df812849aef634c25fbe \ + --hash=sha256:dfcebb950aa7e667ec226a442722134539e77c575f6cfaa423f24371bb8d2e94 \ + --hash=sha256:e0641b506486f0b4cd1500a2a65740243e8670a2549bb02bc4556a83af84ae03 \ + --hash=sha256:e33b0834f1cf779aa839975f9d8755a7c2420510c0fa1e9fa0497de77cd35d2c \ + --hash=sha256:e4ace1e220b078c8e48e82c081e35002038657e4b37d403ce940fa679e57113b \ + --hash=sha256:e4cf2d5829f6963a5483ec01578ee76d329eb5caf330ecd05b3edd697e7d768a \ + --hash=sha256:e574de99d735b3fc8364cba9912c2bec2da78775eba95cbb225ef7dda6acea24 \ + --hash=sha256:e646c0e282e960345314f42f2cea5e0b5f56938c093541ea6dbf11aec2862391 \ + --hash=sha256:e8a5ac97ea521d7bde7621d86c30e86b798cdecd985723c4ed737a2aa9e77d0c \ + --hash=sha256:eedf97be7bc3dbc8addcef4142f4b4164066df0c6f36397ae4aaed3eb187d8ab \ + --hash=sha256:ef633add81832f4b56d3b4c9408b43d530dfca29e68fb1b797dcb861a2c734cd \ + --hash=sha256:f27207e8ca3e5e021e2402ba942e5b4c629718e665c81b8b306f3c8b1ddbb786 \ + --hash=sha256:f85f3843bdb1fe80e8c206fe6eed7a1caeae897e496542cee499c374a85c6e08 \ + --hash=sha256:f8e81e4b55930e5ffab4a68db1af431629cf2e4066dbdbfef65348b8ab804ea8 \ + --hash=sha256:f96ae96a060a8072ceff4cfde89d261837b4294a4f28b84a28765470d502ccc6 \ + --hash=sha256:fd9e98b408384989ea4ab60206b8e100d8687da18b5c813c11e92fd8212a98e0 \ + --hash=sha256:ffff855100bc066ff2cd3aa4a60bc9534661816b110f0243e59503ec2df38421 # via pydantic pygments==2.17.2 \ --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ diff --git a/pyproject.toml b/pyproject.toml index c5ee2561972f..bb93dff82f52 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -46,7 +46,7 @@ classifiers = [ requires-python = ">=3.7" dependencies = [ # Must be kept in sync with `build-system.requires` - "cffi >=1.12", + "cffi>=1.12; platform_python_implementation != 'PyPy'", ] [project.urls] From 72dab5f46d552d9717d3760f5db65d294aa33df1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 20:32:50 +0000 Subject: [PATCH 0883/1014] Bump syn from 2.0.44 to 2.0.45 in /src/rust (#10107) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.44 to 2.0.45. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.44...2.0.45) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4fd825fd01a6..fd9767b8528a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.44" +version = "2.0.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92d27c2c202598d05175a6dd3af46824b7f747f8d8e9b14c623f19fa5069735d" +checksum = "0eae3c679c56dc214320b67a1bc04ef3dfbd6411f6443974b5e4893231298e66" dependencies = [ "proc-macro2", "quote", From 4a42c1c961c678d784de763d82794527c2374f2f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 19:18:06 -0500 Subject: [PATCH 0884/1014] Bump BoringSSL and/or OpenSSL in CI (#10108) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d11972e6546..2df4b8ceccc9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Dec 22, 2023. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6e0eba6e62333652290514e51b75b966b27b27c"}} - # Latest commit on the OpenSSL master branch, as of Dec 30, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8a1694f22588c0777d642253ffdc307a61245d51"}} + # Latest commit on the OpenSSL master branch, as of Jan 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "94be985cbcc1f0a5cf4f172d4a8d06c5c623122b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From bc667a8f63430e0f8fbd0065d2a14a79e9d4b336 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jan 2024 07:02:50 -0500 Subject: [PATCH 0885/1014] Bump quote from 1.0.34 to 1.0.35 in /src/rust (#10110) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.34 to 1.0.35. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.34...1.0.35) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fd9767b8528a..9329186f1c39 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -253,9 +253,9 @@ checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" [[package]] name = "proc-macro2" -version = "1.0.73" +version = "1.0.74" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dd5e8a1f1029c43224ad5898e50140c2aebb1705f19e67c918ebf5b9e797fe1" +checksum = "2de98502f212cfcea8d0bb305bd0f49d7ebdd75b64ba0a68f937d888f4e0d6db" dependencies = [ "unicode-ident", ] @@ -323,9 +323,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.34" +version = "1.0.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22a37c9326af5ed140c86a46655b5278de879853be5573c01df185b6f49a580a" +checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" dependencies = [ "proc-macro2", ] From 92a724fb93bee33da0e659012aa0d4574fe72a55 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 15:08:08 -0500 Subject: [PATCH 0886/1014] Cache public keys on VerificationCertificate (#10100) --- .../src/certificate.rs | 4 ++-- .../cryptography-x509-verification/src/lib.rs | 2 +- .../cryptography-x509-verification/src/ops.rs | 18 ++++++++++++++---- .../src/policy/mod.rs | 11 +++++------ src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/verify.rs | 2 +- 6 files changed, 24 insertions(+), 15 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/certificate.rs b/src/rust/cryptography-x509-verification/src/certificate.rs index 9f78a0228ec9..6d79fbfe71bd 100644 --- a/src/rust/cryptography-x509-verification/src/certificate.rs +++ b/src/rust/cryptography-x509-verification/src/certificate.rs @@ -65,7 +65,7 @@ Xw4nMqk= fn verify_signed_by( &self, _cert: &Certificate<'_>, - _key: Self::Key, + _key: &Self::Key, ) -> Result<(), Self::Err> { Ok(()) } @@ -87,6 +87,6 @@ Xw4nMqk= let ops = PublicKeyErrorOps {}; assert!(ops.public_key(&cert).is_err()); - assert!(ops.verify_signed_by(&cert, ()).is_ok()); + assert!(ops.verify_signed_by(&cert, &()).is_ok()); } } diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index fef55e350207..7e9112c07aaa 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -256,7 +256,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // policy. let issuer_extensions = issuing_cert_candidate.certificate().extensions()?; match self.policy.valid_issuer( - issuing_cert_candidate.certificate(), + issuing_cert_candidate, working_cert.certificate(), current_depth, &issuer_extensions, diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs index d596cf848de6..991c9f997e98 100644 --- a/src/rust/cryptography-x509-verification/src/ops.rs +++ b/src/rust/cryptography-x509-verification/src/ops.rs @@ -5,19 +5,29 @@ use cryptography_x509::certificate::Certificate; pub struct VerificationCertificate<'a, B: CryptoOps> { - pub cert: Certificate<'a>, - pub extra: B::CertificateExtra, + cert: Certificate<'a>, + public_key: once_cell::sync::OnceCell, + extra: B::CertificateExtra, } impl<'a, B: CryptoOps> VerificationCertificate<'a, B> { pub fn new(cert: Certificate<'a>, extra: B::CertificateExtra) -> Self { - VerificationCertificate { cert, extra } + VerificationCertificate { + cert, + extra, + public_key: once_cell::sync::OnceCell::new(), + } } pub fn certificate(&self) -> &Certificate<'a> { &self.cert } + pub fn public_key(&self, ops: &B) -> Result<&B::Key, B::Err> { + self.public_key + .get_or_try_init(|| ops.public_key(self.certificate())) + } + pub fn extra(&self) -> &B::CertificateExtra { &self.extra } @@ -57,7 +67,7 @@ pub trait CryptoOps { /// Verifies the signature on `Certificate` using the given /// `Key`. - fn verify_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> Result<(), Self::Err>; + fn verify_signed_by(&self, cert: &Certificate<'_>, key: &Self::Key) -> Result<(), Self::Err>; } #[cfg(test)] diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 04f59a5f103a..fa4be7cf68d3 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -28,7 +28,7 @@ use cryptography_x509::oid::{ use crate::ops::CryptoOps; use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy}; use crate::types::{DNSName, DNSPattern, IPAddress}; -use crate::ValidationError; +use crate::{ValidationError, VerificationCertificate}; // SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1. @@ -510,13 +510,13 @@ impl<'a, B: CryptoOps> Policy<'a, B> { /// self-issued). pub(crate) fn valid_issuer( &self, - issuer: &Certificate<'_>, + issuer: &VerificationCertificate<'_, B>, child: &Certificate<'_>, current_depth: u8, issuer_extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { // The issuer needs to be a valid CA at the current depth. - self.permits_ca(issuer, current_depth, issuer_extensions)?; + self.permits_ca(issuer.certificate(), current_depth, issuer_extensions)?; // CA/B 7.1.3.1 SubjectPublicKeyInfo if !self @@ -540,9 +540,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ))); } - let pk = self - .ops - .public_key(issuer) + let pk = issuer + .public_key(&self.ops) .map_err(|_| ValidationError::Other("issuer has malformed public key".to_string()))?; if self.ops.verify_signed_by(child, pk).is_err() { return Err(ValidationError::Other( diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index f7f35f834cc6..48504dcd80a0 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -312,7 +312,7 @@ impl Certificate { let ops = PyCryptoOps {}; let issuer_key = ops.public_key(issuer.raw.borrow_dependent())?; - ops.verify_signed_by(self.raw.borrow_dependent(), issuer_key) + ops.verify_signed_by(self.raw.borrow_dependent(), &issuer_key) } } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index d8e849bc742c..7de6add959b2 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -33,7 +33,7 @@ impl CryptoOps for PyCryptoOps { }) } - fn verify_signed_by(&self, cert: &Certificate<'_>, key: Self::Key) -> Result<(), Self::Err> { + fn verify_signed_by(&self, cert: &Certificate<'_>, key: &Self::Key) -> Result<(), Self::Err> { pyo3::Python::with_gil(|py| -> CryptographyResult<()> { sign::verify_signature_with_signature_algorithm( py, From de3a225e0d0617abf5138a1e951743fff92039a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 15:18:02 -0500 Subject: [PATCH 0887/1014] Parse PEM public keys in Rust (#10094) --- .../hazmat/backends/openssl/backend.py | 64 ------------------- .../hazmat/bindings/_rust/openssl/keys.pyi | 4 +- .../hazmat/primitives/serialization/base.py | 4 +- src/rust/src/backend/keys.rs | 53 ++++++++++++--- tests/hazmat/backends/test_openssl.py | 5 +- 5 files changed, 51 insertions(+), 79 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index a35b767b4045..edd7a0aa0266 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -27,7 +27,6 @@ ) from cryptography.hazmat.primitives.asymmetric.types import ( PrivateKeyTypes, - PublicKeyTypes, ) from cryptography.hazmat.primitives.ciphers import ( CipherAlgorithm, @@ -335,18 +334,6 @@ def generate_rsa_parameters_supported( and key_size >= 512 ) - def _create_evp_pkey_gc(self): - evp_pkey = self._lib.EVP_PKEY_new() - self.openssl_assert(evp_pkey != self._ffi.NULL) - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return evp_pkey - - def _rsa_cdata_to_evp_pkey(self, rsa_cdata): - evp_pkey = self._create_evp_pkey_gc() - res = self._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata) - self.openssl_assert(res == 1) - return evp_pkey - def _bytes_to_bio(self, data: bytes) -> _MemoryBIO: """ Return a _MemoryBIO namedtuple of (BIO, char*). @@ -394,15 +381,6 @@ def _evp_pkey_to_private_key( unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, ) - def _evp_pkey_to_public_key(self, evp_pkey) -> PublicKeyTypes: - """ - Return the appropriate type of PublicKey given an evp_pkey cdata - pointer. - """ - return rust_openssl.keys.public_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)) - ) - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False @@ -471,48 +449,6 @@ def load_pem_private_key( unsafe_skip_rsa_key_validation, ) - def load_pem_public_key(self, data: bytes) -> PublicKeyTypes: - mem_bio = self._bytes_to_bio(data) - # In OpenSSL 3.0.x the PEM_read_bio_PUBKEY function will invoke - # the default password callback if you pass an encrypted private - # key. This is very, very, very bad as the default callback can - # trigger an interactive console prompt, which will hang the - # Python process. We therefore provide our own callback to - # catch this and error out properly. - userdata = self._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") - evp_pkey = self._lib.PEM_read_bio_PUBKEY( - mem_bio.bio, - self._ffi.NULL, - self._ffi.addressof( - self._lib._original_lib, "Cryptography_pem_password_cb" - ), - userdata, - ) - if evp_pkey != self._ffi.NULL: - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - return self._evp_pkey_to_public_key(evp_pkey) - else: - # It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still - # need to check to see if it is a pure PKCS1 RSA public key (not - # embedded in a subjectPublicKeyInfo) - self._consume_errors() - res = self._lib.BIO_reset(mem_bio.bio) - self.openssl_assert(res == 1) - rsa_cdata = self._lib.PEM_read_bio_RSAPublicKey( - mem_bio.bio, - self._ffi.NULL, - self._ffi.addressof( - self._lib._original_lib, "Cryptography_pem_password_cb" - ), - userdata, - ) - if rsa_cdata != self._ffi.NULL: - rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return self._evp_pkey_to_public_key(evp_pkey) - else: - self._handle_key_loading_error(self._consume_errors()) - def load_der_private_key( self, data: bytes, diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi index 1918dd9deaf7..056212eec9ab 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi @@ -11,7 +11,9 @@ def private_key_from_ptr( ptr: int, unsafe_skip_rsa_key_validation: bool, ) -> PrivateKeyTypes: ... -def public_key_from_ptr(ptr: int) -> PublicKeyTypes: ... def load_der_public_key( data: bytes, ) -> PublicKeyTypes: ... +def load_pem_public_key( + data: bytes, +) -> PublicKeyTypes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/base.py b/src/cryptography/hazmat/primitives/serialization/base.py index d9131a2f8bb1..b64a9d05cfd8 100644 --- a/src/cryptography/hazmat/primitives/serialization/base.py +++ b/src/cryptography/hazmat/primitives/serialization/base.py @@ -31,9 +31,7 @@ def load_pem_private_key( def load_pem_public_key( data: bytes, backend: typing.Any = None ) -> PublicKeyTypes: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_pem_public_key(data) + return rust_openssl.keys.load_pem_public_key(data) def load_pem_parameters( diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 19419730faef..a8727d440963 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -80,7 +80,7 @@ pub(crate) fn load_der_public_key_bytes( data: &[u8], ) -> CryptographyResult { if let Ok(pkey) = openssl::pkey::PKey::public_key_from_der(data) { - return public_key_from_pkey(py, &pkey); + return public_key_from_pkey(py, &pkey, pkey.id()); } // It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still need to // check to see if it is a pure PKCS1 RSA public key (not embedded in a @@ -93,21 +93,39 @@ pub(crate) fn load_der_public_key_bytes( .unwrap_err()) })?; let pkey = openssl::pkey::PKey::from_rsa(rsa)?; - public_key_from_pkey(py, &pkey) + public_key_from_pkey(py, &pkey, pkey.id()) } #[pyo3::prelude::pyfunction] -fn public_key_from_ptr(py: pyo3::Python<'_>, ptr: usize) -> CryptographyResult { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; - public_key_from_pkey(py, pkey) +fn load_pem_public_key( + py: pyo3::Python<'_>, + data: CffiBuf<'_>, +) -> CryptographyResult { + let p = pem::parse(data.as_bytes())?; + let pkey = match p.tag() { + "RSA PUBLIC KEY" => openssl::rsa::Rsa::public_key_from_der_pkcs1(p.contents()) + .and_then(openssl::pkey::PKey::from_rsa), + "PUBLIC KEY" => openssl::pkey::PKey::public_key_from_der(p.contents()), + _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), + } + .or_else(|e| { + let errors = error::list_from_openssl_error(py, e); + Err(types::BACKEND_HANDLE_KEY_LOADING_ERROR + .get(py)? + .call1((errors,)) + .unwrap_err()) + })?; + public_key_from_pkey(py, &pkey, pkey.id()) } fn public_key_from_pkey( py: pyo3::Python<'_>, pkey: &openssl::pkey::PKeyRef, + id: openssl::pkey::Id, ) -> CryptographyResult { - match pkey.id() { + // `id` is a separate argument so we can test this while passing something + // unsupported. + match id { openssl::pkey::Id::RSA => Ok(crate::backend::rsa::public_key_from_pkey(pkey).into_py(py)), #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))] openssl::pkey::Id::RSA_PSS => { @@ -153,9 +171,28 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu let m = pyo3::prelude::PyModule::new(py, "keys")?; m.add_function(pyo3::wrap_pyfunction!(load_der_public_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(load_pem_public_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?; Ok(m) } + +#[cfg(test)] +mod tests { + use super::public_key_from_pkey; + + #[test] + fn test_public_key_from_pkey_unknown_key() { + pyo3::prepare_freethreaded_python(); + + pyo3::Python::with_gil(|py| { + let pkey = + openssl::pkey::PKey::public_key_from_raw_bytes(&[0; 32], openssl::pkey::Id::X25519) + .unwrap(); + // Pass a nonsense id for this key to test the unsupported + // algorithm path. + assert!(public_key_from_pkey(py, &pkey, openssl::pkey::Id::CMAC).is_err()); + }); + } +} diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 5b33d76ef245..e250aa6fc05b 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -279,13 +279,12 @@ def test_pem_password_cb_no_password(self): assert userdata.error == -1 def test_unsupported_evp_pkey_type(self): - key = backend._create_evp_pkey_gc() + key = backend._lib.EVP_PKEY_new() + key = backend._ffi.gc(key, backend._lib.EVP_PKEY_free) with raises_unsupported_algorithm(None): backend._evp_pkey_to_private_key( key, unsafe_skip_rsa_key_validation=False ) - with raises_unsupported_algorithm(None): - backend._evp_pkey_to_public_key(key) def test_very_long_pem_serialization_password(self): password = b"x" * 1024 From 6c921f71897ff5833ef7e85744026a78eebea1ed Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 18:59:28 -0500 Subject: [PATCH 0888/1014] Migrate EC Numbers to Rust (#10079) --- .../hazmat/bindings/_rust/openssl/ec.pyi | 27 ++ .../hazmat/primitives/asymmetric/ec.py | 93 +---- src/rust/src/backend/ec.rs | 340 ++++++++++++------ src/rust/src/types.rs | 12 +- tests/hazmat/primitives/test_ec.py | 4 +- 5 files changed, 272 insertions(+), 204 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi index d57d47923a0c..e43d4b7fa784 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi @@ -2,11 +2,38 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import typing + from cryptography.hazmat.primitives.asymmetric import ec class ECPrivateKey: ... class ECPublicKey: ... +class EllipticCurvePrivateNumbers: + def __init__( + self, private_value: int, public_numbers: EllipticCurvePublicNumbers + ) -> None: ... + def private_key( + self, backend: typing.Any = None + ) -> ec.EllipticCurvePrivateKey: ... + @property + def private_value(self) -> int: ... + @property + def public_numbers(self) -> EllipticCurvePublicNumbers: ... + +class EllipticCurvePublicNumbers: + def __init__(self, x: int, y: int, curve: ec.EllipticCurve) -> None: ... + def public_key( + self, backend: typing.Any = None + ) -> ec.EllipticCurvePublicKey: ... + @property + def x(self) -> int: ... + @property + def y(self) -> int: ... + @property + def curve(self) -> ec.EllipticCurve: ... + def __eq__(self, other: object) -> bool: ... + def curve_supported(curve: ec.EllipticCurve) -> bool: ... def generate_private_key( curve: ec.EllipticCurve, diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index 661dd1dd8870..f3bd413d9d00 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -194,6 +194,9 @@ def __eq__(self, other: object) -> bool: EllipticCurvePublicKeyWithSerialization = EllipticCurvePublicKey EllipticCurvePublicKey.register(rust_openssl.ec.ECPublicKey) +EllipticCurvePrivateNumbers = rust_openssl.ec.EllipticCurvePrivateNumbers +EllipticCurvePublicNumbers = rust_openssl.ec.EllipticCurvePublicNumbers + class SECT571R1(EllipticCurve): name = "sect571r1" @@ -352,96 +355,6 @@ def derive_private_key( return rust_openssl.ec.derive_private_key(private_value, curve) -class EllipticCurvePublicNumbers: - def __init__(self, x: int, y: int, curve: EllipticCurve): - if not isinstance(x, int) or not isinstance(y, int): - raise TypeError("x and y must be integers.") - - if not isinstance(curve, EllipticCurve): - raise TypeError("curve must provide the EllipticCurve interface.") - - self._y = y - self._x = x - self._curve = curve - - def public_key(self, backend: typing.Any = None) -> EllipticCurvePublicKey: - return rust_openssl.ec.from_public_numbers(self) - - @property - def curve(self) -> EllipticCurve: - return self._curve - - @property - def x(self) -> int: - return self._x - - @property - def y(self) -> int: - return self._y - - def __eq__(self, other: object) -> bool: - if not isinstance(other, EllipticCurvePublicNumbers): - return NotImplemented - - return ( - self.x == other.x - and self.y == other.y - and self.curve.name == other.curve.name - and self.curve.key_size == other.curve.key_size - ) - - def __hash__(self) -> int: - return hash((self.x, self.y, self.curve.name, self.curve.key_size)) - - def __repr__(self) -> str: - return ( - "".format(self) - ) - - -class EllipticCurvePrivateNumbers: - def __init__( - self, private_value: int, public_numbers: EllipticCurvePublicNumbers - ): - if not isinstance(private_value, int): - raise TypeError("private_value must be an integer.") - - if not isinstance(public_numbers, EllipticCurvePublicNumbers): - raise TypeError( - "public_numbers must be an EllipticCurvePublicNumbers " - "instance." - ) - - self._private_value = private_value - self._public_numbers = public_numbers - - def private_key( - self, backend: typing.Any = None - ) -> EllipticCurvePrivateKey: - return rust_openssl.ec.from_private_numbers(self) - - @property - def private_value(self) -> int: - return self._private_value - - @property - def public_numbers(self) -> EllipticCurvePublicNumbers: - return self._public_numbers - - def __eq__(self, other: object) -> bool: - if not isinstance(other, EllipticCurvePrivateNumbers): - return NotImplemented - - return ( - self.private_value == other.private_value - and self.public_numbers == other.public_numbers - ) - - def __hash__(self) -> int: - return hash((self.private_value, self.public_numbers)) - - class ECDH: pass diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index a2941437517a..25d4c60b2855 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -6,6 +6,8 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; use pyo3::ToPyObject; +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] pub(crate) struct ECPrivateKey { @@ -203,94 +205,6 @@ fn from_public_bytes( }) } -fn public_key_from_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, - curve: &openssl::ec::EcGroupRef, -) -> CryptographyResult> { - let py_x = numbers.getattr(pyo3::intern!(py, "x"))?; - let py_y = numbers.getattr(pyo3::intern!(py, "y"))?; - - let zero = (0).to_object(py); - if py_x.lt(&zero)? || py_y.lt(&zero)? { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "Invalid EC key. Both x and y must be non-negative.", - ), - )); - } - - let x = utils::py_int_to_bn(py, py_x)?; - let y = utils::py_int_to_bn(py, py_y)?; - - let mut point = openssl::ec::EcPoint::new(curve)?; - let mut bn_ctx = openssl::bn::BigNumContext::new()?; - point - .set_affine_coordinates_gfp(curve, &x, &y, &mut bn_ctx) - .map_err(|_| { - pyo3::exceptions::PyValueError::new_err( - "Invalid EC key. Point is not on the curve specified.", - ) - })?; - - Ok(openssl::ec::EcKey::from_public_key(curve, &point)?) -} - -#[pyo3::prelude::pyfunction] -fn from_private_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let public_numbers = numbers.getattr(pyo3::intern!(py, "public_numbers"))?; - let py_curve = public_numbers.getattr(pyo3::intern!(py, "curve"))?; - - let curve = curve_from_py_curve(py, py_curve)?; - let public_key = public_key_from_numbers(py, public_numbers, &curve)?; - let private_value = - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "private_value"))?)?; - - let mut bn_ctx = openssl::bn::BigNumContext::new()?; - let mut expected_pub = openssl::ec::EcPoint::new(&curve)?; - expected_pub.mul_generator(&curve, &private_value, &bn_ctx)?; - if !expected_pub.eq(&curve, public_key.public_key(), &mut bn_ctx)? { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err("Invalid EC key."), - )); - } - - let private_key = openssl::ec::EcKey::from_private_components( - &curve, - &private_value, - public_key.public_key(), - ) - .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid EC key."))?; - - let pkey = openssl::pkey::PKey::from_ec_key(private_key)?; - - Ok(ECPrivateKey { - pkey, - curve: py_curve.into(), - }) -} - -#[pyo3::prelude::pyfunction] -fn from_public_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let py_curve = numbers.getattr(pyo3::intern!(py, "curve"))?; - - let curve = curve_from_py_curve(py, py_curve)?; - let public_key = public_key_from_numbers(py, numbers, &curve)?; - - let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; - - Ok(ECPublicKey { - pkey, - curve: py_curve.into(), - }) -} - #[pyo3::prelude::pymethods] impl ECPrivateKey { #[getter] @@ -379,7 +293,10 @@ impl ECPrivateKey { }) } - fn private_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn private_numbers( + &self, + py: pyo3::Python<'_>, + ) -> CryptographyResult { let ec = self.pkey.ec_key().unwrap(); let mut bn_ctx = openssl::bn::BigNumContext::new()?; @@ -392,15 +309,16 @@ impl ECPrivateKey { let py_private_key = utils::bn_to_py_int(py, ec.private_key())?; - let public_numbers = types::ELLIPTIC_CURVE_PUBLIC_NUMBERS.get(py)?.call1(( - py_x, - py_y, - self.curve.clone_ref(py), - ))?; + let public_numbers = EllipticCurvePublicNumbers { + x: py_x.extract()?, + y: py_y.extract()?, + curve: self.curve.clone_ref(py), + }; - Ok(types::ELLIPTIC_CURVE_PRIVATE_NUMBERS - .get(py)? - .call1((py_private_key, public_numbers))?) + Ok(EllipticCurvePrivateNumbers { + private_value: py_private_key.extract()?, + public_numbers: pyo3::Py::new(py, public_numbers)?, + }) } fn private_bytes<'p>( @@ -464,7 +382,10 @@ impl ECPublicKey { Ok(()) } - fn public_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn public_numbers( + &self, + py: pyo3::Python<'_>, + ) -> CryptographyResult { let ec = self.pkey.ec_key().unwrap(); let mut bn_ctx = openssl::bn::BigNumContext::new()?; @@ -475,11 +396,11 @@ impl ECPublicKey { let py_x = utils::bn_to_py_int(py, &x)?; let py_y = utils::bn_to_py_int(py, &y)?; - Ok(types::ELLIPTIC_CURVE_PUBLIC_NUMBERS.get(py)?.call1(( - py_x, - py_y, - self.curve.clone_ref(py), - ))?) + Ok(EllipticCurvePublicNumbers { + x: py_x.extract()?, + y: py_y.extract()?, + curve: self.curve.clone_ref(py), + }) } fn public_bytes<'p>( @@ -500,17 +421,226 @@ impl ECPublicKey { } } +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] +struct EllipticCurvePrivateNumbers { + #[pyo3(get)] + private_value: pyo3::Py, + #[pyo3(get)] + public_numbers: pyo3::Py, +} + +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] +struct EllipticCurvePublicNumbers { + #[pyo3(get)] + x: pyo3::Py, + #[pyo3(get)] + y: pyo3::Py, + #[pyo3(get)] + curve: pyo3::Py, +} + +fn public_key_from_numbers( + py: pyo3::Python<'_>, + numbers: &EllipticCurvePublicNumbers, + curve: &openssl::ec::EcGroupRef, +) -> CryptographyResult> { + let zero = (0).to_object(py); + if numbers.x.as_ref(py).lt(&zero)? || numbers.y.as_ref(py).lt(&zero)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Invalid EC key. Both x and y must be non-negative.", + ), + )); + } + + let x = utils::py_int_to_bn(py, numbers.x.as_ref(py))?; + let y = utils::py_int_to_bn(py, numbers.y.as_ref(py))?; + + let mut point = openssl::ec::EcPoint::new(curve)?; + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + point + .set_affine_coordinates_gfp(curve, &x, &y, &mut bn_ctx) + .map_err(|_| { + pyo3::exceptions::PyValueError::new_err( + "Invalid EC key. Point is not on the curve specified.", + ) + })?; + + Ok(openssl::ec::EcKey::from_public_key(curve, &point)?) +} + +#[pyo3::prelude::pymethods] +impl EllipticCurvePrivateNumbers { + #[new] + fn new( + private_value: pyo3::Py, + public_numbers: pyo3::Py, + ) -> EllipticCurvePrivateNumbers { + EllipticCurvePrivateNumbers { + private_value, + public_numbers, + } + } + + fn private_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + let curve = curve_from_py_curve(py, self.public_numbers.get().curve.as_ref(py))?; + let public_key = public_key_from_numbers(py, self.public_numbers.get(), &curve)?; + let private_value = utils::py_int_to_bn(py, self.private_value.as_ref(py))?; + + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + let mut expected_pub = openssl::ec::EcPoint::new(&curve)?; + expected_pub.mul_generator(&curve, &private_value, &bn_ctx)?; + if !expected_pub.eq(&curve, public_key.public_key(), &mut bn_ctx)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Invalid EC key."), + )); + } + + let private_key = openssl::ec::EcKey::from_private_components( + &curve, + &private_value, + public_key.public_key(), + ) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid EC key."))?; + + let pkey = openssl::pkey::PKey::from_ec_key(private_key)?; + + Ok(ECPrivateKey { + pkey, + curve: self.public_numbers.get().curve.clone_ref(py), + }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self + .private_value + .as_ref(py) + .eq(other.private_value.as_ref(py))? + && self + .public_numbers + .as_ref(py) + .eq(other.public_numbers.as_ref(py))?) + } + + fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let mut hasher = DefaultHasher::new(); + self.private_value.as_ref(py).hash()?.hash(&mut hasher); + self.public_numbers.as_ref(py).hash()?.hash(&mut hasher); + Ok(hasher.finish()) + } +} + +#[pyo3::prelude::pymethods] +impl EllipticCurvePublicNumbers { + #[new] + fn new( + py: pyo3::Python<'_>, + x: pyo3::Py, + y: pyo3::Py, + curve: pyo3::Py, + ) -> CryptographyResult { + if !curve + .as_ref(py) + .is_instance(types::ELLIPTIC_CURVE.get(py)?)? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "curve must provide the EllipticCurve interface.", + ), + )); + } + + Ok(EllipticCurvePublicNumbers { x, y, curve }) + } + + fn public_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + let curve = curve_from_py_curve(py, self.curve.as_ref(py))?; + let public_key = public_key_from_numbers(py, self, &curve)?; + + let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; + + Ok(ECPublicKey { + pkey, + curve: self.curve.clone_ref(py), + }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? + && self.y.as_ref(py).eq(other.y.as_ref(py))? + && self + .curve + .as_ref(py) + .getattr(pyo3::intern!(py, "name"))? + .eq(other.curve.as_ref(py).getattr(pyo3::intern!(py, "name"))?)? + && self + .curve + .as_ref(py) + .getattr(pyo3::intern!(py, "key_size"))? + .eq(other + .curve + .as_ref(py) + .getattr(pyo3::intern!(py, "key_size"))?)?) + } + + fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let mut hasher = DefaultHasher::new(); + self.x.as_ref(py).hash()?.hash(&mut hasher); + self.y.as_ref(py).hash()?.hash(&mut hasher); + self.curve + .as_ref(py) + .getattr(pyo3::intern!(py, "name"))? + .hash()? + .hash(&mut hasher); + self.curve + .as_ref(py) + .getattr(pyo3::intern!(py, "key_size"))? + .hash()? + .hash(&mut hasher); + Ok(hasher.finish()) + } + + fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let x = self.x.as_ref(py); + let y = self.y.as_ref(py); + let curve_name = self.curve.as_ref(py).getattr(pyo3::intern!(py, "name"))?; + Ok(format!( + "" + )) + } +} + pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "ec")?; m.add_function(pyo3::wrap_pyfunction!(curve_supported, m)?)?; m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(derive_private_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; m.add_class::()?; m.add_class::()?; + m.add_class::()?; + m.add_class::()?; Ok(m) } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index ed89d9a5ecc9..c75de1b113e4 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -401,6 +401,10 @@ pub static RSA_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( &["RSAPrivateNumbers"], ); +pub static ELLIPTIC_CURVE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.asymmetric.ec", + &["EllipticCurve"], +); pub static ELLIPTIC_CURVE_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.ec", &["EllipticCurvePrivateKey"], @@ -417,14 +421,6 @@ pub static ECDSA: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.asymmetric.ec", &["ECDSA"]); pub static ECDH: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.asymmetric.ec", &["ECDH"]); -pub static ELLIPTIC_CURVE_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.ec", - &["EllipticCurvePublicNumbers"], -); -pub static ELLIPTIC_CURVE_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.ec", - &["EllipticCurvePrivateNumbers"], -); pub static ED25519_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.ed25519", diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 73bfa122858a..9b775b4ca228 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -173,7 +173,9 @@ def test_invalid_private_numbers_public_numbers(): def test_ec_public_numbers_repr(): pn = ec.EllipticCurvePublicNumbers(2, 3, ec.SECP256R1()) - assert repr(pn) == "" + assert ( + repr(pn) == "" + ) def test_ec_public_numbers_hash(): From 6e106f5584d641552f634e87233294eb9ba189c2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 19:00:20 -0500 Subject: [PATCH 0889/1014] Update various links in the docs for permanent redirects (#10109) --- docs/development/test-vectors.rst | 2 +- docs/doing-a-release.rst | 2 +- docs/hazmat/primitives/key-derivation-functions.rst | 4 ++-- docs/hazmat/primitives/symmetric-encryption.rst | 6 +++--- docs/x509/certificate-transparency.rst | 2 +- docs/x509/reference.rst | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index ec9214080757..63001e3304fa 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -1035,7 +1035,7 @@ header format (substituting the correct information): .. _`BoringSSL ChaCha20Poly1305 tests`: https://boringssl.googlesource.com/boringssl/+/2e2a226ac9201ac411a84b5e79ac3a7333d8e1c9/crypto/cipher_extra/test/chacha20_poly1305_tests.txt .. _`BoringSSL evp tests`: https://boringssl.googlesource.com/boringssl/+/ce3773f9fe25c3b54390bc51d72572f251c7d7e6/crypto/evp/evp_tests.txt .. _`RIPEMD website`: https://homes.esat.kuleuven.be/~bosselae/ripemd160.html -.. _`draft RFC`: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01 +.. _`draft RFC`: https://datatracker.ietf.org/doc/html/draft-josefsson-scrypt-kdf-01 .. _`Specification repository`: https://github.com/fernet/spec .. _`errata`: https://www.rfc-editor.org/errata_search.php?rfc=6238 .. _`OpenSSL example key`: https://github.com/openssl/openssl/blob/d02b48c63a58ea4367a0e905979f140b7d090f86/test/testrsa.pem diff --git a/docs/doing-a-release.rst b/docs/doing-a-release.rst index 85fe7c52a326..cad1f3e312fe 100644 --- a/docs/doing-a-release.rst +++ b/docs/doing-a-release.rst @@ -100,4 +100,4 @@ Post-release tasks .. _`upgrading OpenSSL issue template`: https://github.com/pyca/cryptography/issues/new?template=openssl-release.md .. _`milestone`: https://github.com/pyca/cryptography/milestones .. _`mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev -.. _`python-announce`: https://mail.python.org/mailman/listinfo/python-announce-list +.. _`python-announce`: https://mail.python.org/mailman3/lists/python-announce-list.python.org/ diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index f96ae426cbbf..2715e3e56c5d 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -1025,7 +1025,7 @@ Interface .. [#nist] See `NIST SP 800-132`_. -.. _`NIST SP 800-132`: https://csrc.nist.gov/publications/detail/sp/800-132/final +.. _`NIST SP 800-132`: https://csrc.nist.gov/pubs/sp/800/132/final .. _`NIST SP 800-108`: https://csrc.nist.gov/pubs/sp/800/108/r1/final .. _`NIST SP 800-56Ar3`: https://csrc.nist.gov/pubs/sp/800/56/a/r3/final .. _`ANSI X9.63:2001`: https://webstore.ansi.org @@ -1036,6 +1036,6 @@ Interface .. _`HKDF`: https://en.wikipedia.org/wiki/HKDF .. _`HKDF paper`: https://eprint.iacr.org/2010/264 .. _`here`: https://stackoverflow.com/a/30308723/1170681 -.. _`recommends`: https://tools.ietf.org/html/rfc7914#section-2 +.. _`recommends`: https://datatracker.ietf.org/doc/html/rfc7914#section-2 .. _`The scrypt paper`: https://www.tarsnap.com/scrypt/scrypt.pdf .. _`understanding HKDF`: https://soatok.blog/2021/11/17/understanding-hkdf/ diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index e89b8acb0abb..e12ccac6ecf5 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -846,14 +846,14 @@ Exceptions .. _`described by Colin Percival`: https://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html -.. _`recommends a 96-bit IV length`: https://csrc.nist.gov/publications/detail/sp/800-38d/final +.. _`recommends a 96-bit IV length`: https://csrc.nist.gov/pubs/sp/800/38/d/final .. _`NIST SP-800-38D`: https://csrc.nist.gov/publications/detail/sp/800-38d/final .. _`Communications Security Establishment`: https://www.cse-cst.gc.ca .. _`encrypt`: https://ssd.eff.org/en/module/what-should-i-know-about-encryption -.. _`CRYPTREC`: https://www.cryptrec.go.jp/english/ +.. _`CRYPTREC`: https://www.cryptrec.go.jp/en/ .. _`original version`: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant .. _`significant patterns in the output`: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB) .. _`International Data Encryption Algorithm`: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm .. _`OpenPGP`: https://www.openpgp.org/ .. _`disk encryption`: https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS -.. _`draft-ribose-cfrg-sm4-10`: https://tools.ietf.org/html/draft-ribose-cfrg-sm4-10 +.. _`draft-ribose-cfrg-sm4-10`: https://datatracker.ietf.org/doc/html/draft-ribose-cfrg-sm4-10 diff --git a/docs/x509/certificate-transparency.rst b/docs/x509/certificate-transparency.rst index 33933384e19f..0e04ef3c5cab 100644 --- a/docs/x509/certificate-transparency.rst +++ b/docs/x509/certificate-transparency.rst @@ -125,4 +125,4 @@ issued. .. attribute:: ECDSA -.. _`Certificate Transparency`: https://www.certificate-transparency.org/ +.. _`Certificate Transparency`: https://certificate.transparency.dev/ diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index aa22d7c1f2ba..166c01f9a58a 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -3918,6 +3918,6 @@ Exceptions types can be found in `RFC 5280 section 4.2.1.6`_. -.. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1 -.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 +.. _`RFC 5280 section 4.2.1.1`: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1 +.. _`RFC 5280 section 4.2.1.6`: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 .. _`CABForum Guidelines`: https://cabforum.org/baseline-requirements-documents/ From 2e0440ff05af07c4e981cd89e74b132bca57e955 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 00:20:52 +0000 Subject: [PATCH 0890/1014] Bump BoringSSL and/or OpenSSL in CI (#10112) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2df4b8ceccc9..fbe80f873a37 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Dec 22, 2023. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6e0eba6e62333652290514e51b75b966b27b27c"}} - # Latest commit on the OpenSSL master branch, as of Jan 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "94be985cbcc1f0a5cf4f172d4a8d06c5c623122b"}} + # Latest commit on the BoringSSL master branch, as of Jan 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c0ae579dbbcd47ca60fd9539bf6cfc1bd0b434e9"}} + # Latest commit on the OpenSSL master branch, as of Jan 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d8fa4cf76308924daaf2335c6c0ff2f7334a5b26"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From b82e30b7db43fa125ab67a5e4e478b976f438d98 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 19:27:07 -0500 Subject: [PATCH 0891/1014] Migrate RSA Numbers to Rust (#10080) --- .../hazmat/bindings/_rust/openssl/rsa.pyi | 47 ++- .../hazmat/primitives/asymmetric/rsa.py | 208 +--------- src/rust/src/backend/rsa.rs | 366 +++++++++++++++--- src/rust/src/types.rs | 8 - 4 files changed, 356 insertions(+), 273 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi index d2abda968543..ef7752ddb79d 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/rsa.pyi @@ -2,17 +2,54 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import typing + from cryptography.hazmat.primitives.asymmetric import rsa class RSAPrivateKey: ... class RSAPublicKey: ... +class RSAPrivateNumbers: + def __init__( + self, + p: int, + q: int, + d: int, + dmp1: int, + dmq1: int, + iqmp: int, + public_numbers: RSAPublicNumbers, + ) -> None: ... + @property + def p(self) -> int: ... + @property + def q(self) -> int: ... + @property + def d(self) -> int: ... + @property + def dmp1(self) -> int: ... + @property + def dmq1(self) -> int: ... + @property + def iqmp(self) -> int: ... + @property + def public_numbers(self) -> RSAPublicNumbers: ... + def private_key( + self, + backend: typing.Any = None, + *, + unsafe_skip_rsa_key_validation: bool = False, + ) -> rsa.RSAPrivateKey: ... + +class RSAPublicNumbers: + def __init__(self, e: int, n: int) -> None: ... + @property + def n(self) -> int: ... + @property + def e(self) -> int: ... + def public_key(self, backend: typing.Any = None) -> rsa.RSAPublicKey: ... + def generate_private_key( public_exponent: int, key_size: int, ) -> rsa.RSAPrivateKey: ... -def from_private_numbers( - numbers: rsa.RSAPrivateNumbers, - unsafe_skip_rsa_key_validation: bool, -) -> rsa.RSAPrivateKey: ... -def from_public_numbers(numbers: rsa.RSAPublicNumbers) -> rsa.RSAPublicKey: ... diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index bb24ffbfe86a..6420434d82b7 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -130,6 +130,9 @@ def __eq__(self, other: object) -> bool: RSAPublicKeyWithSerialization = RSAPublicKey RSAPublicKey.register(rust_openssl.rsa.RSAPublicKey) +RSAPrivateNumbers = rust_openssl.rsa.RSAPrivateNumbers +RSAPublicNumbers = rust_openssl.rsa.RSAPublicNumbers + def generate_private_key( public_exponent: int, @@ -151,64 +154,6 @@ def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None: raise ValueError("key_size must be at least 512-bits.") -def _check_private_key_components( - p: int, - q: int, - private_exponent: int, - dmp1: int, - dmq1: int, - iqmp: int, - public_exponent: int, - modulus: int, -) -> None: - if modulus < 3: - raise ValueError("modulus must be >= 3.") - - if p >= modulus: - raise ValueError("p must be < modulus.") - - if q >= modulus: - raise ValueError("q must be < modulus.") - - if dmp1 >= modulus: - raise ValueError("dmp1 must be < modulus.") - - if dmq1 >= modulus: - raise ValueError("dmq1 must be < modulus.") - - if iqmp >= modulus: - raise ValueError("iqmp must be < modulus.") - - if private_exponent >= modulus: - raise ValueError("private_exponent must be < modulus.") - - if public_exponent < 3 or public_exponent >= modulus: - raise ValueError("public_exponent must be >= 3 and < modulus.") - - if public_exponent & 1 == 0: - raise ValueError("public_exponent must be odd.") - - if dmp1 & 1 == 0: - raise ValueError("dmp1 must be odd.") - - if dmq1 & 1 == 0: - raise ValueError("dmq1 must be odd.") - - if p * q != modulus: - raise ValueError("p*q must equal modulus.") - - -def _check_public_key_components(e: int, n: int) -> None: - if n < 3: - raise ValueError("n must be >= 3.") - - if e < 3 or e >= n: - raise ValueError("e must be >= 3 and < n.") - - if e & 1 == 0: - raise ValueError("e must be odd.") - - def _modinv(e: int, m: int) -> int: """ Modular Multiplicative Inverse. Returns x such that: (x*e) mod m == 1 @@ -292,150 +237,3 @@ def rsa_recover_prime_factors(n: int, e: int, d: int) -> tuple[int, int]: assert r == 0 p, q = sorted((p, q), reverse=True) return (p, q) - - -class RSAPrivateNumbers: - def __init__( - self, - p: int, - q: int, - d: int, - dmp1: int, - dmq1: int, - iqmp: int, - public_numbers: RSAPublicNumbers, - ): - if ( - not isinstance(p, int) - or not isinstance(q, int) - or not isinstance(d, int) - or not isinstance(dmp1, int) - or not isinstance(dmq1, int) - or not isinstance(iqmp, int) - ): - raise TypeError( - "RSAPrivateNumbers p, q, d, dmp1, dmq1, iqmp arguments must" - " all be an integers." - ) - - if not isinstance(public_numbers, RSAPublicNumbers): - raise TypeError( - "RSAPrivateNumbers public_numbers must be an RSAPublicNumbers" - " instance." - ) - - self._p = p - self._q = q - self._d = d - self._dmp1 = dmp1 - self._dmq1 = dmq1 - self._iqmp = iqmp - self._public_numbers = public_numbers - - @property - def p(self) -> int: - return self._p - - @property - def q(self) -> int: - return self._q - - @property - def d(self) -> int: - return self._d - - @property - def dmp1(self) -> int: - return self._dmp1 - - @property - def dmq1(self) -> int: - return self._dmq1 - - @property - def iqmp(self) -> int: - return self._iqmp - - @property - def public_numbers(self) -> RSAPublicNumbers: - return self._public_numbers - - def private_key( - self, - backend: typing.Any = None, - *, - unsafe_skip_rsa_key_validation: bool = False, - ) -> RSAPrivateKey: - _check_private_key_components( - self.p, - self.q, - self.d, - self.dmp1, - self.dmq1, - self.iqmp, - self.public_numbers.e, - self.public_numbers.n, - ) - return rust_openssl.rsa.from_private_numbers( - self, unsafe_skip_rsa_key_validation - ) - - def __eq__(self, other: object) -> bool: - if not isinstance(other, RSAPrivateNumbers): - return NotImplemented - - return ( - self.p == other.p - and self.q == other.q - and self.d == other.d - and self.dmp1 == other.dmp1 - and self.dmq1 == other.dmq1 - and self.iqmp == other.iqmp - and self.public_numbers == other.public_numbers - ) - - def __hash__(self) -> int: - return hash( - ( - self.p, - self.q, - self.d, - self.dmp1, - self.dmq1, - self.iqmp, - self.public_numbers, - ) - ) - - -class RSAPublicNumbers: - def __init__(self, e: int, n: int): - if not isinstance(e, int) or not isinstance(n, int): - raise TypeError("RSAPublicNumbers arguments must be integers.") - - self._e = e - self._n = n - - @property - def e(self) -> int: - return self._e - - @property - def n(self) -> int: - return self._n - - def public_key(self, backend: typing.Any = None) -> RSAPublicKey: - _check_public_key_components(self.e, self.n) - return rust_openssl.rsa.from_public_numbers(self) - - def __repr__(self) -> str: - return f"" - - def __eq__(self, other: object) -> bool: - if not isinstance(other, RSAPublicNumbers): - return NotImplemented - - return self.e == other.e and self.n == other.n - - def __hash__(self) -> int: - return hash((self.e, self.n)) diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index c6e9a392a718..4fdcde2ec8aa 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -5,6 +5,8 @@ use crate::backend::{hashes, utils}; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; #[pyo3::prelude::pyclass( frozen, @@ -64,46 +66,6 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu Ok(RsaPrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] -fn from_private_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, - unsafe_skip_rsa_key_validation: bool, -) -> CryptographyResult { - let public_numbers = numbers.getattr(pyo3::intern!(py, "public_numbers"))?; - - let rsa = openssl::rsa::Rsa::from_private_components( - utils::py_int_to_bn(py, public_numbers.getattr(pyo3::intern!(py, "n"))?)?, - utils::py_int_to_bn(py, public_numbers.getattr(pyo3::intern!(py, "e"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "d"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "p"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "q"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "dmp1"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "dmq1"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "iqmp"))?)?, - ) - .unwrap(); - if !unsafe_skip_rsa_key_validation { - check_rsa_private_key(&rsa)?; - } - let pkey = openssl::pkey::PKey::from_rsa(rsa)?; - Ok(RsaPrivateKey { pkey }) -} - -#[pyo3::prelude::pyfunction] -fn from_public_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let rsa = openssl::rsa::Rsa::from_public_components( - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "n"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "e"))?)?, - ) - .unwrap(); - let pkey = openssl::pkey::PKey::from_rsa(rsa)?; - Ok(RsaPublicKey { pkey }) -} - fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) || md == &openssl::hash::MessageDigest::sha224() @@ -404,7 +366,7 @@ impl RsaPrivateKey { Ok(RsaPublicKey { pkey }) } - fn private_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn private_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let rsa = self.pkey.rsa().unwrap(); let py_p = utils::bn_to_py_int(py, rsa.p().unwrap())?; @@ -416,16 +378,19 @@ impl RsaPrivateKey { let py_e = utils::bn_to_py_int(py, rsa.e())?; let py_n = utils::bn_to_py_int(py, rsa.n())?; - let public_numbers = types::RSA_PUBLIC_NUMBERS.get(py)?.call1((py_e, py_n))?; - Ok(types::RSA_PRIVATE_NUMBERS.get(py)?.call1(( - py_p, - py_q, - py_d, - py_dmp1, - py_dmq1, - py_iqmp, - public_numbers, - ))?) + let public_numbers = RsaPublicNumbers { + e: py_e.extract()?, + n: py_n.extract()?, + }; + Ok(RsaPrivateNumbers { + p: py_p.extract()?, + q: py_q.extract()?, + d: py_d.extract()?, + dmp1: py_dmp1.extract()?, + dmq1: py_dmq1.extract()?, + iqmp: py_iqmp.extract()?, + public_numbers: pyo3::Py::new(py, public_numbers)?, + }) } fn private_bytes<'p>( @@ -528,13 +493,16 @@ impl RsaPublicKey { self.pkey.rsa().unwrap().n().num_bits() } - fn public_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn public_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let rsa = self.pkey.rsa().unwrap(); let py_e = utils::bn_to_py_int(py, rsa.e())?; let py_n = utils::bn_to_py_int(py, rsa.n())?; - Ok(types::RSA_PUBLIC_NUMBERS.get(py)?.call1((py_e, py_n))?) + Ok(RsaPublicNumbers { + e: py_e.extract()?, + n: py_n.extract()?, + }) } fn public_bytes<'p>( @@ -555,14 +523,302 @@ impl RsaPublicKey { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.primitives.asymmetric.rsa", + name = "RSAPrivateNumbers" +)] +struct RsaPrivateNumbers { + #[pyo3(get)] + p: pyo3::Py, + #[pyo3(get)] + q: pyo3::Py, + #[pyo3(get)] + d: pyo3::Py, + #[pyo3(get)] + dmp1: pyo3::Py, + #[pyo3(get)] + dmq1: pyo3::Py, + #[pyo3(get)] + iqmp: pyo3::Py, + #[pyo3(get)] + public_numbers: pyo3::Py, +} + +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.primitives.asymmetric.rsa", + name = "RSAPublicNumbers" +)] +struct RsaPublicNumbers { + #[pyo3(get)] + e: pyo3::Py, + #[pyo3(get)] + n: pyo3::Py, +} + +#[allow(clippy::too_many_arguments)] +fn check_private_key_components( + p: &pyo3::types::PyLong, + q: &pyo3::types::PyLong, + private_exponent: &pyo3::types::PyLong, + dmp1: &pyo3::types::PyLong, + dmq1: &pyo3::types::PyLong, + iqmp: &pyo3::types::PyLong, + public_exponent: &pyo3::types::PyLong, + modulus: &pyo3::types::PyLong, +) -> CryptographyResult<()> { + if modulus.lt(3)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("modulus must be >= 3."), + )); + } + + if p.ge(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("p must be < modulus."), + )); + } + + if q.ge(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("q must be < modulus."), + )); + } + + if dmp1.ge(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("dmp1 must be < modulus."), + )); + } + + if dmq1.ge(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("dmq1 must be < modulus."), + )); + } + + if iqmp.ge(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("iqmp must be < modulus."), + )); + } + + if private_exponent.ge(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("private_exponent must be < modulus."), + )); + } + + if public_exponent.lt(3)? || public_exponent.ge(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("public_exponent must be >= 3 and < modulus."), + )); + } + + // No `bitand` method. + if public_exponent.call_method1("__and__", (1,))?.eq(0)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("public_exponent must be odd."), + )); + } + + if dmp1.call_method1("__and__", (1,))?.eq(0)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("dmp1 must be odd."), + )); + } + + if dmq1.call_method1("__and__", (1,))?.eq(0)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("dmq1 must be odd."), + )); + } + + if p.call_method1("__mul__", (q,))?.ne(modulus)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("p*q must equal modulus."), + )); + } + + Ok(()) +} + +#[pyo3::prelude::pymethods] +impl RsaPrivateNumbers { + #[new] + fn new( + p: pyo3::Py, + q: pyo3::Py, + d: pyo3::Py, + dmp1: pyo3::Py, + dmq1: pyo3::Py, + iqmp: pyo3::Py, + public_numbers: pyo3::Py, + ) -> RsaPrivateNumbers { + Self { + p, + q, + d, + dmp1, + dmq1, + iqmp, + public_numbers, + } + } + + #[pyo3(signature = (backend = None, *, unsafe_skip_rsa_key_validation = false))] + fn private_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + unsafe_skip_rsa_key_validation: bool, + ) -> CryptographyResult { + let _ = backend; + + check_private_key_components( + self.p.as_ref(py), + self.q.as_ref(py), + self.d.as_ref(py), + self.dmp1.as_ref(py), + self.dmq1.as_ref(py), + self.iqmp.as_ref(py), + self.public_numbers.get().e.as_ref(py), + self.public_numbers.get().n.as_ref(py), + )?; + let public_numbers = self.public_numbers.get(); + let rsa = openssl::rsa::Rsa::from_private_components( + utils::py_int_to_bn(py, public_numbers.n.as_ref(py))?, + utils::py_int_to_bn(py, public_numbers.e.as_ref(py))?, + utils::py_int_to_bn(py, self.d.as_ref(py))?, + utils::py_int_to_bn(py, self.p.as_ref(py))?, + utils::py_int_to_bn(py, self.q.as_ref(py))?, + utils::py_int_to_bn(py, self.dmp1.as_ref(py))?, + utils::py_int_to_bn(py, self.dmq1.as_ref(py))?, + utils::py_int_to_bn(py, self.iqmp.as_ref(py))?, + ) + .unwrap(); + if !unsafe_skip_rsa_key_validation { + check_rsa_private_key(&rsa)?; + } + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok(RsaPrivateKey { pkey }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? + && self.q.as_ref(py).eq(other.q.as_ref(py))? + && self.d.as_ref(py).eq(other.d.as_ref(py))? + && self.dmp1.as_ref(py).eq(other.dmp1.as_ref(py))? + && self.dmq1.as_ref(py).eq(other.dmq1.as_ref(py))? + && self.iqmp.as_ref(py).eq(other.iqmp.as_ref(py))? + && self + .public_numbers + .as_ref(py) + .eq(other.public_numbers.as_ref(py))?) + } + + fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let mut hasher = DefaultHasher::new(); + self.p.as_ref(py).hash()?.hash(&mut hasher); + self.q.as_ref(py).hash()?.hash(&mut hasher); + self.d.as_ref(py).hash()?.hash(&mut hasher); + self.dmp1.as_ref(py).hash()?.hash(&mut hasher); + self.dmq1.as_ref(py).hash()?.hash(&mut hasher); + self.iqmp.as_ref(py).hash()?.hash(&mut hasher); + self.public_numbers.as_ref(py).hash()?.hash(&mut hasher); + Ok(hasher.finish()) + } +} + +fn check_public_key_components( + e: &pyo3::types::PyLong, + n: &pyo3::types::PyLong, +) -> CryptographyResult<()> { + if n.lt(3)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("n must be >= 3."), + )); + } + + if e.lt(3)? || e.ge(n)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("e must be >= 3 and < n."), + )); + } + + // No `bitand` method. + if e.call_method1("__and__", (1,))?.eq(0)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("e must be odd."), + )); + } + + Ok(()) +} + +#[pyo3::prelude::pymethods] +impl RsaPublicNumbers { + #[new] + fn new(e: pyo3::Py, n: pyo3::Py) -> RsaPublicNumbers { + RsaPublicNumbers { e, n } + } + + fn public_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + check_public_key_components(self.e.as_ref(py), self.n.as_ref(py))?; + + let rsa = openssl::rsa::Rsa::from_public_components( + utils::py_int_to_bn(py, self.n.as_ref(py))?, + utils::py_int_to_bn(py, self.e.as_ref(py))?, + ) + .unwrap(); + let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + Ok(RsaPublicKey { pkey }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok( + self.e.as_ref(py).eq(other.e.as_ref(py))? + && self.n.as_ref(py).eq(other.n.as_ref(py))?, + ) + } + + fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let mut hasher = DefaultHasher::new(); + self.e.as_ref(py).hash()?.hash(&mut hasher); + self.n.as_ref(py).hash()?.hash(&mut hasher); + Ok(hasher.finish()) + } + + fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let e = self.e.as_ref(py); + let n = self.n.as_ref(py); + Ok(format!("")) + } +} + pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "rsa")?; m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; m.add_class::()?; m.add_class::()?; + m.add_class::()?; + m.add_class::()?; Ok(m) } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index c75de1b113e4..1752636c638f 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -392,14 +392,6 @@ pub static RSA_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.rsa", &["RSAPublicKey"], ); -pub static RSA_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.rsa", - &["RSAPublicNumbers"], -); -pub static RSA_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.rsa", - &["RSAPrivateNumbers"], -); pub static ELLIPTIC_CURVE: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.ec", From 7ce98ee25e935a9719950fc6e27761e8a24064d5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 00:33:53 +0000 Subject: [PATCH 0892/1014] Bump x509-limbo and/or wycheproof in CI (#10113) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 89a2571af7c4..eaac6fc28fb1 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Dec 28, 2023. - ref: "ec05ac7737dfdd822ecc8c4e88460b051d4b729f" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 03, 2024. + ref: "e8aea0aad91a06f2fe1e4e8be56b95d28f177790" # x509-limbo-ref From ba9131eaf23669098997b54859174834edf19fb9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 20:06:30 -0500 Subject: [PATCH 0893/1014] Migrate DH Numbers to Rust (#10081) --- .../hazmat/backends/openssl/backend.py | 14 +- .../hazmat/bindings/_rust/openssl/dh.pyi | 35 +- .../hazmat/primitives/asymmetric/dh.py | 113 +------ src/rust/src/backend/dh.rs | 299 +++++++++++++----- src/rust/src/types.rs | 13 - tests/hazmat/primitives/test_dh.py | 28 +- 6 files changed, 250 insertions(+), 252 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index edd7a0aa0266..ef7c8e2e5144 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -17,7 +17,7 @@ from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding -from cryptography.hazmat.primitives.asymmetric import dh, ec +from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric import utils as asym_utils from cryptography.hazmat.primitives.asymmetric.padding import ( MGF1, @@ -648,18 +648,6 @@ def elliptic_curve_exchange_algorithm_supported( def dh_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL - def dh_parameters_supported( - self, p: int, g: int, q: int | None = None - ) -> bool: - try: - rust_openssl.dh.from_parameter_numbers( - dh.DHParameterNumbers(p=p, g=g, q=q) - ) - except ValueError: - return False - else: - return True - def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi index e11203df3ab8..38343867e53b 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi @@ -2,6 +2,8 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import typing + from cryptography.hazmat.primitives.asymmetric import dh MIN_MODULUS_SIZE: int @@ -10,11 +12,34 @@ class DHPrivateKey: ... class DHPublicKey: ... class DHParameters: ... +class DHPrivateNumbers: + def __init__(self, x: int, public_numbers: DHPublicNumbers) -> None: ... + def private_key(self, backend: typing.Any = None) -> dh.DHPrivateKey: ... + @property + def x(self) -> int: ... + @property + def public_numbers(self) -> DHPublicNumbers: ... + +class DHPublicNumbers: + def __init__( + self, y: int, parameter_numbers: DHParameterNumbers + ) -> None: ... + def public_key(self, backend: typing.Any = None) -> dh.DHPublicKey: ... + @property + def y(self) -> int: ... + @property + def parameter_numbers(self) -> DHParameterNumbers: ... + +class DHParameterNumbers: + def __init__(self, p: int, g: int, q: int | None = None) -> None: ... + def parameters(self, backend: typing.Any = None) -> dh.DHParameters: ... + @property + def p(self) -> int: ... + @property + def g(self) -> int: ... + @property + def q(self) -> int | None: ... + def generate_parameters(generator: int, key_size: int) -> dh.DHParameters: ... def from_pem_parameters(data: bytes) -> dh.DHParameters: ... def from_der_parameters(data: bytes) -> dh.DHParameters: ... -def from_private_numbers(numbers: dh.DHPrivateNumbers) -> dh.DHPrivateKey: ... -def from_public_numbers(numbers: dh.DHPublicNumbers) -> dh.DHPublicKey: ... -def from_parameter_numbers( - numbers: dh.DHParameterNumbers, -) -> dh.DHParameters: ... diff --git a/src/cryptography/hazmat/primitives/asymmetric/dh.py b/src/cryptography/hazmat/primitives/asymmetric/dh.py index f3d5a71bd80a..cc3294965c02 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dh.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dh.py @@ -17,116 +17,9 @@ def generate_parameters( return rust_openssl.dh.generate_parameters(generator, key_size) -class DHParameterNumbers: - def __init__(self, p: int, g: int, q: int | None = None) -> None: - if not isinstance(p, int) or not isinstance(g, int): - raise TypeError("p and g must be integers") - if q is not None and not isinstance(q, int): - raise TypeError("q must be integer or None") - - if g < 2: - raise ValueError("DH generator must be 2 or greater") - - if p.bit_length() < rust_openssl.dh.MIN_MODULUS_SIZE: - raise ValueError( - f"p (modulus) must be at least " - f"{rust_openssl.dh.MIN_MODULUS_SIZE}-bit" - ) - - self._p = p - self._g = g - self._q = q - - def __eq__(self, other: object) -> bool: - if not isinstance(other, DHParameterNumbers): - return NotImplemented - - return ( - self._p == other._p and self._g == other._g and self._q == other._q - ) - - def parameters(self, backend: typing.Any = None) -> DHParameters: - return rust_openssl.dh.from_parameter_numbers(self) - - @property - def p(self) -> int: - return self._p - - @property - def g(self) -> int: - return self._g - - @property - def q(self) -> int | None: - return self._q - - -class DHPublicNumbers: - def __init__(self, y: int, parameter_numbers: DHParameterNumbers) -> None: - if not isinstance(y, int): - raise TypeError("y must be an integer.") - - if not isinstance(parameter_numbers, DHParameterNumbers): - raise TypeError( - "parameters must be an instance of DHParameterNumbers." - ) - - self._y = y - self._parameter_numbers = parameter_numbers - - def __eq__(self, other: object) -> bool: - if not isinstance(other, DHPublicNumbers): - return NotImplemented - - return ( - self._y == other._y - and self._parameter_numbers == other._parameter_numbers - ) - - def public_key(self, backend: typing.Any = None) -> DHPublicKey: - return rust_openssl.dh.from_public_numbers(self) - - @property - def y(self) -> int: - return self._y - - @property - def parameter_numbers(self) -> DHParameterNumbers: - return self._parameter_numbers - - -class DHPrivateNumbers: - def __init__(self, x: int, public_numbers: DHPublicNumbers) -> None: - if not isinstance(x, int): - raise TypeError("x must be an integer.") - - if not isinstance(public_numbers, DHPublicNumbers): - raise TypeError( - "public_numbers must be an instance of " "DHPublicNumbers." - ) - - self._x = x - self._public_numbers = public_numbers - - def __eq__(self, other: object) -> bool: - if not isinstance(other, DHPrivateNumbers): - return NotImplemented - - return ( - self._x == other._x - and self._public_numbers == other._public_numbers - ) - - def private_key(self, backend: typing.Any = None) -> DHPrivateKey: - return rust_openssl.dh.from_private_numbers(self) - - @property - def public_numbers(self) -> DHPublicNumbers: - return self._public_numbers - - @property - def x(self) -> int: - return self._x +DHPrivateNumbers = rust_openssl.dh.DHPrivateNumbers +DHPublicNumbers = rust_openssl.dh.DHPublicNumbers +DHParameterNumbers = rust_openssl.dh.DHParameterNumbers class DHParameters(metaclass=abc.ABCMeta): diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index cf05a904d95c..51e1f4618226 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -90,71 +90,19 @@ fn from_pem_parameters(data: &[u8]) -> CryptographyResult { fn dh_parameters_from_numbers( py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, + numbers: &DHParameterNumbers, ) -> CryptographyResult> { - let p = utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "p"))?)?; + let p = utils::py_int_to_bn(py, numbers.p.as_ref(py))?; let q = numbers - .getattr(pyo3::intern!(py, "q"))? - .extract::>()? - .map(|v| utils::py_int_to_bn(py, v)) + .q + .as_ref() + .map(|v| utils::py_int_to_bn(py, v.as_ref(py))) .transpose()?; - let g = utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "g"))?)?; + let g = utils::py_int_to_bn(py, numbers.g.as_ref(py))?; Ok(openssl::dh::Dh::from_pqg(p, q, g)?) } -#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] -#[pyo3::prelude::pyfunction] -fn from_private_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let public_numbers = numbers.getattr(pyo3::intern!(py, "public_numbers"))?; - let parameter_numbers = public_numbers.getattr(pyo3::intern!(py, "parameter_numbers"))?; - - let dh = dh_parameters_from_numbers(py, parameter_numbers)?; - - let pub_key = utils::py_int_to_bn(py, public_numbers.getattr(pyo3::intern!(py, "y"))?)?; - let priv_key = utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "x"))?)?; - - let dh = dh.set_key(pub_key, priv_key)?; - if !dh.check_key()? { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "DH private numbers did not pass safety checks.", - ), - )); - } - - let pkey = openssl::pkey::PKey::from_dh(dh)?; - Ok(DHPrivateKey { pkey }) -} - -#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] -#[pyo3::prelude::pyfunction] -fn from_public_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let parameter_numbers = numbers.getattr(pyo3::intern!(py, "parameter_numbers"))?; - let dh = dh_parameters_from_numbers(py, parameter_numbers)?; - - let pub_key = utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "y"))?)?; - - let pkey = openssl::pkey::PKey::from_dh(dh.set_public_key(pub_key)?)?; - - Ok(DHPublicKey { pkey }) -} - -#[pyo3::prelude::pyfunction] -fn from_parameter_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let dh = dh_parameters_from_numbers(py, numbers)?; - Ok(DHParameters { dh }) -} - fn clone_dh( dh: &openssl::dh::Dh, ) -> CryptographyResult> { @@ -195,7 +143,7 @@ impl DHPrivateKey { })?) } - fn private_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn private_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let dh = self.pkey.dh().unwrap(); let py_p = utils::bn_to_py_int(py, dh.prime_p())?; @@ -208,16 +156,20 @@ impl DHPrivateKey { let py_pub_key = utils::bn_to_py_int(py, dh.public_key())?; let py_private_key = utils::bn_to_py_int(py, dh.private_key())?; - let parameter_numbers = types::DH_PARAMETER_NUMBERS - .get(py)? - .call1((py_p, py_g, py_q))?; - let public_numbers = types::DH_PUBLIC_NUMBERS - .get(py)? - .call1((py_pub_key, parameter_numbers))?; + let parameter_numbers = DHParameterNumbers { + p: py_p.extract()?, + q: py_q.map(|q| q.extract()).transpose()?, + g: py_g.extract()?, + }; + let public_numbers = DHPublicNumbers { + y: py_pub_key.extract()?, + parameter_numbers: pyo3::Py::new(py, parameter_numbers)?, + }; - Ok(types::DH_PRIVATE_NUMBERS - .get(py)? - .call1((py_private_key, public_numbers))?) + Ok(DHPrivateNumbers { + x: py_private_key.extract()?, + public_numbers: pyo3::Py::new(py, public_numbers)?, + }) } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] @@ -295,7 +247,7 @@ impl DHPublicKey { }) } - fn public_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn public_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let dh = self.pkey.dh().unwrap(); let py_p = utils::bn_to_py_int(py, dh.prime_p())?; @@ -307,13 +259,16 @@ impl DHPublicKey { let py_pub_key = utils::bn_to_py_int(py, dh.public_key())?; - let parameter_numbers = types::DH_PARAMETER_NUMBERS - .get(py)? - .call1((py_p, py_g, py_q))?; + let parameter_numbers = DHParameterNumbers { + p: py_p.extract()?, + q: py_q.map(|q| q.extract()).transpose()?, + g: py_g.extract()?, + }; - Ok(types::DH_PUBLIC_NUMBERS - .get(py)? - .call1((py_pub_key, parameter_numbers))?) + Ok(DHPublicNumbers { + y: py_pub_key.extract()?, + parameter_numbers: pyo3::Py::new(py, parameter_numbers)?, + }) } fn __eq__(&self, other: pyo3::PyRef<'_, Self>) -> bool { @@ -335,7 +290,7 @@ impl DHParameters { }) } - fn parameter_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn parameter_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let py_p = utils::bn_to_py_int(py, self.dh.prime_p())?; let py_q = self .dh @@ -344,9 +299,11 @@ impl DHParameters { .transpose()?; let py_g = utils::bn_to_py_int(py, self.dh.generator())?; - Ok(types::DH_PARAMETER_NUMBERS - .get(py)? - .call1((py_p, py_g, py_q))?) + Ok(DHParameterNumbers { + p: py_p.extract()?, + q: py_q.map(|q| q.extract()).transpose()?, + g: py_g.extract()?, + }) } fn parameter_bytes<'p>( @@ -383,22 +340,192 @@ impl DHParameters { } } +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +struct DHPrivateNumbers { + #[pyo3(get)] + x: pyo3::Py, + #[pyo3(get)] + public_numbers: pyo3::Py, +} + +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +struct DHPublicNumbers { + #[pyo3(get)] + y: pyo3::Py, + #[pyo3(get)] + parameter_numbers: pyo3::Py, +} + +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +struct DHParameterNumbers { + #[pyo3(get)] + p: pyo3::Py, + #[pyo3(get)] + g: pyo3::Py, + #[pyo3(get)] + q: Option>, +} + +#[pyo3::prelude::pymethods] +impl DHPrivateNumbers { + #[new] + fn new( + x: pyo3::Py, + public_numbers: pyo3::Py, + ) -> DHPrivateNumbers { + DHPrivateNumbers { x, public_numbers } + } + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + fn private_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + let dh = dh_parameters_from_numbers(py, self.public_numbers.get().parameter_numbers.get())?; + + let pub_key = utils::py_int_to_bn(py, self.public_numbers.get().y.as_ref(py))?; + let priv_key = utils::py_int_to_bn(py, self.x.as_ref(py))?; + + let dh = dh.set_key(pub_key, priv_key)?; + if !dh.check_key()? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "DH private numbers did not pass safety checks.", + ), + )); + } + + let pkey = openssl::pkey::PKey::from_dh(dh)?; + Ok(DHPrivateKey { pkey }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? + && self + .public_numbers + .as_ref(py) + .eq(other.public_numbers.as_ref(py))?) + } +} + +#[pyo3::prelude::pymethods] +impl DHPublicNumbers { + #[new] + fn new( + y: pyo3::Py, + parameter_numbers: pyo3::Py, + ) -> DHPublicNumbers { + DHPublicNumbers { + y, + parameter_numbers, + } + } + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + fn public_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + let dh = dh_parameters_from_numbers(py, self.parameter_numbers.get())?; + + let pub_key = utils::py_int_to_bn(py, self.y.as_ref(py))?; + + let pkey = openssl::pkey::PKey::from_dh(dh.set_public_key(pub_key)?)?; + + Ok(DHPublicKey { pkey }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self.y.as_ref(py).eq(other.y.as_ref(py))? + && self + .parameter_numbers + .as_ref(py) + .eq(other.parameter_numbers.as_ref(py))?) + } +} + +#[pyo3::prelude::pymethods] +impl DHParameterNumbers { + #[new] + fn new( + py: pyo3::Python<'_>, + p: pyo3::Py, + g: pyo3::Py, + q: Option>, + ) -> CryptographyResult { + if g.as_ref(py).lt(2)? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("DH generator must be 2 or greater"), + )); + } + + if p.as_ref(py) + .call_method0("bit_length")? + .lt(MIN_MODULUS_SIZE)? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "p (modulus) must be at least {MIN_MODULUS_SIZE}-bit" + )), + )); + } + + Ok(DHParameterNumbers { p, g, q }) + } + + fn parameters( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + let dh = dh_parameters_from_numbers(py, self)?; + Ok(DHParameters { dh }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + let q_equal = match (self.q.as_ref(), other.q.as_ref()) { + (Some(self_q), Some(other_q)) => self_q.as_ref(py).eq(other_q.as_ref(py))?, + (None, None) => true, + _ => false, + }; + Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? + && self.g.as_ref(py).eq(other.g.as_ref(py))? + && q_equal) + } +} + pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "dh")?; m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?; m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?; - #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; - #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_parameter_numbers, m)?)?; m.add_class::()?; m.add_class::()?; m.add_class::()?; - - m.add("MIN_MODULUS_SIZE", MIN_MODULUS_SIZE)?; + m.add_class::()?; + m.add_class::()?; + m.add_class::()?; Ok(m) } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 1752636c638f..13099ddf787f 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -432,19 +432,6 @@ pub static ED448_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( &["Ed448PublicKey"], ); -pub static DH_PARAMETER_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.dh", - &["DHParameterNumbers"], -); -pub static DH_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.dh", - &["DHPublicNumbers"], -); -pub static DH_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.dh", - &["DHPrivateNumbers"], -); - pub static DSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.dsa", &["DSAPrivateKey"], diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 3fc3ef17e8b7..33ab4121c30c 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -108,6 +108,9 @@ def test_dh_parameter_numbers_equality(): assert dh.DHParameterNumbers(P_1536, 2, 123) != dh.DHParameterNumbers( P_1536, 2, 456 ) + assert dh.DHParameterNumbers(P_1536, 2, 123) != dh.DHParameterNumbers( + P_1536, 2 + ) assert dh.DHParameterNumbers(P_1536, 5) != dh.DHParameterNumbers(P_1536, 2) assert dh.DHParameterNumbers(P_1536, 2) != object() @@ -153,19 +156,6 @@ def test_large_key_generate_dh(self, backend): with pytest.raises(ValueError): dh.generate_parameters(2, 1 << 30) - @pytest.mark.skip_fips(reason="non-FIPS parameters") - def test_dh_parameters_supported(self, backend): - valid_p = int( - b"907c7211ae61aaaba1825ff53b6cb71ac6df9f1a424c033f4a0a41ac42fad3a9" - b"bcfc7f938a269710ed69e330523e4039029b7900977c740990d46efed79b9bbe" - b"73505ae878808944ce4d9c6c52daecc0a87dc889c53499be93db8551ee685f30" - b"349bf1b443d4ebaee0d5e8b441a40d4e8178f8f612f657a5eb91e0a8e" - b"107755f", - 16, - ) - assert backend.dh_parameters_supported(valid_p, 5) - assert not backend.dh_parameters_supported(23, 22) - @pytest.mark.parametrize( "vector", load_vectors_from_file( @@ -201,18 +191,6 @@ def test_dh_parameters_allows_rfc3526_groups(self, backend, vector): # what we expect OpenSSL to have done here. assert serialized_params.q == (params.p - 1) // 2 - @pytest.mark.skip_fips(reason="non-FIPS parameters") - @pytest.mark.parametrize( - "vector", - load_vectors_from_file( - os.path.join("asymmetric", "DH", "RFC5114.txt"), load_nist_vectors - ), - ) - def test_dh_parameters_supported_with_q(self, backend, vector): - assert backend.dh_parameters_supported( - int(vector["p"], 16), int(vector["g"], 16), int(vector["q"], 16) - ) - @pytest.mark.skip_fips(reason="modulus too small for FIPS") @pytest.mark.parametrize("with_q", [False, True]) def test_convert_to_numbers(self, backend, with_q): From df3c75955bc40be52ddbb1b620ba350b3ae62b32 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 20:10:20 -0500 Subject: [PATCH 0894/1014] Migrate DSA Numbers to Rust (#10083) --- .../hazmat/bindings/_rust/openssl/dsa.pyi | 37 +- .../hazmat/primitives/asymmetric/dsa.py | 139 +------ src/rust/src/backend/dsa.rs | 370 ++++++++++++++---- src/rust/src/types.rs | 12 - 4 files changed, 325 insertions(+), 233 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi index 1a4a0062bed9..0922a4c4041a 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/dsa.pyi @@ -2,17 +2,40 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import typing + from cryptography.hazmat.primitives.asymmetric import dsa class DSAPrivateKey: ... class DSAPublicKey: ... class DSAParameters: ... +class DSAPrivateNumbers: + def __init__(self, x: int, public_numbers: DSAPublicNumbers) -> None: ... + @property + def x(self) -> int: ... + @property + def public_numbers(self) -> DSAPublicNumbers: ... + def private_key(self, backend: typing.Any = None) -> dsa.DSAPrivateKey: ... + +class DSAPublicNumbers: + def __init__( + self, y: int, parameter_numbers: DSAParameterNumbers + ) -> None: ... + @property + def y(self) -> int: ... + @property + def parameter_numbers(self) -> DSAParameterNumbers: ... + def public_key(self, backend: typing.Any = None) -> dsa.DSAPublicKey: ... + +class DSAParameterNumbers: + def __init__(self, p: int, q: int, g: int) -> None: ... + @property + def p(self) -> int: ... + @property + def q(self) -> int: ... + @property + def g(self) -> int: ... + def parameters(self, backend: typing.Any = None) -> dsa.DSAParameters: ... + def generate_parameters(key_size: int) -> dsa.DSAParameters: ... -def from_private_numbers( - numbers: dsa.DSAPrivateNumbers, -) -> dsa.DSAPrivateKey: ... -def from_public_numbers(numbers: dsa.DSAPublicNumbers) -> dsa.DSAPublicKey: ... -def from_parameter_numbers( - numbers: dsa.DSAParameterNumbers, -) -> dsa.DSAParameters: ... diff --git a/src/cryptography/hazmat/primitives/asymmetric/dsa.py b/src/cryptography/hazmat/primitives/asymmetric/dsa.py index ad521a03b0ae..6dd34c0e09b0 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dsa.py @@ -133,120 +133,9 @@ def __eq__(self, other: object) -> bool: DSAPublicKeyWithSerialization = DSAPublicKey DSAPublicKey.register(rust_openssl.dsa.DSAPublicKey) - -class DSAParameterNumbers: - def __init__(self, p: int, q: int, g: int): - if ( - not isinstance(p, int) - or not isinstance(q, int) - or not isinstance(g, int) - ): - raise TypeError( - "DSAParameterNumbers p, q, and g arguments must be integers." - ) - - self._p = p - self._q = q - self._g = g - - @property - def p(self) -> int: - return self._p - - @property - def q(self) -> int: - return self._q - - @property - def g(self) -> int: - return self._g - - def parameters(self, backend: typing.Any = None) -> DSAParameters: - _check_dsa_parameters(self) - return rust_openssl.dsa.from_parameter_numbers(self) - - def __eq__(self, other: object) -> bool: - if not isinstance(other, DSAParameterNumbers): - return NotImplemented - - return self.p == other.p and self.q == other.q and self.g == other.g - - def __repr__(self) -> str: - return f"" - - -class DSAPublicNumbers: - def __init__(self, y: int, parameter_numbers: DSAParameterNumbers): - if not isinstance(y, int): - raise TypeError("DSAPublicNumbers y argument must be an integer.") - - if not isinstance(parameter_numbers, DSAParameterNumbers): - raise TypeError( - "parameter_numbers must be a DSAParameterNumbers instance." - ) - - self._y = y - self._parameter_numbers = parameter_numbers - - @property - def y(self) -> int: - return self._y - - @property - def parameter_numbers(self) -> DSAParameterNumbers: - return self._parameter_numbers - - def public_key(self, backend: typing.Any = None) -> DSAPublicKey: - _check_dsa_parameters(self.parameter_numbers) - return rust_openssl.dsa.from_public_numbers(self) - - def __eq__(self, other: object) -> bool: - if not isinstance(other, DSAPublicNumbers): - return NotImplemented - - return ( - self.y == other.y - and self.parameter_numbers == other.parameter_numbers - ) - - def __repr__(self) -> str: - return ( - f"" - ) - - -class DSAPrivateNumbers: - def __init__(self, x: int, public_numbers: DSAPublicNumbers): - if not isinstance(x, int): - raise TypeError("DSAPrivateNumbers x argument must be an integer.") - - if not isinstance(public_numbers, DSAPublicNumbers): - raise TypeError( - "public_numbers must be a DSAPublicNumbers instance." - ) - self._public_numbers = public_numbers - self._x = x - - @property - def x(self) -> int: - return self._x - - @property - def public_numbers(self) -> DSAPublicNumbers: - return self._public_numbers - - def private_key(self, backend: typing.Any = None) -> DSAPrivateKey: - _check_dsa_private_numbers(self) - return rust_openssl.dsa.from_private_numbers(self) - - def __eq__(self, other: object) -> bool: - if not isinstance(other, DSAPrivateNumbers): - return NotImplemented - - return ( - self.x == other.x and self.public_numbers == other.public_numbers - ) +DSAPrivateNumbers = rust_openssl.dsa.DSAPrivateNumbers +DSAPublicNumbers = rust_openssl.dsa.DSAPublicNumbers +DSAParameterNumbers = rust_openssl.dsa.DSAParameterNumbers def generate_parameters( @@ -263,25 +152,3 @@ def generate_private_key( ) -> DSAPrivateKey: parameters = generate_parameters(key_size) return parameters.generate_private_key() - - -def _check_dsa_parameters(parameters: DSAParameterNumbers) -> None: - if parameters.p.bit_length() not in [1024, 2048, 3072, 4096]: - raise ValueError( - "p must be exactly 1024, 2048, 3072, or 4096 bits long" - ) - if parameters.q.bit_length() not in [160, 224, 256]: - raise ValueError("q must be exactly 160, 224, or 256 bits long") - - if not (1 < parameters.g < parameters.p): - raise ValueError("g, p don't satisfy 1 < g < p.") - - -def _check_dsa_private_numbers(numbers: DSAPrivateNumbers) -> None: - parameters = numbers.public_numbers.parameter_numbers - _check_dsa_parameters(parameters) - if numbers.x <= 0 or numbers.x >= parameters.q: - raise ValueError("x must be > 0 and < q.") - - if numbers.public_numbers.y != pow(parameters.g, numbers.x, parameters.p): - raise ValueError("y must be equal to (g ** x % p).") diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 4034fec7da81..cf0824613fdb 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -4,7 +4,7 @@ use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; -use crate::{exceptions, types}; +use crate::exceptions; #[pyo3::prelude::pyclass( frozen, @@ -55,58 +55,6 @@ fn generate_parameters(key_size: u32) -> CryptographyResult { Ok(DsaParameters { dsa }) } -#[pyo3::prelude::pyfunction] -fn from_private_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let public_numbers = numbers.getattr(pyo3::intern!(py, "public_numbers"))?; - let parameter_numbers = public_numbers.getattr(pyo3::intern!(py, "parameter_numbers"))?; - - let dsa = openssl::dsa::Dsa::from_private_components( - utils::py_int_to_bn(py, parameter_numbers.getattr(pyo3::intern!(py, "p"))?)?, - utils::py_int_to_bn(py, parameter_numbers.getattr(pyo3::intern!(py, "q"))?)?, - utils::py_int_to_bn(py, parameter_numbers.getattr(pyo3::intern!(py, "g"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "x"))?)?, - utils::py_int_to_bn(py, public_numbers.getattr(pyo3::intern!(py, "y"))?)?, - ) - .unwrap(); - let pkey = openssl::pkey::PKey::from_dsa(dsa)?; - Ok(DsaPrivateKey { pkey }) -} - -#[pyo3::prelude::pyfunction] -fn from_public_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let parameter_numbers = numbers.getattr(pyo3::intern!(py, "parameter_numbers"))?; - - let dsa = openssl::dsa::Dsa::from_public_components( - utils::py_int_to_bn(py, parameter_numbers.getattr(pyo3::intern!(py, "p"))?)?, - utils::py_int_to_bn(py, parameter_numbers.getattr(pyo3::intern!(py, "q"))?)?, - utils::py_int_to_bn(py, parameter_numbers.getattr(pyo3::intern!(py, "g"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "y"))?)?, - ) - .unwrap(); - let pkey = openssl::pkey::PKey::from_dsa(dsa)?; - Ok(DsaPublicKey { pkey }) -} - -#[pyo3::prelude::pyfunction] -fn from_parameter_numbers( - py: pyo3::Python<'_>, - numbers: &pyo3::PyAny, -) -> CryptographyResult { - let dsa = openssl::dsa::Dsa::from_pqg( - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "p"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "q"))?)?, - utils::py_int_to_bn(py, numbers.getattr(pyo3::intern!(py, "g"))?)?, - ) - .unwrap(); - Ok(DsaParameters { dsa }) -} - fn clone_dsa_params( d: &openssl::dsa::Dsa, ) -> Result, openssl::error::ErrorStack> { @@ -153,7 +101,7 @@ impl DsaPrivateKey { Ok(DsaParameters { dsa }) } - fn private_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn private_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let dsa = self.pkey.dsa().unwrap(); let py_p = utils::bn_to_py_int(py, dsa.p())?; @@ -163,16 +111,19 @@ impl DsaPrivateKey { let py_pub_key = utils::bn_to_py_int(py, dsa.pub_key())?; let py_private_key = utils::bn_to_py_int(py, dsa.priv_key())?; - let parameter_numbers = types::DSA_PARAMETER_NUMBERS - .get(py)? - .call1((py_p, py_q, py_g))?; - let public_numbers = types::DSA_PUBLIC_NUMBERS - .get(py)? - .call1((py_pub_key, parameter_numbers))?; - - Ok(types::DSA_PRIVATE_NUMBERS - .get(py)? - .call1((py_private_key, public_numbers))?) + let parameter_numbers = DsaParameterNumbers { + p: py_p.extract()?, + q: py_q.extract()?, + g: py_g.extract()?, + }; + let public_numbers = DsaPublicNumbers { + y: py_pub_key.extract()?, + parameter_numbers: pyo3::Py::new(py, parameter_numbers)?, + }; + Ok(DsaPrivateNumbers { + x: py_private_key.extract()?, + public_numbers: pyo3::Py::new(py, public_numbers)?, + }) } fn private_bytes<'p>( @@ -228,7 +179,7 @@ impl DsaPublicKey { Ok(DsaParameters { dsa }) } - fn public_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn public_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let dsa = self.pkey.dsa().unwrap(); let py_p = utils::bn_to_py_int(py, dsa.p())?; @@ -237,12 +188,15 @@ impl DsaPublicKey { let py_pub_key = utils::bn_to_py_int(py, dsa.pub_key())?; - let parameter_numbers = types::DSA_PARAMETER_NUMBERS - .get(py)? - .call1((py_p, py_q, py_g))?; - Ok(types::DSA_PUBLIC_NUMBERS - .get(py)? - .call1((py_pub_key, parameter_numbers))?) + let parameter_numbers = DsaParameterNumbers { + p: py_p.extract()?, + q: py_q.extract()?, + g: py_g.extract()?, + }; + Ok(DsaPublicNumbers { + y: py_pub_key.extract()?, + parameter_numbers: pyo3::Py::new(py, parameter_numbers)?, + }) } fn public_bytes<'p>( @@ -271,27 +225,287 @@ impl DsaParameters { Ok(DsaPrivateKey { pkey }) } - fn parameter_numbers<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn parameter_numbers(&self, py: pyo3::Python<'_>) -> CryptographyResult { let py_p = utils::bn_to_py_int(py, self.dsa.p())?; let py_q = utils::bn_to_py_int(py, self.dsa.q())?; let py_g = utils::bn_to_py_int(py, self.dsa.g())?; - Ok(types::DSA_PARAMETER_NUMBERS - .get(py)? - .call1((py_p, py_q, py_g))?) + Ok(DsaParameterNumbers { + p: py_p.extract()?, + q: py_q.extract()?, + g: py_g.extract()?, + }) + } +} + +fn check_dsa_parameters( + py: pyo3::Python<'_>, + parameters: &DsaParameterNumbers, +) -> CryptographyResult<()> { + if ![1024, 2048, 3072, 4096].contains( + ¶meters + .p + .as_ref(py) + .call_method0("bit_length")? + .extract::()?, + ) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "p must be exactly 1024, 2048, 3072, or 4096 bits long", + ), + )); + } + + if ![160, 224, 256].contains( + ¶meters + .q + .as_ref(py) + .call_method0("bit_length")? + .extract::()?, + ) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("q must be exactly 160, 224, or 256 bits long"), + )); + } + + if parameters.g.as_ref(py).le(1)? || parameters.g.as_ref(py).ge(parameters.p.as_ref(py))? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("g, p don't satisfy 1 < g < p."), + )); + } + + Ok(()) +} + +fn check_dsa_private_numbers( + py: pyo3::Python<'_>, + numbers: &DsaPrivateNumbers, +) -> CryptographyResult<()> { + let params = numbers.public_numbers.get().parameter_numbers.get(); + check_dsa_parameters(py, params)?; + + if numbers.x.as_ref(py).le(0)? || numbers.x.as_ref(py).ge(params.q.as_ref(py))? { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("x must be > 0 and < q."), + )); + } + + if numbers + .public_numbers + .get() + .y + .as_ref(py) + .ne(params.g.as_ref(py).call_method1( + pyo3::intern!(py, "__pow__"), + (numbers.x.as_ref(py), params.p.as_ref(py)), + )?)? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("y must be equal to (g ** x % p)."), + )); + } + + Ok(()) +} + +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.primitives.asymmetric.dsa", + name = "DSAPrivateNumbers" +)] +struct DsaPrivateNumbers { + #[pyo3(get)] + x: pyo3::Py, + #[pyo3(get)] + public_numbers: pyo3::Py, +} + +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.primitives.asymmetric.dsa", + name = "DSAPublicNumbers" +)] +struct DsaPublicNumbers { + #[pyo3(get)] + y: pyo3::Py, + #[pyo3(get)] + parameter_numbers: pyo3::Py, +} + +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.primitives.asymmetric.dsa", + name = "DSAParameterNumbers" +)] +struct DsaParameterNumbers { + #[pyo3(get)] + p: pyo3::Py, + #[pyo3(get)] + q: pyo3::Py, + #[pyo3(get)] + g: pyo3::Py, +} + +#[pyo3::prelude::pymethods] +impl DsaPrivateNumbers { + #[new] + fn new( + x: pyo3::Py, + public_numbers: pyo3::Py, + ) -> DsaPrivateNumbers { + DsaPrivateNumbers { x, public_numbers } + } + + fn private_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + let public_numbers = self.public_numbers.get(); + let parameter_numbers = public_numbers.parameter_numbers.get(); + + check_dsa_private_numbers(py, self)?; + + let dsa = openssl::dsa::Dsa::from_private_components( + utils::py_int_to_bn(py, parameter_numbers.p.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.q.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.g.as_ref(py))?, + utils::py_int_to_bn(py, self.x.as_ref(py))?, + utils::py_int_to_bn(py, public_numbers.y.as_ref(py))?, + ) + .unwrap(); + let pkey = openssl::pkey::PKey::from_dsa(dsa)?; + Ok(DsaPrivateKey { pkey }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? + && self + .public_numbers + .as_ref(py) + .eq(other.public_numbers.as_ref(py))?) + } +} + +#[pyo3::prelude::pymethods] +impl DsaPublicNumbers { + #[new] + fn new( + y: pyo3::Py, + parameter_numbers: pyo3::Py, + ) -> DsaPublicNumbers { + DsaPublicNumbers { + y, + parameter_numbers, + } + } + + fn public_key( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + let parameter_numbers = self.parameter_numbers.get(); + + check_dsa_parameters(py, parameter_numbers)?; + + let dsa = openssl::dsa::Dsa::from_public_components( + utils::py_int_to_bn(py, parameter_numbers.p.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.q.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.g.as_ref(py))?, + utils::py_int_to_bn(py, self.y.as_ref(py))?, + ) + .unwrap(); + let pkey = openssl::pkey::PKey::from_dsa(dsa)?; + Ok(DsaPublicKey { pkey }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self.y.as_ref(py).eq(other.y.as_ref(py))? + && self + .parameter_numbers + .as_ref(py) + .eq(other.parameter_numbers.as_ref(py))?) + } + + fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let y = self.y.as_ref(py); + let parameter_numbers = self.parameter_numbers.as_ref(py).repr()?; + Ok(format!( + "" + )) + } +} + +#[pyo3::prelude::pymethods] +impl DsaParameterNumbers { + #[new] + fn new( + p: pyo3::Py, + q: pyo3::Py, + g: pyo3::Py, + ) -> DsaParameterNumbers { + DsaParameterNumbers { p, q, g } + } + + fn parameters( + &self, + py: pyo3::Python<'_>, + backend: Option<&pyo3::PyAny>, + ) -> CryptographyResult { + let _ = backend; + + check_dsa_parameters(py, self)?; + + let dsa = openssl::dsa::Dsa::from_pqg( + utils::py_int_to_bn(py, self.p.as_ref(py))?, + utils::py_int_to_bn(py, self.q.as_ref(py))?, + utils::py_int_to_bn(py, self.g.as_ref(py))?, + ) + .unwrap(); + Ok(DsaParameters { dsa }) + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? + && self.q.as_ref(py).eq(other.q.as_ref(py))? + && self.g.as_ref(py).eq(other.g.as_ref(py))?) + } + + fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let p = self.p.as_ref(py); + let q = self.q.as_ref(py); + let g = self.g.as_ref(py); + Ok(format!("")) } } pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "dsa")?; m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_parameter_numbers, m)?)?; m.add_class::()?; m.add_class::()?; m.add_class::()?; + m.add_class::()?; + m.add_class::()?; + m.add_class::()?; Ok(m) } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 13099ddf787f..07cf417971b6 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -440,18 +440,6 @@ pub static DSA_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.dsa", &["DSAPublicKey"], ); -pub static DSA_PARAMETER_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.dsa", - &["DSAParameterNumbers"], -); -pub static DSA_PUBLIC_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.dsa", - &["DSAPublicNumbers"], -); -pub static DSA_PRIVATE_NUMBERS: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.asymmetric.dsa", - &["DSAPrivateNumbers"], -); pub static EXTRACT_BUFFER_LENGTH: LazyPyImport = LazyPyImport::new("cryptography.utils", &["_extract_buffer_length"]); From 8f3a5ade33cda79026a37d180c2247636bc85f13 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 2 Jan 2024 20:13:22 -0500 Subject: [PATCH 0895/1014] Format all the imports with (#10071) https://rust-lang.github.io/rustfmt/?version=v1.6.0&search=#group_imports using a value of `StdExternalCrate` This option isn't stable, so we can't enforce it in CI, which is annoying. --- src/rust/cryptography-openssl/src/cmac.rs | 6 +++-- src/rust/cryptography-openssl/src/hmac.rs | 6 +++-- .../src/certificate.rs | 3 +-- .../cryptography-x509-verification/src/lib.rs | 13 ++++++----- .../src/policy/extension.rs | 9 ++++---- .../src/policy/mod.rs | 14 +++++------- .../src/trust_store.rs | 3 ++- src/rust/cryptography-x509/src/common.rs | 6 +++-- src/rust/cryptography-x509/src/extensions.rs | 3 +-- src/rust/src/asn1.rs | 5 +++-- src/rust/src/backend/cipher_registry.rs | 6 +++-- src/rust/src/backend/dh.rs | 3 ++- src/rust/src/backend/ec.rs | 8 ++++--- src/rust/src/backend/hashes.rs | 3 ++- src/rust/src/backend/keys.rs | 5 +++-- src/rust/src/buf.rs | 3 ++- src/rust/src/error.rs | 3 ++- src/rust/src/oid.rs | 5 +++-- src/rust/src/pkcs7.rs | 17 ++++++++------ src/rust/src/x509/certificate.rs | 22 ++++++++++--------- src/rust/src/x509/common.rs | 7 +++--- src/rust/src/x509/crl.rs | 18 ++++++++------- src/rust/src/x509/csr.rs | 14 +++++++----- src/rust/src/x509/extensions.rs | 3 ++- src/rust/src/x509/ocsp.rs | 10 +++++---- src/rust/src/x509/ocsp_req.rs | 9 ++++---- src/rust/src/x509/ocsp_resp.rs | 12 +++++----- src/rust/src/x509/sct.rs | 8 ++++--- src/rust/src/x509/sign.rs | 11 ++++++---- 29 files changed, 136 insertions(+), 99 deletions(-) diff --git a/src/rust/cryptography-openssl/src/cmac.rs b/src/rust/cryptography-openssl/src/cmac.rs index 49646bb618e5..2f4d22653111 100644 --- a/src/rust/cryptography-openssl/src/cmac.rs +++ b/src/rust/cryptography-openssl/src/cmac.rs @@ -2,10 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::ptr; + +use foreign_types_shared::{ForeignType, ForeignTypeRef}; + use crate::hmac::DigestBytes; use crate::{cvt, cvt_p, OpenSSLResult}; -use foreign_types_shared::{ForeignType, ForeignTypeRef}; -use std::ptr; foreign_types::foreign_type! { type CType = ffi::CMAC_CTX; diff --git a/src/rust/cryptography-openssl/src/hmac.rs b/src/rust/cryptography-openssl/src/hmac.rs index 282efa79bd60..84b3a1e3b9b5 100644 --- a/src/rust/cryptography-openssl/src/hmac.rs +++ b/src/rust/cryptography-openssl/src/hmac.rs @@ -2,10 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::{cvt, cvt_p, OpenSSLResult}; -use foreign_types_shared::{ForeignType, ForeignTypeRef}; use std::ptr; +use foreign_types_shared::{ForeignType, ForeignTypeRef}; + +use crate::{cvt, cvt_p, OpenSSLResult}; + foreign_types::foreign_type! { type CType = ffi::HMAC_CTX; fn drop = ffi::HMAC_CTX_free; diff --git a/src/rust/cryptography-x509-verification/src/certificate.rs b/src/rust/cryptography-x509-verification/src/certificate.rs index 6d79fbfe71bd..2260fd6d9604 100644 --- a/src/rust/cryptography-x509-verification/src/certificate.rs +++ b/src/rust/cryptography-x509-verification/src/certificate.rs @@ -12,12 +12,11 @@ pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool { #[cfg(test)] pub(crate) mod tests { + use super::cert_is_self_issued; use crate::certificate::Certificate; use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; - use super::cert_is_self_issued; - #[test] fn test_certificate_v1() { let cert_pem = v1_cert_pem(); diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 7e9112c07aaa..ef9cdae84205 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -14,6 +14,13 @@ pub mod types; use std::collections::HashSet; use std::vec; +use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; +use cryptography_x509::{ + extensions::{NameConstraints, SubjectAlternativeName}, + name::GeneralName, + oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, +}; + use crate::certificate::cert_is_self_issued; use crate::ops::{CryptoOps, VerificationCertificate}; use crate::policy::Policy; @@ -21,12 +28,6 @@ use crate::trust_store::Store; use crate::types::DNSName; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; -use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; -use cryptography_x509::{ - extensions::{NameConstraints, SubjectAlternativeName}, - name::GeneralName, - oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, -}; #[derive(Debug, PartialEq, Eq)] pub enum ValidationError { diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 834506af6594..fd5035d87ab5 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -446,16 +446,17 @@ pub(crate) mod common { #[cfg(test)] mod tests { + use asn1::{ObjectIdentifier, SimpleAsn1Writable}; + use cryptography_x509::certificate::Certificate; + use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; + use cryptography_x509::oid::BASIC_CONSTRAINTS_OID; + use super::{Criticality, ExtensionPolicy}; use crate::certificate::tests::PublicKeyErrorOps; use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; use crate::policy::{Policy, Subject, ValidationError}; use crate::types::DNSName; - use asn1::{ObjectIdentifier, SimpleAsn1Writable}; - use cryptography_x509::certificate::Certificate; - use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; - use cryptography_x509::oid::BASIC_CONSTRAINTS_OID; #[test] fn test_criticality_variants() { diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index fa4be7cf68d3..e67cf2fb0da6 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -9,8 +9,6 @@ use std::ops::Range; use asn1::ObjectIdentifier; use cryptography_x509::certificate::Certificate; -use once_cell::sync::Lazy; - use cryptography_x509::common::{ AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, Time, PSS_SHA256_HASH_ALG, PSS_SHA256_MASK_GEN_ALG, PSS_SHA384_HASH_ALG, PSS_SHA384_MASK_GEN_ALG, @@ -24,6 +22,7 @@ use cryptography_x509::oid::{ KEY_USAGE_OID, NAME_CONSTRAINTS_OID, POLICY_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID, SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, }; +use once_cell::sync::Lazy; use crate::ops::CryptoOps; use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy}; @@ -580,6 +579,11 @@ mod tests { name::{GeneralName, UnvalidatedIA5String}, }; + use super::{ + permits_validity_date, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, + RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, + RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, + }; use crate::{ policy::{ Subject, SPKI_RSA, SPKI_SECP256R1, SPKI_SECP384R1, SPKI_SECP521R1, @@ -588,12 +592,6 @@ mod tests { types::{DNSName, IPAddress}, }; - use super::{ - permits_validity_date, ECDSA_SHA256, ECDSA_SHA384, ECDSA_SHA512, RSASSA_PKCS1V15_SHA256, - RSASSA_PKCS1V15_SHA384, RSASSA_PKCS1V15_SHA512, RSASSA_PSS_SHA256, RSASSA_PSS_SHA384, - RSASSA_PSS_SHA512, WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS, - }; - #[test] fn test_webpki_permitted_spki_algorithms_canonical_encodings() { { diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs index 558ceb7d7839..eea444a80e2c 100644 --- a/src/rust/cryptography-x509-verification/src/trust_store.rs +++ b/src/rust/cryptography-x509-verification/src/trust_store.rs @@ -4,9 +4,10 @@ use std::collections::{HashMap, HashSet}; +use cryptography_x509::name::Name; + use crate::CryptoOps; use crate::VerificationCertificate; -use cryptography_x509::name::Name; /// A `Store` represents the core state needed for X.509 path validation. pub struct Store<'a, B: CryptoOps> { diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 79bf114ad552..8366edcfbaff 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -2,9 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::oid; use asn1::Asn1DefinedByWritable; +use crate::oid; + #[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Hash, Clone, Eq, Debug)] pub struct AlgorithmIdentifier<'a> { pub oid: asn1::DefinedByMarker, @@ -408,9 +409,10 @@ impl std::hash::Hash for WithTlv<'_, T> { #[cfg(test)] mod tests { - use super::{Asn1ReadableOrWritable, RawTlv, UnvalidatedVisibleString, WithTlv}; use asn1::Asn1Readable; + use super::{Asn1ReadableOrWritable, RawTlv, UnvalidatedVisibleString, WithTlv}; + #[test] #[should_panic] fn test_unvalidated_visible_string_write() { diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 15c495147759..bbd0f2377896 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -288,9 +288,8 @@ impl KeyUsage<'_> { #[cfg(test)] mod tests { - use crate::oid::{AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID}; - use super::{BasicConstraints, Extension, Extensions, KeyUsage}; + use crate::oid::{AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID}; #[test] fn test_get_extension() { diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 6bed105518d8..641417545fce 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -2,8 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::error::{CryptographyError, CryptographyResult}; -use crate::types; use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; @@ -11,6 +9,9 @@ use cryptography_x509::name::Name; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::types; + pub(crate) fn py_oid_to_oid(py_oid: &pyo3::PyAny) -> pyo3::PyResult { Ok(py_oid .downcast::>()? diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 70fc4ff4483a..128f087ff498 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -2,10 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::collections::HashMap; + +use openssl::cipher::Cipher; + use crate::error::CryptographyResult; use crate::types; -use openssl::cipher::Cipher; -use std::collections::HashMap; struct RegistryKey { algorithm: pyo3::PyObject, diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 51e1f4618226..f24198507ed2 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -2,11 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use cryptography_x509::common; + use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; -use cryptography_x509::common; const MIN_MODULUS_SIZE: u32 = 512; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 25d4c60b2855..ffef07fa4fab 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -2,12 +2,14 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; + +use pyo3::ToPyObject; + use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::ToPyObject; -use std::collections::hash_map::DefaultHasher; -use std::hash::{Hash, Hasher}; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] pub(crate) struct ECPrivateKey { diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index 1f8ecbcc353b..ac5de597c354 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -2,10 +2,11 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::borrow::Cow; + use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use std::borrow::Cow; #[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.hashes")] pub(crate) struct Hash { diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index a8727d440963..5775f538f089 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,11 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use foreign_types_shared::ForeignTypeRef; +use pyo3::IntoPy; + use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, exceptions, types}; -use foreign_types_shared::ForeignTypeRef; -use pyo3::IntoPy; #[pyo3::prelude::pyfunction] fn private_key_from_ptr( diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index 0a39a80f4341..0acb4bd0a106 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -2,9 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::types; use std::{ptr, slice}; +use crate::types; + pub(crate) struct CffiBuf<'p> { _pyobj: &'p pyo3::PyAny, _bufobj: &'p pyo3::PyAny, diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 23918fb0f34d..57648bf231bb 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -2,9 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::exceptions; use pyo3::ToPyObject; +use crate::exceptions; + pub enum CryptographyError { Asn1Parse(asn1::ParseError), Asn1Write(asn1::WriteError), diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 094b2c0b2110..4bf764eee408 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -2,11 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::error::CryptographyResult; -use crate::types; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; +use crate::error::CryptographyResult; +use crate::types; + #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] pub(crate) struct ObjectIdentifier { pub(crate) oid: asn1::ObjectIdentifier, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index eb81bddc5412..b7f6af216e49 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -2,16 +2,18 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::borrow::Cow; +use std::collections::HashMap; +use std::ops::Deref; + +use cryptography_x509::csr::Attribute; +use cryptography_x509::{common, oid, pkcs7}; +use once_cell::sync::Lazy; + use crate::asn1::encode_der_data; use crate::buf::CffiBuf; use crate::error::CryptographyResult; use crate::{types, x509}; -use cryptography_x509::csr::Attribute; -use cryptography_x509::{common, oid, pkcs7}; -use once_cell::sync::Lazy; -use std::borrow::Cow; -use std::collections::HashMap; -use std::ops::Deref; const PKCS7_CONTENT_TYPE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 3); const PKCS7_MESSAGE_DIGEST_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 4); @@ -299,10 +301,11 @@ pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::pr #[cfg(test)] mod tests { - use super::smime_canonicalize; use std::borrow::Cow; use std::ops::Deref; + use super::smime_canonicalize; + #[test] fn test_smime_canonicalize() { for ( diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 48504dcd80a0..6d76296d4b1f 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -2,14 +2,9 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::asn1::{ - big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, -}; -use crate::backend::{hashes, keys}; -use crate::error::{CryptographyError, CryptographyResult}; -use crate::x509::verify::PyCryptoOps; -use crate::x509::{extensions, sct, sign}; -use crate::{exceptions, types, x509}; +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; + use cryptography_x509::certificate::Certificate as RawCertificate; use cryptography_x509::common::{AlgorithmParameters, Asn1ReadableOrWritable}; use cryptography_x509::extensions::{ @@ -23,8 +18,15 @@ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; use pyo3::{IntoPy, ToPyObject}; -use std::collections::hash_map::DefaultHasher; -use std::hash::{Hash, Hasher}; + +use crate::asn1::{ + big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, +}; +use crate::backend::{hashes, keys}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::verify::PyCryptoOps; +use crate::x509::{extensions, sct, sign}; +use crate::{exceptions, types, x509}; self_cell::self_cell!( pub(crate) struct OwnedCertificate { diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 2d6ae5ec01c9..42d08823430e 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -2,9 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; -use crate::error::{CryptographyError, CryptographyResult}; -use crate::{exceptions, types, x509}; use cryptography_x509::common::{Asn1ReadableOrWritable, AttributeTypeValue, RawTlv}; use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, @@ -13,6 +10,10 @@ use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, Unvali use pyo3::types::IntoPyDict; use pyo3::{IntoPy, ToPyObject}; +use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::{exceptions, types, x509}; + /// Parse all sections in a PEM file and return the first matching section. /// If no matching sections are found, return an error. pub(crate) fn find_in_pem( diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4610a6a3dfeb..94169069a09e 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -2,13 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::asn1::{ - big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, -}; -use crate::backend::hashes::Hash; -use crate::error::{CryptographyError, CryptographyResult}; -use crate::x509::{certificate, extensions, sign}; -use crate::{exceptions, types, x509}; +use std::sync::Arc; + use cryptography_x509::extensions::{Extension, IssuerAlternativeName}; use cryptography_x509::{ common, @@ -19,7 +14,14 @@ use cryptography_x509::{ name, oid, }; use pyo3::{IntoPy, ToPyObject}; -use std::sync::Arc; + +use crate::asn1::{ + big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, +}; +use crate::backend::hashes::Hash; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::{certificate, extensions, sign}; +use crate::{exceptions, types, x509}; #[pyo3::prelude::pyfunction] fn load_der_x509_crl( diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index de33f49f89ea..ae0c5623173f 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -2,17 +2,19 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; + +use asn1::SimpleAsn1Readable; +use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; +use cryptography_x509::{common, oid}; +use pyo3::IntoPy; + use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sign}; use crate::{exceptions, types, x509}; -use asn1::SimpleAsn1Readable; -use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; -use cryptography_x509::{common, oid}; -use pyo3::IntoPy; -use std::collections::hash_map::DefaultHasher; -use std::hash::{Hash, Hasher}; self_cell::self_cell!( struct OwnedCsr { diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 94dfe8fe8ac2..03fd1da9ff07 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -2,11 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use cryptography_x509::{common, crl, extensions, oid}; + use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; -use cryptography_x509::{common, crl, extensions, oid}; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 29f3acac0ebf..b86753110606 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -2,14 +2,16 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::collections::HashMap; + +use cryptography_x509::common; +use cryptography_x509::ocsp_req::CertID; +use once_cell::sync::Lazy; + use crate::backend::hashes::Hash; use crate::error::CryptographyResult; use crate::x509; use crate::x509::certificate::Certificate; -use cryptography_x509::common; -use cryptography_x509::ocsp_req::CertID; -use once_cell::sync::Lazy; -use std::collections::HashMap; pub(crate) static ALGORITHM_PARAMETERS_TO_HASH: Lazy< HashMap, &str>, diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index b5688ba77dd1..baa2dd00dfb4 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -2,10 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; -use crate::error::{CryptographyError, CryptographyResult}; -use crate::x509::{extensions, ocsp}; -use crate::{exceptions, types, x509}; use cryptography_x509::{ common, ocsp_req::{self, OCSPRequest as RawOCSPRequest}, @@ -13,6 +9,11 @@ use cryptography_x509::{ }; use pyo3::IntoPy; +use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::{extensions, ocsp}; +use crate::{exceptions, types, x509}; + self_cell::self_cell!( struct OwnedOCSPRequest { owner: pyo3::Py, diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 9b2d21d26521..e5f8b479576a 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -2,10 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; -use crate::error::{CryptographyError, CryptographyResult}; -use crate::x509::{certificate, crl, extensions, ocsp, py_to_datetime, sct}; -use crate::{exceptions, types, x509}; +use std::sync::Arc; + use cryptography_x509::ocsp_resp::SingleResponse; use cryptography_x509::{ common, @@ -13,7 +11,11 @@ use cryptography_x509::{ oid, }; use pyo3::IntoPy; -use std::sync::Arc; + +use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::x509::{certificate, crl, extensions, ocsp, py_to_datetime, sct}; +use crate::{exceptions, types, x509}; const BASIC_RESPONSE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 1); diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index d9c9d6559193..b7cce3ff4036 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -2,12 +2,14 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::error::CryptographyError; -use crate::types; -use pyo3::ToPyObject; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; +use pyo3::ToPyObject; + +use crate::error::CryptographyError; +use crate::types; + struct TLSReader<'a> { data: &'a [u8], } diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index e1f452cc46c3..4d9637d1f2de 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -2,12 +2,14 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::collections::HashMap; + +use cryptography_x509::{common, oid}; +use once_cell::sync::Lazy; + use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use cryptography_x509::{common, oid}; -use once_cell::sync::Lazy; -use std::collections::HashMap; // This is similar to a hashmap in ocsp.rs but contains more hash algorithms // that aren't allowable in OCSP @@ -515,11 +517,12 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( #[cfg(test)] mod tests { + use cryptography_x509::{common, oid}; + use super::{ identify_alg_params_for_hash_type, identify_key_type_for_algorithm_params, HashType, KeyType, }; - use cryptography_x509::{common, oid}; #[test] fn test_identify_key_type_for_algorithm_params() { From f63091de247cbb114ff1a1484e1b0be2dd6b8448 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 01:47:59 +0000 Subject: [PATCH 0896/1014] Bump ruff from 0.1.9 to 0.1.11 (#10114) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.9 to 0.1.11. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.9...v0.1.11) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 818f95ee5a04..9937756b4ba5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.9 +ruff==0.1.11 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 5c0e7462d1480d896b6056815c9d21495ae6260a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 01:51:44 +0000 Subject: [PATCH 0897/1014] Bump target-lexicon from 0.12.12 to 0.12.13 in /src/rust (#10115) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.12 to 0.12.13. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.12...v0.12.13) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9329186f1c39..d03f9f5d879a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -370,9 +370,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.12" +version = "0.12.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14c39fd04924ca3a864207c66fc2cd7d22d7c016007f9ce846cbb9326331930a" +checksum = "69758bda2e78f098e4ccb393021a0963bb3442eac05f135c30f61b7370bbafae" [[package]] name = "unicode-ident" From c803d2508e6dcce41b711bb3460b4045f6933cf3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 01:57:41 +0000 Subject: [PATCH 0898/1014] Bump syn from 2.0.45 to 2.0.46 in /src/rust (#10116) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.45 to 2.0.46. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.45...2.0.46) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d03f9f5d879a..4e850627f319 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -359,9 +359,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.45" +version = "2.0.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0eae3c679c56dc214320b67a1bc04ef3dfbd6411f6443974b5e4893231298e66" +checksum = "89456b690ff72fddcecf231caedbe615c59480c93358a93dfae7fc29e3ebbf0e" dependencies = [ "proc-macro2", "quote", From 87959ea4f4d0881345c64e5bc6410269e2f48a16 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 3 Jan 2024 08:32:15 -0500 Subject: [PATCH 0899/1014] Migrate PolicyBuilder to Rust (#10069) --- .../hazmat/bindings/_rust/x509.pyi | 17 +- src/cryptography/x509/verification.py | 86 +--------- src/rust/src/exceptions.rs | 1 - src/rust/src/x509/verify.rs | 158 ++++++++++++++---- tests/x509/verification/test_limbo.py | 14 +- 5 files changed, 149 insertions(+), 127 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index e4e77136bdc2..ae2849627429 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -38,12 +38,6 @@ def create_x509_crl( hash_algorithm: hashes.HashAlgorithm | None, rsa_padding: PKCS1v15 | PSS | None, ) -> x509.CertificateRevocationList: ... -def create_server_verifier( - name: x509.verification.Subject, - store: Store, - time: datetime.datetime | None, - max_chain_depth: int | None, -) -> x509.verification.ServerVerifier: ... class Sct: ... class Certificate: ... @@ -51,6 +45,14 @@ class RevokedCertificate: ... class CertificateRevocationList: ... class CertificateSigningRequest: ... +class PolicyBuilder: + def time(self, new_time: datetime.datetime) -> PolicyBuilder: ... + def store(self, new_store: Store) -> PolicyBuilder: ... + def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: ... + def build_server_verifier( + self, subject: x509.verification.Subject + ) -> ServerVerifier: ... + class ServerVerifier: @property def subject(self) -> x509.verification.Subject: ... @@ -68,3 +70,6 @@ class ServerVerifier: class Store: def __init__(self, certs: list[x509.Certificate]) -> None: ... + +class VerificationError(Exception): + pass diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index e8f910f97025..ab1a37ae6b01 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -4,89 +4,21 @@ from __future__ import annotations -import datetime import typing from cryptography.hazmat.bindings._rust import x509 as rust_x509 from cryptography.x509.general_name import DNSName, IPAddress -__all__ = ["Store", "Subject", "ServerVerifier", "PolicyBuilder"] +__all__ = [ + "Store", + "Subject", + "ServerVerifier", + "PolicyBuilder", + "VerificationError", +] Store = rust_x509.Store - Subject = typing.Union[DNSName, IPAddress] - ServerVerifier = rust_x509.ServerVerifier - - -class VerificationError(Exception): - pass - - -class PolicyBuilder: - def __init__( - self, - *, - time: datetime.datetime | None = None, - store: Store | None = None, - max_chain_depth: int | None = None, - ): - self._time = time - self._store = store - self._max_chain_depth = max_chain_depth - - def time(self, new_time: datetime.datetime) -> PolicyBuilder: - """ - Sets the validation time. - """ - if self._time is not None: - raise ValueError("The validation time may only be set once.") - - return PolicyBuilder( - time=new_time, - store=self._store, - max_chain_depth=self._max_chain_depth, - ) - - def store(self, new_store: Store) -> PolicyBuilder: - """ - Sets the trust store. - """ - - if self._store is not None: - raise ValueError("The trust store may only be set once.") - - return PolicyBuilder( - time=self._time, - store=new_store, - max_chain_depth=self._max_chain_depth, - ) - - def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: - """ - Sets the maximum chain depth. - """ - - if self._max_chain_depth is not None: - raise ValueError("The maximum chain depth may only be set once.") - - return PolicyBuilder( - time=self._time, - store=self._store, - max_chain_depth=new_max_chain_depth, - ) - - def build_server_verifier(self, subject: Subject) -> ServerVerifier: - """ - Builds a verifier for verifying server certificates. - """ - - if self._store is None: - raise ValueError("A server verifier must have a trust store") - - return rust_x509.create_server_verifier( - subject, - self._store, - self._time, - self._max_chain_depth, - ) +PolicyBuilder = rust_x509.PolicyBuilder +VerificationError = rust_x509.VerificationError diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index 1354d1b596b8..c9456513993d 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -32,7 +32,6 @@ pyo3::import_exception!(cryptography.x509, AttributeNotFound); pyo3::import_exception!(cryptography.x509, DuplicateExtension); pyo3::import_exception!(cryptography.x509, UnsupportedGeneralNameType); pyo3::import_exception!(cryptography.x509, InvalidVersion); -pyo3::import_exception!(cryptography.x509.verification, VerificationError); pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let submod = pyo3::prelude::PyModule::new(py, "exceptions")?; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 7de6add959b2..74f28e46bd7e 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -11,14 +11,11 @@ use cryptography_x509_verification::{ }; use crate::backend::keys; +use crate::error::{CryptographyError, CryptographyResult}; use crate::types; use crate::x509::certificate::Certificate as PyCertificate; use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime}; use crate::x509::sign; -use crate::{ - error::{CryptographyError, CryptographyResult}, - exceptions::VerificationError, -}; pub(crate) struct PyCryptoOps {} @@ -46,6 +43,121 @@ impl CryptoOps for PyCryptoOps { } } +pyo3::create_exception!( + cryptography.hazmat.bindings._rust.x509, + VerificationError, + pyo3::exceptions::PyException +); + +#[pyo3::pyclass(frozen, module = "cryptography.x509.verification")] +struct PolicyBuilder { + time: Option, + store: Option>, + max_chain_depth: Option, +} + +#[pyo3::pymethods] +impl PolicyBuilder { + #[new] + fn new() -> PolicyBuilder { + PolicyBuilder { + time: None, + store: None, + max_chain_depth: None, + } + } + + fn time( + &self, + py: pyo3::Python<'_>, + new_time: &pyo3::PyAny, + ) -> CryptographyResult { + if self.time.is_some() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The validation time may only be set once.", + ), + )); + } + Ok(PolicyBuilder { + time: Some(py_to_datetime(py, new_time)?), + store: self.store.as_ref().map(|s| s.clone_ref(py)), + max_chain_depth: self.max_chain_depth, + }) + } + + fn store(&self, new_store: pyo3::Py) -> CryptographyResult { + if self.store.is_some() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("The trust store may only be set once."), + )); + } + Ok(PolicyBuilder { + time: self.time.clone(), + store: Some(new_store), + max_chain_depth: self.max_chain_depth, + }) + } + + fn max_chain_depth( + &self, + py: pyo3::Python<'_>, + new_max_chain_depth: u8, + ) -> CryptographyResult { + if self.max_chain_depth.is_some() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The maximum chain depth may only be set once.", + ), + )); + } + Ok(PolicyBuilder { + time: self.time.clone(), + store: self.store.as_ref().map(|s| s.clone_ref(py)), + max_chain_depth: Some(new_max_chain_depth), + }) + } + + fn build_server_verifier( + &self, + py: pyo3::Python<'_>, + subject: pyo3::PyObject, + ) -> CryptographyResult { + let store = match self.store.as_ref() { + Some(s) => s.clone_ref(py), + None => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "A server verifier must have a trust store.", + ), + )); + } + }; + + let time = match self.time.as_ref() { + Some(t) => t.clone(), + None => datetime_now(py)?, + }; + let subject_owner = build_subject_owner(py, &subject)?; + + let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| { + let subject = build_subject(py, subject_owner)?; + Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::new( + PyCryptoOps {}, + subject, + time, + self.max_chain_depth, + ))) + })?; + + Ok(PyServerVerifier { + py_subject: subject, + policy, + store, + }) + } +} + struct PyCryptoPolicy<'a>(Policy<'a, PyCryptoOps>); /// This enum exists solely to provide heterogeneously typed ownership for `OwnedPolicy`. @@ -69,6 +181,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass( + frozen, name = "ServerVerifier", module = "cryptography.hazmat.bindings._rust.x509" )] @@ -173,37 +286,6 @@ fn build_subject<'a>( } } -#[pyo3::prelude::pyfunction] -fn create_server_verifier( - py: pyo3::Python<'_>, - subject: pyo3::Py, - store: pyo3::Py, - time: Option<&pyo3::PyAny>, - max_chain_depth: Option, -) -> pyo3::PyResult { - let time = match time { - Some(time) => py_to_datetime(py, time)?, - None => datetime_now(py)?, - }; - - let subject_owner = build_subject_owner(py, &subject)?; - let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| { - let subject = build_subject(py, subject_owner)?; - Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::new( - PyCryptoOps {}, - subject, - time, - max_chain_depth, - ))) - })?; - - Ok(PyServerVerifier { - py_subject: subject, - policy, - store, - }) -} - type PyCryptoOpsStore<'a> = Store<'a, PyCryptoOps>; self_cell::self_cell!( @@ -249,7 +331,11 @@ impl PyStore { pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_class::()?; module.add_class::()?; - module.add_function(pyo3::wrap_pyfunction!(create_server_verifier, module)?)?; + module.add_class::()?; + module.add( + "VerificationError", + module.py().get_type::(), + )?; Ok(()) } diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index e26ebe6a0161..54aafe33c061 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -113,13 +113,13 @@ def _limbo_testcase(id_, testcase): max_chain_depth = testcase["max_chain_depth"] should_pass = testcase["expected_result"] == "SUCCESS" - verifier = ( - PolicyBuilder() - .time(validation_time) - .store(Store(trusted_certs)) - .max_chain_depth(max_chain_depth) - .build_server_verifier(peer_name) - ) + builder = PolicyBuilder().store(Store(trusted_certs)) + if validation_time is not None: + builder = builder.time(validation_time) + if max_chain_depth is not None: + builder = builder.max_chain_depth(max_chain_depth) + + verifier = builder.build_server_verifier(peer_name) if should_pass: built_chain = verifier.verify( From a542c5429a0835c1dc0daefae94c00bdf8afe37d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 3 Jan 2024 08:33:13 -0500 Subject: [PATCH 0900/1014] Bump bitflags (#10117) It's not automatically bumped by dependabot due to https://github.com/dependabot/dependabot-core/issues/2064 --- src/rust/Cargo.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4e850627f319..e502b141cf37 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.4.0" +version = "2.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635" +checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07" [[package]] name = "cc" @@ -181,7 +181,7 @@ version = "0.10.62" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8cde4d2d9200ad5909f8dac647e29482e07c3a35de8a13fce7c9c7747ad9f671" dependencies = [ - "bitflags 2.4.0", + "bitflags 2.4.1", "cfg-if", "foreign-types", "libc", From 01fc9fb6bcf4a9e8a034c3262b0c0dbb10cf2bdc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 3 Jan 2024 09:02:55 -0500 Subject: [PATCH 0901/1014] Migrate RSA PKCS#1 parsing to pure-Rust (#10104) We no longer let OpenSSL parse anything. --- src/rust/Cargo.lock | 9 +++++ src/rust/Cargo.toml | 2 + src/rust/cryptography-key-parsing/Cargo.toml | 12 ++++++ src/rust/cryptography-key-parsing/src/lib.rs | 39 ++++++++++++++++++++ src/rust/cryptography-key-parsing/src/rsa.rs | 23 ++++++++++++ src/rust/src/backend/keys.rs | 35 +++++++----------- src/rust/src/backend/rsa.rs | 5 ++- src/rust/src/error.rs | 24 ++++++++++++ 8 files changed, 126 insertions(+), 23 deletions(-) create mode 100644 src/rust/cryptography-key-parsing/Cargo.toml create mode 100644 src/rust/cryptography-key-parsing/src/lib.rs create mode 100644 src/rust/cryptography-key-parsing/src/rsa.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e502b141cf37..06fb324df458 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -70,6 +70,14 @@ dependencies = [ "pyo3", ] +[[package]] +name = "cryptography-key-parsing" +version = "0.1.0" +dependencies = [ + "asn1", + "openssl", +] + [[package]] name = "cryptography-openssl" version = "0.1.0" @@ -88,6 +96,7 @@ dependencies = [ "cc", "cfg-if", "cryptography-cffi", + "cryptography-key-parsing", "cryptography-openssl", "cryptography-x509", "cryptography-x509-verification", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 13e35e298a30..d816efc291e6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -13,6 +13,7 @@ cfg-if = "1" pyo3 = { version = "0.20", features = ["abi3"] } asn1 = { version = "0.15.5", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } +cryptography-key-parsing = { path = "cryptography-key-parsing" } cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } @@ -39,6 +40,7 @@ overflow-checks = true [workspace] members = [ "cryptography-cffi", + "cryptography-key-parsing", "cryptography-openssl", "cryptography-x509", "cryptography-x509-verification", diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml new file mode 100644 index 000000000000..a6fed36e22b2 --- /dev/null +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -0,0 +1,12 @@ +[package] +name = "cryptography-key-parsing" +version = "0.1.0" +authors = ["The cryptography developers "] +edition = "2021" +publish = false +# This specifies the MSRV +rust-version = "1.63.0" + +[dependencies] +asn1 = { version = "0.15.5", default-features = false } +openssl = "0.10.62" diff --git a/src/rust/cryptography-key-parsing/src/lib.rs b/src/rust/cryptography-key-parsing/src/lib.rs new file mode 100644 index 000000000000..a5f7bc1d5579 --- /dev/null +++ b/src/rust/cryptography-key-parsing/src/lib.rs @@ -0,0 +1,39 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +pub mod rsa; + +pub enum KeyParsingError { + Parse(asn1::ParseError), + OpenSSL(openssl::error::ErrorStack), +} + +impl From for KeyParsingError { + fn from(e: asn1::ParseError) -> KeyParsingError { + KeyParsingError::Parse(e) + } +} + +impl From for KeyParsingError { + fn from(e: openssl::error::ErrorStack) -> KeyParsingError { + KeyParsingError::OpenSSL(e) + } +} + +pub type KeyParsingResult = Result; + +#[cfg(test)] +mod tests { + use super::KeyParsingError; + + #[test] + fn test_key_parsing_error_from() { + let e = openssl::error::ErrorStack::get(); + + assert!(matches!( + KeyParsingError::from(e), + KeyParsingError::OpenSSL(_) + )); + } +} diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs new file mode 100644 index 000000000000..b1bbe2c13d38 --- /dev/null +++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -0,0 +1,23 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::KeyParsingResult; + +#[derive(asn1::Asn1Read)] +struct Pksc1RsaPublicKey<'a> { + n: asn1::BigUint<'a>, + e: asn1::BigUint<'a>, +} + +pub fn parse_pkcs1_rsa_public_key( + data: &[u8], +) -> KeyParsingResult> { + let k = asn1::parse_single::(data)?; + + let n = openssl::bn::BigNum::from_slice(k.n.as_bytes())?; + let e = openssl::bn::BigNum::from_slice(k.e.as_bytes())?; + + let rsa = openssl::rsa::Rsa::from_public_components(n, e)?; + Ok(openssl::pkey::PKey::from_rsa(rsa)?) +} diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 5775f538f089..094bb20f32bc 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -6,8 +6,8 @@ use foreign_types_shared::ForeignTypeRef; use pyo3::IntoPy; use crate::buf::CffiBuf; -use crate::error::{CryptographyError, CryptographyResult}; -use crate::{error, exceptions, types}; +use crate::error::{self, CryptographyError, CryptographyResult}; +use crate::{exceptions, types}; #[pyo3::prelude::pyfunction] fn private_key_from_ptr( @@ -86,14 +86,7 @@ pub(crate) fn load_der_public_key_bytes( // It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still need to // check to see if it is a pure PKCS1 RSA public key (not embedded in a // subjectPublicKeyInfo) - let rsa = openssl::rsa::Rsa::public_key_from_der_pkcs1(data).or_else(|e| { - let errors = error::list_from_openssl_error(py, e); - Err(types::BACKEND_HANDLE_KEY_LOADING_ERROR - .get(py)? - .call1((errors,)) - .unwrap_err()) - })?; - let pkey = openssl::pkey::PKey::from_rsa(rsa)?; + let pkey = cryptography_key_parsing::rsa::parse_pkcs1_rsa_public_key(data)?; public_key_from_pkey(py, &pkey, pkey.id()) } @@ -104,18 +97,18 @@ fn load_pem_public_key( ) -> CryptographyResult { let p = pem::parse(data.as_bytes())?; let pkey = match p.tag() { - "RSA PUBLIC KEY" => openssl::rsa::Rsa::public_key_from_der_pkcs1(p.contents()) - .and_then(openssl::pkey::PKey::from_rsa), - "PUBLIC KEY" => openssl::pkey::PKey::public_key_from_der(p.contents()), + "RSA PUBLIC KEY" => { + cryptography_key_parsing::rsa::parse_pkcs1_rsa_public_key(p.contents())? + } + "PUBLIC KEY" => openssl::pkey::PKey::public_key_from_der(p.contents()).or_else(|e| { + let errors = error::list_from_openssl_error(py, e); + Err(types::BACKEND_HANDLE_KEY_LOADING_ERROR + .get(py)? + .call1((errors,)) + .unwrap_err()) + })?, _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), - } - .or_else(|e| { - let errors = error::list_from_openssl_error(py, e); - Err(types::BACKEND_HANDLE_KEY_LOADING_ERROR - .get(py)? - .call1((errors,)) - .unwrap_err()) - })?; + }; public_key_from_pkey(py, &pkey, pkey.id()) } diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 4fdcde2ec8aa..35dd1053fdfc 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -2,11 +2,12 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; + use crate::backend::{hashes, utils}; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use std::collections::hash_map::DefaultHasher; -use std::hash::{Hash, Hasher}; #[pyo3::prelude::pyclass( frozen, diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 57648bf231bb..79ca0ea63c16 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -9,6 +9,7 @@ use crate::exceptions; pub enum CryptographyError { Asn1Parse(asn1::ParseError), Asn1Write(asn1::WriteError), + KeyParsing(asn1::ParseError), Py(pyo3::PyErr), OpenSSL(openssl::error::ErrorStack), } @@ -51,6 +52,15 @@ impl From for CryptographyError { } } +impl From for CryptographyError { + fn from(e: cryptography_key_parsing::KeyParsingError) -> CryptographyError { + match e { + cryptography_key_parsing::KeyParsingError::Parse(e) => CryptographyError::KeyParsing(e), + cryptography_key_parsing::KeyParsingError::OpenSSL(e) => CryptographyError::OpenSSL(e), + } + } +} + pub(crate) fn list_from_openssl_error( py: pyo3::Python<'_>, error_stack: openssl::error::ErrorStack, @@ -78,6 +88,9 @@ impl From for pyo3::PyErr { "failed to allocate memory while performing ASN.1 serialization", ) } + CryptographyError::KeyParsing(asn1_error) => pyo3::exceptions::PyValueError::new_err( + format!("Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters). Details: {asn1_error}"), + ), CryptographyError::Py(py_error) => py_error, CryptographyError::OpenSSL(error_stack) => pyo3::Python::with_gil(|py| { let errors = list_from_openssl_error(py, error_stack); @@ -103,6 +116,7 @@ impl CryptographyError { match self { CryptographyError::Py(e) => CryptographyError::Py(e), CryptographyError::Asn1Parse(e) => CryptographyError::Asn1Parse(e.add_location(loc)), + CryptographyError::KeyParsing(e) => CryptographyError::KeyParsing(e.add_location(loc)), CryptographyError::Asn1Write(e) => CryptographyError::Asn1Write(e), CryptographyError::OpenSSL(e) => CryptographyError::OpenSSL(e), } @@ -184,6 +198,12 @@ mod tests { let e: CryptographyError = pyo3::PyDowncastError::new(py.None().as_ref(py), "abc").into(); assert!(matches!(e, CryptographyError::Py(_))); + + let e = cryptography_key_parsing::KeyParsingError::OpenSSL( + openssl::error::ErrorStack::get(), + ) + .into(); + assert!(matches!(e, CryptographyError::OpenSSL(_))); }) } @@ -198,5 +218,9 @@ mod tests { let openssl_error = openssl::error::ErrorStack::get(); CryptographyError::from(openssl_error).add_location(asn1::ParseLocation::Field("meh")); + + let asn1_parse_error = asn1::ParseError::new(asn1::ParseErrorKind::InvalidValue); + CryptographyError::KeyParsing(asn1_parse_error) + .add_location(asn1::ParseLocation::Field("meh")); } } From 35dce91babab3e3e7553be2bbd10f87e06f25893 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 3 Jan 2024 09:05:24 -0500 Subject: [PATCH 0902/1014] Migrate private key parsing to Rust (#10064) It's still OpenSSL, but now there's more Rust --- .../hazmat/backends/openssl/backend.py | 122 +----------------- .../hazmat/bindings/_rust/openssl/keys.pyi | 12 ++ .../hazmat/primitives/serialization/base.py | 16 +-- src/rust/src/backend/keys.rs | 58 +++++++++ src/rust/src/backend/utils.rs | 66 +++++++++- tests/hazmat/backends/test_openssl.py | 12 +- 6 files changed, 153 insertions(+), 133 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index ef7c8e2e5144..1cb68c33ac74 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -369,18 +369,6 @@ def _read_mem_bio(self, bio) -> bytes: bio_data = self._ffi.buffer(buf[0], buf_len)[:] return bio_data - def _evp_pkey_to_private_key( - self, evp_pkey, unsafe_skip_rsa_key_validation: bool - ) -> PrivateKeyTypes: - """ - Return the appropriate type of PrivateKey given an evp_pkey cdata - pointer. - """ - return rust_openssl.keys.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)), - unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, - ) - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False @@ -436,59 +424,6 @@ def cmac_algorithm_supported(self, algorithm) -> bool: algorithm, CBC(b"\x00" * algorithm.block_size) ) - def load_pem_private_key( - self, - data: bytes, - password: bytes | None, - unsafe_skip_rsa_key_validation: bool, - ) -> PrivateKeyTypes: - return self._load_key( - self._lib.PEM_read_bio_PrivateKey, - data, - password, - unsafe_skip_rsa_key_validation, - ) - - def load_der_private_key( - self, - data: bytes, - password: bytes | None, - unsafe_skip_rsa_key_validation: bool, - ) -> PrivateKeyTypes: - # OpenSSL has a function called d2i_AutoPrivateKey that in theory - # handles this automatically, however it doesn't handle encrypted - # private keys. Instead we try to load the key two different ways. - # First we'll try to load it as a traditional key. - bio_data = self._bytes_to_bio(data) - key = self._evp_pkey_from_der_traditional_key(bio_data, password) - if key: - return self._evp_pkey_to_private_key( - key, unsafe_skip_rsa_key_validation - ) - else: - # Finally we try to load it with the method that handles encrypted - # PKCS8 properly. - return self._load_key( - self._lib.d2i_PKCS8PrivateKey_bio, - data, - password, - unsafe_skip_rsa_key_validation, - ) - - def _evp_pkey_from_der_traditional_key(self, bio_data, password): - key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) - if key != self._ffi.NULL: - key = self._ffi.gc(key, self._lib.EVP_PKEY_free) - if password is not None: - raise TypeError( - "Password was given but private key is not encrypted." - ) - - return key - else: - self._consume_errors() - return None - def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: data = cert.public_bytes(serialization.Encoding.DER) mem_bio = self._bytes_to_bio(data) @@ -518,58 +453,6 @@ def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any: self.openssl_assert(evp_pkey != self._ffi.NULL) return self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - def _load_key( - self, openssl_read_func, data, password, unsafe_skip_rsa_key_validation - ) -> PrivateKeyTypes: - mem_bio = self._bytes_to_bio(data) - - userdata = self._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") - if password is not None: - utils._check_byteslike("password", password) - password_ptr = self._ffi.from_buffer(password) - userdata.password = password_ptr - userdata.length = len(password) - - evp_pkey = openssl_read_func( - mem_bio.bio, - self._ffi.NULL, - self._ffi.addressof( - self._lib._original_lib, "Cryptography_pem_password_cb" - ), - userdata, - ) - - if evp_pkey == self._ffi.NULL: - if userdata.error != 0: - self._consume_errors() - if userdata.error == -1: - raise TypeError( - "Password was not given but private key is encrypted" - ) - else: - assert userdata.error == -2 - raise ValueError( - "Passwords longer than {} bytes are not supported " - "by this backend.".format(userdata.maxsize - 1) - ) - else: - self._handle_key_loading_error(self._consume_errors()) - - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - if password is not None and userdata.called == 0: - raise TypeError( - "Password was given but private key is not encrypted." - ) - - assert ( - password is not None and userdata.called == 1 - ) or password is None - - return self._evp_pkey_to_private_key( - evp_pkey, unsafe_skip_rsa_key_validation - ) - def _handle_key_loading_error( self, errors: list[rust_openssl.OpenSSLError] ) -> typing.NoReturn: @@ -764,8 +647,9 @@ def load_pkcs12( evp_pkey = self._ffi.gc(evp_pkey_ptr[0], self._lib.EVP_PKEY_free) # We don't support turning off RSA key validation when loading # PKCS12 keys - key = self._evp_pkey_to_private_key( - evp_pkey, unsafe_skip_rsa_key_validation=False + key = rust_openssl.keys.private_key_from_ptr( + int(self._ffi.cast("uintptr_t", evp_pkey)), + unsafe_skip_rsa_key_validation=False, ) if x509_ptr[0] != self._ffi.NULL: diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi index 056212eec9ab..f571350c108c 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi @@ -11,6 +11,18 @@ def private_key_from_ptr( ptr: int, unsafe_skip_rsa_key_validation: bool, ) -> PrivateKeyTypes: ... +def load_der_private_key( + data: bytes, + password: bytes | None, + *, + unsafe_skip_rsa_key_validation: bool, +) -> PrivateKeyTypes: ... +def load_pem_private_key( + data: bytes, + password: bytes | None, + *, + unsafe_skip_rsa_key_validation: bool, +) -> PrivateKeyTypes: ... def load_der_public_key( data: bytes, ) -> PublicKeyTypes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/base.py b/src/cryptography/hazmat/primitives/serialization/base.py index b64a9d05cfd8..fd3680f68c23 100644 --- a/src/cryptography/hazmat/primitives/serialization/base.py +++ b/src/cryptography/hazmat/primitives/serialization/base.py @@ -21,10 +21,10 @@ def load_pem_private_key( *, unsafe_skip_rsa_key_validation: bool = False, ) -> PrivateKeyTypes: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_pem_private_key( - data, password, unsafe_skip_rsa_key_validation + return rust_openssl.keys.load_pem_private_key( + data, + password, + unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, ) @@ -47,10 +47,10 @@ def load_der_private_key( *, unsafe_skip_rsa_key_validation: bool = False, ) -> PrivateKeyTypes: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_der_private_key( - data, password, unsafe_skip_rsa_key_validation + return rust_openssl.keys.load_der_private_key( + data, + password, + unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, ) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 094bb20f32bc..1dacd381ccbd 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -5,10 +5,58 @@ use foreign_types_shared::ForeignTypeRef; use pyo3::IntoPy; +use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{self, CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +#[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, password, *, unsafe_skip_rsa_key_validation))] +fn load_der_private_key( + py: pyo3::Python<'_>, + data: CffiBuf<'_>, + password: Option>, + unsafe_skip_rsa_key_validation: bool, +) -> CryptographyResult { + if let Ok(pkey) = openssl::pkey::PKey::private_key_from_der(data.as_bytes()) { + if password.is_some() { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Password was given but private key is not encrypted.", + ), + )); + } + return private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation); + } + + let password = password.as_ref().map(CffiBuf::as_bytes); + let mut status = utils::PasswordCallbackStatus::Unused; + let pkey = openssl::pkey::PKey::private_key_from_pkcs8_callback( + data.as_bytes(), + utils::password_callback(&mut status, password), + ); + let pkey = utils::handle_key_load_result(py, pkey, status, password)?; + private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation) +} + +#[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, password, *, unsafe_skip_rsa_key_validation))] +fn load_pem_private_key( + py: pyo3::Python<'_>, + data: CffiBuf<'_>, + password: Option>, + unsafe_skip_rsa_key_validation: bool, +) -> CryptographyResult { + let password = password.as_ref().map(CffiBuf::as_bytes); + let mut status = utils::PasswordCallbackStatus::Unused; + let pkey = openssl::pkey::PKey::private_key_from_pem_callback( + data.as_bytes(), + utils::password_callback(&mut status, password), + ); + let pkey = utils::handle_key_load_result(py, pkey, status, password)?; + private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation) +} + #[pyo3::prelude::pyfunction] fn private_key_from_ptr( py: pyo3::Python<'_>, @@ -17,6 +65,14 @@ fn private_key_from_ptr( ) -> CryptographyResult { // SAFETY: Caller is responsible for passing a valid pointer. let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; + private_key_from_pkey(py, pkey, unsafe_skip_rsa_key_validation) +} + +fn private_key_from_pkey( + py: pyo3::Python<'_>, + pkey: &openssl::pkey::PKeyRef, + unsafe_skip_rsa_key_validation: bool, +) -> CryptographyResult { match pkey.id() { openssl::pkey::Id::RSA => Ok(crate::backend::rsa::private_key_from_pkey( pkey, @@ -164,6 +220,8 @@ fn public_key_from_pkey( pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "keys")?; + m.add_function(pyo3::wrap_pyfunction!(load_pem_private_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(load_der_private_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(load_der_public_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(load_pem_public_key, m)?)?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 6e3666d5628c..3373a565cf2c 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -4,7 +4,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; -use crate::types; +use crate::{error, types}; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -375,3 +375,67 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( Ok((data, algorithm)) } + +pub(crate) enum PasswordCallbackStatus { + Unused, + Used, + BufferTooSmall(usize), +} + +pub(crate) fn password_callback<'a>( + status: &'a mut PasswordCallbackStatus, + password: Option<&'a [u8]>, +) -> impl FnOnce(&mut [u8]) -> Result + 'a { + move |buf| { + *status = PasswordCallbackStatus::Used; + match password.as_ref() { + Some(p) if p.len() <= buf.len() => { + buf[..p.len()].copy_from_slice(p); + Ok(p.len()) + } + Some(_) => { + *status = PasswordCallbackStatus::BufferTooSmall(buf.len()); + Ok(0) + } + None => Ok(0), + } + } +} + +pub(crate) fn handle_key_load_result( + py: pyo3::Python<'_>, + pkey: Result, openssl::error::ErrorStack>, + status: PasswordCallbackStatus, + password: Option<&[u8]>, +) -> CryptographyResult> { + match (pkey, status, password) { + (Ok(k), PasswordCallbackStatus::Unused, None) + | (Ok(k), PasswordCallbackStatus::Used, Some(_)) => Ok(k), + + (Ok(_), PasswordCallbackStatus::Unused, Some(_)) => Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Password was given but private key is not encrypted.", + ), + )), + + (_, PasswordCallbackStatus::Used, None | Some(b"")) => Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err( + "Password was not given but private key is encrypted", + ), + )), + (_, PasswordCallbackStatus::BufferTooSmall(size), _) => Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Passwords longer than {size} bytes are not supported" + )), + )), + (Err(e), _, _) => { + let errors = error::list_from_openssl_error(py, e); + Err(CryptographyError::from( + types::BACKEND_HANDLE_KEY_LOADING_ERROR + .get(py)? + .call1((errors,)) + .unwrap_err(), + )) + } + } +} diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index e250aa6fc05b..f5bc6233f35c 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -11,6 +11,7 @@ from cryptography.exceptions import InternalError, _Reasons from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends.openssl.backend import backend +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.ciphers import Cipher @@ -282,14 +283,15 @@ def test_unsupported_evp_pkey_type(self): key = backend._lib.EVP_PKEY_new() key = backend._ffi.gc(key, backend._lib.EVP_PKEY_free) with raises_unsupported_algorithm(None): - backend._evp_pkey_to_private_key( - key, unsafe_skip_rsa_key_validation=False + rust_openssl.keys.private_key_from_ptr( + int(backend._ffi.cast("uintptr_t", key)), + unsafe_skip_rsa_key_validation=False, ) def test_very_long_pem_serialization_password(self): - password = b"x" * 1024 + password = b"x" * 1025 - with pytest.raises(ValueError): + with pytest.raises(ValueError, match="Passwords longer than"): load_vectors_from_file( os.path.join( "asymmetric", @@ -297,7 +299,7 @@ def test_very_long_pem_serialization_password(self): "key1.pem", ), lambda pemfile: ( - backend.load_pem_private_key( + serialization.load_pem_private_key( pemfile.read().encode(), password, unsafe_skip_rsa_key_validation=False, From 0e44ccfd8222080feac1495a05077302e6b99a0e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 3 Jan 2024 17:59:30 -0300 Subject: [PATCH 0903/1014] remove indirection in pem/der loaders, use the rust funcs directly (#10119) --- .../hazmat/bindings/_rust/openssl/dh.pyi | 8 ++- .../hazmat/bindings/_rust/openssl/keys.pyi | 10 ++- .../hazmat/primitives/serialization/base.py | 65 ++----------------- src/rust/src/backend/dh.rs | 14 +++- src/rust/src/backend/keys.rs | 12 +++- 5 files changed, 41 insertions(+), 68 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi index 38343867e53b..e29ad46bd1b5 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi @@ -41,5 +41,9 @@ class DHParameterNumbers: def q(self) -> int | None: ... def generate_parameters(generator: int, key_size: int) -> dh.DHParameters: ... -def from_pem_parameters(data: bytes) -> dh.DHParameters: ... -def from_der_parameters(data: bytes) -> dh.DHParameters: ... +def from_pem_parameters( + data: bytes, backend: typing.Any = None +) -> dh.DHParameters: ... +def from_der_parameters( + data: bytes, backend: typing.Any = None +) -> dh.DHParameters: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi index f571350c108c..e312d51dc58b 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi @@ -2,6 +2,8 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +import typing + from cryptography.hazmat.primitives.asymmetric.types import ( PrivateKeyTypes, PublicKeyTypes, @@ -14,18 +16,22 @@ def private_key_from_ptr( def load_der_private_key( data: bytes, password: bytes | None, + backend: typing.Any = None, *, - unsafe_skip_rsa_key_validation: bool, + unsafe_skip_rsa_key_validation: bool = False, ) -> PrivateKeyTypes: ... def load_pem_private_key( data: bytes, password: bytes | None, + backend: typing.Any = None, *, - unsafe_skip_rsa_key_validation: bool, + unsafe_skip_rsa_key_validation: bool = False, ) -> PrivateKeyTypes: ... def load_der_public_key( data: bytes, + backend: typing.Any = None, ) -> PublicKeyTypes: ... def load_pem_public_key( data: bytes, + backend: typing.Any = None, ) -> PublicKeyTypes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/base.py b/src/cryptography/hazmat/primitives/serialization/base.py index fd3680f68c23..b2c32f658646 100644 --- a/src/cryptography/hazmat/primitives/serialization/base.py +++ b/src/cryptography/hazmat/primitives/serialization/base.py @@ -2,67 +2,14 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -from __future__ import annotations - -import typing - from cryptography.hazmat.bindings._rust import openssl as rust_openssl -from cryptography.hazmat.primitives.asymmetric import dh -from cryptography.hazmat.primitives.asymmetric.types import ( - PrivateKeyTypes, - PublicKeyTypes, -) - - -def load_pem_private_key( - data: bytes, - password: bytes | None, - backend: typing.Any = None, - *, - unsafe_skip_rsa_key_validation: bool = False, -) -> PrivateKeyTypes: - return rust_openssl.keys.load_pem_private_key( - data, - password, - unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, - ) - - -def load_pem_public_key( - data: bytes, backend: typing.Any = None -) -> PublicKeyTypes: - return rust_openssl.keys.load_pem_public_key(data) - - -def load_pem_parameters( - data: bytes, backend: typing.Any = None -) -> dh.DHParameters: - return rust_openssl.dh.from_pem_parameters(data) - - -def load_der_private_key( - data: bytes, - password: bytes | None, - backend: typing.Any = None, - *, - unsafe_skip_rsa_key_validation: bool = False, -) -> PrivateKeyTypes: - return rust_openssl.keys.load_der_private_key( - data, - password, - unsafe_skip_rsa_key_validation=unsafe_skip_rsa_key_validation, - ) +load_pem_private_key = rust_openssl.keys.load_pem_private_key +load_der_private_key = rust_openssl.keys.load_der_private_key -def load_der_public_key( - data: bytes, backend: typing.Any = None -) -> PublicKeyTypes: - return rust_openssl.keys.load_der_public_key( - data, - ) +load_pem_public_key = rust_openssl.keys.load_pem_public_key +load_der_public_key = rust_openssl.keys.load_der_public_key -def load_der_parameters( - data: bytes, backend: typing.Any = None -) -> dh.DHParameters: - return rust_openssl.dh.from_der_parameters(data) +load_pem_parameters = rust_openssl.dh.from_pem_parameters +load_der_parameters = rust_openssl.dh.from_der_parameters diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index f24198507ed2..f4a80d7acc1e 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -63,7 +63,11 @@ pub(crate) fn public_key_from_pkey( } #[pyo3::prelude::pyfunction] -fn from_der_parameters(data: &[u8]) -> CryptographyResult { +fn from_der_parameters( + data: &[u8], + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult { + let _ = backend; let asn1_params = asn1::parse_single::>(data)?; let p = openssl::bn::BigNum::from_slice(asn1_params.p.as_bytes())?; @@ -79,14 +83,18 @@ fn from_der_parameters(data: &[u8]) -> CryptographyResult { } #[pyo3::prelude::pyfunction] -fn from_pem_parameters(data: &[u8]) -> CryptographyResult { +fn from_pem_parameters( + data: &[u8], + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult { + let _ = backend; let parsed = x509::find_in_pem( data, |p| p.tag() == "DH PARAMETERS" || p.tag() == "X9.42 DH PARAMETERS", "Valid PEM but no BEGIN DH PARAMETERS/END DH PARAMETERS delimiters. Are you sure this is a DH parameters?", )?; - from_der_parameters(parsed.contents()) + from_der_parameters(parsed.contents(), None) } fn dh_parameters_from_numbers( diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 1dacd381ccbd..18b20becf948 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -11,13 +11,15 @@ use crate::error::{self, CryptographyError, CryptographyResult}; use crate::{exceptions, types}; #[pyo3::prelude::pyfunction] -#[pyo3(signature = (data, password, *, unsafe_skip_rsa_key_validation))] +#[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] fn load_der_private_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, password: Option>, + backend: Option<&pyo3::PyAny>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { + let _ = backend; if let Ok(pkey) = openssl::pkey::PKey::private_key_from_der(data.as_bytes()) { if password.is_some() { return Err(CryptographyError::from( @@ -40,13 +42,15 @@ fn load_der_private_key( } #[pyo3::prelude::pyfunction] -#[pyo3(signature = (data, password, *, unsafe_skip_rsa_key_validation))] +#[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] fn load_pem_private_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, password: Option>, + backend: Option<&pyo3::PyAny>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { + let _ = backend; let password = password.as_ref().map(CffiBuf::as_bytes); let mut status = utils::PasswordCallbackStatus::Unused; let pkey = openssl::pkey::PKey::private_key_from_pem_callback( @@ -128,7 +132,9 @@ fn private_key_from_pkey( fn load_der_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, + backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { + let _ = backend; load_der_public_key_bytes(py, data.as_bytes()) } @@ -150,7 +156,9 @@ pub(crate) fn load_der_public_key_bytes( fn load_pem_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, + backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { + let _ = backend; let p = pem::parse(data.as_bytes())?; let pkey = match p.tag() { "RSA PUBLIC KEY" => { From 8926cfbd7d9dc8ff56b29690c90ac898add8bf06 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Jan 2024 19:19:21 -0500 Subject: [PATCH 0904/1014] Bump BoringSSL and/or OpenSSL in CI (#10120) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fbe80f873a37..13f3efe4b0af 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c0ae579dbbcd47ca60fd9539bf6cfc1bd0b434e9"}} - # Latest commit on the OpenSSL master branch, as of Jan 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d8fa4cf76308924daaf2335c6c0ff2f7334a5b26"}} + # Latest commit on the BoringSSL master branch, as of Jan 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cf00b172a128b6c998035fbe96c1f922a7bda3d8"}} + # Latest commit on the OpenSSL master branch, as of Jan 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From d713dfbcadcde412e79dd7b1988e1561d672a0d4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 3 Jan 2024 21:55:02 -0300 Subject: [PATCH 0905/1014] fix a typo in a benchmark name (#10122) --- tests/bench/test_x509.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/bench/test_x509.py b/tests/bench/test_x509.py index 3a8e916ed4be..abfbbf92a199 100644 --- a/tests/bench/test_x509.py +++ b/tests/bench/test_x509.py @@ -13,7 +13,7 @@ from ..utils import load_vectors_from_file -def test_object_identier_constructor(benchmark): +def test_object_identifier_constructor(benchmark): benchmark(x509.ObjectIdentifier, "1.3.6.1.4.1.11129.2.4.5") From afd675f42718ce903b30821533ff3ddab4351fce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jan 2024 11:23:50 +0000 Subject: [PATCH 0906/1014] Bump proc-macro2 from 1.0.74 to 1.0.75 in /src/rust (#10123) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.74 to 1.0.75. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.74...1.0.75) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 06fb324df458..edb9f97ebdf4 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -262,9 +262,9 @@ checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" [[package]] name = "proc-macro2" -version = "1.0.74" +version = "1.0.75" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2de98502f212cfcea8d0bb305bd0f49d7ebdd75b64ba0a68f937d888f4e0d6db" +checksum = "907a61bd0f64c2f29cd1cf1dc34d05176426a3f504a78010f08416ddb7b13708" dependencies = [ "unicode-ident", ] From a97438b14c4745ef9de8a627cce1704deef82a5b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Jan 2024 12:41:22 -0500 Subject: [PATCH 0907/1014] Make extension handling in x.509 verifier less meta-programmed (#10054) We now iterate over the extensions only once. --- .../src/policy/extension.rs | 309 +++++++++++------- .../src/policy/mod.rs | 128 +++----- tests/x509/verification/test_limbo.py | 2 + 3 files changed, 223 insertions(+), 216 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index fd5035d87ab5..7006ad5dd110 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -2,7 +2,11 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use asn1::ObjectIdentifier; +use cryptography_x509::oid::{ + AUTHORITY_INFORMATION_ACCESS_OID, AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, + EXTENDED_KEY_USAGE_OID, KEY_USAGE_OID, NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID, + SUBJECT_KEY_IDENTIFIER_OID, +}; use cryptography_x509::{ certificate::Certificate, extensions::{Extension, Extensions}, @@ -10,6 +14,114 @@ use cryptography_x509::{ use crate::{ops::CryptoOps, policy::Policy, ValidationError}; +pub(crate) struct ExtensionPolicy { + pub(crate) authority_information_access: ExtensionValidator, + pub(crate) authority_key_identifier: ExtensionValidator, + pub(crate) subject_key_identifier: ExtensionValidator, + pub(crate) key_usage: ExtensionValidator, + pub(crate) subject_alternative_name: ExtensionValidator, + pub(crate) basic_constraints: ExtensionValidator, + pub(crate) name_constraints: ExtensionValidator, + pub(crate) extended_key_usage: ExtensionValidator, +} + +impl ExtensionPolicy { + pub(crate) fn permits( + &self, + policy: &Policy<'_, B>, + cert: &Certificate<'_>, + extensions: &Extensions<'_>, + ) -> Result<(), ValidationError> { + let mut authority_information_access_seen = false; + let mut authority_key_identifier_seen = false; + let mut subject_key_identifier_seen = false; + let mut key_usage_seen = false; + let mut subject_alternative_name_seen = false; + let mut basic_constraints_seen = false; + let mut name_constraints_seen = false; + let mut extended_key_usage_seen = false; + + // Iterate over each extension and run its policy. + for ext in extensions.iter() { + match ext.extn_id { + AUTHORITY_INFORMATION_ACCESS_OID => { + authority_information_access_seen = true; + self.authority_information_access + .permits(policy, cert, Some(&ext))?; + } + AUTHORITY_KEY_IDENTIFIER_OID => { + authority_key_identifier_seen = true; + self.authority_key_identifier + .permits(policy, cert, Some(&ext))?; + } + SUBJECT_KEY_IDENTIFIER_OID => { + subject_key_identifier_seen = true; + self.subject_key_identifier + .permits(policy, cert, Some(&ext))?; + } + KEY_USAGE_OID => { + key_usage_seen = true; + self.key_usage.permits(policy, cert, Some(&ext))?; + } + SUBJECT_ALTERNATIVE_NAME_OID => { + subject_alternative_name_seen = true; + self.subject_alternative_name + .permits(policy, cert, Some(&ext))?; + } + BASIC_CONSTRAINTS_OID => { + basic_constraints_seen = true; + self.basic_constraints.permits(policy, cert, Some(&ext))?; + } + NAME_CONSTRAINTS_OID => { + name_constraints_seen = true; + self.name_constraints.permits(policy, cert, Some(&ext))?; + } + EXTENDED_KEY_USAGE_OID => { + extended_key_usage_seen = true; + self.extended_key_usage.permits(policy, cert, Some(&ext))?; + } + _ if ext.critical => { + return Err(ValidationError::Other(format!( + "certificate contains unaccounted-for critical extensions: {}", + ext.extn_id + ))); + } + _ => {} + } + } + + // Now we check if there were any required extensions that aren't + // present + if !authority_information_access_seen { + self.authority_information_access + .permits(policy, cert, None)?; + } + if !authority_key_identifier_seen { + self.authority_key_identifier.permits(policy, cert, None)?; + } + if !subject_key_identifier_seen { + self.subject_key_identifier.permits(policy, cert, None)?; + } + if !key_usage_seen { + self.key_usage.permits(policy, cert, None)?; + } + if !subject_alternative_name_seen { + self.subject_alternative_name.permits(policy, cert, None)?; + } + if !basic_constraints_seen { + self.basic_constraints.permits(policy, cert, None)?; + } + if !name_constraints_seen { + self.name_constraints.permits(policy, cert, None)?; + } + if !extended_key_usage_seen { + self.extended_key_usage.permits(policy, cert, None)?; + } + + Ok(()) + } +} + /// Represents different criticality states for an extension. pub(crate) enum Criticality { /// The extension MUST be marked as critical. @@ -58,46 +170,28 @@ pub(crate) enum ExtensionValidator { }, } -/// A "policy" for validating a specific X.509v3 extension, identified by -/// its OID. -pub(crate) struct ExtensionPolicy { - pub(crate) oid: asn1::ObjectIdentifier, - pub(crate) validator: ExtensionValidator, -} - -impl ExtensionPolicy { - pub(crate) fn not_present(oid: ObjectIdentifier) -> Self { - Self { - oid, - validator: ExtensionValidator::NotPresent, - } +impl ExtensionValidator { + pub(crate) fn not_present() -> Self { + Self::NotPresent } pub(crate) fn present( - oid: ObjectIdentifier, criticality: Criticality, validator: Option>, ) -> Self { - Self { - oid, - validator: ExtensionValidator::Present { - criticality, - validator, - }, + Self::Present { + criticality, + validator, } } pub(crate) fn maybe_present( - oid: ObjectIdentifier, criticality: Criticality, validator: Option>, ) -> Self { - Self { - oid, - validator: ExtensionValidator::MaybePresent { - criticality, - validator, - }, + Self::MaybePresent { + criticality, + validator, } } @@ -105,20 +199,19 @@ impl ExtensionPolicy { &self, policy: &Policy<'_, B>, cert: &Certificate<'_>, - extensions: &Extensions<'_>, + extension: Option<&Extension<'_>>, ) -> Result<(), ValidationError> { - match (&self.validator, extensions.get_extension(&self.oid)) { + match (self, extension) { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), // Extension MUST NOT be present but is; NOT OK. (ExtensionValidator::NotPresent, Some(_)) => Err(ValidationError::Other( - "EE certificate contains prohibited extension".to_string(), + "Certificate contains prohibited extension".to_string(), )), // Extension MUST be present but is not; NOT OK. - (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other(format!( - "EE certificate is missing required extension: {}", - self.oid - ))), + (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other( + "Certificate is missing required extension".to_string(), + )), // Extension MUST be present and is; check it. ( ExtensionValidator::Present { @@ -129,12 +222,12 @@ impl ExtensionPolicy { ) => { if !criticality.permits(extn.critical) { return Err(ValidationError::Other( - "EE certificate extension has incorrect criticality".to_string(), + "Certificate extension has incorrect criticality".to_string(), )); } // If a custom validator is supplied, apply it. - validator.map_or(Ok(()), |v| v(policy, cert, &extn)) + validator.map_or(Ok(()), |v| v(policy, cert, extn)) } // Extension MAY be present. ( @@ -145,17 +238,14 @@ impl ExtensionPolicy { extn, ) => { // If the extension is present, apply our criticality check. - if extn - .as_ref() - .map_or(false, |extn| !criticality.permits(extn.critical)) - { + if extn.map_or(false, |extn| !criticality.permits(extn.critical)) { return Err(ValidationError::Other( - "EE certificate extension has incorrect criticality".to_string(), + "Certificate extension has incorrect criticality".to_string(), )); } // If a custom validator is supplied, apply it. - validator.map_or(Ok(()), |v| v(policy, cert, extn.as_ref())) + validator.map_or(Ok(()), |v| v(policy, cert, extn)) } } } @@ -448,10 +538,10 @@ pub(crate) mod common { mod tests { use asn1::{ObjectIdentifier, SimpleAsn1Writable}; use cryptography_x509::certificate::Certificate; - use cryptography_x509::extensions::{BasicConstraints, Extension, Extensions}; + use cryptography_x509::extensions::{BasicConstraints, Extension}; use cryptography_x509::oid::BASIC_CONSTRAINTS_OID; - use super::{Criticality, ExtensionPolicy}; + use super::{Criticality, ExtensionValidator}; use crate::certificate::tests::PublicKeyErrorOps; use crate::ops::tests::{cert, v1_cert_pem}; use crate::ops::CryptoOps; @@ -477,25 +567,18 @@ mod tests { asn1::DateTime::new(1970, 1, 1, 0, 0, 0).unwrap() } - fn create_encoded_extensions( + fn create_encoded_extension( oid: ObjectIdentifier, critical: bool, ext: &T, ) -> Vec { let ext_value = asn1::write_single(&ext).unwrap(); - let exts = vec![Extension { + let ext = Extension { extn_id: oid, critical, extn_value: &ext_value, - }]; - let der_exts = asn1::write_single(&asn1::SequenceOfWriter::new(exts)).unwrap(); - der_exts - } - - fn create_empty_encoded_extensions() -> Vec { - let exts: Vec> = vec![]; - let der_exts = asn1::write_single(&asn1::SequenceOfWriter::new(exts)).unwrap(); - der_exts + }; + asn1::write_single(&ext).unwrap() } fn present_extension_validator( @@ -507,7 +590,7 @@ mod tests { } #[test] - fn test_extension_policy_present() { + fn test_extension_validator_present() { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); @@ -520,31 +603,22 @@ mod tests { ); // Test a policy that stipulates that a given extension MUST be present. - let extension_policy = ExtensionPolicy::present( - BASIC_CONSTRAINTS_OID, - Criticality::Critical, - Some(present_extension_validator), - ); + let extension_validator = + ExtensionValidator::present(Criticality::Critical, Some(present_extension_validator)); // Check the case where the extension is present. let bc = BasicConstraints { ca: true, path_length: Some(3), }; - let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, true, &bc); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + let der_ext = create_encoded_extension(BASIC_CONSTRAINTS_OID, true, &bc); + let raw_ext = asn1::parse_single(&der_ext).unwrap(); + assert!(extension_validator + .permits(&policy, &cert, Some(&raw_ext)) + .is_ok()); // Check the case where the extension isn't present. - let der_exts: Vec = create_empty_encoded_extensions(); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + assert!(extension_validator.permits(&policy, &cert, None).is_err()); } fn maybe_extension_validator( @@ -556,7 +630,7 @@ mod tests { } #[test] - fn test_extension_policy_maybe() { + fn test_extension_validator_maybe() { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); @@ -568,9 +642,8 @@ mod tests { None, ); - // Test a policy that stipulates that a given extension CAN be present. - let extension_policy = ExtensionPolicy::maybe_present( - BASIC_CONSTRAINTS_OID, + // Test a validator that stipulates that a given extension CAN be present. + let extension_validator = ExtensionValidator::maybe_present( Criticality::Critical, Some(maybe_extension_validator), ); @@ -580,24 +653,18 @@ mod tests { ca: false, path_length: Some(3), }; - let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, true, &bc); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + let der_ext = create_encoded_extension(BASIC_CONSTRAINTS_OID, true, &bc); + let raw_ext = asn1::parse_single(&der_ext).unwrap(); + assert!(extension_validator + .permits(&policy, &cert, Some(&raw_ext)) + .is_ok()); // Check the case where the extension isn't present. - let der_exts: Vec = create_empty_encoded_extensions(); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + assert!(extension_validator.permits(&policy, &cert, None).is_ok()); } #[test] - fn test_extension_policy_not_present() { + fn test_extension_validator_not_present() { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); @@ -609,32 +676,26 @@ mod tests { None, ); - // Test a policy that stipulates that a given extension MUST NOT be present. - let extension_policy = ExtensionPolicy::not_present(BASIC_CONSTRAINTS_OID); + // Test a validator that stipulates that a given extension MUST NOT be present. + let extension_validator = ExtensionValidator::not_present(); // Check the case where the extension is present. let bc = BasicConstraints { ca: false, path_length: Some(3), }; - let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, true, &bc); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + let der_ext = create_encoded_extension(BASIC_CONSTRAINTS_OID, true, &bc); + let raw_ext = asn1::parse_single(&der_ext).unwrap(); + assert!(extension_validator + .permits(&policy, &cert, Some(&raw_ext)) + .is_err()); // Check the case where the extension isn't present. - let der_exts: Vec = create_empty_encoded_extensions(); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_ok()); + assert!(extension_validator.permits(&policy, &cert, None).is_ok()); } #[test] - fn test_extension_policy_present_incorrect_criticality() { + fn test_extension_validator_present_incorrect_criticality() { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); @@ -647,27 +708,23 @@ mod tests { ); // Test a present policy that stipulates that a given extension MUST be critical. - let extension_policy = ExtensionPolicy::present( - BASIC_CONSTRAINTS_OID, - Criticality::Critical, - Some(present_extension_validator), - ); + let extension_validator = + ExtensionValidator::present(Criticality::Critical, Some(present_extension_validator)); // Mark the extension as non-critical despite our policy stipulating that it must be critical. let bc = BasicConstraints { ca: true, path_length: Some(3), }; - let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, false, &bc); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + let der_ext = create_encoded_extension(BASIC_CONSTRAINTS_OID, false, &bc); + let raw_ext = asn1::parse_single(&der_ext).unwrap(); + assert!(extension_validator + .permits(&policy, &cert, Some(&raw_ext)) + .is_err()); } #[test] - fn test_extension_policy_maybe_present_incorrect_criticality() { + fn test_extension_validator_maybe_present_incorrect_criticality() { // The certificate doesn't get used for this validator, so the certificate we use isn't important. let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); @@ -679,9 +736,8 @@ mod tests { None, ); - // Test a maybe present policy that stipulates that a given extension MUST be critical. - let extension_policy = ExtensionPolicy::maybe_present( - BASIC_CONSTRAINTS_OID, + // Test a maybe present validator that stipulates that a given extension MUST be critical. + let extension_validator = ExtensionValidator::maybe_present( Criticality::Critical, Some(maybe_extension_validator), ); @@ -691,11 +747,10 @@ mod tests { ca: true, path_length: Some(3), }; - let der_exts = create_encoded_extensions(BASIC_CONSTRAINTS_OID, false, &bc); - let raw_exts = asn1::parse_single(&der_exts).unwrap(); - let exts = Extensions::from_raw_extensions(Some(&raw_exts)) - .ok() - .unwrap(); - assert!(extension_policy.permits(&policy, &cert, &exts).is_err()); + let der_ext = create_encoded_extension(BASIC_CONSTRAINTS_OID, false, &bc); + let raw_ext = asn1::parse_single(&der_ext).unwrap(); + assert!(extension_validator + .permits(&policy, &cert, Some(&raw_ext)) + .is_err()); } } diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index e67cf2fb0da6..e51f0a1c413c 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -17,15 +17,12 @@ use cryptography_x509::common::{ use cryptography_x509::extensions::{BasicConstraints, Extensions, SubjectAlternativeName}; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ - AUTHORITY_INFORMATION_ACCESS_OID, AUTHORITY_KEY_IDENTIFIER_OID, BASIC_CONSTRAINTS_OID, - EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID, EXTENDED_KEY_USAGE_OID, - KEY_USAGE_OID, NAME_CONSTRAINTS_OID, POLICY_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID, - SUBJECT_DIRECTORY_ATTRIBUTES_OID, SUBJECT_KEY_IDENTIFIER_OID, + BASIC_CONSTRAINTS_OID, EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID, }; use once_cell::sync::Lazy; use crate::ops::CryptoOps; -use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy}; +use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, ExtensionValidator}; use crate::types::{DNSName, DNSPattern, IPAddress}; use crate::{ValidationError, VerificationCertificate}; @@ -216,9 +213,8 @@ pub struct Policy<'a, B: CryptoOps> { /// algorithm identifiers. pub permitted_signature_algorithms: HashSet>, - common_extension_policies: Vec>, - ca_extension_policies: Vec>, - ee_extension_policies: Vec>, + ca_extension_policy: ExtensionPolicy, + ee_extension_policy: ExtensionPolicy, } impl<'a, B: CryptoOps> Policy<'a, B> { @@ -246,105 +242,93 @@ impl<'a, B: CryptoOps> Policy<'a, B> { .into_iter() .cloned() .collect(), - common_extension_policies: Vec::from([ - // 5280 4.2.1.8: Subject Directory Attributes - ExtensionPolicy::maybe_present( - SUBJECT_DIRECTORY_ATTRIBUTES_OID, - Criticality::NonCritical, - None, - ), + ca_extension_policy: ExtensionPolicy { // 5280 4.2.2.1: Authority Information Access - ExtensionPolicy::maybe_present( - AUTHORITY_INFORMATION_ACCESS_OID, + authority_information_access: ExtensionValidator::maybe_present( Criticality::NonCritical, Some(common::authority_information_access), ), - ]), - ca_extension_policies: Vec::from([ // 5280 4.2.1.1: Authority Key Identifier - ExtensionPolicy::maybe_present( - AUTHORITY_KEY_IDENTIFIER_OID, + authority_key_identifier: ExtensionValidator::maybe_present( Criticality::NonCritical, Some(ca::authority_key_identifier), ), // 5280 4.2.1.2: Subject Key Identifier // NOTE: CABF requires SKI in CA certificates, but many older CAs lack it. // We choose to be permissive here. - ExtensionPolicy::maybe_present( - SUBJECT_KEY_IDENTIFIER_OID, + subject_key_identifier: ExtensionValidator::maybe_present( Criticality::NonCritical, None, ), // 5280 4.2.1.3: Key Usage - ExtensionPolicy::present(KEY_USAGE_OID, Criticality::Agnostic, Some(ca::key_usage)), + key_usage: ExtensionValidator::present(Criticality::Agnostic, Some(ca::key_usage)), + subject_alternative_name: ExtensionValidator::maybe_present( + Criticality::Agnostic, + None, + ), // 5280 4.2.1.9: Basic Constraints - ExtensionPolicy::present( - BASIC_CONSTRAINTS_OID, + basic_constraints: ExtensionValidator::present( Criticality::Critical, Some(ca::basic_constraints), ), // 5280 4.2.1.10: Name Constraints // NOTE: MUST be critical in 5280, but CABF relaxes to MAY. - ExtensionPolicy::maybe_present( - NAME_CONSTRAINTS_OID, + name_constraints: ExtensionValidator::maybe_present( Criticality::Agnostic, Some(ca::name_constraints), ), - // 5280 4.2.1.11: Policy Constraints - ExtensionPolicy::maybe_present(POLICY_CONSTRAINTS_OID, Criticality::Critical, None), // 5280: 4.2.1.12: Extended Key Usage // NOTE: CABF requires EKUs in many non-root CA certs, but validators widely // ignore this requirement and treat a missing EKU as "any EKU". // We choose to be permissive here. - ExtensionPolicy::maybe_present( - EXTENDED_KEY_USAGE_OID, + extended_key_usage: ExtensionValidator::maybe_present( Criticality::NonCritical, Some(ca::extended_key_usage), ), - ]), - ee_extension_policies: Vec::from([ + }, + ee_extension_policy: ExtensionPolicy { + // 5280 4.2.2.1: Authority Information Access + authority_information_access: ExtensionValidator::maybe_present( + Criticality::NonCritical, + Some(common::authority_information_access), + ), // 5280 4.2.1.1.: Authority Key Identifier - ExtensionPolicy::present( - AUTHORITY_KEY_IDENTIFIER_OID, + authority_key_identifier: ExtensionValidator::present( Criticality::NonCritical, None, ), + subject_key_identifier: ExtensionValidator::maybe_present( + Criticality::Agnostic, + None, + ), // 5280 4.2.1.3: Key Usage - ExtensionPolicy::maybe_present( - KEY_USAGE_OID, + key_usage: ExtensionValidator::maybe_present( Criticality::Agnostic, Some(ee::key_usage), ), // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name - ExtensionPolicy::present( - SUBJECT_ALTERNATIVE_NAME_OID, + subject_alternative_name: ExtensionValidator::present( Criticality::Agnostic, Some(ee::subject_alternative_name), ), // 5280 4.2.1.9: Basic Constraints - ExtensionPolicy::maybe_present( - BASIC_CONSTRAINTS_OID, + basic_constraints: ExtensionValidator::maybe_present( Criticality::Agnostic, Some(ee::basic_constraints), ), // 5280 4.2.1.10: Name Constraints - ExtensionPolicy::not_present(NAME_CONSTRAINTS_OID), + name_constraints: ExtensionValidator::not_present(), // CA/B: 7.1.2.7.10: Subscriber Certificate Extended Key Usage // NOTE: CABF requires EKUs in EE certs, while RFC 5280 does not. - ExtensionPolicy::maybe_present( - EXTENDED_KEY_USAGE_OID, + extended_key_usage: ExtensionValidator::maybe_present( Criticality::NonCritical, Some(ee::extended_key_usage), ), - ]), + }, } } - fn permits_basic( - &self, - cert: &Certificate<'_>, - extensions: &Extensions<'_>, - ) -> Result<(), ValidationError> { + fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), ValidationError> { // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. if cert.tbs_cert.version != 2 { @@ -404,36 +388,6 @@ impl<'a, B: CryptoOps> Policy<'a, B> { )); } - // Extension policy checks. - for ext_policy in self.common_extension_policies.iter() { - ext_policy.permits(self, cert, extensions)?; - } - - // Check that all critical extensions in this certificate are accounted for. - let critical_extensions = extensions - .iter() - .filter(|e| e.critical) - .map(|e| e.extn_id) - .collect::>(); - let checked_extensions = self - .common_extension_policies - .iter() - .chain(self.ca_extension_policies.iter()) - .chain(self.ee_extension_policies.iter()) - .map(|p| p.oid.clone()) - .collect::>(); - - if critical_extensions - .difference(&checked_extensions) - .next() - .is_some() - { - // TODO: Render the OIDs here. - return Err(ValidationError::Other( - "certificate contains unaccounted-for critical extensions".to_string(), - )); - } - Ok(()) } @@ -444,7 +398,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { current_depth: u8, extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { - self.permits_basic(cert, extensions)?; + self.permits_basic(cert)?; // 5280 4.1.2.6: Subject // CA certificates MUST have a subject populated with a non-empty distinguished name. @@ -472,9 +426,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } - for ext_policy in self.ca_extension_policies.iter() { - ext_policy.permits(self, cert, extensions)?; - } + self.ca_extension_policy.permits(self, cert, extensions)?; Ok(()) } @@ -485,11 +437,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { cert: &Certificate<'_>, extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { - self.permits_basic(cert, extensions)?; + self.permits_basic(cert)?; - for ext_policy in self.ee_extension_policies.iter() { - ext_policy.permits(self, cert, extensions)?; - } + self.ee_extension_policy.permits(self, cert, extensions)?; Ok(()) } diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 54aafe33c061..194b64f1f0bd 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -34,6 +34,8 @@ # incompatible ways. Our validator always tries (by default) to comply # closer to CABF, so we skip these. "rfc5280-incompatible-with-webpki", + # We do not support policy constraints. + "has-policy-constraints", } LIMBO_SKIP_TESTCASES = { From 110bdc41a22414be20030883a566af87041e4fb7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 5 Jan 2024 00:15:37 +0000 Subject: [PATCH 0908/1014] Bump BoringSSL and/or OpenSSL in CI (#10125) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 13f3efe4b0af..cc2868fd68d3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cf00b172a128b6c998035fbe96c1f922a7bda3d8"}} - # Latest commit on the OpenSSL master branch, as of Jan 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8b9cf1bc2c3085b6e9493a057209ffd0bddf48a6"}} + # Latest commit on the BoringSSL master branch, as of Jan 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6694ec17488e13e14f2db27f8e7a75a207d696b"}} + # Latest commit on the OpenSSL master branch, as of Jan 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3348713ad390372ba5a0a0f98b46b2f637475e47"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 4ad655094707639e928b4900b68935ce7801fe08 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jan 2024 05:18:03 -0500 Subject: [PATCH 0909/1014] Remove unused bindings (#10127) --- src/_cffi_src/openssl/pem.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py index 5758181284f0..e069d6126999 100644 --- a/src/_cffi_src/openssl/pem.py +++ b/src/_cffi_src/openssl/pem.py @@ -24,9 +24,6 @@ PKCS7 *d2i_PKCS7_bio(BIO *, PKCS7 **); -EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *, EVP_PKEY **, pem_password_cb *, - void *); - int PEM_write_bio_X509_REQ(BIO *, X509_REQ *); X509_REQ *PEM_read_bio_X509_REQ(BIO *, X509_REQ **, pem_password_cb *, void *); @@ -39,8 +36,6 @@ DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *); -RSA *PEM_read_bio_RSAPublicKey(BIO *, RSA **, pem_password_cb *, void *); - EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *); int PEM_write_bio_PUBKEY(BIO *, EVP_PKEY *); """ From bbf2544c79ab11e0f9b0127824c0aab6132bf070 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jan 2024 05:19:16 -0500 Subject: [PATCH 0910/1014] Added two test cases for unsupported EC private keys (#10126) --- docs/development/test-vectors.rst | 4 ++++ tests/hazmat/primitives/test_ec.py | 22 +++++++++++++++++++ .../EC/explicit_parameters_private_key.pem | 10 +++++++++ .../asymmetric/EC/secp128r1_private_key.pem | 5 +++++ 4 files changed, 41 insertions(+) create mode 100644 vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_private_key.pem create mode 100644 vectors/cryptography_vectors/asymmetric/EC/secp128r1_private_key.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 63001e3304fa..d80bcd40414d 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -115,6 +115,10 @@ Custom asymmetric vectors the private key for the certificate ``x509/custom/ca/rsa_ca.pem``. * ``asymmetric/EC/compressed_points.txt`` - Contains compressed public points generated using OpenSSL. +* ``asymmetric/EC/explicit_parameters_private_key.pem`` - Contains an EC + private key with an curve defined by explicit parameters. +* ``asymmetric/EC/secp128r1_private_key.pem`` - Contains an EC private key on + the curve ``secp128r1``. * ``asymmetric/X448/x448-pkcs8-enc.pem`` and ``asymmetric/X448/x448-pkcs8-enc.der`` contain an X448 key encrypted with AES 256 CBC with the password ``password``. diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 9b775b4ca228..55c18a8fb3f5 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -893,6 +893,28 @@ def test_public_bytes_from_derived_public_key(self, backend): parsed_public = serialization.load_pem_public_key(pem, backend) assert parsed_public + def test_load_private_key_explicit_parameters(self): + with pytest.raises(ValueError, match="explicit parameters"): + load_vectors_from_file( + os.path.join( + "asymmetric", "EC", "explicit_parameters_private_key.pem" + ), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), password=None + ), + mode="rb", + ) + + def test_load_private_key_unsupported_curve(self): + with pytest.raises((ValueError, exceptions.UnsupportedAlgorithm)): + load_vectors_from_file( + os.path.join("asymmetric", "EC", "secp128r1_private_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), password=None + ), + mode="rb", + ) + class TestEllipticCurvePEMPublicKeySerialization: @pytest.mark.parametrize( diff --git a/vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_private_key.pem b/vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_private_key.pem new file mode 100644 index 000000000000..f54b9fe60bb8 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_private_key.pem @@ -0,0 +1,10 @@ +-----BEGIN EC PRIVATE KEY----- +MIIBaAIBAQQgoIAlsArFMdyIAGre7kgA0D4fvM+Dibt9XSdtFxhuPrWggfowgfcC +AQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAAAAAAAAAAAAAA///////////////+ +MFsEIP////8AAAABAAAAAAAAAAAAAAAA///////////////8BCBaxjXYqjqT57Pr +vVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSdNgiG5wSTamZ44ROdJreBn36QBEEE +axfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54W +K84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8 +YyVRAgEBoUQDQgAEhIXBZutCVz1ULBu1Mq1Hg1FV0wgYADGMRvYdC1zR1nqvVsmB +yYka/ElVXwRwUAKxwhbXXt2kTvpZEAG/wjOn3Q== +-----END EC PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/EC/secp128r1_private_key.pem b/vectors/cryptography_vectors/asymmetric/EC/secp128r1_private_key.pem new file mode 100644 index 000000000000..da151cc53add --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/EC/secp128r1_private_key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MEQCAQEEEGqA3EQW0B/63PyiwCa4bg2gBwYFK4EEAByhJAMiAASL133VyEjU3FUh +9sq37xm62q/GWxp1Q4t2iOpuBzBrBQ== +-----END EC PRIVATE KEY----- + From c5fff81350f86e89be62af34711ed588e6d81bad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Jan 2024 08:18:43 -0300 Subject: [PATCH 0911/1014] Bump syn from 2.0.46 to 2.0.48 in /src/rust (#10129) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.46 to 2.0.48. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.46...2.0.48) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index edb9f97ebdf4..5d550b0a5b40 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -368,9 +368,9 @@ checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" [[package]] name = "syn" -version = "2.0.46" +version = "2.0.48" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89456b690ff72fddcecf231caedbe615c59480c93358a93dfae7fc29e3ebbf0e" +checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" dependencies = [ "proc-macro2", "quote", From 156461b3e9a6f0dd002fd7d1d7860794787c9e5d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Jan 2024 11:24:17 +0000 Subject: [PATCH 0912/1014] Bump pyo3 from 0.20.1 to 0.20.2 in /src/rust (#10131) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.20.1...v0.20.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5d550b0a5b40..84595ce633d1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.20.1" +version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e82ad98ce1991c9c70c3464ba4187337b9c45fcbbb060d46dca15f0c075e14e2" +checksum = "9a89dc7a5850d0e983be1ec2a463a171d20990487c3cfcd68b5363f1ee3d6fe0" dependencies = [ "cfg-if", "indoc", @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.20.1" +version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5503d0b3aee2c7a8dbb389cd87cd9649f675d4c7f60ca33699a3e3859d81a891" +checksum = "07426f0d8fe5a601f26293f300afd1a7b1ed5e78b2a705870c5f30893c5163be" dependencies = [ "once_cell", "target-lexicon", @@ -298,9 +298,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.20.1" +version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18a79e8d80486a00d11c0dcb27cd2aa17c022cc95c677b461f01797226ba8f41" +checksum = "dbb7dec17e17766b46bca4f1a4215a85006b4c2ecde122076c562dd058da6cf1" dependencies = [ "libc", "pyo3-build-config", @@ -308,9 +308,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.20.1" +version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f4b0dc7eaa578604fab11c8c7ff8934c71249c61d4def8e272c76ed879f03d4" +checksum = "05f738b4e40d50b5711957f142878cfa0f28e054aa0ebdfc3fd137a843f74ed3" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -320,9 +320,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.20.1" +version = "0.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "816a4f709e29ddab2e3cdfe94600d554c5556cad0ddfeea95c47b580c3247fa4" +checksum = "0fc910d4851847827daf9d6cdd4a823fbdaab5b8818325c5e97a86da79e8881f" dependencies = [ "heck", "proc-macro2", From e31a34398edad94a58b75f65c86a9cb7ea180854 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jan 2024 10:57:12 -0500 Subject: [PATCH 0913/1014] Another test case for explicit parameter private key (#10132) --- docs/development/test-vectors.rst | 3 +++ tests/hazmat/primitives/test_ec.py | 13 +++++++++++++ ...rameters_wap_wsg_idm_ecid_wtls11_private_key.pem | 9 +++++++++ 3 files changed, 25 insertions(+) create mode 100644 vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_wap_wsg_idm_ecid_wtls11_private_key.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index d80bcd40414d..4295d63c03a5 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -117,6 +117,9 @@ Custom asymmetric vectors generated using OpenSSL. * ``asymmetric/EC/explicit_parameters_private_key.pem`` - Contains an EC private key with an curve defined by explicit parameters. +* ``asymmetric/EC/explicit_parameters_wap_wsg_idm_ecid_wtls11_private_key.pem`` - + Contains an EC private key with over the ``wap-wsg-idm-ecid-wtls11`` curve, + encoded with explicit parameters. * ``asymmetric/EC/secp128r1_private_key.pem`` - Contains an EC private key on the curve ``secp128r1``. * ``asymmetric/X448/x448-pkcs8-enc.pem`` and diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 55c18a8fb3f5..06d7d57d4c62 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -905,6 +905,19 @@ def test_load_private_key_explicit_parameters(self): mode="rb", ) + with pytest.raises(ValueError, match="explicit parameters"): + load_vectors_from_file( + os.path.join( + "asymmetric", + "EC", + "explicit_parameters_wap_wsg_idm_ecid_wtls11_private_key.pem", + ), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), password=None + ), + mode="rb", + ) + def test_load_private_key_unsupported_curve(self): with pytest.raises((ValueError, exceptions.UnsupportedAlgorithm)): load_vectors_from_file( diff --git a/vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_wap_wsg_idm_ecid_wtls11_private_key.pem b/vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_wap_wsg_idm_ecid_wtls11_private_key.pem new file mode 100644 index 000000000000..3e300a4740d6 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/EC/explicit_parameters_wap_wsg_idm_ecid_wtls11_private_key.pem @@ -0,0 +1,9 @@ +-----BEGIN EC PRIVATE KEY----- +MIIBSAIBAQQeAOgdbe7dchFPZAojhztGgDWQqwyZHjLneCvhSvBfoIHgMIHdAgEB +MB0GByqGSM49AQIwEgICAOkGCSqGSM49AQIDAgIBSjBXBB4AAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAEEHgBmZH7ebDMsf4wJI7tYITszOyDpzkKB/hFffY+Q +rQMVAHTVn/B/a0E9DqFLNEsgotsEm1DDBD0EAPrJ38usgxO7ITnxu3Vf72W8OR+L +Nvj463Nx/VWLAQBqCKQZAzUGeOWFKL6/igvv+GenyjZxb34B+BBSAh4BAAAAAAAA +AAAAAAAAAAAT6XTnL4ppIgMdJgPP4NcCAQKhQAM+AAQAITc5rTBkBHaMSOuhKb8z +c/hoCZIQEQp0F3fawnMBi82rKn67H56ZrXX7dWzL5yFGmleInGphYwDo+2A= +-----END EC PRIVATE KEY----- From 30e5ee2493587c284b2392ba24ff65b60e4b0095 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 5 Jan 2024 15:03:57 -0300 Subject: [PATCH 0914/1014] add some more EC vectors (#10134) --- docs/development/test-vectors.rst | 8 ++++++++ docs/spelling_wordlist.txt | 1 + .../cryptography_vectors/asymmetric/EC/sect163k1-spki.pem | 4 ++++ .../cryptography_vectors/asymmetric/EC/sect163r2-spki.pem | 4 ++++ .../cryptography_vectors/asymmetric/EC/sect233k1-spki.pem | 4 ++++ .../cryptography_vectors/asymmetric/EC/sect233r1-spki.pem | 4 ++++ 6 files changed, 25 insertions(+) create mode 100644 vectors/cryptography_vectors/asymmetric/EC/sect163k1-spki.pem create mode 100644 vectors/cryptography_vectors/asymmetric/EC/sect163r2-spki.pem create mode 100644 vectors/cryptography_vectors/asymmetric/EC/sect233k1-spki.pem create mode 100644 vectors/cryptography_vectors/asymmetric/EC/sect233r1-spki.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 4295d63c03a5..1255688840f3 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -122,6 +122,14 @@ Custom asymmetric vectors encoded with explicit parameters. * ``asymmetric/EC/secp128r1_private_key.pem`` - Contains an EC private key on the curve ``secp128r1``. +* ``asymmetric/EC/sect163k1-spki.pem`` - Contains an EC SPKI on the curve + ``sect163k1``. +* ``asymmetric/EC/sect163r2-spki.pem`` - Contains an EC SPKI on the curve + ``sect163r2``. +* ``asymmetric/EC/sect233k1-spki.pem`` - Contains an EC SPKI on the curve + ``sect233k1``. +* ``asymmetric/EC/sect233r1-spki.pem`` - Contains an EC SPKI on the curve + ``sect233r1``. * ``asymmetric/X448/x448-pkcs8-enc.pem`` and ``asymmetric/X448/x448-pkcs8-enc.der`` contain an X448 key encrypted with AES 256 CBC with the password ``password``. diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index f72955fc696b..933e781308ed 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -119,6 +119,7 @@ setuptools SHA Solaris Sonoma +SPKI Sur syscall Tanja diff --git a/vectors/cryptography_vectors/asymmetric/EC/sect163k1-spki.pem b/vectors/cryptography_vectors/asymmetric/EC/sect163k1-spki.pem new file mode 100644 index 000000000000..a69945b39cb9 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/EC/sect163k1-spki.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEAxGAaICwgq0YOcgiIg1qIBU/tmU3AS4t +jG+YV5KpVbVoZrj9Z+fb24Pg +-----END PUBLIC KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/EC/sect163r2-spki.pem b/vectors/cryptography_vectors/asymmetric/EC/sect163r2-spki.pem new file mode 100644 index 000000000000..18bac0a8c9d3 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/EC/sect163r2-spki.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEAkMQD2BC7lzGH0cqllPPPtNl1kqRBXhT +JmwDP66hW6PMFl3ldz4ZlvkK +-----END PUBLIC KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/EC/sect233k1-spki.pem b/vectors/cryptography_vectors/asymmetric/EC/sect233k1-spki.pem new file mode 100644 index 000000000000..d9fe3cb27b88 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/EC/sect233k1-spki.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAbCYgpNMrLez2VEmv+xSGQLxtnWoDDvK +4oh4XfQEAPETU2P//4hH7hiDxo1jfe104nG45sbYJQke8+OK +-----END PUBLIC KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/EC/sect233r1-spki.pem b/vectors/cryptography_vectors/asymmetric/EC/sect233r1-spki.pem new file mode 100644 index 000000000000..96bb20c64134 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/EC/sect233r1-spki.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAVfRTJ18T67P5XD5HXs9dv7NuO+FQwNl +9/COeQIjAWjajHoGNjsris/W25ZMPcq240TdudpXmHC5gFiV +-----END PUBLIC KEY----- From 98b6354c3fdfefac9c777da1dabb84fd9302cd7d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 5 Jan 2024 16:44:15 -0300 Subject: [PATCH 0915/1014] add tests for the new vectors (#10135) just verifying basic loading works for these curve names --- tests/hazmat/primitives/test_ec.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 06d7d57d4c62..531e182c9095 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -928,6 +928,27 @@ def test_load_private_key_unsupported_curve(self): mode="rb", ) + @pytest.mark.parametrize( + ("key_file", "curve"), + [ + ("sect163k1-spki.pem", ec.SECT163K1), + ("sect163r2-spki.pem", ec.SECT163R2), + ("sect233k1-spki.pem", ec.SECT233K1), + ("sect233r1-spki.pem", ec.SECT233R1), + ], + ) + def test_load_public_keys(self, key_file, curve, backend): + _skip_curve_unsupported(backend, curve()) + key = load_vectors_from_file( + os.path.join("asymmetric", "EC", key_file), + lambda pemfile: serialization.load_pem_public_key( + pemfile.read(), + ), + mode="rb", + ) + assert isinstance(key, ec.EllipticCurvePublicKey) + assert isinstance(key.curve, curve) + class TestEllipticCurvePEMPublicKeySerialization: @pytest.mark.parametrize( From b208cbc619735be0107c81c220a1ca46ce61c9cf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jan 2024 16:35:08 -0500 Subject: [PATCH 0916/1014] Store intermediates in a Vec rather than a hash set (#10136) There's no particular need for a hash set --- src/rust/cryptography-x509-verification/src/lib.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index ef9cdae84205..6265f75c5502 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -11,7 +11,6 @@ pub mod policy; pub mod trust_store; pub mod types; -use std::collections::HashSet; use std::vec; use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; @@ -171,7 +170,7 @@ pub fn verify<'chain, B: CryptoOps>( } struct ChainBuilder<'a, 'chain, B: CryptoOps> { - intermediates: HashSet>, + intermediates: Vec>, policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, } @@ -197,7 +196,7 @@ impl ApplyNameConstraintStatus { impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: HashSet>, + intermediates: Vec>, policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, ) -> Self { From 43a7c9f7d43c2fe7830fa9bc8b65e0b4d38d0602 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 6 Jan 2024 00:14:49 +0000 Subject: [PATCH 0917/1014] Bump BoringSSL and/or OpenSSL in CI (#10138) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc2868fd68d3..681354c6dc55 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6694ec17488e13e14f2db27f8e7a75a207d696b"}} - # Latest commit on the OpenSSL master branch, as of Jan 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3348713ad390372ba5a0a0f98b46b2f637475e47"}} + # Latest commit on the BoringSSL master branch, as of Jan 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a813621dac6878ab53b6ed7392939a8982226e8"}} + # Latest commit on the OpenSSL master branch, as of Jan 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5963aa8c196d7c5a940a979299a07418527932af"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 0670833eaa2bf62b18978275fc42753cd84cab3b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 6 Jan 2024 00:30:56 +0000 Subject: [PATCH 0918/1014] Bump x509-limbo and/or wycheproof in CI (#10139) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index eaac6fc28fb1..c9857401f2e3 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 03, 2024. - ref: "e8aea0aad91a06f2fe1e4e8be56b95d28f177790" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 06, 2024. + ref: "76061cf07d91b2612cea993049846680578a25f6" # x509-limbo-ref From e9923102f2c78bd56032708618690acb353a7061 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Jan 2024 04:54:23 -0500 Subject: [PATCH 0919/1014] fixes #10118 -- remove remaining indirection for functions that just call rust (#10140) --- .../hazmat/bindings/_rust/openssl/dh.pyi | 4 +- .../hazmat/bindings/_rust/openssl/ec.pyi | 2 +- .../hazmat/bindings/_rust/x509.pyi | 25 +++++++--- .../hazmat/primitives/asymmetric/dh.py | 7 +-- .../hazmat/primitives/asymmetric/ec.py | 5 +- .../hazmat/primitives/serialization/base.py | 1 - .../hazmat/primitives/serialization/pkcs7.py | 6 +-- src/cryptography/x509/base.py | 48 +++---------------- src/cryptography/x509/ocsp.py | 8 +--- src/rust/src/backend/dh.rs | 8 +++- src/rust/src/backend/ec.rs | 11 +++-- src/rust/src/x509/certificate.rs | 20 ++++++-- src/rust/src/x509/crl.rs | 9 +++- src/rust/src/x509/csr.rs | 9 +++- 14 files changed, 82 insertions(+), 81 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi index e29ad46bd1b5..08733d745c3d 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/dh.pyi @@ -40,7 +40,9 @@ class DHParameterNumbers: @property def q(self) -> int | None: ... -def generate_parameters(generator: int, key_size: int) -> dh.DHParameters: ... +def generate_parameters( + generator: int, key_size: int, backend: typing.Any = None +) -> dh.DHParameters: ... def from_pem_parameters( data: bytes, backend: typing.Any = None ) -> dh.DHParameters: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi index e43d4b7fa784..5c3b7bf6e4a9 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ec.pyi @@ -36,7 +36,7 @@ class EllipticCurvePublicNumbers: def curve_supported(curve: ec.EllipticCurve) -> bool: ... def generate_private_key( - curve: ec.EllipticCurve, + curve: ec.EllipticCurve, backend: typing.Any = None ) -> ec.EllipticCurvePrivateKey: ... def from_private_numbers( numbers: ec.EllipticCurvePrivateNumbers, diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index ae2849627429..418184f8a6fd 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -3,21 +3,34 @@ # for complete details. import datetime +import typing from cryptography import x509 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes -def load_pem_x509_certificate(data: bytes) -> x509.Certificate: ... +def load_pem_x509_certificate( + data: bytes, backend: typing.Any = None +) -> x509.Certificate: ... +def load_der_x509_certificate( + data: bytes, backend: typing.Any = None +) -> x509.Certificate: ... def load_pem_x509_certificates( data: bytes, ) -> list[x509.Certificate]: ... -def load_der_x509_certificate(data: bytes) -> x509.Certificate: ... -def load_pem_x509_crl(data: bytes) -> x509.CertificateRevocationList: ... -def load_der_x509_crl(data: bytes) -> x509.CertificateRevocationList: ... -def load_pem_x509_csr(data: bytes) -> x509.CertificateSigningRequest: ... -def load_der_x509_csr(data: bytes) -> x509.CertificateSigningRequest: ... +def load_pem_x509_crl( + data: bytes, backend: typing.Any = None +) -> x509.CertificateRevocationList: ... +def load_der_x509_crl( + data: bytes, backend: typing.Any = None +) -> x509.CertificateRevocationList: ... +def load_pem_x509_csr( + data: bytes, backend: typing.Any = None +) -> x509.CertificateSigningRequest: ... +def load_der_x509_csr( + data: bytes, backend: typing.Any = None +) -> x509.CertificateSigningRequest: ... def encode_name_bytes(name: x509.Name) -> bytes: ... def encode_extension_value(extension: x509.ExtensionType) -> bytes: ... def create_x509_certificate( diff --git a/src/cryptography/hazmat/primitives/asymmetric/dh.py b/src/cryptography/hazmat/primitives/asymmetric/dh.py index cc3294965c02..31c9748a91cd 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/dh.py +++ b/src/cryptography/hazmat/primitives/asymmetric/dh.py @@ -5,16 +5,11 @@ from __future__ import annotations import abc -import typing from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import _serialization - -def generate_parameters( - generator: int, key_size: int, backend: typing.Any = None -) -> DHParameters: - return rust_openssl.dh.generate_parameters(generator, key_size) +generate_parameters = rust_openssl.dh.generate_parameters DHPrivateNumbers = rust_openssl.dh.DHPrivateNumbers diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index f3bd413d9d00..c927c3f15cbe 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -332,10 +332,7 @@ def algorithm( return self._algorithm -def generate_private_key( - curve: EllipticCurve, backend: typing.Any = None -) -> EllipticCurvePrivateKey: - return rust_openssl.ec.generate_private_key(curve) +generate_private_key = rust_openssl.ec.generate_private_key def derive_private_key( diff --git a/src/cryptography/hazmat/primitives/serialization/base.py b/src/cryptography/hazmat/primitives/serialization/base.py index b2c32f658646..e7c998b7f35b 100644 --- a/src/cryptography/hazmat/primitives/serialization/base.py +++ b/src/cryptography/hazmat/primitives/serialization/base.py @@ -10,6 +10,5 @@ load_pem_public_key = rust_openssl.keys.load_pem_public_key load_der_public_key = rust_openssl.keys.load_der_public_key - load_pem_parameters = rust_openssl.dh.from_pem_parameters load_der_parameters = rust_openssl.dh.from_der_parameters diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index b6feb1ee823b..cd6c904df0ea 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -30,11 +30,7 @@ def load_der_pkcs7_certificates(data: bytes) -> list[x509.Certificate]: return backend.load_der_pkcs7_certificates(data) -def serialize_certificates( - certs: list[x509.Certificate], - encoding: serialization.Encoding, -) -> bytes: - return rust_pkcs7.serialize_certificates(certs, encoding) +serialize_certificates = rust_pkcs7.serialize_certificates PKCS7HashTypes = typing.Union[ diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 624bc44bd678..89a75a23ac36 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -641,50 +641,16 @@ def get_attribute_for_oid(self, oid: ObjectIdentifier) -> bytes: CertificateSigningRequest.register(rust_x509.CertificateSigningRequest) -# Backend argument preserved for API compatibility, but ignored. -def load_pem_x509_certificate( - data: bytes, backend: typing.Any = None -) -> Certificate: - return rust_x509.load_pem_x509_certificate(data) +load_pem_x509_certificate = rust_x509.load_pem_x509_certificate +load_der_x509_certificate = rust_x509.load_der_x509_certificate +load_pem_x509_certificates = rust_x509.load_pem_x509_certificates -def load_pem_x509_certificates(data: bytes) -> list[Certificate]: - return rust_x509.load_pem_x509_certificates(data) +load_pem_x509_csr = rust_x509.load_pem_x509_csr +load_der_x509_csr = rust_x509.load_der_x509_csr - -# Backend argument preserved for API compatibility, but ignored. -def load_der_x509_certificate( - data: bytes, backend: typing.Any = None -) -> Certificate: - return rust_x509.load_der_x509_certificate(data) - - -# Backend argument preserved for API compatibility, but ignored. -def load_pem_x509_csr( - data: bytes, backend: typing.Any = None -) -> CertificateSigningRequest: - return rust_x509.load_pem_x509_csr(data) - - -# Backend argument preserved for API compatibility, but ignored. -def load_der_x509_csr( - data: bytes, backend: typing.Any = None -) -> CertificateSigningRequest: - return rust_x509.load_der_x509_csr(data) - - -# Backend argument preserved for API compatibility, but ignored. -def load_pem_x509_crl( - data: bytes, backend: typing.Any = None -) -> CertificateRevocationList: - return rust_x509.load_pem_x509_crl(data) - - -# Backend argument preserved for API compatibility, but ignored. -def load_der_x509_crl( - data: bytes, backend: typing.Any = None -) -> CertificateRevocationList: - return rust_x509.load_der_x509_crl(data) +load_pem_x509_crl = rust_x509.load_pem_x509_crl +load_der_x509_crl = rust_x509.load_der_x509_crl class CertificateSigningRequestBuilder: diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 114e0d1e34cf..9751ceaf9655 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -611,9 +611,5 @@ def build_unsuccessful( return ocsp.create_ocsp_response(response_status, None, None, None) -def load_der_ocsp_request(data: bytes) -> OCSPRequest: - return ocsp.load_der_ocsp_request(data) - - -def load_der_ocsp_response(data: bytes) -> OCSPResponse: - return ocsp.load_der_ocsp_response(data) +load_der_ocsp_request = ocsp.load_der_ocsp_request +load_der_ocsp_response = ocsp.load_der_ocsp_response diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index f4a80d7acc1e..0319a96f0d12 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -27,7 +27,13 @@ struct DHParameters { } #[pyo3::prelude::pyfunction] -fn generate_parameters(generator: u32, key_size: u32) -> CryptographyResult { +fn generate_parameters( + generator: u32, + key_size: u32, + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult { + let _ = backend; + if key_size < MIN_MODULUS_SIZE { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err(format!( diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index ffef07fa4fab..571273a53475 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -153,14 +153,17 @@ pub(crate) fn public_key_from_pkey( #[pyo3::prelude::pyfunction] fn generate_private_key( py: pyo3::Python<'_>, - py_curve: &pyo3::PyAny, + curve: &pyo3::PyAny, + backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { - let curve = curve_from_py_curve(py, py_curve)?; - let key = openssl::ec::EcKey::generate(&curve)?; + let _ = backend; + + let ossl_curve = curve_from_py_curve(py, curve)?; + let key = openssl::ec::EcKey::generate(&ossl_curve)?; Ok(ECPrivateKey { pkey: openssl::pkey::PKey::from_ec_key(key)?, - curve: py_curve.into(), + curve: curve.into(), }) } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 6d76296d4b1f..bc40fc846ef4 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -332,7 +332,13 @@ fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, Crypt } #[pyo3::prelude::pyfunction] -fn load_pem_x509_certificate(py: pyo3::Python<'_>, data: &[u8]) -> CryptographyResult { +fn load_pem_x509_certificate( + py: pyo3::Python<'_>, + data: &[u8], + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult { + let _ = backend; + // We support both PEM header strings that OpenSSL does // https://github.com/openssl/openssl/blob/5e2d22d53ed322a7124e26a4fbd116a8210eb77a/include/openssl/pem.h#L32-L33 let parsed = x509::find_in_pem( @@ -343,6 +349,7 @@ fn load_pem_x509_certificate(py: pyo3::Python<'_>, data: &[u8]) -> CryptographyR load_der_x509_certificate( py, pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), + None, ) } @@ -355,7 +362,11 @@ fn load_pem_x509_certificates( .iter() .filter(|p| p.tag() == "CERTIFICATE" || p.tag() == "X509 CERTIFICATE") .map(|p| { - load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, p.contents()).into_py(py)) + load_der_x509_certificate( + py, + pyo3::types::PyBytes::new(py, p.contents()).into_py(py), + None, + ) }) .collect::, _>>()?; @@ -370,7 +381,10 @@ fn load_pem_x509_certificates( fn load_der_x509_certificate( py: pyo3::Python<'_>, data: pyo3::Py, + backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { + let _ = backend; + let raw = OwnedCertificate::try_new(data, |data| asn1::parse_single(data.as_bytes(py)))?; // Parse cert version immediately so we can raise error on parse if it is invalid. cert_version(py, raw.borrow_dependent().tbs_cert.version)?; @@ -894,7 +908,7 @@ fn create_x509_certificate( signature_alg: sigalg, signature: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, &data).into_py(py)) + load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) } pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 94169069a09e..8e43832986c2 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -27,7 +27,10 @@ use crate::{exceptions, types, x509}; fn load_der_x509_crl( py: pyo3::Python<'_>, data: pyo3::Py, + backend: Option<&pyo3::PyAny>, ) -> Result { + let _ = backend; + let owned = OwnedCertificateRevocationList::try_new(data, |data| { asn1::parse_single(data.as_bytes(py)) })?; @@ -53,7 +56,10 @@ fn load_der_x509_crl( fn load_pem_x509_crl( py: pyo3::Python<'_>, data: &[u8], + backend: Option<&pyo3::PyAny>, ) -> Result { + let _ = backend; + let block = x509::find_in_pem( data, |p| p.tag() == "X509 CRL", @@ -62,6 +68,7 @@ fn load_pem_x509_crl( load_der_x509_crl( py, pyo3::types::PyBytes::new(py, block.contents()).into_py(py), + None, ) } @@ -665,7 +672,7 @@ fn create_x509_crl( signature_algorithm: sigalg, signature_value: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_crl(py, pyo3::types::PyBytes::new(py, &data).into_py(py)) + load_der_x509_crl(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index ae0c5623173f..c49f6e04421a 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -224,7 +224,10 @@ impl CertificateSigningRequest { fn load_pem_x509_csr( py: pyo3::Python<'_>, data: &[u8], + backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { + let _ = backend; + // We support both PEM header strings that OpenSSL does // https://github.com/openssl/openssl/blob/5e2d22d53ed322a7124e26a4fbd116a8210eb77a/include/openssl/pem.h#L35-L36 let parsed = x509::find_in_pem( @@ -235,6 +238,7 @@ fn load_pem_x509_csr( load_der_x509_csr( py, pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), + None, ) } @@ -242,7 +246,10 @@ fn load_pem_x509_csr( fn load_der_x509_csr( py: pyo3::Python<'_>, data: pyo3::Py, + backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { + let _ = backend; + let raw = OwnedCsr::try_new(data, |data| asn1::parse_single(data.as_bytes(py)))?; let version = raw.borrow_dependent().csr_info.version; @@ -336,7 +343,7 @@ fn create_x509_csr( signature_alg: sigalg, signature: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_csr(py, pyo3::types::PyBytes::new(py, &data).into_py(py)) + load_der_x509_csr(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { From e7b149a4e2e918907f66f23d4564b17b7b6dc5be Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Jan 2024 04:55:48 -0500 Subject: [PATCH 0920/1014] Avoid rebuilding sets of permitted algorithms for each policy (#10137) --- .../src/policy/mod.rs | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index e51f0a1c413c..6d96e5feaef1 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -6,6 +6,7 @@ mod extension; use std::collections::HashSet; use std::ops::Range; +use std::sync::Arc; use asn1::ObjectIdentifier; use cryptography_x509::certificate::Certificate; @@ -54,8 +55,15 @@ static SPKI_SECP521R1: AlgorithmIdentifier<'_> = AlgorithmIdentifier { /// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.1 (page 96) /// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf -pub static WEBPKI_PERMITTED_SPKI_ALGORITHMS: Lazy>> = - Lazy::new(|| HashSet::from([&SPKI_RSA, &SPKI_SECP256R1, &SPKI_SECP384R1, &SPKI_SECP521R1])); +pub static WEBPKI_PERMITTED_SPKI_ALGORITHMS: Lazy>>> = + Lazy::new(|| { + Arc::new(HashSet::from([ + SPKI_RSA.clone(), + SPKI_SECP256R1.clone(), + SPKI_SECP384R1.clone(), + SPKI_SECP521R1.clone(), + ])) + }); // Signature AlgorithmIdentifier constants, as defined in CA/B 7.1.3.2. @@ -130,19 +138,19 @@ static ECDSA_SHA512: AlgorithmIdentifier<'_> = AlgorithmIdentifier { /// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.2 (pages 96-98) /// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf -pub static WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS: Lazy>> = +pub static WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS: Lazy>>> = Lazy::new(|| { - HashSet::from([ - &RSASSA_PKCS1V15_SHA256, - &RSASSA_PKCS1V15_SHA384, - &RSASSA_PKCS1V15_SHA512, - &RSASSA_PSS_SHA256, - &RSASSA_PSS_SHA384, - &RSASSA_PSS_SHA512, - &ECDSA_SHA256, - &ECDSA_SHA384, - &ECDSA_SHA512, - ]) + Arc::new(HashSet::from([ + RSASSA_PKCS1V15_SHA256.clone(), + RSASSA_PKCS1V15_SHA384.clone(), + RSASSA_PKCS1V15_SHA512.clone(), + RSASSA_PSS_SHA256.clone(), + RSASSA_PSS_SHA384.clone(), + RSASSA_PSS_SHA512.clone(), + ECDSA_SHA256.clone(), + ECDSA_SHA384.clone(), + ECDSA_SHA512.clone(), + ])) }); /// A default reasonable maximum chain depth. @@ -207,11 +215,11 @@ pub struct Policy<'a, B: CryptoOps> { /// The set of permitted public key algorithms, identified by their /// algorithm identifiers. - pub permitted_public_key_algorithms: HashSet>, + pub permitted_public_key_algorithms: Arc>>, /// The set of permitted signature algorithms, identified by their /// algorithm identifiers. - pub permitted_signature_algorithms: HashSet>, + pub permitted_signature_algorithms: Arc>>, ca_extension_policy: ExtensionPolicy, ee_extension_policy: ExtensionPolicy, @@ -232,16 +240,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { subject, validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), - permitted_public_key_algorithms: WEBPKI_PERMITTED_SPKI_ALGORITHMS - .clone() - .into_iter() - .cloned() - .collect(), - permitted_signature_algorithms: WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS - .clone() - .into_iter() - .cloned() - .collect(), + permitted_public_key_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SPKI_ALGORITHMS), + permitted_signature_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS), ca_extension_policy: ExtensionPolicy { // 5280 4.2.2.1: Authority Information Access authority_information_access: ExtensionValidator::maybe_present( From 97a12cfb9c20dd61fe587adf2fc06ed285f367fc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jan 2024 17:11:32 +0000 Subject: [PATCH 0921/1014] Bump proc-macro2 from 1.0.75 to 1.0.76 in /src/rust (#10141) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.75 to 1.0.76. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.75...1.0.76) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 84595ce633d1..9515e0fd235e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -262,9 +262,9 @@ checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" [[package]] name = "proc-macro2" -version = "1.0.75" +version = "1.0.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "907a61bd0f64c2f29cd1cf1dc34d05176426a3f504a78010f08416ddb7b13708" +checksum = "95fc56cda0b5c3325f5fbbd7ff9fda9e02bb00bb3dac51252d2f1bfa1cb8cc8c" dependencies = [ "unicode-ident", ] From 19adabfe453d507ff69f457f3616be532219eedc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jan 2024 12:02:16 -0500 Subject: [PATCH 0922/1014] Bump libc from 0.2.151 to 0.2.152 in /src/rust (#10144) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.151 to 0.2.152. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.151...0.2.152) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9515e0fd235e..cbb6d0ef1815 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -155,9 +155,9 @@ checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" [[package]] name = "libc" -version = "0.2.151" +version = "0.2.152" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "302d7ab3130588088d277783b1e2d2e10c9e9e4a16dd9050e6ec93fb3e7048f4" +checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7" [[package]] name = "lock_api" From 00f8304a3dfe7a2aab6f3150a3c620e87d848044 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 12:13:47 +0000 Subject: [PATCH 0923/1014] Bump alabaster from 0.7.13 to 0.7.15 (#10147) Bumps [alabaster](https://github.com/sphinx-doc/alabaster) from 0.7.13 to 0.7.15. - [Release notes](https://github.com/sphinx-doc/alabaster/releases) - [Changelog](https://github.com/sphinx-doc/alabaster/blob/master/docs/changelog.rst) - [Commits](https://github.com/sphinx-doc/alabaster/compare/0.7.13...0.7.15) --- updated-dependencies: - dependency-name: alabaster dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9937756b4ba5..3a25a87a4c73 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -5,7 +5,7 @@ # and then manually massaged to add version specifiers to packages whose # versions vary by Python version -alabaster==0.7.13 +alabaster==0.7.15 # via sphinx argcomplete==3.2.1; python_version >= "3.8" # via nox From 3b45c5670d835e4efaa168d2d2e479e753f9a4e1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 00:20:11 +0000 Subject: [PATCH 0924/1014] Bump BoringSSL and/or OpenSSL in CI (#10148) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 681354c6dc55..5315ca4ffd28 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jan 06, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a813621dac6878ab53b6ed7392939a8982226e8"}} - # Latest commit on the OpenSSL master branch, as of Jan 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5963aa8c196d7c5a940a979299a07418527932af"}} + # Latest commit on the OpenSSL master branch, as of Jan 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0a22436ea5826d0089db7f1cd97b7c90135ca165"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From ec086a4a8fac030f8ae9daba453e5ceb50903a6d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 00:35:42 +0000 Subject: [PATCH 0925/1014] Bump x509-limbo and/or wycheproof in CI (#10149) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c9857401f2e3..92bc1d75694b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 06, 2024. - ref: "76061cf07d91b2612cea993049846680578a25f6" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 09, 2024. + ref: "16af0625f14ebff7246d378b386210a45d4c6d5c" # x509-limbo-ref From 5dfea0c766c12da398812ea74e2f4f3ed198ef30 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 06:52:57 -0500 Subject: [PATCH 0926/1014] Bump more-itertools from 10.1.0 to 10.2.0 in /.github/requirements (#10150) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 10.1.0 to 10.2.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v10.1.0...v10.2.0) --- updated-dependencies: - dependency-name: more-itertools dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8e16964556f5..f4bcded7dbd9 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -259,9 +259,9 @@ mdurl==0.1.2 \ --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -more-itertools==10.1.0 \ - --hash=sha256:626c369fa0eb37bac0291bce8259b332fd59ac792fa5497b59837309cd5b114a \ - --hash=sha256:64e0735fcfdc6f3464ea133afe8ea4483b1c5fe3a3d69852e6503b43a0b222e6 +more-itertools==10.2.0 \ + --hash=sha256:686b06abe565edfab151cb8fd385a05651e1fdf8f0a14191e4439283421f8684 \ + --hash=sha256:8fccb480c43d3e99a00087634c06dd02b0d50fbf088b380de5a41a015ec239e1 # via jaraco-classes multidict==6.0.4 \ --hash=sha256:01a3a55bd90018c9c080fbb0b9f4891db37d148a0a18722b42f94694f8b6d4c9 \ From 6b2ae585f8f8edb9b4f14040169f66a874465fc9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 12:14:41 +0000 Subject: [PATCH 0927/1014] Bump base64 from 0.21.5 to 0.21.6 in /src/rust (#10151) Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.21.5 to 0.21.6. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.21.5...v0.21.6) --- updated-dependencies: - dependency-name: base64 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index cbb6d0ef1815..797c70701b93 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" -version = "0.21.5" +version = "0.21.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35636a1494ede3b646cc98f74f8e62c773a38a659ebc777a2cf26b9b74171df9" +checksum = "c79fed4cdb43e993fcdadc7e58a09fd0e3e649c4436fa11da71c9f1f3ee7feb9" [[package]] name = "bitflags" From 89d0d56fb104ac4e0e6db63d78fc22b8c53d27e9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Jan 2024 00:19:32 +0000 Subject: [PATCH 0928/1014] Bump BoringSSL and/or OpenSSL in CI (#10153) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5315ca4ffd28..4b6ec06353d3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7a813621dac6878ab53b6ed7392939a8982226e8"}} - # Latest commit on the OpenSSL master branch, as of Jan 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0a22436ea5826d0089db7f1cd97b7c90135ca165"}} + # Latest commit on the BoringSSL master branch, as of Jan 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e9539957ce42b07dc6f8b9bd23c28c7d2ef2bd3b"}} + # Latest commit on the OpenSSL master branch, as of Jan 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "806bbafe2df5b699feac6ef26e50c14e701950cf"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 199c2114c78b69c13ecbbc72bf64566afbf48103 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Jan 2024 00:35:45 +0000 Subject: [PATCH 0929/1014] Bump x509-limbo and/or wycheproof in CI (#10154) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 92bc1d75694b..f1b6172f0f4e 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 09, 2024. - ref: "16af0625f14ebff7246d378b386210a45d4c6d5c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 10, 2024. + ref: "62337778ae035d8de4130cd514549cc62aaa1896" # x509-limbo-ref From 3b4a86cdcbe0b5fba271758d43cf39560e11b767 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Jan 2024 11:55:21 +0000 Subject: [PATCH 0930/1014] Bump alabaster from 0.7.15 to 0.7.16 (#10155) Bumps [alabaster](https://github.com/sphinx-doc/alabaster) from 0.7.15 to 0.7.16. - [Release notes](https://github.com/sphinx-doc/alabaster/releases) - [Changelog](https://github.com/sphinx-doc/alabaster/blob/master/docs/changelog.rst) - [Commits](https://github.com/sphinx-doc/alabaster/compare/0.7.15...0.7.16) --- updated-dependencies: - dependency-name: alabaster dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3a25a87a4c73..5b4da1896b4a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -5,7 +5,7 @@ # and then manually massaged to add version specifiers to packages whose # versions vary by Python version -alabaster==0.7.15 +alabaster==0.7.16 # via sphinx argcomplete==3.2.1; python_version >= "3.8" # via nox From f1bd6480bf09ee0486e210c1558ee0b86d80b65c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 10 Jan 2024 15:12:52 -0500 Subject: [PATCH 0931/1014] pypi-publish: tweak OIDC minting endpoint (#10156) Signed-off-by: William Woodruff --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index ed495cba8e5a..a7f75070628e 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -75,7 +75,7 @@ jobs: response.raise_for_status() token = response.json()["value"] - response = requests.post(f"https://{os.environ['PYPI_DOMAIN']}/_/oidc/github/mint-token", json={"token": token}) + response = requests.post(f"https://{os.environ['PYPI_DOMAIN']}/_/oidc/mint-token", json={"token": token}) response.raise_for_status() pypi_token = response.json()["token"] From 5e355a086171ba1375fdcfd4bd306060e6f49333 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jan 2024 19:24:37 -0500 Subject: [PATCH 0932/1014] Remove unused bindings (#10158) boringssl removed these --- src/_cffi_src/openssl/x509_vfy.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 6df80cd0f3fc..26eed9974f82 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py @@ -122,8 +122,6 @@ static const long X509_PURPOSE_ANY; static const long X509_PURPOSE_OCSP_HELPER; static const long X509_PURPOSE_TIMESTAMP_SIGN; -static const long X509_PURPOSE_MIN; -static const long X509_PURPOSE_MAX; """ FUNCTIONS = """ From bb5f9c06ee9bfb133da44502bd2a420232151f93 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jan 2024 19:25:10 -0500 Subject: [PATCH 0933/1014] Remove now unused OpenSSL cmac bindings (#10146) --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/cmac.py | 27 --------------------------- 2 files changed, 28 deletions(-) delete mode 100644 src/_cffi_src/openssl/cmac.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index ae8b821fe644..2ba79a6f4daf 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -26,7 +26,6 @@ "asn1", "bignum", "bio", - "cmac", "crypto", "dh", "dsa", diff --git a/src/_cffi_src/openssl/cmac.py b/src/_cffi_src/openssl/cmac.py deleted file mode 100644 index 7095066dac54..000000000000 --- a/src/_cffi_src/openssl/cmac.py +++ /dev/null @@ -1,27 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#if !defined(OPENSSL_NO_CMAC) -#include -#endif -""" - -TYPES = """ -typedef ... CMAC_CTX; -""" - -FUNCTIONS = """ -CMAC_CTX *CMAC_CTX_new(void); -int CMAC_Init(CMAC_CTX *, const void *, size_t, const EVP_CIPHER *, ENGINE *); -int CMAC_Update(CMAC_CTX *, const void *, size_t); -int CMAC_Final(CMAC_CTX *, unsigned char *, size_t *); -int CMAC_CTX_copy(CMAC_CTX *, const CMAC_CTX *); -void CMAC_CTX_free(CMAC_CTX *); -""" - -CUSTOMIZATIONS = """ -""" From efb98b43f89466ff8034b5fe7667980e6cba31fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jan 2024 19:26:45 -0500 Subject: [PATCH 0934/1014] Remove now unused OpenSSL password callback (#10145) --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/callbacks.py | 52 --------------------------- tests/hazmat/backends/test_openssl.py | 27 -------------- 3 files changed, 80 deletions(-) delete mode 100644 src/_cffi_src/openssl/callbacks.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 2ba79a6f4daf..3a7d86caaec4 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -47,7 +47,6 @@ "x509v3", "x509_vfy", "pkcs7", - "callbacks", ], ) diff --git a/src/_cffi_src/openssl/callbacks.py b/src/_cffi_src/openssl/callbacks.py deleted file mode 100644 index ddb764283920..000000000000 --- a/src/_cffi_src/openssl/callbacks.py +++ /dev/null @@ -1,52 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#include -""" - -TYPES = """ -typedef struct { - char *password; - int length; - int called; - int error; - int maxsize; -} CRYPTOGRAPHY_PASSWORD_DATA; -""" - -FUNCTIONS = """ -int Cryptography_pem_password_cb(char *, int, int, void *); -""" - -CUSTOMIZATIONS = """ -typedef struct { - char *password; - int length; - int called; - int error; - int maxsize; -} CRYPTOGRAPHY_PASSWORD_DATA; - -int Cryptography_pem_password_cb(char *buf, int size, - int rwflag, void *userdata) { - /* The password cb is only invoked if OpenSSL decides the private - key is encrypted. So this path only occurs if it needs a password */ - CRYPTOGRAPHY_PASSWORD_DATA *st = (CRYPTOGRAPHY_PASSWORD_DATA *)userdata; - st->called += 1; - st->maxsize = size; - if (st->length == 0) { - st->error = -1; - return 0; - } else if (st->length < size) { - memcpy(buf, st->password, (size_t)st->length); - return st->length; - } else { - st->error = -2; - return 0; - } -} -""" diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index f5bc6233f35c..faa291668f5c 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -252,33 +252,6 @@ def test_unsupported_mgf1_hash_algorithm_md5_decrypt(self, rsa_key_2048): class TestOpenSSLSerializationWithOpenSSL: - def test_pem_password_cb(self): - userdata = backend._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") - pw = b"abcdefg" - password = backend._ffi.new("char []", pw) - userdata.password = password - userdata.length = len(pw) - buflen = 10 - buf = backend._ffi.new("char []", buflen) - res = backend._lib.Cryptography_pem_password_cb( - buf, buflen, 0, userdata - ) - assert res == len(pw) - assert userdata.called == 1 - assert backend._ffi.buffer(buf, len(pw))[:] == pw - assert userdata.maxsize == buflen - assert userdata.error == 0 - - def test_pem_password_cb_no_password(self): - userdata = backend._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") - buflen = 10 - buf = backend._ffi.new("char []", buflen) - res = backend._lib.Cryptography_pem_password_cb( - buf, buflen, 0, userdata - ) - assert res == 0 - assert userdata.error == -1 - def test_unsupported_evp_pkey_type(self): key = backend._lib.EVP_PKEY_new() key = backend._ffi.gc(key, backend._lib.EVP_PKEY_free) From 8b8d258cfa56fdd679fa91e082d555433574ab2b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jan 2024 19:29:51 -0500 Subject: [PATCH 0935/1014] Simplify some parameter handling in AEAD (#10142) --- src/rust/src/backend/aead.rs | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index ba14900d5f71..fc5418835e57 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -220,9 +220,8 @@ struct AesSiv { #[pyo3::prelude::pymethods] impl AesSiv { #[new] - fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { - let key_buf = key.extract::>(py)?; - let cipher_name = match key_buf.as_bytes().len() { + fn new(key: CffiBuf<'_>) -> CryptographyResult { + let cipher_name = match key.as_bytes().len() { 32 => "aes-128-siv", 48 => "aes-192-siv", 64 => "aes-256-siv", @@ -248,7 +247,7 @@ impl AesSiv { let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; Ok(AesSiv { - ctx: EvpCipherAead::new(&cipher, key_buf.as_bytes(), 16, true)?, + ctx: EvpCipherAead::new(&cipher, key.as_bytes(), 16, true)?, }) } else { return Err(CryptographyError::from( @@ -315,9 +314,7 @@ struct AesOcb3 { #[pyo3::prelude::pymethods] impl AesOcb3 { #[new] - fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { - let key_buf = key.extract::>(py)?; - + fn new(key: CffiBuf<'_>) -> CryptographyResult { cfg_if::cfg_if! { if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { return Err(CryptographyError::from( @@ -336,7 +333,7 @@ impl AesOcb3 { )); } - let cipher = match key_buf.as_bytes().len() { + let cipher = match key.as_bytes().len() { 16 => openssl::cipher::Cipher::aes_128_ocb(), 24 => openssl::cipher::Cipher::aes_192_ocb(), 32 => openssl::cipher::Cipher::aes_256_ocb(), @@ -350,7 +347,7 @@ impl AesOcb3 { }; Ok(AesOcb3 { - ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?, + ctx: EvpCipherAead::new(cipher, key.as_bytes(), 16, false)?, }) } } @@ -422,9 +419,8 @@ struct AesGcmSiv { #[pyo3::prelude::pymethods] impl AesGcmSiv { #[new] - fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { - let key_buf = key.extract::>(py)?; - let cipher_name = match key_buf.as_bytes().len() { + fn new(key: CffiBuf<'_>) -> CryptographyResult { + let cipher_name = match key.as_bytes().len() { 16 => "aes-128-gcm-siv", 24 => "aes-192-gcm-siv", 32 => "aes-256-gcm-siv", @@ -457,7 +453,7 @@ impl AesGcmSiv { } let cipher = openssl::cipher::Cipher::fetch(None, cipher_name, None)?; Ok(AesGcmSiv { - ctx: EvpCipherAead::new(&cipher, key_buf.as_bytes(), 16, false)?, + ctx: EvpCipherAead::new(&cipher, key.as_bytes(), 16, false)?, }) } } From 03ab5a1816195a3bcd353060812c811168746b6b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jan 2024 19:32:14 -0500 Subject: [PATCH 0936/1014] Simplify CffiBuf code to avoid dangling pointer magic (#10152) --- src/rust/src/buf.rs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index 0acb4bd0a106..c1f2cc8253c7 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use std::{ptr, slice}; +use std::slice; use crate::types; @@ -28,15 +28,9 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { .extract()?; let len = bufobj.len()?; - let ptr = if len == 0 { - ptr::NonNull::dangling().as_ptr() + let buf = if len == 0 { + &[] } else { - ptrval as *const u8 - }; - - Ok(CffiBuf { - _pyobj: pyobj, - _bufobj: bufobj, // SAFETY: _extract_buffer_length ensures that we have a valid ptr // and length (and we ensure we meet slice's requirements for // 0-length slices above), we're keeping pyobj alive which ensures @@ -45,7 +39,13 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { // https://alexgaynor.net/2022/oct/23/buffers-on-the-edge/ // for details. This is the same as our cffi status quo ante, so // we're doing an unsound thing and living with it. - buf: unsafe { slice::from_raw_parts(ptr, len) }, + unsafe { slice::from_raw_parts(ptrval as *const u8, len) } + }; + + Ok(CffiBuf { + _pyobj: pyobj, + _bufobj: bufobj, + buf, }) } } From 15e97d62217c71a802934041066eda98b152d310 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 00:42:10 +0000 Subject: [PATCH 0937/1014] Bump BoringSSL and/or OpenSSL in CI (#10157) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b6ec06353d3..69726efbeaa2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "e9539957ce42b07dc6f8b9bd23c28c7d2ef2bd3b"}} - # Latest commit on the OpenSSL master branch, as of Jan 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "806bbafe2df5b699feac6ef26e50c14e701950cf"}} + # Latest commit on the BoringSSL master branch, as of Jan 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "0c8bc4653e34892dc291b48fb38e180ce92b5921"}} + # Latest commit on the OpenSSL master branch, as of Jan 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "398011848468c7e8e481b295f7904afc30934217"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 728365f45034486f3ae0be0193e978c2bd7a7cae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jan 2024 20:00:35 -0500 Subject: [PATCH 0938/1014] Add a new encrypt/decrypt with ctx to aead internals (#10143) This will allow working around the OpenSSL3 bug with copying ctx --- src/rust/src/backend/aead.rs | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index fc5418835e57..61f209e055fa 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -131,10 +131,21 @@ impl EvpCipherAead { aad: Option>, nonce: Option<&[u8]>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - check_length(plaintext)?; - let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_encryption_ctx)?; + self.encrypt_with_context(py, ctx, plaintext, aad, nonce) + } + + fn encrypt_with_context<'p>( + &self, + py: pyo3::Python<'p>, + mut ctx: openssl::cipher_ctx::CipherCtx, + plaintext: &[u8], + aad: Option>, + nonce: Option<&[u8]>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + check_length(plaintext)?; + if let Some(nonce) = nonce { ctx.set_iv_length(nonce.len())?; } @@ -169,13 +180,24 @@ impl EvpCipherAead { ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + ctx.copy(&self.base_decryption_ctx)?; + self.decrypt_with_ctx(py, ctx, ciphertext, aad, nonce) + } + + fn decrypt_with_ctx<'p>( + &self, + py: pyo3::Python<'p>, + mut ctx: openssl::cipher_ctx::CipherCtx, + ciphertext: &[u8], + aad: Option>, + nonce: Option<&[u8]>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if ciphertext.len() < self.tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } - let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; - ctx.copy(&self.base_decryption_ctx)?; if let Some(nonce) = nonce { ctx.set_iv_length(nonce.len())?; } From 5418e1e6d661ab9d996f9b973b75cf4a064d851a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 12:10:53 +0000 Subject: [PATCH 0939/1014] Bump jinja2 from 3.1.2 to 3.1.3 (#10159) Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.2...3.1.3) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5b4da1896b4a..1ee38f1cfeb0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -48,7 +48,7 @@ imagesize==1.4.1 # via sphinx iniconfig==2.0.0 # via pytest -jinja2==3.1.2 +jinja2==3.1.3 # via sphinx markupsafe==2.1.3 # via jinja2 From f14dddbe0a37326d52a25b7778d9868cb4b00add Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 19:19:19 -0500 Subject: [PATCH 0940/1014] Bump BoringSSL and/or OpenSSL in CI (#10162) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 69726efbeaa2..30c0deb5afda 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "0c8bc4653e34892dc291b48fb38e180ce92b5921"}} - # Latest commit on the OpenSSL master branch, as of Jan 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "398011848468c7e8e481b295f7904afc30934217"}} + # Latest commit on the BoringSSL master branch, as of Jan 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8a558aa2fc6172396a41e853cc5c6e3109a98f56"}} + # Latest commit on the OpenSSL master branch, as of Jan 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9eabb30ab4491bdcf49c5bfeef659ca846da5160"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From b1810f36861343f13d312bcf9ee3bc3d63dd5579 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 00:33:42 +0000 Subject: [PATCH 0941/1014] Bump x509-limbo and/or wycheproof in CI (#10163) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f1b6172f0f4e..1b65536285c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 10, 2024. - ref: "62337778ae035d8de4130cd514549cc62aaa1896" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 12, 2024. + ref: "212c926ebab967dbff2c8910e11cf30cd94efde3" # x509-limbo-ref From ba2bef6daca77cf1217e470e337b39c284d60151 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Jan 2024 07:37:43 -0500 Subject: [PATCH 0942/1014] Silence new clippy false-positive (#10168) --- src/rust/src/x509/crl.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 8e43832986c2..f4d6feebc820 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -120,6 +120,9 @@ impl CertificateRevocationList { self.len() } + // Silenced due to false-positives + // https://github.com/rust-lang/rust-clippy/issues/12135 + #[allow(clippy::useless_asref)] fn __iter__(&self) -> CRLIterator { CRLIterator { contents: OwnedCRLIteratorData::try_new(Arc::clone(&self.owned), |v| { From 53f3fdaa617a39b610a65567c8ac610754326846 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 12:48:35 +0000 Subject: [PATCH 0943/1014] Bump base64 from 0.21.6 to 0.21.7 in /src/rust (#10167) Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.21.6 to 0.21.7. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.21.6...v0.21.7) --- updated-dependencies: - dependency-name: base64 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 797c70701b93..995f6f0e0e9c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" -version = "0.21.6" +version = "0.21.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c79fed4cdb43e993fcdadc7e58a09fd0e3e649c4436fa11da71c9f1f3ee7feb9" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" [[package]] name = "bitflags" From 2bae113d7c672b83d47aeafd88d0f800630a3393 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 12:51:11 +0000 Subject: [PATCH 0944/1014] Bump ruff from 0.1.11 to 0.1.12 (#10165) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.11 to 0.1.12. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.11...v0.1.12) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1ee38f1cfeb0..8dd08df233f0 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.11 +ruff==0.1.12 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 17583be43c99787830a4b6214ab6475aa982652f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 12:51:39 +0000 Subject: [PATCH 0945/1014] Bump id from 1.2.1 to 1.3.0 in /.github/requirements (#10166) Bumps [id](https://github.com/di/id) from 1.2.1 to 1.3.0. - [Release notes](https://github.com/di/id/releases) - [Changelog](https://github.com/di/id/blob/main/CHANGELOG.md) - [Commits](https://github.com/di/id/compare/v1.2.1...v1.3.0) --- updated-dependencies: - dependency-name: id dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f4bcded7dbd9..3e07243c697d 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -221,9 +221,9 @@ hyperframe==6.0.1 \ --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 # via h2 -id==1.2.1 \ - --hash=sha256:339fe8d7a0edf20514ed5e5dc841e504c99f38c7b7d7a2849724c6dfedc89860 \ - --hash=sha256:51021c5ba12c6ee88fb58240a58f788f43aa9c4f629280d6a97a1192f3cefdb9 +id==1.3.0 \ + --hash=sha256:c5dbb6048a469466054f065e92dba9b202a57d718cf12a0f24a082d0df988e18 \ + --hash=sha256:da320bc6d6e612a2c16364ca95bb905e87c74332d4fc9b34850a26c304790694 # via sigstore idna==3.6 \ --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \ From 113fca9225b933426cf2199abb85f77754d3ca78 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 12:55:51 +0000 Subject: [PATCH 0946/1014] Bump actions/cache from 3.3.2 to 3.3.3 (#10164) Bumps [actions/cache](https://github.com/actions/cache) from 3.3.2 to 3.3.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/704facf57e6136b1bc63b828d79edcd491f0ee84...e12d46a63a90f2fae62d114769bbf2a179198b5c) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30c0deb5afda..4cb8763e0292 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -95,7 +95,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 id: ossl-cache timeout-minutes: 2 with: From a1ed534adb0c0dd63d99a0a75983e5ed92822c8b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Fri, 12 Jan 2024 16:05:59 -0500 Subject: [PATCH 0947/1014] docs/x509: fix verification example (#10169) * docs/x509: fix verification example Signed-off-by: William Woodruff * x509/verification: doctest Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- docs/x509/verification.rst | 81 ++++++++++++++++++++++++++++++++------ 1 file changed, 68 insertions(+), 13 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 9524a79f29d3..6afc75f289e5 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -15,19 +15,74 @@ or chain building. Example usage, with `certifi `_ providing the root of trust: -.. code-block:: python - - from cryptography.x509 import Certificate, DNSName, load_pem_x509_certificates - from cryptography.x509.verification import PolicyBuilder, Store - import certifi - - with open(certifi.where(), "rb") as pems: - store = Store(load_pem_x509_certificates(pems.read())) - - builder = PolicyBuilder().store(store) - verifier = builder().build_server_verifier(DNSName("cryptography.io")) - - chain = verifier.verify(peer, untrusted_intermediates) +.. testsetup:: + + from cryptography.x509 import load_pem_x509_certificate, load_pem_x509_certificates + from datetime import datetime + + peer = load_pem_x509_certificate(b""" + -----BEGIN CERTIFICATE----- + MIIDgTCCAwegAwIBAgISBJUzlK20QGqPf5xI0aoE8OIBMAoGCCqGSM49BAMDMDIx + CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF + MTAeFw0yMzExMjIyMDUyNDBaFw0yNDAyMjAyMDUyMzlaMBoxGDAWBgNVBAMTD2Ny + eXB0b2dyYXBoeS5pbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAh2A0yuOByJ + lxK3ps5vbSOT6ZmvAlflGLn8kEseeodIAockm0ISTb/NGSpu/SY4ITefAOSaulKn + BzDgmqjGRKujggITMIICDzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYB + BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJu7f03HjjwJ + MU6rfwDBzxySTrs5MB8GA1UdIwQYMBaAFFrz7Sv8NsI3eblSMOpUb89Vyy6sMFUG + CCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL2UxLm8ubGVuY3Iub3Jn + MCIGCCsGAQUFBzAChhZodHRwOi8vZTEuaS5sZW5jci5vcmcvMBoGA1UdEQQTMBGC + D2NyeXB0b2dyYXBoeS5pbzATBgNVHSAEDDAKMAgGBmeBDAECATCCAQYGCisGAQQB + 1nkCBAIEgfcEgfQA8gB3AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRz + AAABi/kFXv4AAAQDAEgwRgIhAI9uF526YzU/DEfpmWRA28fn9gryrWMUCXQnEejQ + K/trAiEA12ePSql3sGJ/QgXc6ceQB/XAdwzwDB+2CHr6T14vvvUAdwDuzdBk1dsa + zsVct520zROiModGfLzs3sNRSFlGcR+1mwAAAYv5BV8kAAAEAwBIMEYCIQD1mqTn + b1hOpZWAUlwVM4EJLYA9HtlOvF70bfrGHpAX4gIhAI8pktDxrUwfTXPuA+eMFPbC + QraG6dMkB+HOmTz+hgKyMAoGCCqGSM49BAMDA2gAMGUCMQC+PwiHciKMaJyRJkGa + KFjT/1ICAUsCm8o5h4Xxm0LoOCJVggaXeamDEYnPWbxGETgCME5TJzLIDuF3z6vX + 1SLZDdvHEHLKfOL8/h8KctkjLQ8OJycxwIc+zK+xexVoIuxRhA== + -----END CERTIFICATE----- + """ + ) + + untrusted_intermediates = load_pem_x509_certificates(b""" + -----BEGIN CERTIFICATE----- + MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL + MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo + IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN + MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j + cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c + S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj + +240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB + BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB + MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V + yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB + BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E + IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG + Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+ + Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q + YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/ + -----END CERTIFICATE----- + """) + + verification_time = datetime.fromisoformat("2024-01-12T00:00:00Z") + +.. doctest:: + + >>> from cryptography.x509 import Certificate, DNSName, load_pem_x509_certificates + >>> from cryptography.x509.verification import PolicyBuilder, Store + >>> import certifi + >>> from datetime import datetime + >>> with open(certifi.where(), "rb") as pems: + ... store = Store(load_pem_x509_certificates(pems.read())) + >>> builder = PolicyBuilder().store(store) + >>> builder = builder.time(verification_time) + >>> verifier = builder.build_server_verifier(DNSName("cryptography.io")) + >>> # NOTE: peer and untrusted_intermediates are Certificate and + >>> # list[Certificate] respectively, and should be loaded from the + >>> # application context that needs them verified, such as a + >>> # TLS socket. + >>> chain = verifier.verify(peer, untrusted_intermediates) .. class:: Store(certs) From 94d2275b756a04c0ebd228cb0a764a0ba6149837 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 19:16:11 -0500 Subject: [PATCH 0948/1014] Bump BoringSSL and/or OpenSSL in CI (#10170) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4cb8763e0292..1ec47119a814 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8a558aa2fc6172396a41e853cc5c6e3109a98f56"}} - # Latest commit on the OpenSSL master branch, as of Jan 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9eabb30ab4491bdcf49c5bfeef659ca846da5160"}} + # Latest commit on the BoringSSL master branch, as of Jan 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8f4e9d41548eca0cd394b66d3bd0ecd16e04b8b2"}} + # Latest commit on the OpenSSL master branch, as of Jan 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "df04e81794ac3083804c34c173eb2b2fa55d373d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 94e5167a123d05285e8f50c1cdcb3f76c995790d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Jan 2024 20:16:39 -0500 Subject: [PATCH 0949/1014] Migrate ChaCha20Poly1305 AEAD to Rust (#9399) * Migrate ChaCha20Poly1305 AEAD to Rust * Remove FixedPool --- .../hazmat/backends/openssl/aead.py | 269 ++------------ .../hazmat/bindings/_rust/__init__.pyi | 17 - .../hazmat/bindings/_rust/openssl/aead.pyi | 17 + .../hazmat/primitives/ciphers/aead.py | 75 +--- src/rust/cryptography-openssl/src/aead.rs | 91 +++++ src/rust/cryptography-openssl/src/lib.rs | 2 + src/rust/src/backend/aead.rs | 339 +++++++++++++++++- src/rust/src/lib.rs | 2 - src/rust/src/pool.rs | 81 ----- tests/test_rust_utils.py | 63 ---- 10 files changed, 461 insertions(+), 495 deletions(-) create mode 100644 src/rust/cryptography-openssl/src/aead.rs delete mode 100644 src/rust/src/pool.rs delete mode 100644 tests/test_rust_utils.py diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py index 95c5133c1dc9..f1d990106474 100644 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ b/src/cryptography/hazmat/backends/openssl/aead.py @@ -13,47 +13,15 @@ from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, - ChaCha20Poly1305, ) - _AEADTypes = typing.Union[AESCCM, AESGCM, ChaCha20Poly1305] - - -def _is_evp_aead_supported_cipher( - backend: Backend, cipher: _AEADTypes -) -> bool: - """ - Checks whether the given cipher is supported through - EVP_AEAD rather than the normal OpenSSL EVP_CIPHER API. - """ - from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 - - return backend._lib.Cryptography_HAS_EVP_AEAD and isinstance( - cipher, ChaCha20Poly1305 - ) + _AEADTypes = typing.Union[AESCCM, AESGCM] def _aead_cipher_supported(backend: Backend, cipher: _AEADTypes) -> bool: - if _is_evp_aead_supported_cipher(backend, cipher): - return True - else: - cipher_name = _evp_cipher_cipher_name(cipher) - if backend._fips_enabled and cipher_name not in backend._fips_aead: - return False - return ( - backend._lib.EVP_get_cipherbyname(cipher_name) != backend._ffi.NULL - ) + cipher_name = _evp_cipher_cipher_name(cipher) - -def _aead_create_ctx( - backend: Backend, - cipher: _AEADTypes, - key: bytes, -): - if _is_evp_aead_supported_cipher(backend, cipher): - return _evp_aead_create_ctx(backend, cipher, key) - else: - return _evp_cipher_create_ctx(backend, cipher, key) + return backend._lib.EVP_get_cipherbyname(cipher_name) != backend._ffi.NULL def _encrypt( @@ -63,153 +31,24 @@ def _encrypt( data: bytes, associated_data: list[bytes], tag_length: int, - ctx: typing.Any = None, -) -> bytes: - if _is_evp_aead_supported_cipher(backend, cipher): - return _evp_aead_encrypt( - backend, cipher, nonce, data, associated_data, tag_length, ctx - ) - else: - return _evp_cipher_encrypt( - backend, cipher, nonce, data, associated_data, tag_length, ctx - ) - - -def _decrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, - ctx: typing.Any = None, ) -> bytes: - if _is_evp_aead_supported_cipher(backend, cipher): - return _evp_aead_decrypt( - backend, cipher, nonce, data, associated_data, tag_length, ctx - ) - else: - return _evp_cipher_decrypt( - backend, cipher, nonce, data, associated_data, tag_length, ctx - ) - - -def _evp_aead_create_ctx( - backend: Backend, - cipher: _AEADTypes, - key: bytes, - tag_len: int | None = None, -): - aead_cipher = _evp_aead_get_cipher(backend, cipher) - assert aead_cipher is not None - key_ptr = backend._ffi.from_buffer(key) - tag_len = ( - backend._lib.EVP_AEAD_DEFAULT_TAG_LENGTH - if tag_len is None - else tag_len - ) - ctx = backend._lib.Cryptography_EVP_AEAD_CTX_new( - aead_cipher, key_ptr, len(key), tag_len - ) - backend.openssl_assert(ctx != backend._ffi.NULL) - ctx = backend._ffi.gc(ctx, backend._lib.EVP_AEAD_CTX_free) - return ctx - - -def _evp_aead_get_cipher(backend: Backend, cipher: _AEADTypes): - from cryptography.hazmat.primitives.ciphers.aead import ( - ChaCha20Poly1305, - ) - - # Currently only ChaCha20-Poly1305 is supported using this API - assert isinstance(cipher, ChaCha20Poly1305) - return backend._lib.EVP_aead_chacha20_poly1305() - - -def _evp_aead_encrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, - ctx: typing.Any, -) -> bytes: - assert ctx is not None - - aead_cipher = _evp_aead_get_cipher(backend, cipher) - assert aead_cipher is not None - - out_len = backend._ffi.new("size_t *") - # max_out_len should be in_len plus the result of - # EVP_AEAD_max_overhead. - max_out_len = len(data) + backend._lib.EVP_AEAD_max_overhead(aead_cipher) - out_buf = backend._ffi.new("uint8_t[]", max_out_len) - data_ptr = backend._ffi.from_buffer(data) - nonce_ptr = backend._ffi.from_buffer(nonce) - aad = b"".join(associated_data) - aad_ptr = backend._ffi.from_buffer(aad) - - res = backend._lib.EVP_AEAD_CTX_seal( - ctx, - out_buf, - out_len, - max_out_len, - nonce_ptr, - len(nonce), - data_ptr, - len(data), - aad_ptr, - len(aad), + return _evp_cipher_encrypt( + backend, cipher, nonce, data, associated_data, tag_length ) - backend.openssl_assert(res == 1) - encrypted_data = backend._ffi.buffer(out_buf, out_len[0])[:] - return encrypted_data -def _evp_aead_decrypt( +def _decrypt( backend: Backend, cipher: _AEADTypes, nonce: bytes, data: bytes, associated_data: list[bytes], tag_length: int, - ctx: typing.Any, ) -> bytes: - if len(data) < tag_length: - raise InvalidTag - - assert ctx is not None - - out_len = backend._ffi.new("size_t *") - # max_out_len should at least in_len - max_out_len = len(data) - out_buf = backend._ffi.new("uint8_t[]", max_out_len) - data_ptr = backend._ffi.from_buffer(data) - nonce_ptr = backend._ffi.from_buffer(nonce) - aad = b"".join(associated_data) - aad_ptr = backend._ffi.from_buffer(aad) - - res = backend._lib.EVP_AEAD_CTX_open( - ctx, - out_buf, - out_len, - max_out_len, - nonce_ptr, - len(nonce), - data_ptr, - len(data), - aad_ptr, - len(aad), + return _evp_cipher_decrypt( + backend, cipher, nonce, data, associated_data, tag_length ) - if res == 0: - backend._consume_errors() - raise InvalidTag - - decrypted_data = backend._ffi.buffer(out_buf, out_len[0])[:] - return decrypted_data - _ENCRYPT = 1 _DECRYPT = 0 @@ -219,12 +58,9 @@ def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, AESGCM, - ChaCha20Poly1305, ) - if isinstance(cipher, ChaCha20Poly1305): - return b"chacha20-poly1305" - elif isinstance(cipher, AESCCM): + if isinstance(cipher, AESCCM): return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") else: assert isinstance(cipher, AESGCM) @@ -237,29 +73,6 @@ def _evp_cipher(cipher_name: bytes, backend: Backend): return evp_cipher -def _evp_cipher_create_ctx( - backend: Backend, - cipher: _AEADTypes, - key: bytes, -): - ctx = backend._lib.EVP_CIPHER_CTX_new() - backend.openssl_assert(ctx != backend._ffi.NULL) - ctx = backend._ffi.gc(ctx, backend._lib.EVP_CIPHER_CTX_free) - cipher_name = _evp_cipher_cipher_name(cipher) - evp_cipher = _evp_cipher(cipher_name, backend) - key_ptr = backend._ffi.from_buffer(key) - res = backend._lib.EVP_CipherInit_ex( - ctx, - evp_cipher, - backend._ffi.NULL, - key_ptr, - backend._ffi.NULL, - 0, - ) - backend.openssl_assert(res != 0) - return ctx - - def _evp_cipher_aead_setup( backend: Backend, cipher_name: bytes, @@ -323,21 +136,6 @@ def _evp_cipher_set_tag(backend, ctx, tag: bytes) -> None: backend.openssl_assert(res != 0) -def _evp_cipher_set_nonce_operation( - backend, ctx, nonce: bytes, operation: int -) -> None: - nonce_ptr = backend._ffi.from_buffer(nonce) - res = backend._lib.EVP_CipherInit_ex( - ctx, - backend._ffi.NULL, - backend._ffi.NULL, - backend._ffi.NULL, - nonce_ptr, - int(operation == _ENCRYPT), - ) - backend.openssl_assert(res != 0) - - def _evp_cipher_set_length(backend: Backend, ctx, data_len: int) -> None: intptr = backend._ffi.new("int *") res = backend._lib.EVP_CipherUpdate( @@ -373,23 +171,19 @@ def _evp_cipher_encrypt( data: bytes, associated_data: list[bytes], tag_length: int, - ctx: typing.Any = None, ) -> bytes: from cryptography.hazmat.primitives.ciphers.aead import AESCCM - if ctx is None: - cipher_name = _evp_cipher_cipher_name(cipher) - ctx = _evp_cipher_aead_setup( - backend, - cipher_name, - cipher._key, - nonce, - None, - tag_length, - _ENCRYPT, - ) - else: - _evp_cipher_set_nonce_operation(backend, ctx, nonce, _ENCRYPT) + cipher_name = _evp_cipher_cipher_name(cipher) + ctx = _evp_cipher_aead_setup( + backend, + cipher_name, + cipher._key, + nonce, + None, + tag_length, + _ENCRYPT, + ) # CCM requires us to pass the length of the data before processing # anything. @@ -425,7 +219,6 @@ def _evp_cipher_decrypt( data: bytes, associated_data: list[bytes], tag_length: int, - ctx: typing.Any = None, ) -> bytes: from cryptography.hazmat.primitives.ciphers.aead import AESCCM @@ -434,20 +227,16 @@ def _evp_cipher_decrypt( tag = data[-tag_length:] data = data[:-tag_length] - if ctx is None: - cipher_name = _evp_cipher_cipher_name(cipher) - ctx = _evp_cipher_aead_setup( - backend, - cipher_name, - cipher._key, - nonce, - tag, - tag_length, - _DECRYPT, - ) - else: - _evp_cipher_set_nonce_operation(backend, ctx, nonce, _DECRYPT) - _evp_cipher_set_tag(backend, ctx, tag) + cipher_name = _evp_cipher_cipher_name(cipher) + ctx = _evp_cipher_aead_setup( + backend, + cipher_name, + cipher._key, + nonce, + tag, + tag_length, + _DECRYPT, + ) # CCM requires us to pass the length of the data before processing # anything. diff --git a/src/cryptography/hazmat/bindings/_rust/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/__init__.pyi index 0b36938ec49a..18a6fb87b628 100644 --- a/src/cryptography/hazmat/bindings/_rust/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/__init__.pyi @@ -2,7 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -import types import typing def check_pkcs7_padding(data: bytes) -> bool: ... @@ -16,19 +15,3 @@ class ObjectIdentifier: def _name(self) -> str: ... T = typing.TypeVar("T") - -class FixedPool(typing.Generic[T]): - def __init__( - self, - create: typing.Callable[[], T], - ) -> None: ... - def acquire(self) -> PoolAcquisition[T]: ... - -class PoolAcquisition(typing.Generic[T]): - def __enter__(self) -> T: ... - def __exit__( - self, - exc_type: type[BaseException] | None, - exc_value: BaseException | None, - exc_tb: types.TracebackType | None, - ) -> None: ... diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index 62f1d8772b0b..81e801e30bb5 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -2,6 +2,23 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +class ChaCha20Poly1305: + def __init__(self, key: bytes) -> None: ... + @staticmethod + def generate_key() -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + class AESSIV: def __init__(self, key: bytes) -> None: ... @staticmethod diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 9752d786cea3..40f1b9b74459 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -9,7 +9,6 @@ from cryptography import exceptions, utils from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.backend import backend -from cryptography.hazmat.bindings._rust import FixedPool from cryptography.hazmat.bindings._rust import openssl as rust_openssl __all__ = [ @@ -21,84 +20,12 @@ "AESSIV", ] +ChaCha20Poly1305 = rust_openssl.aead.ChaCha20Poly1305 AESSIV = rust_openssl.aead.AESSIV AESOCB3 = rust_openssl.aead.AESOCB3 AESGCMSIV = rust_openssl.aead.AESGCMSIV -class ChaCha20Poly1305: - _MAX_SIZE = 2**31 - 1 - - def __init__(self, key: bytes): - if not backend.aead_cipher_supported(self): - raise exceptions.UnsupportedAlgorithm( - "ChaCha20Poly1305 is not supported by this version of OpenSSL", - exceptions._Reasons.UNSUPPORTED_CIPHER, - ) - utils._check_byteslike("key", key) - - if len(key) != 32: - raise ValueError("ChaCha20Poly1305 key must be 32 bytes.") - - self._key = key - self._pool = FixedPool(self._create_fn) - - @classmethod - def generate_key(cls) -> bytes: - return os.urandom(32) - - def _create_fn(self): - return aead._aead_create_ctx(backend, self, self._key) - - def encrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE: - # This is OverflowError to match what cffi would raise - raise OverflowError( - "Data or associated data too long. Max 2**31 - 1 bytes" - ) - - self._check_params(nonce, data, associated_data) - with self._pool.acquire() as ctx: - return aead._encrypt( - backend, self, nonce, data, [associated_data], 16, ctx - ) - - def decrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - self._check_params(nonce, data, associated_data) - with self._pool.acquire() as ctx: - return aead._decrypt( - backend, self, nonce, data, [associated_data], 16, ctx - ) - - def _check_params( - self, - nonce: bytes, - data: bytes, - associated_data: bytes, - ) -> None: - utils._check_byteslike("nonce", nonce) - utils._check_byteslike("data", data) - utils._check_byteslike("associated_data", associated_data) - if len(nonce) != 12: - raise ValueError("Nonce must be 12 bytes") - - class AESCCM: _MAX_SIZE = 2**31 - 1 diff --git a/src/rust/cryptography-openssl/src/aead.rs b/src/rust/cryptography-openssl/src/aead.rs new file mode 100644 index 000000000000..000d5a9c65f9 --- /dev/null +++ b/src/rust/cryptography-openssl/src/aead.rs @@ -0,0 +1,91 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::{cvt, cvt_p, OpenSSLResult}; +use foreign_types_shared::{ForeignType, ForeignTypeRef}; + +pub enum AeadType { + ChaCha20Poly1305, +} + +foreign_types::foreign_type! { + type CType = ffi::EVP_AEAD_CTX; + fn drop = ffi::EVP_AEAD_CTX_free; + + pub struct AeadCtx; + pub struct AeadCtxRef; +} + +unsafe impl Sync for AeadCtx {} +unsafe impl Send for AeadCtx {} + +impl AeadCtx { + pub fn new(aead: AeadType, key: &[u8]) -> OpenSSLResult { + let aead = match aead { + AeadType::ChaCha20Poly1305 => unsafe { ffi::EVP_aead_chacha20_poly1305() }, + }; + + unsafe { + let ctx = cvt_p(ffi::EVP_AEAD_CTX_new( + aead, + key.as_ptr(), + key.len(), + ffi::EVP_AEAD_DEFAULT_TAG_LENGTH as usize, + ))?; + Ok(AeadCtx::from_ptr(ctx)) + } + } +} + +impl AeadCtxRef { + pub fn encrypt( + &self, + data: &[u8], + nonce: &[u8], + ad: &[u8], + out: &mut [u8], + ) -> OpenSSLResult<()> { + let mut out_len = out.len(); + unsafe { + cvt(ffi::EVP_AEAD_CTX_seal( + self.as_ptr(), + out.as_mut_ptr(), + &mut out_len, + out.len(), + nonce.as_ptr(), + nonce.len(), + data.as_ptr(), + data.len(), + ad.as_ptr(), + ad.len(), + ))?; + } + Ok(()) + } + + pub fn decrypt( + &self, + data: &[u8], + nonce: &[u8], + ad: &[u8], + out: &mut [u8], + ) -> OpenSSLResult<()> { + let mut out_len = out.len(); + unsafe { + cvt(ffi::EVP_AEAD_CTX_open( + self.as_ptr(), + out.as_mut_ptr(), + &mut out_len, + out.len(), + nonce.as_ptr(), + nonce.len(), + data.as_ptr(), + data.len(), + ad.as_ptr(), + ad.len(), + ))?; + } + Ok(()) + } +} diff --git a/src/rust/cryptography-openssl/src/lib.rs b/src/rust/cryptography-openssl/src/lib.rs index 41938246fc5d..d0fb6fff5c21 100644 --- a/src/rust/cryptography-openssl/src/lib.rs +++ b/src/rust/cryptography-openssl/src/lib.rs @@ -4,6 +4,8 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] +pub mod aead; pub mod cmac; pub mod fips; pub mod hmac; diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 61f209e055fa..7c364dede81e 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -52,7 +52,6 @@ impl EvpCipherAead { } fn process_aad( - &self, ctx: &mut openssl::cipher_ctx::CipherCtx, aad: Option>, ) -> CryptographyResult<()> { @@ -75,7 +74,6 @@ impl EvpCipherAead { } fn process_data( - &self, ctx: &mut openssl::cipher_ctx::CipherCtx, data: &[u8], out: &mut [u8], @@ -133,16 +131,17 @@ impl EvpCipherAead { ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_encryption_ctx)?; - self.encrypt_with_context(py, ctx, plaintext, aad, nonce) + Self::encrypt_with_context(py, ctx, plaintext, aad, nonce, self.tag_len, self.tag_first) } fn encrypt_with_context<'p>( - &self, py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, plaintext: &[u8], aad: Option>, nonce: Option<&[u8]>, + tag_len: usize, + tag_first: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { check_length(plaintext)?; @@ -151,21 +150,21 @@ impl EvpCipherAead { } ctx.encrypt_init(None, None, nonce)?; - self.process_aad(&mut ctx, aad)?; + Self::process_aad(&mut ctx, aad)?; Ok(pyo3::types::PyBytes::new_with( py, - plaintext.len() + self.tag_len, + plaintext.len() + tag_len, |b| { let ciphertext; let tag; - if self.tag_first { - (tag, ciphertext) = b.split_at_mut(self.tag_len); + if tag_first { + (tag, ciphertext) = b.split_at_mut(tag_len); } else { (ciphertext, tag) = b.split_at_mut(plaintext.len()); } - self.process_data(&mut ctx, plaintext, ciphertext)?; + Self::process_data(&mut ctx, plaintext, ciphertext)?; ctx.tag(tag).map_err(CryptographyError::from)?; @@ -183,18 +182,27 @@ impl EvpCipherAead { ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_decryption_ctx)?; - self.decrypt_with_ctx(py, ctx, ciphertext, aad, nonce) + Self::decrypt_with_context( + py, + ctx, + ciphertext, + aad, + nonce, + self.tag_len, + self.tag_first, + ) } - fn decrypt_with_ctx<'p>( - &self, + fn decrypt_with_context<'p>( py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, + tag_len: usize, + tag_first: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if ciphertext.len() < self.tag_len { + if ciphertext.len() < tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -205,23 +213,183 @@ impl EvpCipherAead { let tag; let ciphertext_data; - if self.tag_first { + if tag_first { // RFC 5297 defines the output as IV || C, where the tag we generate // is the "IV" and C is the ciphertext. This is the opposite of our // other AEADs, which are Ciphertext || Tag. - (tag, ciphertext_data) = ciphertext.split_at(self.tag_len); + (tag, ciphertext_data) = ciphertext.split_at(tag_len); } else { - (ciphertext_data, tag) = ciphertext.split_at(ciphertext.len() - self.tag_len); + (ciphertext_data, tag) = ciphertext.split_at(ciphertext.len() - tag_len); } ctx.set_tag(tag)?; - self.process_aad(&mut ctx, aad)?; + Self::process_aad(&mut ctx, aad)?; Ok(pyo3::types::PyBytes::new_with( py, ciphertext_data.len(), |b| { - self.process_data(&mut ctx, ciphertext_data, b) + Self::process_data(&mut ctx, ciphertext_data, b) + .map_err(|_| exceptions::InvalidTag::new_err(()))?; + + Ok(()) + }, + )?) + } +} + +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER +)))] +struct LazyEvpCipherAead { + cipher: &'static openssl::cipher::CipherRef, + key: pyo3::Py, + + tag_len: usize, + tag_first: bool, +} + +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER +)))] +impl LazyEvpCipherAead { + fn new( + cipher: &'static openssl::cipher::CipherRef, + key: pyo3::Py, + tag_len: usize, + tag_first: bool, + ) -> LazyEvpCipherAead { + LazyEvpCipherAead { + cipher, + key, + tag_len, + tag_first, + } + } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + plaintext: &[u8], + aad: Option>, + nonce: Option<&[u8]>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let key_buf = self.key.as_ref(py).extract::>()?; + + let mut encryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; + encryption_ctx.encrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + EvpCipherAead::encrypt_with_context( + py, + encryption_ctx, + plaintext, + aad, + nonce, + self.tag_len, + self.tag_first, + ) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + ciphertext: &[u8], + aad: Option>, + nonce: Option<&[u8]>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let key_buf = self.key.as_ref(py).extract::>()?; + + let mut decryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; + decryption_ctx.decrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + EvpCipherAead::decrypt_with_context( + py, + decryption_ctx, + ciphertext, + aad, + nonce, + self.tag_len, + self.tag_first, + ) + } +} + +#[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] +struct EvpAead { + ctx: cryptography_openssl::aead::AeadCtx, + tag_len: usize, +} + +#[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] +impl EvpAead { + fn new( + algorithm: cryptography_openssl::aead::AeadType, + key: &[u8], + tag_len: usize, + ) -> CryptographyResult { + Ok(EvpAead { + ctx: cryptography_openssl::aead::AeadCtx::new(algorithm, key)?, + tag_len, + }) + } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + plaintext: &[u8], + aad: Option>, + nonce: Option<&[u8]>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + check_length(plaintext)?; + + let ad = if let Some(Aad::Single(ad)) = &aad { + check_length(ad.as_bytes())?; + ad.as_bytes() + } else { + assert!(aad.is_none()); + b"" + }; + Ok(pyo3::types::PyBytes::new_with( + py, + plaintext.len() + self.tag_len, + |b| { + self.ctx + .encrypt(plaintext, nonce.unwrap_or(b""), ad, b) + .map_err(CryptographyError::from)?; + Ok(()) + }, + )?) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + ciphertext: &[u8], + aad: Option>, + nonce: Option<&[u8]>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + if ciphertext.len() < self.tag_len { + return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); + } + + let ad = if let Some(Aad::Single(ad)) = &aad { + check_length(ad.as_bytes())?; + ad.as_bytes() + } else { + assert!(aad.is_none()); + b"" + }; + + Ok(pyo3::types::PyBytes::new_with( + py, + ciphertext.len() - self.tag_len, + |b| { + self.ctx + .decrypt(ciphertext, nonce.unwrap_or(b""), ad, b) .map_err(|_| exceptions::InvalidTag::new_err(()))?; Ok(()) @@ -230,6 +398,140 @@ impl EvpCipherAead { } } +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead")] +struct ChaCha20Poly1305 { + #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] + ctx: EvpAead, + #[cfg(any( + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + CRYPTOGRAPHY_IS_LIBRESSL, + all( + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + not(CRYPTOGRAPHY_IS_BORINGSSL) + ) + ))] + ctx: EvpCipherAead, + #[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + )))] + ctx: LazyEvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl ChaCha20Poly1305 { + #[new] + fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { + let key_buf = key.extract::>(py)?; + if key_buf.as_bytes().len() != 32 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("ChaCha20Poly1305 key must be 32 bytes."), + )); + } + + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] { + Ok(ChaCha20Poly1305 { + ctx: EvpAead::new( + cryptography_openssl::aead::AeadType::ChaCha20Poly1305, + key_buf.as_bytes(), + 16, + )?, + }) + } else if #[cfg(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + )))] { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "ChaCha20Poly1305 is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + + Ok(ChaCha20Poly1305 { + ctx: EvpCipherAead::new( + openssl::cipher::Cipher::chacha20_poly1305(), + key_buf.as_bytes(), + 16, + false, + )?, + }) + } else { + if cryptography_openssl::fips::is_enabled() { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "ChaCha20Poly1305 is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + + Ok(ChaCha20Poly1305{ + ctx: LazyEvpCipherAead::new( + openssl::cipher::Cipher::chacha20_poly1305(), + key, + 16, + false, + ) + }) + } + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult<&pyo3::PyAny> { + Ok(py + .import(pyo3::intern!(py, "os"))? + .call_method1(pyo3::intern!(py, "urandom"), (32,))?) + } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() != 12 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be 12 bytes"), + )); + } + + self.ctx + .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() != 12 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be 12 bytes"), + )); + } + + self.ctx + .decrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } +} + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", @@ -540,6 +842,7 @@ impl AesGcmSiv { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "aead")?; + m.add_class::()?; m.add_class::()?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index c245649f985e..9dd54f4b901d 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -12,7 +12,6 @@ mod exceptions; pub(crate) mod oid; mod padding; mod pkcs7; -mod pool; pub(crate) mod types; mod x509; @@ -31,7 +30,6 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; m.add_function(pyo3::wrap_pyfunction!(padding::check_ansix923_padding, m)?)?; m.add_class::()?; - m.add_class::()?; m.add_submodule(asn1::create_submodule(py)?)?; m.add_submodule(pkcs7::create_submodule(py)?)?; diff --git a/src/rust/src/pool.rs b/src/rust/src/pool.rs deleted file mode 100644 index c8d029bdc3ce..000000000000 --- a/src/rust/src/pool.rs +++ /dev/null @@ -1,81 +0,0 @@ -// This file is dual licensed under the terms of the Apache License, Version -// 2.0, and the BSD License. See the LICENSE file in the root of this repository -// for complete details. - -use std::cell::Cell; - -// An object pool that can contain a single object and will dynamically -// allocate new objects to fulfill requests if the pool'd object is already in -// use. -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] -pub(crate) struct FixedPool { - create_fn: pyo3::PyObject, - - value: Cell>, -} - -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] -struct PoolAcquisition { - pool: pyo3::Py, - - value: pyo3::PyObject, - fresh: bool, -} - -#[pyo3::pymethods] -impl FixedPool { - #[new] - fn new(py: pyo3::Python<'_>, create: pyo3::PyObject) -> pyo3::PyResult { - let value = create.call0(py)?; - - Ok(FixedPool { - create_fn: create, - - value: Cell::new(Some(value)), - }) - } - - fn acquire(slf: pyo3::Py, py: pyo3::Python<'_>) -> pyo3::PyResult { - let v = slf.as_ref(py).borrow().value.replace(None); - if let Some(value) = v { - Ok(PoolAcquisition { - pool: slf, - value, - fresh: false, - }) - } else { - let value = slf.as_ref(py).borrow().create_fn.call0(py)?; - Ok(PoolAcquisition { - pool: slf, - value, - fresh: true, - }) - } - } - - fn __traverse__(&self, visit: pyo3::PyVisit<'_>) -> Result<(), pyo3::PyTraverseError> { - visit.call(&self.create_fn)?; - Ok(()) - } -} - -#[pyo3::pymethods] -impl PoolAcquisition { - fn __enter__(&self, py: pyo3::Python<'_>) -> pyo3::PyObject { - self.value.clone_ref(py) - } - - fn __exit__( - &self, - py: pyo3::Python<'_>, - _exc_type: &pyo3::PyAny, - _exc_value: &pyo3::PyAny, - _exc_tb: &pyo3::PyAny, - ) -> pyo3::PyResult<()> { - let pool = self.pool.as_ref(py).borrow(); - if !self.fresh { - pool.value.replace(Some(self.value.clone_ref(py))); - } - Ok(()) - } -} diff --git a/tests/test_rust_utils.py b/tests/test_rust_utils.py deleted file mode 100644 index 1ee68541e7fc..000000000000 --- a/tests/test_rust_utils.py +++ /dev/null @@ -1,63 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -import gc -import threading - -from cryptography.hazmat.bindings._rust import FixedPool - - -class TestFixedPool: - def test_basic(self): - c = 0 - events = [] - - def create(): - nonlocal c - c += 1 - events.append(("create", c)) - return c - - pool = FixedPool(create) - assert events == [("create", 1)] - with pool.acquire() as c: - assert c == 1 - assert events == [("create", 1)] - - with pool.acquire() as c: - assert c == 2 - assert events == [("create", 1), ("create", 2)] - - assert events == [("create", 1), ("create", 2)] - - assert events == [("create", 1), ("create", 2)] - - del pool - gc.collect() - gc.collect() - gc.collect() - - assert events == [ - ("create", 1), - ("create", 2), - ] - - def test_thread_stress(self): - def create(): - return None - - pool = FixedPool(create) - - def thread_fn(): - with pool.acquire(): - pass - - threads = [] - for i in range(1024): - t = threading.Thread(target=thread_fn) - t.start() - threads.append(t) - - for t in threads: - t.join() From 13fc9134148485827e93d16e63c5b7e9c3ee11ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jan 2024 05:25:49 -0500 Subject: [PATCH 0950/1014] Remove Python bindings to EVP_AEAD (#10171) --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/evp_aead.py | 88 ------------------- .../hazmat/bindings/openssl/_conditional.py | 12 --- 3 files changed, 101 deletions(-) delete mode 100644 src/_cffi_src/openssl/evp_aead.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 3a7d86caaec4..6065e7aeed37 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -33,7 +33,6 @@ "engine", "err", "evp", - "evp_aead", "nid", "objects", "opensslv", diff --git a/src/_cffi_src/openssl/evp_aead.py b/src/_cffi_src/openssl/evp_aead.py deleted file mode 100644 index a748bcd7a6a8..000000000000 --- a/src/_cffi_src/openssl/evp_aead.py +++ /dev/null @@ -1,88 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#if CRYPTOGRAPHY_IS_BORINGSSL -#include -#endif -""" - -TYPES = """ -typedef ... EVP_AEAD; -typedef ... EVP_AEAD_CTX; -static const size_t EVP_AEAD_DEFAULT_TAG_LENGTH; - -static const long Cryptography_HAS_EVP_AEAD; -""" - -FUNCTIONS = """ -const EVP_AEAD *EVP_aead_chacha20_poly1305(void); -void EVP_AEAD_CTX_free(EVP_AEAD_CTX *); -int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *, uint8_t *, size_t *, size_t, - const uint8_t *, size_t, const uint8_t *, size_t, - const uint8_t *, size_t); -int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *, uint8_t *, size_t *, size_t, - const uint8_t *, size_t, const uint8_t *, size_t, - const uint8_t *, size_t); -size_t EVP_AEAD_max_overhead(const EVP_AEAD *); -/* The function EVP_AEAD_CTX_NEW() has different signatures in BoringSSL and - LibreSSL, so we cannot declare it here. We define a wrapper for it instead. -*/ -EVP_AEAD_CTX *Cryptography_EVP_AEAD_CTX_new(const EVP_AEAD *, - const uint8_t *, size_t, - size_t); -""" - -CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_BORINGSSL || CRYPTOGRAPHY_IS_LIBRESSL -static const long Cryptography_HAS_EVP_AEAD = 1; -#else -static const long Cryptography_HAS_EVP_AEAD = 0; -#endif - -#if CRYPTOGRAPHY_IS_BORINGSSL -EVP_AEAD_CTX *Cryptography_EVP_AEAD_CTX_new(const EVP_AEAD *aead, - const uint8_t *key, - size_t key_len, size_t tag_len) { - return EVP_AEAD_CTX_new(aead, key, key_len, tag_len); -} -#elif CRYPTOGRAPHY_IS_LIBRESSL -EVP_AEAD_CTX *Cryptography_EVP_AEAD_CTX_new(const EVP_AEAD *aead, - const uint8_t *key, - size_t key_len, size_t tag_len) { - EVP_AEAD_CTX *ctx = EVP_AEAD_CTX_new(); - if (ctx == NULL) { - return NULL; - } - - /* This mimics BoringSSL's behavior: any error here is pushed onto - the stack. - */ - int result = EVP_AEAD_CTX_init(ctx, aead, key, key_len, tag_len, NULL); - if (result != 1) { - return NULL; - } - - return ctx; -} -#else -typedef void EVP_AEAD; -typedef void EVP_AEAD_CTX; -static const size_t EVP_AEAD_DEFAULT_TAG_LENGTH = 0; -const EVP_AEAD *(*EVP_aead_chacha20_poly1305)(void) = NULL; -void (*EVP_AEAD_CTX_free)(EVP_AEAD_CTX *) = NULL; -int (*EVP_AEAD_CTX_seal)(const EVP_AEAD_CTX *, uint8_t *, size_t *, size_t, - const uint8_t *, size_t, const uint8_t *, size_t, - const uint8_t *, size_t) = NULL; -int (*EVP_AEAD_CTX_open)(const EVP_AEAD_CTX *, uint8_t *, size_t *, size_t, - const uint8_t *, size_t, const uint8_t *, size_t, - const uint8_t *, size_t) = NULL; -size_t (*EVP_AEAD_max_overhead)(const EVP_AEAD *) = NULL; -EVP_AEAD_CTX *(*Cryptography_EVP_AEAD_CTX_new)(const EVP_AEAD *, - const uint8_t *, size_t, - size_t) = NULL; -#endif -""" diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 47bbf71a3572..21e517352c7f 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -199,17 +199,6 @@ def cryptography_has_get_extms_support() -> list[str]: return ["SSL_get_extms_support"] -def cryptography_has_evp_aead() -> list[str]: - return [ - "EVP_aead_chacha20_poly1305", - "EVP_AEAD_CTX_free", - "EVP_AEAD_CTX_seal", - "EVP_AEAD_CTX_open", - "EVP_AEAD_max_overhead", - "Cryptography_EVP_AEAD_CTX_new", - ] - - # This is a mapping of # {condition: function-returning-names-dependent-on-that-condition} so we can # loop over them and delete unsupported names at runtime. It will be removed @@ -248,5 +237,4 @@ def cryptography_has_evp_aead() -> list[str]: cryptography_has_ssl_op_ignore_unexpected_eof ), "Cryptography_HAS_GET_EXTMS_SUPPORT": cryptography_has_get_extms_support, - "Cryptography_HAS_EVP_AEAD": cryptography_has_evp_aead, } From cb493187e07f8962b14ee81882a5358bf54ab14a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 00:15:43 +0000 Subject: [PATCH 0951/1014] Bump BoringSSL and/or OpenSSL in CI (#10175) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1ec47119a814..13eade9e9320 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8f4e9d41548eca0cd394b66d3bd0ecd16e04b8b2"}} + # Latest commit on the BoringSSL master branch, as of Jan 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "45f5e5da1235b13220599fa04b7a648f29db80c3"}} # Latest commit on the OpenSSL master branch, as of Jan 13, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "df04e81794ac3083804c34c173eb2b2fa55d373d"}} # Builds with various Rust versions. Includes MSRV and next From c8937e8003226b9635c6d9bf3f0ad2162eb77e7c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 14:26:54 +0000 Subject: [PATCH 0952/1014] Bump sphinxcontrib-applehelp from 1.0.7 to 1.0.8 (#10182) Bumps [sphinxcontrib-applehelp](https://github.com/sphinx-doc/sphinxcontrib-applehelp) from 1.0.7 to 1.0.8. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-applehelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-applehelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-applehelp/compare/1.0.7...1.0.8) --- updated-dependencies: - dependency-name: sphinxcontrib-applehelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8dd08df233f0..c918416f902c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -122,7 +122,7 @@ sphinx==7.2.6 # sphinxcontrib-spelling sphinx-rtd-theme==2.0.0 # via cryptography (pyproject.toml) -sphinxcontrib-applehelp==1.0.7 +sphinxcontrib-applehelp==1.0.8 # via sphinx sphinxcontrib-devhelp==1.0.5 # via sphinx From ca997250788001d266fb744adbaf658daae93aa2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 14:27:04 +0000 Subject: [PATCH 0953/1014] Bump sphinxcontrib-devhelp from 1.0.5 to 1.0.6 (#10181) Bumps [sphinxcontrib-devhelp](https://github.com/sphinx-doc/sphinxcontrib-devhelp) from 1.0.5 to 1.0.6. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-devhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-devhelp/blob/1.0.6/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-devhelp/compare/1.0.5...1.0.6) --- updated-dependencies: - dependency-name: sphinxcontrib-devhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c918416f902c..ad288e64fb32 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -124,7 +124,7 @@ sphinx-rtd-theme==2.0.0 # via cryptography (pyproject.toml) sphinxcontrib-applehelp==1.0.8 # via sphinx -sphinxcontrib-devhelp==1.0.5 +sphinxcontrib-devhelp==1.0.6 # via sphinx sphinxcontrib-htmlhelp==2.0.4 # via sphinx From e0359fa64047c027f8a3a594a159b073be19f9e4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 14:27:10 +0000 Subject: [PATCH 0954/1014] Bump ruff from 0.1.12 to 0.1.13 (#10183) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.12 to 0.1.13. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.12...v0.1.13) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ad288e64fb32..6b69ac662e35 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.12 +ruff==0.1.13 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From fc9107ce347be51ab88b05ae046d1d69d71be15b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 14:27:20 +0000 Subject: [PATCH 0955/1014] Bump sphinxcontrib-serializinghtml from 1.1.9 to 1.1.10 (#10184) Bumps [sphinxcontrib-serializinghtml](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml) from 1.1.9 to 1.1.10. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/compare/1.1.9...1.1.10) --- updated-dependencies: - dependency-name: sphinxcontrib-serializinghtml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6b69ac662e35..db06aec9a2de 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -134,7 +134,7 @@ sphinxcontrib-jsmath==1.0.1 # via sphinx sphinxcontrib-qthelp==1.0.6 # via sphinx -sphinxcontrib-serializinghtml==1.1.9 +sphinxcontrib-serializinghtml==1.1.10 # via sphinx sphinxcontrib-spelling==8.0.0 # via cryptography (pyproject.toml) From 5e10a750b77b825d263813fe797464b840b95bea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 14:27:34 +0000 Subject: [PATCH 0956/1014] Bump smallvec from 1.11.2 to 1.12.0 in /src/rust (#10179) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.11.2 to 1.12.0. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.11.2...v1.12.0) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 995f6f0e0e9c..ac330d60fc8b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -362,9 +362,9 @@ checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" [[package]] name = "smallvec" -version = "1.11.2" +version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" +checksum = "2593d31f82ead8df961d8bd23a64c2ccf2eb5dd34b0a34bfb4dd54011c72009e" [[package]] name = "syn" From a2cba66c3170f1b77bbae9dda4df9f950e26d613 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 14:44:03 +0000 Subject: [PATCH 0957/1014] Bump sphinxcontrib-qthelp from 1.0.6 to 1.0.7 (#10180) Bumps [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) from 1.0.6 to 1.0.7. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/1.0.7/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-qthelp/compare/1.0.6...1.0.7) --- updated-dependencies: - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index db06aec9a2de..f487e64a3276 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.6 +sphinxcontrib-qthelp==1.0.7 # via sphinx sphinxcontrib-serializinghtml==1.1.10 # via sphinx From 6d0fb983a5a73fe4c5c1d11e8f27d099a8ff1b2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jan 2024 14:48:15 +0000 Subject: [PATCH 0958/1014] Bump sphinxcontrib-htmlhelp from 2.0.4 to 2.0.5 (#10185) Bumps [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) from 2.0.4 to 2.0.5. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/2.0.5/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/compare/2.0.4...2.0.5) --- updated-dependencies: - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f487e64a3276..1410cd3c0723 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -126,7 +126,7 @@ sphinxcontrib-applehelp==1.0.8 # via sphinx sphinxcontrib-devhelp==1.0.6 # via sphinx -sphinxcontrib-htmlhelp==2.0.4 +sphinxcontrib-htmlhelp==2.0.5 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme From ad4ba0af959ac4427c82477910a31040644f36d3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 14 Jan 2024 17:43:55 -0500 Subject: [PATCH 0959/1014] Develop a local nox target (#10173) This formats code, runs linters, and tests. And it does these in an order that's optimized for fast local feedback --- docs/development/getting-started.rst | 11 ++--- noxfile.py | 68 ++++++++++++++++++++++++++-- 2 files changed, 70 insertions(+), 9 deletions(-) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index 12cce7540085..2cb1bb478bff 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -14,7 +14,7 @@ handled by the use of ``nox``, which can be installed with ``pip``. $ # Create a virtualenv and activate it $ # Set up your cryptography build environment $ pip install nox - $ nox -e tests-nocoverage + $ nox -e local OpenSSL on macOS ~~~~~~~~~~~~~~~~ @@ -26,13 +26,12 @@ Running tests ------------- ``cryptography`` unit tests are found in the ``tests/`` directory and are -designed to be run using `pytest`_. ``nox`` automatically invokes ``pytest``: +designed to be run using `pytest`_. ``nox`` automatically invokes ``pytest`` +and other required checks for ``cryptography``: .. code-block:: console - $ nox -e tests-nocoverage - ... - ===== 3062 passed, 61 skipped in 16.02s ===== + $ nox -e local You can also specify a subset of tests to run as positional arguments: @@ -40,7 +39,7 @@ You can also specify a subset of tests to run as positional arguments: .. code-block:: console $ # run the whole x509 testsuite, plus the fernet tests - $ nox -e tests-nocoverage -- tests/x509/ tests/test_fernet.py + $ nox -e local -- tests/x509/ tests/test_fernet.py .. _`Homebrew`: https://brew.sh diff --git a/noxfile.py b/noxfile.py index 5651ea3c7156..eb5e11cec449 100644 --- a/noxfile.py +++ b/noxfile.py @@ -22,13 +22,14 @@ nox.options.reuse_existing_virtualenvs = True -def install(session: nox.Session, *args: str) -> None: +def install(session: nox.Session, *args: str, silent: bool = False) -> None: + if not silent: + args += ("-v",) session.install( - "-v", "-c", "ci-constraints-requirements.txt", *args, - silent=False, + silent=silent, ) @@ -246,6 +247,67 @@ def rust(session: nox.Session) -> None: process_rust_coverage(session, rust_tests, prof_location) +@nox.session +def local(session): + pyproject_data = load_pyproject_toml() + install( + session, + *pyproject_data["build-system"]["requires"], + *pyproject_data["project"]["optional-dependencies"]["pep8test"], + *pyproject_data["project"]["optional-dependencies"]["test"], + *pyproject_data["project"]["optional-dependencies"]["ssh"], + *pyproject_data["project"]["optional-dependencies"]["nox"], + silent=True, + ) + install(session, "-e", "vectors/", silent=True) + + session.run("ruff", "format", ".") + session.run("ruff", ".") + + with session.chdir("src/rust/"): + session.run("cargo", "fmt", "--all", external=True) + session.run("cargo", "check", "--all", "--tests", external=True) + session.run( + "cargo", + "clippy", + "--all", + "--", + "-D", + "warnings", + external=True, + ) + + session.run( + "mypy", + "src/cryptography/", + "vectors/cryptography_vectors/", + "tests/", + "release.py", + "noxfile.py", + ) + + install(session, ".[test]") + + if session.posargs: + tests = session.posargs + else: + tests = ["tests/"] + + session.run( + "pytest", + "-n", + "auto", + "--dist=worksteal", + "--durations=10", + *tests, + ) + + with session.chdir("src/rust/"): + session.run( + "cargo", "test", "--no-default-features", "--all", external=True + ) + + LCOV_SOURCEFILE_RE = re.compile( r"^SF:.*[\\/]src[\\/]rust[\\/](.*)$", flags=re.MULTILINE ) From 0f69ce5e8f873c9715a9199d591091060bbe8ef0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 14 Jan 2024 19:00:06 -0500 Subject: [PATCH 0960/1014] Use flit instead of setuptools for vectors (#10174) Its much faster --- vectors/MANIFEST.in | 4 ---- vectors/pyproject.toml | 12 ++++-------- 2 files changed, 4 insertions(+), 12 deletions(-) delete mode 100644 vectors/MANIFEST.in diff --git a/vectors/MANIFEST.in b/vectors/MANIFEST.in deleted file mode 100644 index 6d1e5ff66c70..000000000000 --- a/vectors/MANIFEST.in +++ /dev/null @@ -1,4 +0,0 @@ -recursive-include cryptography_vectors * -include LICENSE -include LICENSE.APACHE -include LICENSE.BSD diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 8540516ace1a..704bc0a5a96b 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -1,6 +1,6 @@ [build-system] -requires = ["setuptools"] -build-backend = "setuptools.build_meta" +requires = ["flit_core >=3.2,<4"] +build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" @@ -14,9 +14,5 @@ license = {text = "Apache-2.0 OR BSD-3-Clause"} [project.urls] homepage = "https://github.com/pyca/cryptography" -[tool.setuptools] -zip-safe = false -include-package-data = true - -[tool.distutils.bdist_wheel] -universal = true +[tool.flit.sdist] +include = ["LICENSE", "LICENSE.APACHE", "LICENSE.BSD"] From 00a94b006564042cf636d0d12fcadba5c83c7201 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 15 Jan 2024 00:15:09 +0000 Subject: [PATCH 0961/1014] Bump BoringSSL and/or OpenSSL in CI (#10186) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 13eade9e9320..3d71c0d25481 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "45f5e5da1235b13220599fa04b7a648f29db80c3"}} + # Latest commit on the BoringSSL master branch, as of Jan 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b628f8721e7e67302b0e26c92e0108a31066194e"}} # Latest commit on the OpenSSL master branch, as of Jan 13, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "df04e81794ac3083804c34c173eb2b2fa55d373d"}} # Builds with various Rust versions. Includes MSRV and next From 9409479c9a8fa2057dc4a191e6e104f2ac7e8feb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jan 2024 12:48:49 -0500 Subject: [PATCH 0962/1014] fixes #10187 -- handle passing a curve class when generating an EC key (#10188) --- .../hazmat/primitives/asymmetric/ec.py | 6 ----- src/rust/src/backend/ec.rs | 27 ++++++++++++++----- tests/hazmat/primitives/test_ec.py | 12 ++++++++- tests/hazmat/primitives/test_pkcs12.py | 2 +- 4 files changed, 32 insertions(+), 15 deletions(-) diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index c927c3f15cbe..986d195af682 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -173,9 +173,6 @@ def from_encoded_point( ) -> EllipticCurvePublicKey: utils._check_bytes("data", data) - if not isinstance(curve, EllipticCurve): - raise TypeError("curve must be an EllipticCurve instance") - if len(data) == 0: raise ValueError("data must not be an empty byte string") @@ -346,9 +343,6 @@ def derive_private_key( if private_value <= 0: raise ValueError("private_value must be a positive integer.") - if not isinstance(curve, EllipticCurve): - raise TypeError("curve must provide the EllipticCurve interface.") - return rust_openssl.ec.derive_private_key(private_value, curve) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 571273a53475..f48e375d0477 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -28,7 +28,20 @@ pub(crate) struct ECPublicKey { fn curve_from_py_curve( py: pyo3::Python<'_>, py_curve: &pyo3::PyAny, + allow_curve_class: bool, ) -> CryptographyResult { + if !py_curve.is_instance(types::ELLIPTIC_CURVE.get(py)?)? { + if allow_curve_class { + let warning_cls = types::DEPRECATED_IN_42.get(py)?; + let warning_msg = "Curve argument must be an instance of an EllipticCurve class. Did you pass a class by mistake? This will be an exception in a future version of cryptography."; + pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; + } else { + return Err(CryptographyError::from( + pyo3::exceptions::PyTypeError::new_err("curve must be an EllipticCurve instance"), + )); + } + } + let curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?.extract()?; let nid = match curve_name { "secp192r1" => openssl::nid::Nid::X9_62_PRIME192V1, @@ -121,7 +134,7 @@ fn check_key_infinity( #[pyo3::prelude::pyfunction] fn curve_supported(py: pyo3::Python<'_>, py_curve: &pyo3::PyAny) -> bool { - curve_from_py_curve(py, py_curve).is_ok() + curve_from_py_curve(py, py_curve, false).is_ok() } pub(crate) fn private_key_from_pkey( @@ -158,12 +171,12 @@ fn generate_private_key( ) -> CryptographyResult { let _ = backend; - let ossl_curve = curve_from_py_curve(py, curve)?; + let ossl_curve = curve_from_py_curve(py, curve, true)?; let key = openssl::ec::EcKey::generate(&ossl_curve)?; Ok(ECPrivateKey { pkey: openssl::pkey::PKey::from_ec_key(key)?, - curve: curve.into(), + curve: py_curve_from_curve(py, &ossl_curve)?.into(), }) } @@ -173,7 +186,7 @@ fn derive_private_key( py_private_value: &pyo3::types::PyLong, py_curve: &pyo3::PyAny, ) -> CryptographyResult { - let curve = curve_from_py_curve(py, py_curve)?; + let curve = curve_from_py_curve(py, py_curve, false)?; let private_value = utils::py_int_to_bn(py, py_private_value)?; let mut point = openssl::ec::EcPoint::new(&curve)?; @@ -196,7 +209,7 @@ fn from_public_bytes( py_curve: &pyo3::PyAny, data: &[u8], ) -> CryptographyResult { - let curve = curve_from_py_curve(py, py_curve)?; + let curve = curve_from_py_curve(py, py_curve, false)?; let mut bn_ctx = openssl::bn::BigNumContext::new()?; let point = openssl::ec::EcPoint::from_bytes(&curve, data, &mut bn_ctx) @@ -494,7 +507,7 @@ impl EllipticCurvePrivateNumbers { ) -> CryptographyResult { let _ = backend; - let curve = curve_from_py_curve(py, self.public_numbers.get().curve.as_ref(py))?; + let curve = curve_from_py_curve(py, self.public_numbers.get().curve.as_ref(py), false)?; let public_key = public_key_from_numbers(py, self.public_numbers.get(), &curve)?; let private_value = utils::py_int_to_bn(py, self.private_value.as_ref(py))?; @@ -575,7 +588,7 @@ impl EllipticCurvePublicNumbers { ) -> CryptographyResult { let _ = backend; - let curve = curve_from_py_curve(py, self.curve.as_ref(py))?; + let curve = curve_from_py_curve(py, self.curve.as_ref(py), false)?; let public_key = public_key_from_numbers(py, self, &curve)?; let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 531e182c9095..bee911ccd731 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -12,7 +12,7 @@ import pytest -from cryptography import exceptions, x509 +from cryptography import exceptions, utils, x509 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric.utils import ( @@ -210,6 +210,16 @@ def test_ec_key_key_size(backend): assert key.public_key().key_size == 256 +def test_deprecated_generate_private_key_with_curve_class(backend): + # This test verifies that if you pass a curve _class_ instead of instance, + # you get a warning and then `key.curve` is still an instance. + _skip_curve_unsupported(backend, ec.SECP256R1()) + + with pytest.warns(utils.DeprecatedIn42): + key = ec.generate_private_key(ec.SECP256R1) # type: ignore[arg-type] + assert isinstance(key.curve, ec.SECP256R1) + + class TestECWithNumbers: def test_with_numbers(self, backend, subtests): vectors = itertools.product( diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index cd9c279ac4b0..fb0e39be9e36 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -308,7 +308,7 @@ class TestPKCS12Creation: ] + [ pytest.param( - ec.generate_private_key, ec.EllipticCurvePrivateKey, [curve] + ec.generate_private_key, ec.EllipticCurvePrivateKey, [curve()] ) for curve in ec._CURVE_TYPES.values() ], From 4b5be7b0032ade70e09a43f9d857708e36170bbc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Jan 2024 00:15:35 +0000 Subject: [PATCH 0963/1014] Bump BoringSSL and/or OpenSSL in CI (#10192) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3d71c0d25481..d6f9e35f6460 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jan 15, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b628f8721e7e67302b0e26c92e0108a31066194e"}} - # Latest commit on the OpenSSL master branch, as of Jan 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "df04e81794ac3083804c34c173eb2b2fa55d373d"}} + # Latest commit on the OpenSSL master branch, as of Jan 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "afd8e29c360376420ea676581aa5d50b6027d069"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 41e157ef8630bb3aaa3aa7032f8183f80882a5cf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 17 Jan 2024 00:15:46 +0000 Subject: [PATCH 0964/1014] Bump BoringSSL and/or OpenSSL in CI (#10194) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d6f9e35f6460..71ead17fed2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b628f8721e7e67302b0e26c92e0108a31066194e"}} - # Latest commit on the OpenSSL master branch, as of Jan 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "afd8e29c360376420ea676581aa5d50b6027d069"}} + # Latest commit on the BoringSSL master branch, as of Jan 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b96e8166f35ec679cb5afe94ea4581a373f25f66"}} + # Latest commit on the OpenSSL master branch, as of Jan 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2f85736e9c66248528f132d46508f06a0bb8dd88"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From b740f5a198deba059f64d9359b6078aad5601833 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 17 Jan 2024 00:31:05 +0000 Subject: [PATCH 0965/1014] Bump x509-limbo and/or wycheproof in CI (#10195) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 1b65536285c8..2907067cd8b6 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "trailofbits/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 12, 2024. - ref: "212c926ebab967dbff2c8910e11cf30cd94efde3" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 17, 2024. + ref: "13ee076aae65a2ccfcfe5d3df3fa8b1fb8c540fd" # x509-limbo-ref From 1f8fbed1245b0591ad13fa715fa2dd4464075eda Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jan 2024 07:34:04 -0500 Subject: [PATCH 0966/1014] Bump actions/cache from 3.3.3 to 4.0.0 (#10197) Bumps [actions/cache](https://github.com/actions/cache) from 3.3.3 to 4.0.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/e12d46a63a90f2fae62d114769bbf2a179198b5c...13aacd865c20de90d75de3b17ebe84f7a17d57d2) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71ead17fed2a..33de3edc11fa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -95,7 +95,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 id: ossl-cache timeout-minutes: 2 with: From 376a266cef2a494fc07843ca2f3d81562585aa11 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 17 Jan 2024 10:52:07 -0500 Subject: [PATCH 0967/1014] Special-case installation of vectors in local nox (#10190) This saves roughly a second, but makes getting feedback much more responsive. --- noxfile.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index eb5e11cec449..f1117d7fee3b 100644 --- a/noxfile.py +++ b/noxfile.py @@ -257,9 +257,11 @@ def local(session): *pyproject_data["project"]["optional-dependencies"]["test"], *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], + "flit", silent=True, ) - install(session, "-e", "vectors/", silent=True) + with session.cd("vectors/"): + session.run("flit", "install", "-s", silent=True) session.run("ruff", "format", ".") session.run("ruff", ".") From 895cddf5915382f57f6224b42688b301a20951ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 17 Jan 2024 11:03:56 -0500 Subject: [PATCH 0968/1014] Consistently use EllipticCurve instances in various places (#10189) --- .../hazmat/primitives/asymmetric/ec.py | 44 +++++++-------- src/rust/src/backend/ec.rs | 5 +- tests/hazmat/primitives/test_ec.py | 56 +++++++++---------- tests/hazmat/primitives/test_pkcs12.py | 2 +- 4 files changed, 51 insertions(+), 56 deletions(-) diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index 986d195af682..b612b40149d4 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -290,28 +290,28 @@ class BrainpoolP512R1(EllipticCurve): key_size = 512 -_CURVE_TYPES: dict[str, type[EllipticCurve]] = { - "prime192v1": SECP192R1, - "prime256v1": SECP256R1, - "secp192r1": SECP192R1, - "secp224r1": SECP224R1, - "secp256r1": SECP256R1, - "secp384r1": SECP384R1, - "secp521r1": SECP521R1, - "secp256k1": SECP256K1, - "sect163k1": SECT163K1, - "sect233k1": SECT233K1, - "sect283k1": SECT283K1, - "sect409k1": SECT409K1, - "sect571k1": SECT571K1, - "sect163r2": SECT163R2, - "sect233r1": SECT233R1, - "sect283r1": SECT283R1, - "sect409r1": SECT409R1, - "sect571r1": SECT571R1, - "brainpoolP256r1": BrainpoolP256R1, - "brainpoolP384r1": BrainpoolP384R1, - "brainpoolP512r1": BrainpoolP512R1, +_CURVE_TYPES: dict[str, EllipticCurve] = { + "prime192v1": SECP192R1(), + "prime256v1": SECP256R1(), + "secp192r1": SECP192R1(), + "secp224r1": SECP224R1(), + "secp256r1": SECP256R1(), + "secp384r1": SECP384R1(), + "secp521r1": SECP521R1(), + "secp256k1": SECP256K1(), + "sect163k1": SECT163K1(), + "sect233k1": SECT233K1(), + "sect283k1": SECT283K1(), + "sect409k1": SECT409K1(), + "sect571k1": SECT571K1(), + "sect163r2": SECT163R2(), + "sect233r1": SECT233R1(), + "sect283r1": SECT283R1(), + "sect409r1": SECT409R1(), + "sect571r1": SECT571R1(), + "brainpoolP256r1": BrainpoolP256R1(), + "brainpoolP384r1": BrainpoolP384R1(), + "brainpoolP512r1": BrainpoolP512R1(), } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index f48e375d0477..ed525f7d1502 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -106,7 +106,7 @@ fn py_curve_from_curve<'p>( )); } - Ok(types::CURVE_TYPES + types::CURVE_TYPES .get(py)? .extract::<&pyo3::types::PyDict>()? .get_item(name)? @@ -115,8 +115,7 @@ fn py_curve_from_curve<'p>( format!("{name} is not a supported elliptic curve"), exceptions::Reasons::UNSUPPORTED_ELLIPTIC_CURVE, ))) - })? - .call0()?) + }) } fn check_key_infinity( diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index bee911ccd731..d794d429524e 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -41,18 +41,18 @@ } -def _skip_ecdsa_vector(backend, curve_type, hash_type): +def _skip_ecdsa_vector(backend, curve: ec.EllipticCurve, hash_type): if not backend.elliptic_curve_signature_algorithm_supported( - ec.ECDSA(hash_type()), curve_type() + ec.ECDSA(hash_type()), curve ): pytest.skip( "ECDSA not supported with this hash {} and curve {}.".format( - hash_type().name, curve_type().name + hash_type().name, curve.name ) ) -def _skip_curve_unsupported(backend, curve): +def _skip_curve_unsupported(backend, curve: ec.EllipticCurve): if not backend.elliptic_curve_supported(curve): pytest.skip( f"Curve {curve.name} is not supported by this backend {backend}" @@ -95,7 +95,7 @@ def test_skip_exchange_algorithm_unsupported(backend): def test_skip_ecdsa_vector(backend): with pytest.raises(pytest.skip.Exception): - _skip_ecdsa_vector(backend, DummyCurve, hashes.SHA256) + _skip_ecdsa_vector(backend, DummyCurve(), hashes.SHA256) def test_derive_private_key_success(backend): @@ -233,16 +233,14 @@ def test_with_numbers(self, backend, subtests): ) for vector, hash_type in vectors: with subtests.test(): - curve_type: typing.Type[ec.EllipticCurve] = ec._CURVE_TYPES[ - vector["curve"] - ] + curve = ec._CURVE_TYPES[vector["curve"]] - _skip_ecdsa_vector(backend, curve_type, hash_type) + _skip_ecdsa_vector(backend, curve, hash_type) key = ec.EllipticCurvePrivateNumbers( vector["d"], ec.EllipticCurvePublicNumbers( - vector["x"], vector["y"], curve_type() + vector["x"], vector["y"], curve ), ).private_key(backend) assert key @@ -251,7 +249,7 @@ def test_with_numbers(self, backend, subtests): assert priv_num.private_value == vector["d"] assert priv_num.public_numbers.x == vector["x"] assert priv_num.public_numbers.y == vector["y"] - assert curve_type().name == priv_num.public_numbers.curve.name + assert curve.name == priv_num.public_numbers.curve.name class TestECDSAVectors: @@ -267,14 +265,14 @@ def test_signing_with_example_keys(self, backend, subtests): ) for vector, hash_type in vectors: with subtests.test(): - curve_type = ec._CURVE_TYPES[vector["curve"]] + curve = ec._CURVE_TYPES[vector["curve"]] - _skip_ecdsa_vector(backend, curve_type, hash_type) + _skip_ecdsa_vector(backend, curve, hash_type) key = ec.EllipticCurvePrivateNumbers( vector["d"], ec.EllipticCurvePublicNumbers( - vector["x"], vector["y"], curve_type() + vector["x"], vector["y"], curve ), ).private_key(backend) assert key @@ -292,16 +290,16 @@ def test_signing_with_example_keys(self, backend, subtests): @pytest.mark.parametrize("curve", ec._CURVE_TYPES.values()) def test_generate_vector_curves(self, backend, curve): - _skip_curve_unsupported(backend, curve()) + _skip_curve_unsupported(backend, curve) - key = ec.generate_private_key(curve(), backend) + key = ec.generate_private_key(curve, backend) assert key - assert isinstance(key.curve, curve) + assert type(key.curve) is type(curve) assert key.curve.key_size pkey = key.public_key() assert pkey - assert isinstance(pkey.curve, curve) + assert type(pkey.curve) is type(curve) assert key.curve.key_size == pkey.curve.key_size def test_generate_unknown_curve(self, backend): @@ -469,14 +467,12 @@ def test_signatures(self, backend, subtests): for vector in vectors: with subtests.test(): hash_type = _HASH_TYPES[vector["digest_algorithm"]] - curve_type: typing.Type[ec.EllipticCurve] = ec._CURVE_TYPES[ - vector["curve"] - ] + curve = ec._CURVE_TYPES[vector["curve"]] - _skip_ecdsa_vector(backend, curve_type, hash_type) + _skip_ecdsa_vector(backend, curve, hash_type) key = ec.EllipticCurvePublicNumbers( - vector["x"], vector["y"], curve_type() + vector["x"], vector["y"], curve ).public_key(backend) signature = encode_dss_signature(vector["r"], vector["s"]) @@ -491,12 +487,12 @@ def test_signature_failures(self, backend, subtests): for vector in vectors: with subtests.test(): hash_type = _HASH_TYPES[vector["digest_algorithm"]] - curve_type = ec._CURVE_TYPES[vector["curve"]] + curve = ec._CURVE_TYPES[vector["curve"]] - _skip_ecdsa_vector(backend, curve_type, hash_type) + _skip_ecdsa_vector(backend, curve, hash_type) key = ec.EllipticCurvePublicNumbers( - vector["x"], vector["y"], curve_type() + vector["x"], vector["y"], curve ).public_key(backend) signature = encode_dss_signature(vector["r"], vector["s"]) @@ -1230,7 +1226,7 @@ def test_key_exchange_with_vectors(self, backend, subtests): for vector in vectors: with subtests.test(): _skip_exchange_algorithm_unsupported( - backend, ec.ECDH(), ec._CURVE_TYPES[vector["curve"]]() + backend, ec.ECDH(), ec._CURVE_TYPES[vector["curve"]] ) key_numbers = vector["IUT"] @@ -1239,7 +1235,7 @@ def test_key_exchange_with_vectors(self, backend, subtests): ec.EllipticCurvePublicNumbers( key_numbers["x"], key_numbers["y"], - ec._CURVE_TYPES[vector["curve"]](), + ec._CURVE_TYPES[vector["curve"]], ), ) # Errno 5-7 indicates a bad public or private key, this @@ -1255,7 +1251,7 @@ def test_key_exchange_with_vectors(self, backend, subtests): public_numbers = ec.EllipticCurvePublicNumbers( peer_numbers["x"], peer_numbers["y"], - ec._CURVE_TYPES[vector["curve"]](), + ec._CURVE_TYPES[vector["curve"]], ) # Errno 1 and 2 indicates a bad public key, this doesn't test # the ECDH code at all @@ -1285,7 +1281,7 @@ def test_key_exchange_with_vectors(self, backend, subtests): ), ) def test_brainpool_kex(self, backend, vector): - curve = ec._CURVE_TYPES[vector["curve"].decode("ascii")]() + curve = ec._CURVE_TYPES[vector["curve"].decode("ascii")] _skip_exchange_algorithm_unsupported(backend, ec.ECDH(), curve) key = ec.EllipticCurvePrivateNumbers( int(vector["da"], 16), diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index fb0e39be9e36..cd9c279ac4b0 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -308,7 +308,7 @@ class TestPKCS12Creation: ] + [ pytest.param( - ec.generate_private_key, ec.EllipticCurvePrivateKey, [curve()] + ec.generate_private_key, ec.EllipticCurvePrivateKey, [curve] ) for curve in ec._CURVE_TYPES.values() ], From 406b771ff0f334488e1956081bb316b48376193e Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 17 Jan 2024 14:42:12 -0500 Subject: [PATCH 0969/1014] fetch-vectors: change repo for x509-limbo (#10199) * fetch-vectors: change repo for x509-limbo Signed-off-by: William Woodruff * workflows: trailofbits -> C2SP Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/actions/fetch-vectors/action.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 2907067cd8b6..0a270b6baa50 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -14,7 +14,7 @@ runs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: - repository: "trailofbits/x509-limbo" + repository: "C2SP/x509-limbo" path: "x509-limbo" # Latest commit on the x509-limbo main branch, as of Jan 17, 2024. ref: "13ee076aae65a2ccfcfe5d3df3fa8b1fb8c540fd" # x509-limbo-ref diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 5434dbccfd0f..e4a42bf3155f 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -16,12 +16,12 @@ jobs: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - id: check-sha-x509-limbo run: | - SHA=$(git ls-remote https://github.com/trailofbits/x509-limbo refs/heads/main | cut -f1) + SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) LAST_COMMIT=$(grep x509-limbo-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') if ! grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## x509-limbo\n[Commit: ${SHA}](https://github.com/trailofbits/x509-limbo/commit/${SHA})\n\n[Diff](https://github.com/trailofbits/x509-limbo/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT + echo -e "## x509-limbo\n[Commit: ${SHA}](https://github.com/C2SP/x509-limbo/commit/${SHA})\n\n[Diff](https://github.com/C2SP/x509-limbo/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT fi - name: Update x509-limbo From dcd964abbfa7c7e6d8b7c4c1dc1739f288e0b141 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 17 Jan 2024 19:20:41 -0500 Subject: [PATCH 0970/1014] Bump BoringSSL and/or OpenSSL in CI (#10200) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33de3edc11fa..18630766c166 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b96e8166f35ec679cb5afe94ea4581a373f25f66"}} - # Latest commit on the OpenSSL master branch, as of Jan 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2f85736e9c66248528f132d46508f06a0bb8dd88"}} + # Latest commit on the BoringSSL master branch, as of Jan 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c1433eb1959ef7579cb460aab464bc0441467e3"}} + # Latest commit on the OpenSSL master branch, as of Jan 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c930ee52a4b0853fa42f0ca5942e59a68c6bca80"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 1bf2d29b40410464b83364f5c43ab005ff68ef02 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 18 Jan 2024 00:35:02 +0000 Subject: [PATCH 0971/1014] Bump x509-limbo and/or wycheproof in CI (#10201) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 0a270b6baa50..e0a4f436439e 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 17, 2024. - ref: "13ee076aae65a2ccfcfe5d3df3fa8b1fb8c540fd" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 18, 2024. + ref: "60f535528d1ad66fc939caef1a512e3e79036db8" # x509-limbo-ref From 82f715cfb0251ab6be63adfb1c7289d24cc1b989 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 01:26:33 +0000 Subject: [PATCH 0972/1014] Bump pkg-config from 0.3.28 to 0.3.29 in /src/rust (#10202) Bumps [pkg-config](https://github.com/rust-lang/pkg-config-rs) from 0.3.28 to 0.3.29. - [Changelog](https://github.com/rust-lang/pkg-config-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/pkg-config-rs/compare/0.3.28...0.3.29) --- updated-dependencies: - dependency-name: pkg-config dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ac330d60fc8b..3775ee1e5222 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -256,9 +256,9 @@ dependencies = [ [[package]] name = "pkg-config" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69d3587f8a9e599cc7ec2c00e331f71c4e69a5f9a4b8a6efd5b07466b9736f9a" +checksum = "2900ede94e305130c13ddd391e0ab7cbaeb783945ae07a279c268cb05109c6cb" [[package]] name = "proc-macro2" From bd0a0648a85c8aed266eeada48721fd85c124736 Mon Sep 17 00:00:00 2001 From: Hacksawfred3232 Date: Fri, 19 Jan 2024 01:26:45 +0000 Subject: [PATCH 0973/1014] Added warning about SHA1 being used for response signing in ocsp.rst (#10204) * Update ocsp.rst Added warning about SHA1 being used for sign() * Update ocsp.rst Fixed spelling issues, at least according to en-GB dictionary. * Update ocsp.rst Spell checker didn't catch "algorithim" somehow. * Update ocsp.rst Attempting to rephrase the warning. * Update ocsp.rst Removing rouge space. --- docs/x509/ocsp.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst index 76bfc023f15f..94605c2e499f 100644 --- a/docs/x509/ocsp.rst +++ b/docs/x509/ocsp.rst @@ -340,7 +340,11 @@ Creating Responses :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey` and an instance of a :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` - otherwise. + otherwise. Please note that + :class:`~cryptography.hazmat.primitives.hashes.SHA1` + can not be used here, regardless of if it was used for + :meth:`~cryptography.x509.ocsp.OCSPResponseBuilder.add_response` + or not. :returns: A new :class:`~cryptography.x509.ocsp.OCSPResponse`. From 17404b61fca35aafe0884a49e3f63c523ab6491f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 01:26:57 +0000 Subject: [PATCH 0974/1014] Bump BoringSSL and/or OpenSSL in CI (#10205) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18630766c166..af941427e4f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c1433eb1959ef7579cb460aab464bc0441467e3"}} - # Latest commit on the OpenSSL master branch, as of Jan 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c930ee52a4b0853fa42f0ca5942e59a68c6bca80"}} + # Latest commit on the BoringSSL master branch, as of Jan 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "083f72d726097b4abb67982315adc5f7ceb5a69a"}} + # Latest commit on the OpenSSL master branch, as of Jan 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5b2d8bc28a8ff59689da98f31459819db09a9099"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From a65879560eb6a636b1634ec4e434381a138c8145 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 08:57:04 -0300 Subject: [PATCH 0975/1014] Bump smallvec from 1.12.0 to 1.13.0 in /src/rust (#10206) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.12.0 to 1.13.0. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.12.0...v1.13.0) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3775ee1e5222..f51274fe9ed5 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -362,9 +362,9 @@ checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" [[package]] name = "smallvec" -version = "1.12.0" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2593d31f82ead8df961d8bd23a64c2ccf2eb5dd34b0a34bfb4dd54011c72009e" +checksum = "3b187f0231d56fe41bfb12034819dd2bf336422a5866de41bc3fec4b2e3883e8" [[package]] name = "syn" From 23acc7f8df0f7086a658255a560094dcbe2baab6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 23:04:44 +0000 Subject: [PATCH 0976/1014] Bump smallvec from 1.13.0 to 1.13.1 in /src/rust (#10210) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.13.0 to 1.13.1. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.13.0...v1.13.1) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f51274fe9ed5..189f4d8d90b2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -362,9 +362,9 @@ checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" [[package]] name = "smallvec" -version = "1.13.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b187f0231d56fe41bfb12034819dd2bf336422a5866de41bc3fec4b2e3883e8" +checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" From 74273aba099733db46d863bc0bd1687bc4978981 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 23:07:17 +0000 Subject: [PATCH 0977/1014] Bump markupsafe from 2.1.3 to 2.1.4 (#10211) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 2.1.3 to 2.1.4. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/2.1.4/CHANGES.rst) - [Commits](https://github.com/pallets/markupsafe/compare/2.1.3...2.1.4) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1410cd3c0723..0961a2c9e937 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -50,7 +50,7 @@ iniconfig==2.0.0 # via pytest jinja2==3.1.3 # via sphinx -markupsafe==2.1.3 +markupsafe==2.1.4 # via jinja2 mypy==1.8.0 # via cryptography (pyproject.toml) From 35dedf46d9e9aa8c30c24eec38165fdc9e8606aa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jan 2024 23:09:31 +0000 Subject: [PATCH 0978/1014] Bump ruff from 0.1.13 to 0.1.14 (#10212) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.13 to 0.1.14. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.13...v0.1.14) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0961a2c9e937..19110a231d8e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.13 +ruff==0.1.14 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From a5973d1453ce7212748e0bab47216ab53c1ee5e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jan 2024 00:10:22 +0000 Subject: [PATCH 0979/1014] Bump openssl-sys from 0.9.98 to 0.9.99 in /src/rust (#10213) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.98 to 0.9.99. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.98...openssl-sys-v0.9.99) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 189f4d8d90b2..0e8987bf9053 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -212,9 +212,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.98" +version = "0.9.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1665caf8ab2dc9aef43d1c0023bd904633a6a05cb30b0ad59bec2ae986e57a7" +checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index d816efc291e6..c111cb91cf76 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -19,7 +19,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.62" -openssl-sys = "0.9.98" +openssl-sys = "0.9.99" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 8e2a99e8e5f3..a025e58ceda7 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.98" +openssl-sys = "0.9.99" [build-dependencies] cc = "1.0.83" From 663492e4f091b825ea60483baf4b14c9f05865a1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 20 Jan 2024 00:15:19 +0000 Subject: [PATCH 0980/1014] Bump BoringSSL and/or OpenSSL in CI (#10214) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index af941427e4f8..2568b30415fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "083f72d726097b4abb67982315adc5f7ceb5a69a"}} - # Latest commit on the OpenSSL master branch, as of Jan 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5b2d8bc28a8ff59689da98f31459819db09a9099"}} + # Latest commit on the BoringSSL master branch, as of Jan 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f42be90d665b6a376177648ccbb76fbbd6497c13"}} + # Latest commit on the OpenSSL master branch, as of Jan 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7f7a910b6e8d5e564f5ce174236e44de0725f801"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From d6ddd41dcf453319a2980a96122107341b3da19a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jan 2024 00:19:59 +0000 Subject: [PATCH 0981/1014] Bump openssl from 0.10.62 to 0.10.63 in /src/rust (#10215) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.62 to 0.10.63. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.62...openssl-v0.10.63) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0e8987bf9053..789d2629f702 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -186,9 +186,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.62" +version = "0.10.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cde4d2d9200ad5909f8dac647e29482e07c3a35de8a13fce7c9c7747ad9f671" +checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" dependencies = [ "bitflags 2.4.1", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index c111cb91cf76..2322486d0406 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.62" +openssl = "0.10.63" openssl-sys = "0.9.99" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index a6fed36e22b2..dfa6b1d72182 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,4 +9,4 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.15.5", default-features = false } -openssl = "0.10.62" +openssl = "0.10.63" diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 993a9201d9be..9de75a80c88f 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -openssl = "0.10.62" +openssl = "0.10.63" ffi = { package = "openssl-sys", version = "0.9.91" } foreign-types = "0.3" foreign-types-shared = "0.1" From 75d81bb882c492b45f942d535f8293860d4a10b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Jan 2024 04:34:55 +0000 Subject: [PATCH 0982/1014] Bump proc-macro2 from 1.0.76 to 1.0.78 in /src/rust (#10220) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.76 to 1.0.78. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.76...1.0.78) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 789d2629f702..cdaa96b9c28f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -262,9 +262,9 @@ checksum = "2900ede94e305130c13ddd391e0ab7cbaeb783945ae07a279c268cb05109c6cb" [[package]] name = "proc-macro2" -version = "1.0.76" +version = "1.0.78" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95fc56cda0b5c3325f5fbbd7ff9fda9e02bb00bb3dac51252d2f1bfa1cb8cc8c" +checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" dependencies = [ "unicode-ident", ] From aaad6cbd330e89c8026c5a6688bfb81e5b7a8e92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jan 2024 23:44:12 -0500 Subject: [PATCH 0983/1014] Bump dnspython from 2.4.2 to 2.5.0 in /.github/requirements (#10221) Bumps [dnspython](https://github.com/rthalley/dnspython) from 2.4.2 to 2.5.0. - [Release notes](https://github.com/rthalley/dnspython/releases) - [Changelog](https://github.com/rthalley/dnspython/blob/master/doc/whatsnew.rst) - [Commits](https://github.com/rthalley/dnspython/compare/v2.4.2...v2.5.0) --- updated-dependencies: - dependency-name: dnspython dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 3e07243c697d..2de251b3aa5b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -194,9 +194,9 @@ cryptography==41.0.7 \ # pyopenssl # secretstorage # sigstore -dnspython==2.4.2 \ - --hash=sha256:57c6fbaaeaaf39c891292012060beb141791735dbb4004798328fc2c467402d8 \ - --hash=sha256:8dcfae8c7460a2f84b4072e26f1c9f4101ca20c071649cb7c34e8b6a93d58984 +dnspython==2.5.0 \ + --hash=sha256:6facdf76b73c742ccf2d07add296f178e629da60be23ce4b0a9c927b1e02c3a6 \ + --hash=sha256:a0034815a59ba9ae888946be7ccca8f7c157b286f8455b379c692efb51022a15 # via email-validator docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ From 742267b159fb33577eee636079a33d4ae2cc3d77 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jan 2024 05:38:30 -0500 Subject: [PATCH 0984/1014] bump bitflags (#10219) --- src/rust/Cargo.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index cdaa96b9c28f..c16a60e8f8fd 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.4.1" +version = "2.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" @@ -190,7 +190,7 @@ version = "0.10.63" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" dependencies = [ - "bitflags 2.4.1", + "bitflags 2.4.2", "cfg-if", "foreign-types", "libc", From 39e301117054bf2f3f3df5aba757b3f82d03fc0b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jan 2024 05:39:18 -0500 Subject: [PATCH 0985/1014] Remove unused test utility (#10216) --- tests/hazmat/backends/test_openssl.py | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index faa291668f5c..ca3a82abcbf7 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -35,20 +35,6 @@ __all__ = ["rsa_key_2048"] -def skip_if_libre_ssl(openssl_version): - if "LibreSSL" in openssl_version: - pytest.skip("LibreSSL hard-codes RAND_bytes to use arc4random.") - - -class TestLibreSkip: - def test_skip_no(self): - assert skip_if_libre_ssl("OpenSSL 1.0.2h 3 May 2016") is None - - def test_skip_yes(self): - with pytest.raises(pytest.skip.Exception): - skip_if_libre_ssl("LibreSSL 2.1.6") - - class DummyMGF(padding.MGF): _salt_length = 0 _algorithm = hashes.SHA1() From 8d3b4b57bfce99b7103017d1b5ce9e9bfe2ebb9a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jan 2024 05:40:11 -0500 Subject: [PATCH 0986/1014] Avoid allocating a Vec -- directly create a list (#10217) --- src/rust/src/x509/verify.rs | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 74f28e46bd7e..8cd9cfdf964b 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -211,12 +211,12 @@ impl PyServerVerifier { self.as_policy().max_chain_depth } - fn verify( + fn verify<'p>( &self, - py: pyo3::Python<'_>, + py: pyo3::Python<'p>, leaf: pyo3::Py, intermediates: Vec>, - ) -> CryptographyResult>> { + ) -> CryptographyResult<&'p pyo3::types::PyList> { let policy = self.as_policy(); let store = self.store.get(); @@ -236,7 +236,11 @@ impl PyServerVerifier { ) .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; - Ok(chain.iter().map(|c| c.extra().clone_ref(py)).collect()) + let result = pyo3::types::PyList::empty(py); + for c in chain { + result.append(c.extra())?; + } + Ok(result) } } From 2c5671928119057c0259bc532b05b8ccc04bb296 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jan 2024 05:45:27 -0500 Subject: [PATCH 0987/1014] Reduce the amount of data that needs to be hashed to check if a cert is in a trust store (#10218) --- .../cryptography-x509-verification/src/ops.rs | 5 ----- .../src/trust_store.rs | 17 +++++------------ 2 files changed, 5 insertions(+), 17 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs index 991c9f997e98..807bce5dff93 100644 --- a/src/rust/cryptography-x509-verification/src/ops.rs +++ b/src/rust/cryptography-x509-verification/src/ops.rs @@ -39,11 +39,6 @@ impl PartialEq for VerificationCertificate<'_, B> { } } impl Eq for VerificationCertificate<'_, B> {} -impl std::hash::Hash for VerificationCertificate<'_, B> { - fn hash(&self, state: &mut H) { - self.cert.hash(state) - } -} impl Clone for VerificationCertificate<'_, B> { fn clone(&self) -> Self { VerificationCertificate::new(self.cert.clone(), self.extra.clone()) diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs index eea444a80e2c..462b81965df4 100644 --- a/src/rust/cryptography-x509-verification/src/trust_store.rs +++ b/src/rust/cryptography-x509-verification/src/trust_store.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use std::collections::{HashMap, HashSet}; +use std::collections::HashMap; use cryptography_x509::name::Name; @@ -11,32 +11,26 @@ use crate::VerificationCertificate; /// A `Store` represents the core state needed for X.509 path validation. pub struct Store<'a, B: CryptoOps> { - certs: HashSet>, by_subject: HashMap, Vec>>, } impl<'a, B: CryptoOps> Store<'a, B> { /// Create a new `Store` from the given iterable certificate source. pub fn new(trusted: impl IntoIterator>) -> Self { - let certs = HashSet::from_iter(trusted); let mut by_subject: HashMap, Vec>> = HashMap::new(); - for cert in certs.iter() { + for cert in trusted { by_subject .entry(cert.certificate().tbs_cert.subject.clone()) .or_default() .push(cert.clone()); } - Store { certs, by_subject } + Store { by_subject } } /// Returns whether this store contains the given certificate. pub fn contains(&self, cert: &VerificationCertificate<'a, B>) -> bool { - self.certs.contains(cert) - } - - /// Returns an iterator over all certificates in this store. - pub fn iter(&self) -> impl Iterator> { - self.certs.iter() + self.get_by_subject(&cert.certificate().tbs_cert.subject) + .contains(cert) } pub fn get_by_subject(&self, subject: &Name<'a>) -> &[VerificationCertificate<'a, B>] { @@ -61,6 +55,5 @@ mod tests { let store = Store::<'_, PublicKeyErrorOps>::new([cert.clone()]); assert!(store.contains(&cert)); - assert!(store.iter().collect::>() == [&cert]); } } From 6b4a4de78ad91426d8e671e86e18ed6cff608639 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jan 2024 13:11:17 -0500 Subject: [PATCH 0988/1014] Migrate SPKI parsing from OpenSSL to Rust (#10121) --- src/rust/Cargo.lock | 3 + src/rust/cryptography-key-parsing/Cargo.toml | 3 + src/rust/cryptography-key-parsing/build.rs | 15 ++ src/rust/cryptography-key-parsing/src/lib.rs | 5 + src/rust/cryptography-key-parsing/src/rsa.rs | 2 +- src/rust/cryptography-key-parsing/src/spki.rs | 142 ++++++++++++++++++ src/rust/cryptography-x509/src/common.rs | 59 ++++++++ src/rust/cryptography-x509/src/oid.rs | 30 ++++ src/rust/src/backend/dh.rs | 26 +++- src/rust/src/backend/ec.rs | 4 +- src/rust/src/backend/keys.rs | 45 ++---- src/rust/src/error.rs | 19 +++ tests/hazmat/backends/test_openssl.py | 20 --- tests/hazmat/primitives/test_dh.py | 27 ++-- tests/x509/test_x509_ext.py | 16 -- 15 files changed, 332 insertions(+), 84 deletions(-) create mode 100644 src/rust/cryptography-key-parsing/build.rs create mode 100644 src/rust/cryptography-key-parsing/src/spki.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c16a60e8f8fd..b2e0ac4aad38 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -75,7 +75,10 @@ name = "cryptography-key-parsing" version = "0.1.0" dependencies = [ "asn1", + "cfg-if", + "cryptography-x509", "openssl", + "openssl-sys", ] [[package]] diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index dfa6b1d72182..3dd0b31fa1a6 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,4 +9,7 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.15.5", default-features = false } +cfg-if = "1" openssl = "0.10.63" +openssl-sys = "0.9.99" +cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-key-parsing/build.rs b/src/rust/cryptography-key-parsing/build.rs new file mode 100644 index 000000000000..cd318b35ff35 --- /dev/null +++ b/src/rust/cryptography-key-parsing/build.rs @@ -0,0 +1,15 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use std::env; + +fn main() { + if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); + } + + if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL"); + } +} diff --git a/src/rust/cryptography-key-parsing/src/lib.rs b/src/rust/cryptography-key-parsing/src/lib.rs index a5f7bc1d5579..93c49181c1fe 100644 --- a/src/rust/cryptography-key-parsing/src/lib.rs +++ b/src/rust/cryptography-key-parsing/src/lib.rs @@ -3,8 +3,13 @@ // for complete details. pub mod rsa; +pub mod spki; pub enum KeyParsingError { + InvalidKey, + ExplicitCurveUnsupported, + UnsupportedKeyType(asn1::ObjectIdentifier), + UnsupportedEllipticCurve(asn1::ObjectIdentifier), Parse(asn1::ParseError), OpenSSL(openssl::error::ErrorStack), } diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs index b1bbe2c13d38..066e7053cb52 100644 --- a/src/rust/cryptography-key-parsing/src/rsa.rs +++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -10,7 +10,7 @@ struct Pksc1RsaPublicKey<'a> { e: asn1::BigUint<'a>, } -pub fn parse_pkcs1_rsa_public_key( +pub fn parse_pkcs1_public_key( data: &[u8], ) -> KeyParsingResult> { let k = asn1::parse_single::(data)?; diff --git a/src/rust/cryptography-key-parsing/src/spki.rs b/src/rust/cryptography-key-parsing/src/spki.rs new file mode 100644 index 000000000000..e6e1133c490a --- /dev/null +++ b/src/rust/cryptography-key-parsing/src/spki.rs @@ -0,0 +1,142 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use cryptography_x509::common::{AlgorithmParameters, EcParameters, SubjectPublicKeyInfo}; + +use crate::{KeyParsingError, KeyParsingResult}; + +pub fn parse_public_key( + data: &[u8], +) -> KeyParsingResult> { + let k = asn1::parse_single::(data)?; + + match k.algorithm.params { + AlgorithmParameters::Ec(ec_params) => match ec_params { + EcParameters::NamedCurve(curve_oid) => { + let curve_nid = match curve_oid { + cryptography_x509::oid::EC_SECP192R1 => openssl::nid::Nid::X9_62_PRIME192V1, + cryptography_x509::oid::EC_SECP224R1 => openssl::nid::Nid::SECP224R1, + cryptography_x509::oid::EC_SECP256R1 => openssl::nid::Nid::X9_62_PRIME256V1, + cryptography_x509::oid::EC_SECP384R1 => openssl::nid::Nid::SECP384R1, + cryptography_x509::oid::EC_SECP521R1 => openssl::nid::Nid::SECP521R1, + + cryptography_x509::oid::EC_SECP256K1 => openssl::nid::Nid::SECP256K1, + + cryptography_x509::oid::EC_SECT233R1 => openssl::nid::Nid::SECT233R1, + cryptography_x509::oid::EC_SECT283R1 => openssl::nid::Nid::SECT283R1, + cryptography_x509::oid::EC_SECT409R1 => openssl::nid::Nid::SECT409R1, + cryptography_x509::oid::EC_SECT571R1 => openssl::nid::Nid::SECT571R1, + + cryptography_x509::oid::EC_SECT163R2 => openssl::nid::Nid::SECT163R2, + + cryptography_x509::oid::EC_SECT163K1 => openssl::nid::Nid::SECT163K1, + cryptography_x509::oid::EC_SECT233K1 => openssl::nid::Nid::SECT233K1, + cryptography_x509::oid::EC_SECT283K1 => openssl::nid::Nid::SECT283K1, + cryptography_x509::oid::EC_SECT409K1 => openssl::nid::Nid::SECT409K1, + cryptography_x509::oid::EC_SECT571K1 => openssl::nid::Nid::SECT571K1, + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + cryptography_x509::oid::EC_BRAINPOOLP256R1 => { + openssl::nid::Nid::BRAINPOOL_P256R1 + } + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + cryptography_x509::oid::EC_BRAINPOOLP384R1 => { + openssl::nid::Nid::BRAINPOOL_P384R1 + } + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + cryptography_x509::oid::EC_BRAINPOOLP512R1 => { + openssl::nid::Nid::BRAINPOOL_P512R1 + } + + _ => return Err(KeyParsingError::UnsupportedEllipticCurve(curve_oid)), + }; + + let group = openssl::ec::EcGroup::from_curve_name(curve_nid) + .map_err(|_| KeyParsingError::UnsupportedEllipticCurve(curve_oid))?; + let mut bn_ctx = openssl::bn::BigNumContext::new()?; + let ec_point = openssl::ec::EcPoint::from_bytes( + &group, + k.subject_public_key.as_bytes(), + &mut bn_ctx, + ) + .map_err(|_| KeyParsingError::InvalidKey)?; + let ec_key = openssl::ec::EcKey::from_public_key(&group, &ec_point)?; + Ok(openssl::pkey::PKey::from_ec_key(ec_key)?) + } + EcParameters::ImplicitCurve(_) | EcParameters::SpecifiedCurve(_) => { + Err(KeyParsingError::ExplicitCurveUnsupported) + } + }, + AlgorithmParameters::Ed25519 => Ok(openssl::pkey::PKey::public_key_from_raw_bytes( + k.subject_public_key.as_bytes(), + openssl::pkey::Id::ED25519, + )?), + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + AlgorithmParameters::Ed448 => Ok(openssl::pkey::PKey::public_key_from_raw_bytes( + k.subject_public_key.as_bytes(), + openssl::pkey::Id::ED448, + )?), + AlgorithmParameters::X25519 => Ok(openssl::pkey::PKey::public_key_from_raw_bytes( + k.subject_public_key.as_bytes(), + openssl::pkey::Id::X25519, + )?), + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + AlgorithmParameters::X448 => Ok(openssl::pkey::PKey::public_key_from_raw_bytes( + k.subject_public_key.as_bytes(), + openssl::pkey::Id::X448, + )?), + AlgorithmParameters::Rsa(_) | AlgorithmParameters::RsaPss(_) => { + // RSA-PSS keys are treated the same as bare RSA keys. + crate::rsa::parse_pkcs1_public_key(k.subject_public_key.as_bytes()) + } + AlgorithmParameters::Dsa(dsa_params) => { + let p = openssl::bn::BigNum::from_slice(dsa_params.p.as_bytes())?; + let q = openssl::bn::BigNum::from_slice(dsa_params.q.as_bytes())?; + let g = openssl::bn::BigNum::from_slice(dsa_params.g.as_bytes())?; + + let pub_key_int = + asn1::parse_single::>(k.subject_public_key.as_bytes())?; + let pub_key = openssl::bn::BigNum::from_slice(pub_key_int.as_bytes())?; + + let dsa = openssl::dsa::Dsa::from_public_components(p, q, g, pub_key)?; + Ok(openssl::pkey::PKey::from_dsa(dsa)?) + } + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + AlgorithmParameters::Dh(dh_params) => { + let p = openssl::bn::BigNum::from_slice(dh_params.p.as_bytes())?; + let q = openssl::bn::BigNum::from_slice(dh_params.q.as_bytes())?; + let g = openssl::bn::BigNum::from_slice(dh_params.g.as_bytes())?; + let dh = openssl::dh::Dh::from_pqg(p, Some(q), g)?; + + let pub_key_int = + asn1::parse_single::>(k.subject_public_key.as_bytes())?; + let pub_key = openssl::bn::BigNum::from_slice(pub_key_int.as_bytes())?; + let dh = dh.set_public_key(pub_key)?; + + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_IS_LIBRESSL)] { + Ok(openssl::pkey::PKey::from_dh(dh)?) + } else { + Ok(openssl::pkey::PKey::from_dhx(dh)?) + } + } + } + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + AlgorithmParameters::DhKeyAgreement(dh_params) => { + let p = openssl::bn::BigNum::from_slice(dh_params.p.as_bytes())?; + let g = openssl::bn::BigNum::from_slice(dh_params.g.as_bytes())?; + let dh = openssl::dh::Dh::from_pqg(p, None, g)?; + + let pub_key_int = + asn1::parse_single::>(k.subject_public_key.as_bytes())?; + let pub_key = openssl::bn::BigNum::from_slice(pub_key_int.as_bytes())?; + let dh = dh.set_public_key(pub_key)?; + + Ok(openssl::pkey::PKey::from_dh(dh)?) + } + _ => Err(KeyParsingError::UnsupportedKeyType( + k.algorithm.oid().clone(), + )), + } +} diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 8366edcfbaff..77cebc30464e 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -45,6 +45,11 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::ED448_OID)] Ed448, + #[defined_by(oid::X25519_OID)] + X25519, + #[defined_by(oid::X448_OID)] + X448, + // These encodings are only used in SPKI AlgorithmIdentifiers. #[defined_by(oid::EC_OID)] Ec(EcParameters<'a>), @@ -103,6 +108,9 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::RSASSA_PSS_OID)] RsaPss(Option>>), + #[defined_by(oid::DSA_OID)] + Dsa(DssParams<'a>), + #[defined_by(oid::DSA_WITH_SHA224_OID)] DsaWithSha224(Option), #[defined_by(oid::DSA_WITH_SHA256_OID)] @@ -112,6 +120,11 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::DSA_WITH_SHA512_OID)] DsaWithSha512(Option), + #[defined_by(oid::DH_OID)] + Dh(DHXParams<'a>), + #[defined_by(oid::DH_KEY_AGREEMENT_OID)] + DhKeyAgreement(BasicDHParams<'a>), + #[default] Other(asn1::ObjectIdentifier, Option>), } @@ -235,6 +248,38 @@ pub struct DHParams<'a> { pub g: asn1::BigUint<'a>, pub q: Option>, } + +// From PKCS#3 Section 9 +// DHParameter ::= SEQUENCE { +// prime INTEGER, -- p +// base INTEGER, -- g +// privateValueLength INTEGER OPTIONAL +// } +#[derive(asn1::Asn1Read, asn1::Asn1Write, Clone, PartialEq, Eq, Debug, Hash)] +pub struct BasicDHParams<'a> { + pub p: asn1::BigUint<'a>, + pub g: asn1::BigUint<'a>, + pub private_value_length: Option, +} + +// From https://www.rfc-editor.org/rfc/rfc3279#section-2.3.3 +// DomainParameters ::= SEQUENCE { +// p INTEGER, -- odd prime, p=jq +1 +// g INTEGER, -- generator, g +// q INTEGER, -- factor of p-1 +// j INTEGER OPTIONAL, -- subgroup factor +// validationParms ValidationParms OPTIONAL +// } +#[derive(asn1::Asn1Read, asn1::Asn1Write, Clone, PartialEq, Eq, Debug, Hash)] +pub struct DHXParams<'a> { + pub p: asn1::BigUint<'a>, + pub g: asn1::BigUint<'a>, + pub q: asn1::BigUint<'a>, + pub j: Option>, + // No support for this, so don't bother filling out the fields. + pub validation_params: Option>, +} + // RSA-PSS ASN.1 default hash algorithm pub const PSS_SHA1_HASH_ALG: AlgorithmIdentifier<'_> = AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -327,6 +372,20 @@ pub struct RsaPssParameters<'a> { pub _trailer_field: u8, } +// https://datatracker.ietf.org/doc/html/rfc3279#section-2.3.2 +// +// Dss-Parms ::= SEQUENCE { +// p INTEGER, +// q INTEGER, +// g INTEGER +// } +#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, Clone, PartialEq, Eq, Debug)] +pub struct DssParams<'a> { + pub p: asn1::BigUint<'a>, + pub q: asn1::BigUint<'a>, + pub g: asn1::BigUint<'a>, +} + /// A VisibleString ASN.1 element whose contents is not validated as meeting the /// requirements (visible characters of IA5), and instead is only known to be /// valid UTF-8. diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index 8d3e3543d1b5..bf5d0ba29689 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs @@ -47,9 +47,32 @@ pub const ACCEPTABLE_RESPONSES_OID: asn1::ObjectIdentifier = // Public key identifiers pub const EC_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 2, 1); + +pub const EC_SECP192R1: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 3, 1, 1); +pub const EC_SECP224R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 33); pub const EC_SECP256R1: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 3, 1, 7); pub const EC_SECP384R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 34); pub const EC_SECP521R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 35); + +pub const EC_SECP256K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 10); + +pub const EC_SECT233R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 27); +pub const EC_SECT283R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 17); +pub const EC_SECT409R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 37); +pub const EC_SECT571R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 39); + +pub const EC_SECT163R2: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 15); + +pub const EC_SECT163K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 1); +pub const EC_SECT233K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 26); +pub const EC_SECT283K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 16); +pub const EC_SECT409K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 36); +pub const EC_SECT571K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 38); + +pub const EC_BRAINPOOLP256R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 3, 3, 2, 8, 1, 1, 7); +pub const EC_BRAINPOOLP384R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 3, 3, 2, 8, 1, 1, 11); +pub const EC_BRAINPOOLP512R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 3, 3, 2, 8, 1, 1, 13); + pub const RSA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 1, 1); // Signing methods @@ -81,11 +104,18 @@ pub const RSA_WITH_SHA3_384_OID: asn1::ObjectIdentifier = pub const RSA_WITH_SHA3_512_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 3, 16); +pub const DSA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10040, 4, 1); pub const DSA_WITH_SHA224_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 3, 1); pub const DSA_WITH_SHA256_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 3, 2); pub const DSA_WITH_SHA384_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 3, 3); pub const DSA_WITH_SHA512_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 3, 4); +pub const DH_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10046, 2, 1); +pub const DH_KEY_AGREEMENT_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 3, 1); + +pub const X25519_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 101, 110); +pub const X448_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 101, 111); + pub const ED25519_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 101, 112); pub const ED448_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 101, 113); diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 0319a96f0d12..5ec1804e0df8 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -68,6 +68,23 @@ pub(crate) fn public_key_from_pkey( } } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +fn pkey_from_dh( + dh: openssl::dh::Dh, +) -> CryptographyResult> { + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_IS_LIBRESSL)] { + Ok(openssl::pkey::PKey::from_dh(dh)?) + } else { + if dh.prime_q().is_some() { + Ok(openssl::pkey::PKey::from_dhx(dh)?) + } else { + Ok(openssl::pkey::PKey::from_dh(dh)?) + } + } + } +} + #[pyo3::prelude::pyfunction] fn from_der_parameters( data: &[u8], @@ -192,8 +209,7 @@ impl DHPrivateKey { let orig_dh = self.pkey.dh().unwrap(); let dh = clone_dh(&orig_dh)?; - let pkey = - openssl::pkey::PKey::from_dh(dh.set_public_key(orig_dh.public_key().to_owned()?)?)?; + let pkey = pkey_from_dh(dh.set_public_key(orig_dh.public_key().to_owned()?)?)?; Ok(DHPublicKey { pkey }) } @@ -301,7 +317,7 @@ impl DHParameters { fn generate_private_key(&self) -> CryptographyResult { let dh = clone_dh(&self.dh)?.generate_key()?; Ok(DHPrivateKey { - pkey: openssl::pkey::PKey::from_dh(dh)?, + pkey: pkey_from_dh(dh)?, }) } @@ -413,7 +429,7 @@ impl DHPrivateNumbers { )); } - let pkey = openssl::pkey::PKey::from_dh(dh)?; + let pkey = pkey_from_dh(dh)?; Ok(DHPrivateKey { pkey }) } @@ -455,7 +471,7 @@ impl DHPublicNumbers { let pub_key = utils::py_int_to_bn(py, self.y.as_ref(py))?; - let pkey = openssl::pkey::PKey::from_dh(dh.set_public_key(pub_key)?)?; + let pkey = pkey_from_dh(dh.set_public_key(pub_key)?)?; Ok(DHPublicKey { pkey }) } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index ed525f7d1502..07a3ce6aac72 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -152,9 +152,7 @@ pub(crate) fn public_key_from_pkey( py: pyo3::Python<'_>, pkey: &openssl::pkey::PKeyRef, ) -> CryptographyResult { - let ec = pkey.ec_key().map_err(|e| { - pyo3::exceptions::PyValueError::new_err(format!("Unable to load EC key: {e}")) - })?; + let ec = pkey.ec_key()?; let curve = py_curve_from_curve(py, ec.group())?; check_key_infinity(&ec)?; Ok(ECPublicKey { diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 18b20becf948..bd3e8eb28e3b 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -7,8 +7,8 @@ use pyo3::IntoPy; use crate::backend::utils; use crate::buf::CffiBuf; -use crate::error::{self, CryptographyError, CryptographyResult}; -use crate::{exceptions, types}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; #[pyo3::prelude::pyfunction] #[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] @@ -142,14 +142,18 @@ pub(crate) fn load_der_public_key_bytes( py: pyo3::Python<'_>, data: &[u8], ) -> CryptographyResult { - if let Ok(pkey) = openssl::pkey::PKey::public_key_from_der(data) { - return public_key_from_pkey(py, &pkey, pkey.id()); + match cryptography_key_parsing::spki::parse_public_key(data) { + Ok(pkey) => public_key_from_pkey(py, &pkey, pkey.id()), + // It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still need + // to check to see if it is a pure PKCS1 RSA public key (not embedded + // in a subjectPublicKeyInfo) + Err(e) => { + // Use the original error. + let pkey = + cryptography_key_parsing::rsa::parse_pkcs1_public_key(data).map_err(|_| e)?; + public_key_from_pkey(py, &pkey, pkey.id()) + } } - // It's not a (RSA/DSA/ECDSA) subjectPublicKeyInfo, but we still need to - // check to see if it is a pure PKCS1 RSA public key (not embedded in a - // subjectPublicKeyInfo) - let pkey = cryptography_key_parsing::rsa::parse_pkcs1_rsa_public_key(data)?; - public_key_from_pkey(py, &pkey, pkey.id()) } #[pyo3::prelude::pyfunction] @@ -161,16 +165,8 @@ fn load_pem_public_key( let _ = backend; let p = pem::parse(data.as_bytes())?; let pkey = match p.tag() { - "RSA PUBLIC KEY" => { - cryptography_key_parsing::rsa::parse_pkcs1_rsa_public_key(p.contents())? - } - "PUBLIC KEY" => openssl::pkey::PKey::public_key_from_der(p.contents()).or_else(|e| { - let errors = error::list_from_openssl_error(py, e); - Err(types::BACKEND_HANDLE_KEY_LOADING_ERROR - .get(py)? - .call1((errors,)) - .unwrap_err()) - })?, + "RSA PUBLIC KEY" => cryptography_key_parsing::rsa::parse_pkcs1_public_key(p.contents())?, + "PUBLIC KEY" => cryptography_key_parsing::spki::parse_public_key(p.contents())?, _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), }; public_key_from_pkey(py, &pkey, pkey.id()) @@ -185,17 +181,6 @@ fn public_key_from_pkey( // unsupported. match id { openssl::pkey::Id::RSA => Ok(crate::backend::rsa::public_key_from_pkey(pkey).into_py(py)), - #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))] - openssl::pkey::Id::RSA_PSS => { - // At the moment the way we handle RSA PSS keys is to strip the - // PSS constraints from them and treat them as normal RSA keys - // Unfortunately the RSA * itself tracks this data so we need to - // extract, serialize, and reload it without the constraints. - let der_bytes = pkey.rsa()?.public_key_to_der()?; - let rsa = openssl::rsa::Rsa::public_key_from_der(&der_bytes)?; - let pkey = openssl::pkey::PKey::from_rsa(rsa)?; - Ok(crate::backend::rsa::public_key_from_pkey(&pkey).into_py(py)) - } openssl::pkey::Id::EC => { Ok(crate::backend::ec::public_key_from_pkey(py, pkey)?.into_py(py)) } diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 79ca0ea63c16..a4461d05a87a 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -57,6 +57,25 @@ impl From for CryptographyError { match e { cryptography_key_parsing::KeyParsingError::Parse(e) => CryptographyError::KeyParsing(e), cryptography_key_parsing::KeyParsingError::OpenSSL(e) => CryptographyError::OpenSSL(e), + cryptography_key_parsing::KeyParsingError::InvalidKey => { + CryptographyError::Py(pyo3::exceptions::PyValueError::new_err("Invalid key")) + } + cryptography_key_parsing::KeyParsingError::ExplicitCurveUnsupported => { + CryptographyError::Py(pyo3::exceptions::PyValueError::new_err( + "ECDSA keys with explicit parameters are unsupported at this time", + )) + } + cryptography_key_parsing::KeyParsingError::UnsupportedKeyType(oid) => { + CryptographyError::Py(pyo3::exceptions::PyValueError::new_err(format!( + "Unknown key type: {oid}" + ))) + } + cryptography_key_parsing::KeyParsingError::UnsupportedEllipticCurve(oid) => { + CryptographyError::Py(exceptions::UnsupportedAlgorithm::new_err(( + format!("Curve {oid} is not supported"), + exceptions::Reasons::UNSUPPORTED_ELLIPTIC_CURVE, + ))) + } } } } diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index ca3a82abcbf7..a289c5ba7415 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -308,23 +308,3 @@ def test_private_load_dhx_unsupported( ) with pytest.raises(ValueError): loader_func(key_bytes, None, backend) - - @pytest.mark.parametrize( - ("key_path", "loader_func"), - [ - ( - os.path.join("asymmetric", "DH", "dhpub_rfc5114_2.pem"), - serialization.load_pem_public_key, - ), - ( - os.path.join("asymmetric", "DH", "dhpub_rfc5114_2.der"), - serialization.load_der_public_key, - ), - ], - ) - def test_public_load_dhx_unsupported(self, key_path, loader_func, backend): - key_bytes = load_vectors_from_file( - key_path, lambda pemfile: pemfile.read(), mode="rb" - ) - with pytest.raises(ValueError): - loader_func(key_bytes, backend) diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 33ab4121c30c..a8c5325891d2 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -443,10 +443,6 @@ def test_dh_vectors_with_q(self, backend, vector): assert int.from_bytes(symkey1, "big") == int(vector["z"], 16) assert int.from_bytes(symkey2, "big") == int(vector["z"], 16) - @pytest.mark.supported( - only_if=lambda backend: backend.dh_x942_serialization_supported(), - skip_message="DH X9.42 not supported", - ) def test_public_key_equality(self, backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "DH", "dhpub.pem"), @@ -468,10 +464,6 @@ def test_public_key_equality(self, backend): with pytest.raises(TypeError): key1 < key2 # type: ignore[operator] - @pytest.mark.supported( - only_if=lambda backend: backend.dh_x942_serialization_supported(), - skip_message="DH X9.42 not supported", - ) def test_public_key_copy(self): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "DH", "dhpub.pem"), @@ -696,7 +688,24 @@ def test_public_bytes(self, backend, encoding, loader_func): loaded_key = loader_func(serialized, backend) loaded_pub_num = loaded_key.public_numbers() pub_num = key.public_numbers() - assert loaded_pub_num == pub_num + + assert loaded_pub_num.y == pub_num.y + assert ( + loaded_pub_num.parameter_numbers.p == pub_num.parameter_numbers.p + ) + assert ( + loaded_pub_num.parameter_numbers.g == pub_num.parameter_numbers.g + ) + if pub_num.parameter_numbers.q and loaded_pub_num.parameter_numbers.q: + assert ( + loaded_pub_num.parameter_numbers.q + == pub_num.parameter_numbers.q + ) + else: + # When this branch becomes unreachable by coverage (when support + # for RHEL8 is dropped), all this code can be replaced with: + # assert loaded_pub_num == pub_num + assert True @pytest.mark.skip_fips(reason="non-FIPS parameters") @pytest.mark.parametrize( diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 7048c025d312..fc3e3e06f00e 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -1758,22 +1758,6 @@ def test_invalid_bit_string_padding_from_public_key(self, backend): with pytest.raises(ValueError, match="Invalid public key encoding"): _key_identifier_from_public_key(pretend_key) - def test_no_optional_params_allowed_from_public_key(self, backend): - data = load_vectors_from_file( - filename=os.path.join( - "asymmetric", - "DER_Serialization", - "dsa_public_key_no_params.der", - ), - loader=lambda data: data.read(), - mode="rb", - ) - pretend_key = pretend.stub(public_bytes=lambda x, y: data) - key_identifier = _key_identifier_from_public_key(pretend_key) - assert key_identifier == binascii.unhexlify( - b"24c0133a6a492f2c48a18c7648e515db5ac76749" - ) - def test_from_ec_public_key(self, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) cert = _load_cert( From 410f4a1ee4cbf46fe7e969bb48fccf261f74bbcd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 21 Jan 2024 13:25:00 -0500 Subject: [PATCH 0989/1014] Allow brainpool on libressl (#10222) --- src/rust/src/backend/ec.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 07a3ce6aac72..e221b025cbb9 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -65,11 +65,11 @@ fn curve_from_py_curve( "sect409k1" => openssl::nid::Nid::SECT409K1, "sect571k1" => openssl::nid::Nid::SECT571K1, - #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] "brainpoolP256r1" => openssl::nid::Nid::BRAINPOOL_P256R1, - #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] "brainpoolP384r1" => openssl::nid::Nid::BRAINPOOL_P384R1, - #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] "brainpoolP512r1" => openssl::nid::Nid::BRAINPOOL_P512R1, _ => { From 7ea4b89cea553ce0f641ed29e1ce2e3e34278f1d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 22 Jan 2024 08:01:14 -0500 Subject: [PATCH 0990/1014] fixed formatting in changelog (#10225) --- CHANGELOG.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 9ade854140f3..7b3fdc3f529b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -31,9 +31,9 @@ Changelog * Added support for obtaining X.509 certificate revocation list signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`. -* Added `mgf` property to +* Added ``mgf`` property to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. -* Added `algorithm` and `mgf` properties to +* Added ``algorithm`` and ``mgf`` properties to :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`. * Added the following properties that return timezone-aware ``datetime`` objects: :meth:`~cryptography.x509.Certificate.not_valid_before_utc`, From 71929bd91f34213b9f4a3a0a493c218c35fa25eb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 22 Jan 2024 08:01:37 -0500 Subject: [PATCH 0991/1014] Remove binding that's not used anymore (#10224) --- src/_cffi_src/openssl/evp.py | 2 -- src/cryptography/hazmat/bindings/openssl/_conditional.py | 7 ------- 2 files changed, 9 deletions(-) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 7e80f36229f8..54f5388b83d0 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -20,7 +20,6 @@ static const int EVP_PKEY_RSA_PSS; static const int EVP_PKEY_DSA; static const int EVP_PKEY_DH; -static const int EVP_PKEY_DHX; static const int EVP_PKEY_EC; static const int EVP_PKEY_X25519; static const int EVP_PKEY_ED25519; @@ -93,7 +92,6 @@ const long Cryptography_HAS_EVP_PKEY_DHX = 1; #else const long Cryptography_HAS_EVP_PKEY_DHX = 0; -const long EVP_PKEY_DHX = -1; #endif #if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_SCRYPT) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 21e517352c7f..30cc3bfa25ef 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -28,12 +28,6 @@ def cryptography_has_tls_st() -> list[str]: ] -def cryptography_has_evp_pkey_dhx() -> list[str]: - return [ - "EVP_PKEY_DHX", - ] - - def cryptography_has_mem_functions() -> list[str]: return [ "Cryptography_CRYPTO_set_mem_functions", @@ -208,7 +202,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, - "Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx, "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions, "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, From d54093e62e7e68c02efbb4d6a09162ddb39bf72f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 22 Jan 2024 08:07:53 -0500 Subject: [PATCH 0992/1014] Remove some skips in tests that aren't needed anymore (#10223) --- tests/hazmat/primitives/test_dh.py | 18 ++++-------------- tests/hazmat/primitives/test_rsa.py | 11 ----------- tests/x509/test_x509.py | 8 -------- 3 files changed, 4 insertions(+), 33 deletions(-) diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index a8c5325891d2..9caded2cc2ac 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -753,38 +753,33 @@ def test_public_bytes_match( @pytest.mark.skip_fips(reason="non-FIPS parameters") @pytest.mark.parametrize( - ("key_path", "loader_func", "vec_path", "is_dhx"), + ("key_path", "loader_func", "vec_path"), [ ( os.path.join("asymmetric", "DH", "dhpub.pem"), serialization.load_pem_public_key, os.path.join("asymmetric", "DH", "dhkey.txt"), - False, ), ( os.path.join("asymmetric", "DH", "dhpub.der"), serialization.load_der_public_key, os.path.join("asymmetric", "DH", "dhkey.txt"), - False, ), ( os.path.join("asymmetric", "DH", "dhpub_rfc5114_2.pem"), serialization.load_pem_public_key, os.path.join("asymmetric", "DH", "dhkey_rfc5114_2.txt"), - True, ), ( os.path.join("asymmetric", "DH", "dhpub_rfc5114_2.der"), serialization.load_der_public_key, os.path.join("asymmetric", "DH", "dhkey_rfc5114_2.txt"), - True, ), ], ) def test_public_bytes_values( - self, key_path, loader_func, vec_path, is_dhx, backend + self, key_path, loader_func, vec_path, backend ): - _skip_dhx_unsupported(backend, is_dhx) key_bytes = load_vectors_from_file( key_path, lambda pemfile: pemfile.read(), mode="rb" ) @@ -882,38 +877,33 @@ def test_parameter_bytes_match( assert serialized == param_bytes @pytest.mark.parametrize( - ("param_path", "loader_func", "vec_path", "is_dhx"), + ("param_path", "loader_func", "vec_path"), [ ( os.path.join("asymmetric", "DH", "dhp.pem"), serialization.load_pem_parameters, os.path.join("asymmetric", "DH", "dhkey.txt"), - False, ), ( os.path.join("asymmetric", "DH", "dhp.der"), serialization.load_der_parameters, os.path.join("asymmetric", "DH", "dhkey.txt"), - False, ), ( os.path.join("asymmetric", "DH", "dhp_rfc5114_2.pem"), serialization.load_pem_parameters, os.path.join("asymmetric", "DH", "dhkey_rfc5114_2.txt"), - True, ), ( os.path.join("asymmetric", "DH", "dhp_rfc5114_2.der"), serialization.load_der_parameters, os.path.join("asymmetric", "DH", "dhkey_rfc5114_2.txt"), - True, ), ], ) def test_public_bytes_values( - self, param_path, loader_func, vec_path, backend, is_dhx + self, param_path, loader_func, vec_path, backend ): - _skip_dhx_unsupported(backend, is_dhx) key_bytes = load_vectors_from_file( param_path, lambda pemfile: pemfile.read(), mode="rb" ) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 205f294bffe6..10a84cb08665 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -292,17 +292,6 @@ def test_load_pss_keys_strips_constraints(self, path, backend): signature, b"whatever", padding.PKCS1v15(), hashes.SHA224() ) - @pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 - ) - ), - skip_message="Does not support RSA PSS loading", - ) def test_load_pss_pub_keys_strips_constraints(self, backend): key = load_vectors_from_file( filename=os.path.join( diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 8d40481b47c6..1a6fc7b437cc 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -792,14 +792,6 @@ def test_get_revoked_certificate_doesnt_reorder( assert crl[2].serial_number == 3 -@pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - ), - skip_message="Does not support RSA PSS loading", -) class TestRSAPSSCertificate: def test_load_cert_pub_key(self, backend): cert = _load_cert( From 41daf2d86dd9bf18081802fa5d851a7953810786 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 22 Jan 2024 22:22:05 +0100 Subject: [PATCH 0993/1014] Migrate PKCS7 backend to Rust (#10228) * Migrate PKCS7 backend to Rust * Disable PKCS7 functions under BoringSSL * Misc PKCS7 fixes --- .../hazmat/backends/openssl/backend.py | 57 +---------- .../hazmat/bindings/_rust/pkcs7.pyi | 6 ++ .../hazmat/primitives/serialization/pkcs7.py | 14 +-- src/rust/cryptography-openssl/Cargo.toml | 2 +- src/rust/src/pkcs7.rs | 95 ++++++++++++++++++- src/rust/src/x509/certificate.rs | 2 +- tests/hazmat/primitives/test_pkcs7.py | 13 +++ 7 files changed, 117 insertions(+), 72 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 1cb68c33ac74..5d9eb2768dfb 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -10,7 +10,7 @@ import typing from cryptography import utils, x509 -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons +from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl @@ -863,61 +863,6 @@ def poly1305_supported(self) -> bool: def pkcs7_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL - def load_pem_pkcs7_certificates( - self, data: bytes - ) -> list[x509.Certificate]: - utils._check_bytes("data", data) - bio = self._bytes_to_bio(data) - p7 = self._lib.PEM_read_bio_PKCS7( - bio.bio, self._ffi.NULL, self._ffi.NULL, self._ffi.NULL - ) - if p7 == self._ffi.NULL: - self._consume_errors() - raise ValueError("Unable to parse PKCS7 data") - - p7 = self._ffi.gc(p7, self._lib.PKCS7_free) - return self._load_pkcs7_certificates(p7) - - def load_der_pkcs7_certificates( - self, data: bytes - ) -> list[x509.Certificate]: - utils._check_bytes("data", data) - bio = self._bytes_to_bio(data) - p7 = self._lib.d2i_PKCS7_bio(bio.bio, self._ffi.NULL) - if p7 == self._ffi.NULL: - self._consume_errors() - raise ValueError("Unable to parse PKCS7 data") - - p7 = self._ffi.gc(p7, self._lib.PKCS7_free) - return self._load_pkcs7_certificates(p7) - - def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]: - nid = self._lib.OBJ_obj2nid(p7.type) - self.openssl_assert(nid != self._lib.NID_undef) - if nid != self._lib.NID_pkcs7_signed: - raise UnsupportedAlgorithm( - "Only basic signed structures are currently supported. NID" - f" for this data was {nid}", - _Reasons.UNSUPPORTED_SERIALIZATION, - ) - - if p7.d.sign == self._ffi.NULL: - raise ValueError( - "The provided PKCS7 has no certificate data, but a cert " - "loading method was called." - ) - - sk_x509 = p7.d.sign.cert - num = self._lib.sk_X509_num(sk_x509) - certs: list[x509.Certificate] = [] - for i in range(num): - x509 = self._lib.sk_X509_value(sk_x509, i) - self.openssl_assert(x509 != self._ffi.NULL) - cert = self._ossl2cert(x509) - certs.append(cert) - - return certs - class GetCipherByName: def __init__(self, fmt: str): diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi index 32c21c4c5439..a84978246572 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi @@ -13,3 +13,9 @@ def sign_and_serialize( encoding: serialization.Encoding, options: typing.Iterable[pkcs7.PKCS7Options], ) -> bytes: ... +def load_pem_pkcs7_certificates( + data: bytes, +) -> list[x509.Certificate]: ... +def load_der_pkcs7_certificates( + data: bytes, +) -> list[x509.Certificate]: ... diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index cd6c904df0ea..bae35c5f5988 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -17,22 +17,12 @@ from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa from cryptography.utils import _check_byteslike +load_pem_pkcs7_certificates = rust_pkcs7.load_pem_pkcs7_certificates -def load_pem_pkcs7_certificates(data: bytes) -> list[x509.Certificate]: - from cryptography.hazmat.backends.openssl.backend import backend - - return backend.load_pem_pkcs7_certificates(data) - - -def load_der_pkcs7_certificates(data: bytes) -> list[x509.Certificate]: - from cryptography.hazmat.backends.openssl.backend import backend - - return backend.load_der_pkcs7_certificates(data) - +load_der_pkcs7_certificates = rust_pkcs7.load_der_pkcs7_certificates serialize_certificates = rust_pkcs7.serialize_certificates - PKCS7HashTypes = typing.Union[ hashes.SHA224, hashes.SHA256, diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 9de75a80c88f..3a35c9fcaa2d 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -9,6 +9,6 @@ rust-version = "1.63.0" [dependencies] openssl = "0.10.63" -ffi = { package = "openssl-sys", version = "0.9.91" } +ffi = { package = "openssl-sys", version = "0.9.99" } foreign-types = "0.3" foreign-types-shared = "0.1" diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index b7f6af216e49..f307cf483ad7 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -9,11 +9,17 @@ use std::ops::Deref; use cryptography_x509::csr::Attribute; use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use openssl::pkcs7::Pkcs7; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use pyo3::IntoPy; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; -use crate::error::CryptographyResult; -use crate::{types, x509}; +use crate::error::{CryptographyError, CryptographyResult}; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use crate::x509::certificate::load_der_x509_certificate; +use crate::{exceptions, types, x509}; const PKCS7_CONTENT_TYPE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 3); const PKCS7_MESSAGE_DIGEST_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 4); @@ -290,11 +296,96 @@ fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [ } } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +fn load_pkcs7_certificates( + py: pyo3::Python<'_>, + pkcs7: Pkcs7, +) -> CryptographyResult<&pyo3::types::PyList> { + let nid = pkcs7.type_().map(|t| t.nid()); + if nid != Some(openssl::nid::Nid::PKCS7_SIGNED) { + let nid_string = nid.map_or("empty".to_string(), |n| n.as_raw().to_string()); + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!("Only basic signed structures are currently supported. NID for this data was {}", nid_string), + exceptions::Reasons::UNSUPPORTED_SERIALIZATION, + )), + )); + } + + let signed_certificates = pkcs7.signed().and_then(|x| x.certificates()); + match signed_certificates { + None => Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The provided PKCS7 has no certificate data, but a cert loading method was called.", + ), + )), + Some(certificates) => { + let result = pyo3::types::PyList::empty(py); + for c in certificates { + let cert_der = pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).into_py(py); + let cert = load_der_x509_certificate(py, cert_der, None)?; + result.append(cert.into_py(py))?; + } + Ok(result) + } + } +} + +#[pyo3::prelude::pyfunction] +fn load_pem_pkcs7_certificates<'p>( + py: pyo3::Python<'p>, + data: &[u8], +) -> CryptographyResult<&'p pyo3::types::PyList> { + cfg_if::cfg_if! { + if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { + let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_pem(data).map_err(|_| { + CryptographyError::from(pyo3::exceptions::PyValueError::new_err( + "Unable to parse PKCS7 data", + )) + })?; + load_pkcs7_certificates(py, pkcs7_decoded) + } else { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "PKCS#7 is not supported by this backend.", + exceptions::Reasons::UNSUPPORTED_SERIALIZATION, + )), + )); + } + } +} + +#[pyo3::prelude::pyfunction] +fn load_der_pkcs7_certificates<'p>( + py: pyo3::Python<'p>, + data: &[u8], +) -> CryptographyResult<&'p pyo3::types::PyList> { + cfg_if::cfg_if! { + if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { + let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_der(data).map_err(|_| { + CryptographyError::from(pyo3::exceptions::PyValueError::new_err( + "Unable to parse PKCS7 data", + )) + })?; + load_pkcs7_certificates(py, pkcs7_decoded) + } else { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "PKCS#7 is not supported by this backend.", + exceptions::Reasons::UNSUPPORTED_SERIALIZATION, + )), + )); + } + } +} + pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let submod = pyo3::prelude::PyModule::new(py, "pkcs7")?; submod.add_function(pyo3::wrap_pyfunction!(serialize_certificates, submod)?)?; submod.add_function(pyo3::wrap_pyfunction!(sign_and_serialize, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_pem_pkcs7_certificates, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_der_pkcs7_certificates, submod)?)?; Ok(submod) } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index bc40fc846ef4..552f4eda7d81 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -378,7 +378,7 @@ fn load_pem_x509_certificates( } #[pyo3::prelude::pyfunction] -fn load_der_x509_certificate( +pub(crate) fn load_der_x509_certificate( py: pyo3::Python<'_>, data: pyo3::Py, backend: Option<&pyo3::PyAny>, diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index dffc4ab2c1d0..03b04cd389e5 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -922,3 +922,16 @@ def test_invalid_types(self): certs, "not an encoding", # type: ignore[arg-type] ) + + +@pytest.mark.supported( + only_if=lambda backend: not backend.pkcs7_supported(), + skip_message="Requires OpenSSL without PKCS7 support (BoringSSL)", +) +class TestPKCS7Unsupported: + def test_pkcs7_functions_unsupported(self): + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): + pkcs7.load_der_pkcs7_certificates(b"nonsense") + + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): + pkcs7.load_pem_pkcs7_certificates(b"nonsense") From 972a7b5896a6047ea43a86db87820ab474d898ff Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 22 Jan 2024 17:14:50 -0500 Subject: [PATCH 0994/1014] verification: add test_verify_tz_aware (#10229) * verification: add test_verify_tz_aware Signed-off-by: William Woodruff * py_to_datetime handles tzinfo, add test Signed-off-by: William Woodruff * Update src/rust/src/x509/common.rs Co-authored-by: Alex Gaynor * x509/common: coverage for the coverage god Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- src/rust/src/x509/common.rs | 21 ++++++++---- tests/x509/verification/test_verification.py | 35 ++++++++++++++++++++ 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 42d08823430e..a941f50b928c 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -503,13 +503,22 @@ pub(crate) fn py_to_datetime( py: pyo3::Python<'_>, val: &pyo3::PyAny, ) -> pyo3::PyResult { + // We treat naive datetimes as UTC times, while aware datetimes get + // normalized to UTC before conversion. + let val_utc = if val.getattr(pyo3::intern!(py, "tzinfo"))?.is_none() { + val + } else { + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + val.call_method1(pyo3::intern!(py, "astimezone"), (utc,))? + }; + Ok(asn1::DateTime::new( - val.getattr(pyo3::intern!(py, "year"))?.extract()?, - val.getattr(pyo3::intern!(py, "month"))?.extract()?, - val.getattr(pyo3::intern!(py, "day"))?.extract()?, - val.getattr(pyo3::intern!(py, "hour"))?.extract()?, - val.getattr(pyo3::intern!(py, "minute"))?.extract()?, - val.getattr(pyo3::intern!(py, "second"))?.extract()?, + val_utc.getattr(pyo3::intern!(py, "year"))?.extract()?, + val_utc.getattr(pyo3::intern!(py, "month"))?.extract()?, + val_utc.getattr(pyo3::intern!(py, "day"))?.extract()?, + val_utc.getattr(pyo3::intern!(py, "hour"))?.extract()?, + val_utc.getattr(pyo3::intern!(py, "minute"))?.extract()?, + val_utc.getattr(pyo3::intern!(py, "second"))?.extract()?, ) .unwrap()) } diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index d4b0bc07d606..8c2be7054227 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -103,3 +103,38 @@ def test_store_rejects_empty_list(self): def test_store_rejects_non_certificates(self): with pytest.raises(TypeError): Store(["not a cert"]) # type: ignore[list-item] + + +class TestServerVerifier: + @pytest.mark.parametrize( + ("validation_time", "valid"), + [ + # 03:15:02 UTC+2, or 1 second before expiry in UTC + ("2018-11-16T03:15:02+02:00", True), + # 00:15:04 UTC-1, or 1 second after expiry in UTC + ("2018-11-16T00:15:04-01:00", False), + ], + ) + def test_verify_tz_aware(self, validation_time, valid): + # expires 2018-11-16 01:15:03 UTC + leaf = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + ) + + store = Store([leaf]) + + builder = PolicyBuilder().store(store) + builder = builder.time( + datetime.datetime.fromisoformat(validation_time) + ) + verifier = builder.build_server_verifier(DNSName("cryptography.io")) + + if valid: + assert verifier.verify(leaf, []) == [leaf] + else: + with pytest.raises( + x509.verification.VerificationError, + match="cert is not valid at validation time", + ): + verifier.verify(leaf, []) From 97578b98ffc417864e07d0ff9b76c02d2cb4e6da Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 00:17:25 +0000 Subject: [PATCH 0995/1014] Bump BoringSSL and/or OpenSSL in CI (#10230) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2568b30415fe..c9d3ab950244 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f42be90d665b6a376177648ccbb76fbbd6497c13"}} - # Latest commit on the OpenSSL master branch, as of Jan 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7f7a910b6e8d5e564f5ce174236e44de0725f801"}} + # Latest commit on the BoringSSL master branch, as of Jan 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4c3f8de4406c2382e43e88a638882fb1a32da32"}} + # Latest commit on the OpenSSL master branch, as of Jan 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5ed9a32a2aee89e10eb2891f5fb7a283e1b5199b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 605c74e41c75edc717f21afaa5e6a0eee9863a10 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 00:31:24 +0000 Subject: [PATCH 0996/1014] Bump x509-limbo and/or wycheproof in CI (#10231) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index e0a4f436439e..c1df58824014 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 18, 2024. - ref: "60f535528d1ad66fc939caef1a512e3e79036db8" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 23, 2024. + ref: "cf66142f5c27b64c987c6f0aa4c10b8c9677b41c" # x509-limbo-ref From 7cb13a3bc91b7537c6231674fb5b0d2132a7edbe Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 22 Jan 2024 18:45:02 -0600 Subject: [PATCH 0997/1014] we'll ship 3.2.0 for 42 (#9951) * we'll ship 3.2.0 for 42 * invalidate the caches, sigh --- .github/actions/cache/action.yml | 2 +- CHANGELOG.rst | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index b806abd215a2..6cf0f08e56a8 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -17,5 +17,5 @@ runs: shell: bash - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: - key: ${{ steps.normalized-key.outputs.key }} + key: ${{ steps.normalized-key.outputs.key }}-1 workspaces: "./src/rust/ -> target" diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7b3fdc3f529b..467ec3ffd741 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,6 +16,7 @@ Changelog will now raise a ``ValueError`` rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. * We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should resolve some errors relating to initializing a module multiple times per From 4e64baf360a3a89bd92582f59344c12b5c0bd3fd Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 22 Jan 2024 19:05:18 -0600 Subject: [PATCH 0998/1014] 42.0.0 version bump (#10232) --- CHANGELOG.rst | 8 +++----- pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 7 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 467ec3ffd741..b11a81f3fbc5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,10 +3,8 @@ Changelog .. _v42-0-0: -42.0.0 - `main`_ -~~~~~~~~~~~~~~~~ - -.. note:: This version is not yet released and is under active development. +42.0.0 - 2024-01-22 +~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7. * **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using @@ -66,7 +64,7 @@ Changelog for :class:`~cryptography.x509.Certificate` chains. These APIs should be considered unstable and not subject to our stability guarantees until documented as such in a future release. -* Added support for +* Added support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4` :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` when using OpenSSL 3.0 or greater. diff --git a/pyproject.toml b/pyproject.toml index bb93dff82f52..6369bebf7620 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.0.dev1" +version = "42.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 103c77eb7b63..7d62a32b6fab 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.0.dev1" +__version__ = "42.0.0" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index bc114b667491..6040ee84583e 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.0.dev1" +__version__ = "42.0.0" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 704bc0a5a96b..0c43684bb92a 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.0.dev1" +version = "42.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From 12f038b38af76e36efe8cef09597010c97647e8f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 23 Jan 2024 06:43:30 -0600 Subject: [PATCH 0999/1014] fixes #10237 -- correct EC sign parameter name (#10239) (#10240) Co-authored-by: Alex Gaynor --- src/rust/src/backend/ec.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index e221b025cbb9..459da6103d3b 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -269,9 +269,9 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, data: &[u8], - algorithm: &pyo3::PyAny, + signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !algorithm.is_instance(types::ECDSA.get(py)?)? { + if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -283,7 +283,7 @@ impl ECPrivateKey { let (data, _) = utils::calculate_digest_and_algorithm( py, data, - algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; From 56255de6b2d1a2d2e502b0275231ca81907f33f1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 24 Jan 2024 19:02:37 -0700 Subject: [PATCH 1000/1014] allow SPKI RSA keys to be parsed even if they have an incorrect delimiter (#10248) (#10251) * allow SPKI RSA keys to be parsed even if they have an incorrect delimiter This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed even if they are using the RSA PUBLIC KEY delimiter. * formatting * use original error if nothing parses, don't let it parse non-RSA --- docs/development/test-vectors.rst | 6 ++++++ src/rust/src/backend/keys.rs | 21 ++++++++++++++++++- tests/hazmat/primitives/test_serialization.py | 16 ++++++++++++++ .../ec_public_key_rsa_delimiter.pem | 4 ++++ .../rsa_wrong_delimiter_public_key.pem | 9 ++++++++ 5 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem create mode 100644 vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 1255688840f3..0b1f238ffaa2 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -72,12 +72,18 @@ Custom asymmetric vectors * ``asymmetric/PEM_Serialization/ec_public_key.pem`` and ``asymmetric/DER_Serialization/ec_public_key.der``- Contains the public key corresponding to ``ec_private_key.pem``, generated using OpenSSL. +* ``asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem`` - Contains + the public key corresponding to ``ec_private_key.pem``, but with the wrong PEM + delimiter (``RSA PUBLIC KEY`` when it should be ``PUBLIC KEY``). * ``asymmetric/PEM_Serialization/rsa_private_key.pem`` - Contains an RSA 2048 bit key generated using OpenSSL, protected by the secret "123456" with DES3 encryption. * ``asymmetric/PEM_Serialization/rsa_public_key.pem`` and ``asymmetric/DER_Serialization/rsa_public_key.der``- Contains an RSA 2048 bit public generated using OpenSSL from ``rsa_private_key.pem``. +* ``asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem`` - Contains + an RSA 2048 bit public key generated from ``rsa_private_key.pem``, but with + the wrong PEM delimiter (``RSA PUBLIC KEY`` when it should be ``PUBLIC KEY``). * ``asymmetric/PEM_Serialization/dsa_4096.pem`` - Contains a 4096-bit DSA private key generated using OpenSSL. * ``asymmetric/PEM_Serialization/dsaparam.pem`` - Contains 2048-bit DSA diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index bd3e8eb28e3b..ecdff5db6dcb 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -165,7 +165,26 @@ fn load_pem_public_key( let _ = backend; let p = pem::parse(data.as_bytes())?; let pkey = match p.tag() { - "RSA PUBLIC KEY" => cryptography_key_parsing::rsa::parse_pkcs1_public_key(p.contents())?, + "RSA PUBLIC KEY" => { + // We try to parse it as a PKCS1 first since that's the PEM delimiter, and if + // that fails we try to parse it as an SPKI. This is to match the permissiveness + // of OpenSSL, which doesn't care about the delimiter. + match cryptography_key_parsing::rsa::parse_pkcs1_public_key(p.contents()) { + Ok(pkey) => pkey, + Err(err) => { + let pkey = cryptography_key_parsing::spki::parse_public_key(p.contents()) + .map_err(|_| err)?; + if pkey.id() != openssl::pkey::Id::RSA { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Incorrect PEM delimiter for key type.", + ), + )); + } + pkey + } + } + } "PUBLIC KEY" => cryptography_key_parsing::spki::parse_public_key(p.contents())?, _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), }; diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index 58693a4912d2..51fcc3563d8a 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py @@ -506,6 +506,11 @@ def test_load_pem_ec_private_key(self, key_path, password, backend): "asymmetric", "PEM_Serialization", "rsa_public_key.pem" ), os.path.join("asymmetric", "public", "PKCS1", "rsa.pub.pem"), + os.path.join( + "asymmetric", + "PEM_Serialization", + "rsa_wrong_delimiter_public_key.pem", + ), ], ) def test_load_pem_rsa_public_key(self, key_file, backend): @@ -520,6 +525,17 @@ def test_load_pem_rsa_public_key(self, key_file, backend): numbers = key.public_numbers() assert numbers.e == 65537 + def test_load_pem_public_fails_with_ec_key_with_rsa_delimiter(self): + with pytest.raises(ValueError): + load_vectors_from_file( + os.path.join( + "asymmetric", + "PEM_Serialization", + "ec_public_key_rsa_delimiter.pem", + ), + lambda pemfile: load_pem_public_key(pemfile.read().encode()), + ) + def test_load_priv_key_with_public_key_api_fails( self, rsa_key_2048, backend ): diff --git a/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem new file mode 100644 index 000000000000..565ece176bf5 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem @@ -0,0 +1,4 @@ +-----BEGIN RSA PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJLzzbuz2tRnLFlOL+6bTX6giVavA +sc6NDFFT0IMCd2ibTTNUDDkFGsgq0cH5JYPg/6xUlMBFKrWYe3yQ4has9w== +-----END RSA PUBLIC KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem new file mode 100644 index 000000000000..78053b4e6ed9 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnR4AZ+tgWYql+S3MaTQ6 +zeIO1fKzFIoau9Q0zGuv/1oCAewXwxeDSSxw+/Z3GL1NpuuS9CpbR5EQ3d71bD0v +0G+Sf+mShSl0oljG7YqnNSPzKl+EQ3/KE+eEButcwas6KGof2BA4bFNCw/fPbuhk +u/d8sIIEgdzBMiGRMdW33uci3rsdOenMZQA7uWsM/q/pu85YLAVOxq6wlUCzP4FM +Tw/RKzayrPkn3Jfbqcy1aM2HDlFVx24vaN+RRbPSnVoQbo5EQYkUMXE8WmadSyHl +pXGRnWsJSV9AdGyDrbU+6tcFwcIwnW22jb/OJy8swHdqKGkuR1kQ0XqokK1yGKFZ +8wIDAQAB +-----END RSA PUBLIC KEY----- From 337437dc2e62772bde4ad5544f4b1db9ee7572d9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 24 Jan 2024 19:25:05 -0700 Subject: [PATCH 1001/1014] 42.0.1 bump (#10252) * 42.0.1 bump * Update CHANGELOG.rst Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- CHANGELOG.rst | 10 ++++++++++ pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b11a81f3fbc5..c61510410bac 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,16 @@ Changelog ========= +.. _v42-0-1: + +42.0.1 - 2024-01-24 +~~~~~~~~~~~~~~~~~~~ + +* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`. +* Resolved compatibility issue with loading certain RSA public keys in + :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`. + .. _v42-0-0: 42.0.0 - 2024-01-22 diff --git a/pyproject.toml b/pyproject.toml index 6369bebf7620..e7fe731373f5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.0" +version = "42.0.1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 7d62a32b6fab..35d8510fbafa 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.0" +__version__ = "42.0.1" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 6040ee84583e..c79601b44990 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.0" +__version__ = "42.0.1" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 0c43684bb92a..376f984a9303 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.0" +version = "42.0.1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From 4bb8596ae02d95bb054dbcf55e8771379dbe0c19 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 24 Jan 2024 19:45:39 -0700 Subject: [PATCH 1002/1014] fix the release script (#10233) (#10254) we removed version as an arg, but didn't remove it from the click decorator --- release.py | 1 - 1 file changed, 1 deletion(-) diff --git a/release.py b/release.py index 4abac1a2ed3e..78b894fe1d44 100644 --- a/release.py +++ b/release.py @@ -22,7 +22,6 @@ def cli(): @cli.command() -@click.argument("version") def release() -> None: base_dir = pathlib.Path(__file__).parent with (base_dir / "pyproject.toml").open("rb") as f: From 6478f7e28be54b51931277235de01b249ceabd96 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 25 Jan 2024 13:09:56 -0800 Subject: [PATCH 1003/1014] explicitly support bytes-like for signature/data in RSA sign/verify (#10259) (#10261) this was never documented but previously worked in <42. we now also document that this is supported to confuse ourselves less. --- docs/hazmat/primitives/asymmetric/rsa.rst | 9 ++++++--- src/rust/src/backend/rsa.rs | 15 +++++++++------ tests/hazmat/primitives/test_rsa.py | 20 ++++++++++++++++---- 3 files changed, 31 insertions(+), 13 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index b8f2acacdf8f..35230f7e982d 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -620,7 +620,8 @@ Key interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param padding: An instance of :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. @@ -739,9 +740,11 @@ Key interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param padding: An instance of :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 35dd1053fdfc..662f30aff084 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -6,6 +6,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use crate::backend::{hashes, utils}; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; @@ -281,11 +282,12 @@ impl RsaPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::PyAny> { - let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { @@ -419,18 +421,19 @@ impl RsaPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), false)?; - let valid = ctx.verify(data, signature).unwrap_or(false); + let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 10a84cb08665..8810f0f58e7e 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -763,9 +763,15 @@ def test_pkcs1_minimum_key_size(self, backend): ) private_key.sign(b"no failure", padding.PKCS1v15(), hashes.SHA512()) - def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + @pytest.mark.parametrize( + "message", + [ + b"one little message", + bytearray(b"one little message"), + ], + ) + def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): private_key = rsa_key_2048 - message = b"one little message" pkcs = padding.PKCS1v15() algorithm = hashes.SHA256() signature = private_key.sign(message, pkcs, algorithm) @@ -1375,9 +1381,15 @@ def test_pss_verify_salt_length_too_long(self, backend): hashes.SHA1(), ) - def test_verify(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + @pytest.mark.parametrize( + "message", + [ + b"one little message", + bytearray(b"one little message"), + ], + ) + def test_verify(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): private_key = rsa_key_2048 - message = b"one little message" pkcs = padding.PKCS1v15() algorithm = hashes.SHA256() signature = private_key.sign(message, pkcs, algorithm) From 92fa9f2f606caea5d499c825e832be5bac6f0c23 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Jan 2024 08:48:45 -0800 Subject: [PATCH 1004/1014] support bytes-like consistently across our asym sign/verify APIs (#10260) (#10265) and update our docs to show it as well --- docs/hazmat/primitives/asymmetric/dsa.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ec.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ed25519.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ed448.rst | 9 ++++++--- src/rust/src/backend/dsa.rs | 13 +++++++------ src/rust/src/backend/ec.rs | 13 +++++++------ src/rust/src/backend/ed25519.rs | 8 ++++---- src/rust/src/backend/ed448.rs | 8 ++++---- tests/hazmat/primitives/test_dsa.py | 8 ++++++++ tests/hazmat/primitives/test_ec.py | 9 +++++++++ tests/hazmat/primitives/test_ed25519.py | 6 ++++++ tests/hazmat/primitives/test_ed448.py | 6 ++++++ 12 files changed, 75 insertions(+), 32 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/dsa.rst b/docs/hazmat/primitives/asymmetric/dsa.rst index bcd4c993d20a..b159a09116ff 100644 --- a/docs/hazmat/primitives/asymmetric/dsa.rst +++ b/docs/hazmat/primitives/asymmetric/dsa.rst @@ -289,7 +289,8 @@ Key interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or @@ -391,9 +392,11 @@ Key interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 561218c35c72..75165b6a4536 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -569,7 +569,8 @@ Key Interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param signature_algorithm: An instance of :class:`EllipticCurveSignatureAlgorithm`, such as :class:`ECDSA`. @@ -678,12 +679,14 @@ Key Interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The DER-encoded signature to verify. + :param signature: The DER-encoded signature to verify. A raw signature may be DER-encoded by splitting it into the ``r`` and ``s`` components and passing them into :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param signature_algorithm: An instance of :class:`EllipticCurveSignatureAlgorithm`. diff --git a/docs/hazmat/primitives/asymmetric/ed25519.rst b/docs/hazmat/primitives/asymmetric/ed25519.rst index 1ca06fc1b9f2..8d4b910ca115 100644 --- a/docs/hazmat/primitives/asymmetric/ed25519.rst +++ b/docs/hazmat/primitives/asymmetric/ed25519.rst @@ -67,7 +67,8 @@ Key interfaces .. method:: sign(data) - :param bytes data: The data to sign. + :param data: The data to sign. + :type data: :term:`bytes-like` :returns bytes: The 64 byte signature. @@ -192,9 +193,11 @@ Key interfaces .. method:: verify(signature, data) - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The data to verify. + :param data: The data to verify. + :type data: :term:`bytes-like` :returns: None :raises cryptography.exceptions.InvalidSignature: Raised when the diff --git a/docs/hazmat/primitives/asymmetric/ed448.rst b/docs/hazmat/primitives/asymmetric/ed448.rst index efe245d568e9..27a8092db59c 100644 --- a/docs/hazmat/primitives/asymmetric/ed448.rst +++ b/docs/hazmat/primitives/asymmetric/ed448.rst @@ -47,7 +47,8 @@ Key interfaces .. method:: sign(data) - :param bytes data: The data to sign. + :param data: The data to sign. + :type data: :term:`bytes-like` :returns bytes: The 114 byte signature. @@ -146,9 +147,11 @@ Key interfaces .. method:: verify(signature, data) - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The data to verify. + :param data: The data to verify. + :type data: :term:`bytes-like` :returns: None :raises cryptography.exceptions.InvalidSignature: Raised when the diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index cf0824613fdb..bf341ac71314 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -3,6 +3,7 @@ // for complete details. use crate::backend::utils; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; @@ -66,10 +67,10 @@ impl DsaPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -151,15 +152,15 @@ impl DsaPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature).unwrap_or(false); + let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 459da6103d3b..5a01412981d2 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -8,6 +8,7 @@ use std::hash::{Hash, Hasher}; use pyo3::ToPyObject; use crate::backend::utils; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; @@ -268,7 +269,7 @@ impl ECPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { @@ -282,7 +283,7 @@ impl ECPrivateKey { let (data, _) = utils::calculate_digest_and_algorithm( py, - data, + data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; @@ -366,8 +367,8 @@ impl ECPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { @@ -381,13 +382,13 @@ impl ECPublicKey { let (data, _) = utils::calculate_digest_and_algorithm( py, - data, + data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature).unwrap_or(false); + let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index f68da83bfb47..81ca3230088e 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -66,12 +66,12 @@ impl Ed25519PrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { let n = signer - .sign_oneshot(b, data) + .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; assert_eq!(n, b.len()); Ok(()) @@ -118,9 +118,9 @@ impl Ed25519PrivateKey { #[pyo3::prelude::pymethods] impl Ed25519PublicKey { - fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> { + fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? - .verify_oneshot(signature, data) + .verify_oneshot(signature.as_bytes(), data.as_bytes()) .unwrap_or(false); if !valid { diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index eeed28e92f6e..15b679d5f993 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -64,12 +64,12 @@ impl Ed448PrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { let n = signer - .sign_oneshot(b, data) + .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; assert_eq!(n, b.len()); Ok(()) @@ -116,9 +116,9 @@ impl Ed448PrivateKey { #[pyo3::prelude::pymethods] impl Ed448PublicKey { - fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> { + fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? - .verify_oneshot(signature, data)?; + .verify_oneshot(signature.as_bytes(), data.as_bytes())?; if !valid { return Err(CryptographyError::from( diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index c3990cd5af44..2928a1eb9d8c 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -522,6 +522,14 @@ def test_sign(self, backend): public_key = private_key.public_key() public_key.verify(signature, message, algorithm) + def test_sign_verify_buffer(self, backend): + private_key = DSA_KEY_1024.private_key(backend) + message = bytearray(b"one little message") + algorithm = hashes.SHA1() + signature = private_key.sign(message, algorithm) + public_key = private_key.public_key() + public_key.verify(bytearray(signature), message, algorithm) + def test_prehashed_sign(self, backend): private_key = DSA_KEY_1024.private_key(backend) message = b"one little message" diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index d794d429524e..334e76dcc073 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -516,6 +516,15 @@ def test_sign(self, backend): public_key = private_key.public_key() public_key.verify(signature, message, algorithm) + def test_sign_verify_buffers(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + message = bytearray(b"one little message") + algorithm = ec.ECDSA(hashes.SHA1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) + signature = private_key.sign(message, algorithm) + public_key = private_key.public_key() + public_key.verify(bytearray(signature), message, algorithm) + def test_sign_prehashed(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" diff --git a/tests/hazmat/primitives/test_ed25519.py b/tests/hazmat/primitives/test_ed25519.py index 8e6b33b1fd62..26f7d0c71b07 100644 --- a/tests/hazmat/primitives/test_ed25519.py +++ b/tests/hazmat/primitives/test_ed25519.py @@ -117,6 +117,12 @@ def test_invalid_signature(self, backend): with pytest.raises(InvalidSignature): key.public_key().verify(b"0" * 64, b"test data") + def test_sign_verify_buffer(self, backend): + key = Ed25519PrivateKey.generate() + data = bytearray(b"test data") + signature = key.sign(data) + key.public_key().verify(bytearray(signature), data) + def test_generate(self, backend): key = Ed25519PrivateKey.generate() assert key diff --git a/tests/hazmat/primitives/test_ed448.py b/tests/hazmat/primitives/test_ed448.py index d363f38dfd96..6c7bdedea39d 100644 --- a/tests/hazmat/primitives/test_ed448.py +++ b/tests/hazmat/primitives/test_ed448.py @@ -86,6 +86,12 @@ def test_invalid_signature(self, backend): with pytest.raises(InvalidSignature): key.public_key().verify(b"0" * 64, b"test data") + def test_sign_verify_buffer(self, backend): + key = Ed448PrivateKey.generate() + data = bytearray(b"test data") + signature = key.sign(data) + key.public_key().verify(bytearray(signature), data) + def test_generate(self, backend): key = Ed448PrivateKey.generate() assert key From 002e886f16d8857151c09b11dc86b35f2ac9aec3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 29 Jan 2024 23:41:28 -0500 Subject: [PATCH 1005/1014] Fixes #10294 -- correct accidental change to exchange kwarg (#10295) (#10296) --- src/rust/src/backend/dh.rs | 4 ++-- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 5ec1804e0df8..eb6cbdcdc9e4 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -154,11 +154,11 @@ impl DHPrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &DHPublicKey, + peer_public_key: &DHPublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver - .set_peer(&public_key.pkey) + .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 5a01412981d2..6a224b49f155 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -232,7 +232,7 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, algorithm: &pyo3::PyAny, - public_key: &ECPublicKey, + peer_public_key: &ECPublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if !algorithm.is_instance(types::ECDH.get(py)?)? { return Err(CryptographyError::from( @@ -249,12 +249,12 @@ impl ECPrivateKey { // ECPublicKey object. #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] deriver - .set_peer_ex(&public_key.pkey, false) + .set_peer_ex(&peer_public_key.pkey, false) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; #[cfg(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER))] deriver - .set_peer(&public_key.pkey) + .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 00e2866cfc39..b193e18b0483 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -65,10 +65,10 @@ impl X25519PrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &X25519PublicKey, + peer_public_key: &X25519PublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; - deriver.set_peer(&public_key.pkey)?; + deriver.set_peer(&peer_public_key.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { let n = deriver.derive(b).map_err(|_| { diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 07c84bc36aca..7a64002d943d 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -64,10 +64,10 @@ impl X448PrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &X448PublicKey, + peer_public_key: &X448PublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; - deriver.set_peer(&public_key.pkey)?; + deriver.set_peer(&peer_public_key.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { let n = deriver.derive(b).map_err(|_| { From f7032bdd409838f67fc2b93343f897fb5f397d80 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 Jan 2024 11:05:07 -0600 Subject: [PATCH 1006/1014] bump openssl in CI (#10298) (#10299) --- .github/actions/cache/action.yml | 2 +- .github/workflows/ci.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 6cf0f08e56a8..31af7422da04 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -17,5 +17,5 @@ runs: shell: bash - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: - key: ${{ steps.normalized-key.outputs.key }}-1 + key: ${{ steps.normalized-key.outputs.key }}-2 workspaces: "./src/rust/ -> target" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c9d3ab950244..4db52079b000 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,17 +29,17 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.12"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 2202123b50de1b8788f909a3e5afe350c56ad81e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 Jan 2024 11:16:58 -0600 Subject: [PATCH 1007/1014] changelog and version bump 42.0.2 (#10268) --- CHANGELOG.rst | 17 +++++++++++++++++ pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c61510410bac..393ba2aa8835 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,23 @@ Changelog ========= +.. _v42-0-2: + +42.0.2 - 2024-01-30 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1. +* Fixed an issue that prevented the use of Python buffer protocol objects in + ``sign`` and ``verify`` methods on asymmetric keys. +* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`, + ``X25519PrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`, + ``X448PrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`, + and ``DHPrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`. + .. _v42-0-1: 42.0.1 - 2024-01-24 diff --git a/pyproject.toml b/pyproject.toml index e7fe731373f5..c9a7979bdcc4 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.1" +version = "42.0.2" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 35d8510fbafa..5b1b9783549c 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.1" +__version__ = "42.0.2" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index c79601b44990..c3ca4f6e267b 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.1" +__version__ = "42.0.2" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 376f984a9303..69c3511e0e73 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.1" +version = "42.0.2" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From 0e0e46f5f73f477b8ee9682738c42129d5d60177 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 3 Feb 2024 14:02:48 -0600 Subject: [PATCH 1008/1014] backport: initialize openssl's legacy provider in rust (#10323) (#10333) * initialize openssl's legacy provider in rust (#10323) * initialize openssl's legacy provider in rust as we oxidize we need to do this here to ensure it actually happens * alex is a comment format pedant * remove the memleak tests (#10322) they are fragile, haven't caught regressions, and increasingly pointless as we oxidize. --- src/_cffi_src/openssl/crypto.py | 45 -- .../hazmat/backends/openssl/backend.py | 4 +- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/openssl/_conditional.py | 7 - .../hazmat/bindings/openssl/binding.py | 31 -- src/rust/src/lib.rs | 65 +++ tests/hazmat/backends/test_openssl_memleak.py | 391 ------------------ tests/hazmat/bindings/test_openssl.py | 7 - 8 files changed, 69 insertions(+), 483 deletions(-) delete mode 100644 tests/hazmat/backends/test_openssl_memleak.py diff --git a/src/_cffi_src/openssl/crypto.py b/src/_cffi_src/openssl/crypto.py index b81b5de1da27..5284f329619c 100644 --- a/src/_cffi_src/openssl/crypto.py +++ b/src/_cffi_src/openssl/crypto.py @@ -9,8 +9,6 @@ """ TYPES = """ -static const long Cryptography_HAS_MEM_FUNCTIONS; - static const int OPENSSL_VERSION; static const int OPENSSL_CFLAGS; static const int OPENSSL_BUILT_ON; @@ -26,50 +24,7 @@ void *OPENSSL_malloc(size_t); void OPENSSL_free(void *); - - -/* Signature is significantly different in LibreSSL, so expose via different - symbol name */ -int Cryptography_CRYPTO_set_mem_functions( - void *(*)(size_t, const char *, int), - void *(*)(void *, size_t, const char *, int), - void (*)(void *, const char *, int)); - -void *Cryptography_malloc_wrapper(size_t, const char *, int); -void *Cryptography_realloc_wrapper(void *, size_t, const char *, int); -void Cryptography_free_wrapper(void *, const char *, int); """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_MEM_FUNCTIONS = 0; -int (*Cryptography_CRYPTO_set_mem_functions)( - void *(*)(size_t, const char *, int), - void *(*)(void *, size_t, const char *, int), - void (*)(void *, const char *, int)) = NULL; - -#else -static const long Cryptography_HAS_MEM_FUNCTIONS = 1; - -int Cryptography_CRYPTO_set_mem_functions( - void *(*m)(size_t, const char *, int), - void *(*r)(void *, size_t, const char *, int), - void (*f)(void *, const char *, int) -) { - return CRYPTO_set_mem_functions(m, r, f); -} -#endif - -void *Cryptography_malloc_wrapper(size_t size, const char *path, int line) { - return malloc(size); -} - -void *Cryptography_realloc_wrapper(void *ptr, size_t size, const char *path, - int line) { - return realloc(ptr, size); -} - -void Cryptography_free_wrapper(void *ptr, const char *path, int line) { - free(ptr); -} """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 5d9eb2768dfb..5cd1103bd133 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -138,7 +138,7 @@ def __repr__(self) -> str: return "".format( self.openssl_version_text(), self._fips_enabled, - self._binding._legacy_provider_loaded, + rust_openssl._legacy_provider_loaded, ) def openssl_assert( @@ -277,7 +277,7 @@ def _register_default_ciphers(self) -> None: # we get an EVP_CIPHER * in the _CipherContext __init__, but OpenSSL 3 # will return a valid pointer even though the cipher is unavailable. if ( - self._binding._legacy_provider_loaded + rust_openssl._legacy_provider_loaded or not self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ): for mode_cls in [CBC, CFB, OFB, ECB]: diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 9cdb4d6a5c6e..cc54647732cc 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -42,6 +42,8 @@ __all__ = [ "x25519", ] +_legacy_provider_loaded: bool + def openssl_version() -> int: ... def raise_openssl_error() -> typing.NoReturn: ... def capture_error_stack() -> list[OpenSSLError]: ... diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 30cc3bfa25ef..fc13348af77f 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -28,12 +28,6 @@ def cryptography_has_tls_st() -> list[str]: ] -def cryptography_has_mem_functions() -> list[str]: - return [ - "Cryptography_CRYPTO_set_mem_functions", - ] - - def cryptography_has_ed448() -> list[str]: return [ "EVP_PKEY_ED448", @@ -202,7 +196,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, - "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions, "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 40814f2a58a0..209fbeb73a8f 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -37,17 +37,6 @@ def _openssl_assert( ) -def _legacy_provider_error(loaded: bool) -> None: - if not loaded: - raise RuntimeError( - "OpenSSL 3.0's legacy provider failed to load. This is a fatal " - "error by default, but cryptography supports running without " - "legacy algorithms by setting the environment variable " - "CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error," - " you have likely made a mistake with your OpenSSL configuration." - ) - - def build_conditional_library( lib: typing.Any, conditional_names: dict[str, typing.Callable[[], list[str]]], @@ -76,7 +65,6 @@ class Binding: _lib_loaded = False _init_lock = threading.Lock() _legacy_provider: typing.Any = ffi.NULL - _legacy_provider_loaded = False _default_provider: typing.Any = ffi.NULL def __init__(self) -> None: @@ -106,25 +94,6 @@ def _ensure_ffi_initialized(cls) -> None: _openssl.lib, CONDITIONAL_NAMES ) cls._lib_loaded = True - # As of OpenSSL 3.0.0 we must register a legacy cipher provider - # to get RC2 (needed for junk asymmetric private key - # serialization), RC4, Blowfish, IDEA, SEED, etc. These things - # are ugly legacy, but we aren't going to get rid of them - # any time soon. - if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - if not os.environ.get("CRYPTOGRAPHY_OPENSSL_NO_LEGACY"): - cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( - cls.ffi.NULL, b"legacy" - ) - cls._legacy_provider_loaded = ( - cls._legacy_provider != cls.ffi.NULL - ) - _legacy_provider_error(cls._legacy_provider_loaded) - - cls._default_provider = cls.lib.OSSL_PROVIDER_load( - cls.ffi.NULL, b"default" - ) - _openssl_assert(cls._default_provider != cls.ffi.NULL) @classmethod def init_static_locks(cls) -> None: diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 9dd54f4b901d..c9f9285e3825 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -4,6 +4,11 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +use crate::error::CryptographyResult; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +use openssl::provider; +use std::env; + mod asn1; mod backend; mod buf; @@ -15,6 +20,12 @@ mod pkcs7; pub(crate) mod types; mod x509; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] +struct LoadedProviders { + legacy: Option, +} + #[pyo3::prelude::pyfunction] fn openssl_version() -> i64 { openssl::version::number() @@ -25,6 +36,35 @@ fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() } +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +fn _initialize_legacy_provider() -> CryptographyResult { + // As of OpenSSL 3.0.0 we must register a legacy cipher provider + // to get RC2 (needed for junk asymmetric private key + // serialization), RC4, Blowfish, IDEA, SEED, etc. These things + // are ugly legacy, but we aren't going to get rid of them + // any time soon. + let load_legacy = env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY") + .map(|v| v.is_empty() || v == "0") + .unwrap_or(true); + let legacy = if load_legacy { + let legacy_result = provider::Provider::try_load(None, "legacy", true); + _legacy_provider_error(legacy_result.is_ok())?; + Some(legacy_result?) + } else { + None + }; + Ok(LoadedProviders { legacy }) +} + +fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { + if !success { + return Err(pyo3::exceptions::PyRuntimeError::new_err( + "OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration." + )); + } + Ok(()) +} + #[pyo3::prelude::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; @@ -52,6 +92,20 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(cryptography_cffi::create_module(py)?)?; let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + let providers = _initialize_legacy_provider()?; + if providers.legacy.is_some() { + openssl_mod.add("_legacy_provider_loaded", true)?; + openssl_mod.add("_providers", providers)?; + } else { + openssl_mod.add("_legacy_provider_loaded", false)?; + } + } else { + // default value for non-openssl 3+ + openssl_mod.add("_legacy_provider_loaded", false)?; + } + } openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; @@ -62,3 +116,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> Ok(()) } + +#[cfg(test)] +mod tests { + use super::_legacy_provider_error; + + #[test] + fn test_legacy_provider_error() { + assert!(_legacy_provider_error(true).is_ok()); + assert!(_legacy_provider_error(false).is_err()); + } +} diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py deleted file mode 100644 index 371a7c990188..000000000000 --- a/tests/hazmat/backends/test_openssl_memleak.py +++ /dev/null @@ -1,391 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import json -import os -import platform -import subprocess -import sys -import textwrap - -import pytest - -from cryptography.hazmat.bindings.openssl.binding import Binding - -MEMORY_LEAK_SCRIPT = """ -import sys - - -def main(argv): - import gc - import json - - import cffi - - from cryptography.hazmat.bindings._rust import _openssl - - heap = {} - start_heap = {} - start_heap_realloc_delta = [0] # 1-item list so callbacks can mutate it - - BACKTRACE_ENABLED = False - if BACKTRACE_ENABLED: - backtrace_ffi = cffi.FFI() - backtrace_ffi.cdef(''' - int backtrace(void **, int); - char **backtrace_symbols(void *const *, int); - ''') - backtrace_lib = backtrace_ffi.dlopen(None) - - def backtrace(): - buf = backtrace_ffi.new("void*[]", 24) - length = backtrace_lib.backtrace(buf, len(buf)) - return (buf, length) - - def symbolize_backtrace(trace): - (buf, length) = trace - symbols = backtrace_lib.backtrace_symbols(buf, length) - stack = [ - backtrace_ffi.string(symbols[i]).decode() - for i in range(length) - ] - _openssl.lib.Cryptography_free_wrapper( - symbols, backtrace_ffi.NULL, 0 - ) - return stack - else: - def backtrace(): - return None - - def symbolize_backtrace(trace): - return None - - @_openssl.ffi.callback("void *(size_t, const char *, int)") - def malloc(size, path, line): - ptr = _openssl.lib.Cryptography_malloc_wrapper(size, path, line) - heap[ptr] = (size, path, line, backtrace()) - return ptr - - @_openssl.ffi.callback("void *(void *, size_t, const char *, int)") - def realloc(ptr, size, path, line): - if ptr != _openssl.ffi.NULL: - del heap[ptr] - new_ptr = _openssl.lib.Cryptography_realloc_wrapper( - ptr, size, path, line - ) - heap[new_ptr] = (size, path, line, backtrace()) - - # It is possible that something during the test will cause a - # realloc of memory allocated during the startup phase. (This - # was observed in conda-forge Windows builds of this package with - # provider operation_bits pointers in crypto/provider_core.c.) If - # we don't pay attention to that, the realloc'ed pointer will show - # up as a leak; but we also don't want to allow this kind of realloc - # to consume large amounts of additional memory. So we track the - # realloc and the change in memory consumption. - startup_info = start_heap.pop(ptr, None) - if startup_info is not None: - start_heap[new_ptr] = heap[new_ptr] - start_heap_realloc_delta[0] += size - startup_info[0] - - return new_ptr - - @_openssl.ffi.callback("void(void *, const char *, int)") - def free(ptr, path, line): - if ptr != _openssl.ffi.NULL: - del heap[ptr] - _openssl.lib.Cryptography_free_wrapper(ptr, path, line) - - result = _openssl.lib.Cryptography_CRYPTO_set_mem_functions( - malloc, realloc, free - ) - assert result == 1 - - # Trigger a bunch of initialization stuff. - import hashlib - from cryptography.hazmat.backends.openssl.backend import backend - - hashlib.sha256() - - start_heap.update(heap) - - try: - func(*argv[1:]) - finally: - gc.collect() - gc.collect() - gc.collect() - - if _openssl.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - _openssl.lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) - _openssl.lib.OSSL_PROVIDER_unload(backend._binding._default_provider) - - _openssl.lib.OPENSSL_cleanup() - - # Swap back to the original functions so that if OpenSSL tries to free - # something from its atexit handle it won't be going through a Python - # function, which will be deallocated when this function returns - result = _openssl.lib.Cryptography_CRYPTO_set_mem_functions( - _openssl.ffi.addressof( - _openssl.lib, "Cryptography_malloc_wrapper" - ), - _openssl.ffi.addressof( - _openssl.lib, "Cryptography_realloc_wrapper" - ), - _openssl.ffi.addressof(_openssl.lib, "Cryptography_free_wrapper"), - ) - assert result == 1 - - remaining = set(heap) - set(start_heap) - - # The constant here is the number of additional bytes of memory - # consumption that are allowed in reallocs of start_heap memory. - if remaining or start_heap_realloc_delta[0] > 3072: - info = dict( - (int(_openssl.ffi.cast("size_t", ptr)), { - "size": heap[ptr][0], - "path": _openssl.ffi.string(heap[ptr][1]).decode(), - "line": heap[ptr][2], - "backtrace": symbolize_backtrace(heap[ptr][3]), - }) - for ptr in remaining - ) - info["start_heap_realloc_delta"] = start_heap_realloc_delta[0] - sys.stdout.write(json.dumps(info)) - sys.stdout.flush() - sys.exit(255) - -main(sys.argv) -""" - - -def assert_no_memory_leaks(s, argv=[]): - env = os.environ.copy() - env["PYTHONPATH"] = os.pathsep.join(sys.path) - - # When using pytest-cov it attempts to instrument subprocesses. This - # causes the memleak tests to raise exceptions. - # we don't need coverage so we remove the env vars. - env.pop("COV_CORE_CONFIG", None) - env.pop("COV_CORE_DATAFILE", None) - env.pop("COV_CORE_SOURCE", None) - - argv = [sys.executable, "-c", f"{s}\n\n{MEMORY_LEAK_SCRIPT}", *argv] - # Shell out to a fresh Python process because OpenSSL does not allow you to - # install new memory hooks after the first malloc/free occurs. - proc = subprocess.Popen( - argv, - env=env, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - ) - assert proc.stdout is not None - assert proc.stderr is not None - try: - proc.wait() - if proc.returncode == 255: - # 255 means there was a leak, load the info about what mallocs - # weren't freed. - out = json.loads(proc.stdout.read().decode()) - raise AssertionError(out) - elif proc.returncode != 0: - # Any exception type will do to be honest - raise ValueError(proc.stdout.read(), proc.stderr.read()) - finally: - proc.stdout.close() - proc.stderr.close() - - -def skip_if_memtesting_not_supported(): - return pytest.mark.skipif( - not Binding().lib.Cryptography_HAS_MEM_FUNCTIONS - or platform.python_implementation() == "PyPy", - reason="Requires OpenSSL memory functions (>=1.1.0) and not PyPy", - ) - - -@pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0") -@skip_if_memtesting_not_supported() -class TestAssertNoMemoryLeaks: - def test_no_leak_no_malloc(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - pass - """ - ) - ) - - def test_no_leak_free(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import Binding - b = Binding() - name = b.lib.X509_NAME_new() - b.lib.X509_NAME_free(name) - """ - ) - ) - - def test_no_leak_gc(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import Binding - b = Binding() - name = b.lib.X509_NAME_new() - b.ffi.gc(name, b.lib.X509_NAME_free) - """ - ) - ) - - def test_leak(self): - with pytest.raises(AssertionError): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import ( - Binding - ) - b = Binding() - b.lib.X509_NAME_new() - """ - ) - ) - - def test_errors(self): - with pytest.raises(ValueError, match="ZeroDivisionError"): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - raise ZeroDivisionError - """ - ) - ) - - -@pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0") -@skip_if_memtesting_not_supported() -class TestOpenSSLMemoryLeaks: - def test_ec_private_numbers_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.asymmetric import ec - - ec.EllipticCurvePrivateNumbers( - private_value=int( - '280814107134858470598753916394807521398239633534281633982576099083' - '35787109896602102090002196616273211495718603965098' - ), - public_numbers=ec.EllipticCurvePublicNumbers( - curve=ec.SECP384R1(), - x=int( - '10036914308591746758780165503819213553101287571902957054148542' - '504671046744460374996612408381962208627004841444205030' - ), - y=int( - '17337335659928075994560513699823544906448896792102247714689323' - '575406618073069185107088229463828921069465902299522926' - ) - ) - ).private_key(backend) - """ - ) - ) - - def test_ec_derive_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.asymmetric import ec - ec.derive_private_key(1, ec.SECP256R1(), backend) - """ - ) - ) - - def test_x25519_pubkey_from_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.primitives.asymmetric import x25519 - private_key = x25519.X25519PrivateKey.generate() - private_key.public_key() - """ - ) - ) - - @pytest.mark.parametrize( - "path", - ["pkcs12/cert-aes256cbc-no-key.p12", "pkcs12/cert-key-aes256cbc.p12"], - ) - def test_load_pkcs12_key_and_certificates(self, path): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(path): - from cryptography import x509 - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.serialization import pkcs12 - import cryptography_vectors - - with cryptography_vectors.open_vector_file(path, "rb") as f: - pkcs12.load_key_and_certificates( - f.read(), b"cryptography", backend - ) - """ - ), - [path], - ) - - def test_write_pkcs12_key_and_certificates(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - import os - from cryptography import x509 - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives import serialization - from cryptography.hazmat.primitives.serialization import pkcs12 - import cryptography_vectors - - path = os.path.join('x509', 'custom', 'ca', 'ca.pem') - with cryptography_vectors.open_vector_file(path, "rb") as f: - cert = x509.load_pem_x509_certificate( - f.read(), backend - ) - path2 = os.path.join('x509', 'custom', 'dsa_selfsigned_ca.pem') - with cryptography_vectors.open_vector_file(path2, "rb") as f: - cert2 = x509.load_pem_x509_certificate( - f.read(), backend - ) - path3 = os.path.join('x509', 'letsencryptx3.pem') - with cryptography_vectors.open_vector_file(path3, "rb") as f: - cert3 = x509.load_pem_x509_certificate( - f.read(), backend - ) - key_path = os.path.join("x509", "custom", "ca", "ca_key.pem") - with cryptography_vectors.open_vector_file(key_path, "rb") as f: - key = serialization.load_pem_private_key( - f.read(), None, backend - ) - encryption = serialization.NoEncryption() - pkcs12.serialize_key_and_certificates( - b"name", key, cert, [cert2, cert3], encryption) - """ - ) - ) diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 64c3cfdec05c..ef45b304b4ef 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -8,7 +8,6 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl.binding import ( Binding, - _legacy_provider_error, _openssl_assert, _verify_package_version, ) @@ -84,12 +83,6 @@ def test_version_mismatch(self): with pytest.raises(ImportError): _verify_package_version("nottherightversion") - def test_legacy_provider_error(self): - with pytest.raises(RuntimeError): - _legacy_provider_error(False) - - _legacy_provider_error(True) - def test_rust_internal_error(self): with pytest.raises(InternalError) as exc_info: rust_openssl.raise_openssl_error() From 396bcf64c5be826ec00e7d7f45838c858c049cbc Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 15 Feb 2024 19:01:07 -0800 Subject: [PATCH 1009/1014] fix provider loading take two (#10390) (#10395) we previously hoisted this into rust, but we used the try_load feature which supposedly retains fallbacks. Something about that doesn't behave the way we expect though and the machinery in providers is sufficiently complex that we are just going to load the default provider explicitly. this matches our behavior pre-rust. --- src/rust/src/lib.rs | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index c9f9285e3825..9308e0c81c17 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -24,6 +24,7 @@ mod x509; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, + _default: provider::Provider, } #[pyo3::prelude::pyfunction] @@ -37,7 +38,7 @@ fn is_fips_enabled() -> bool { } #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -fn _initialize_legacy_provider() -> CryptographyResult { +fn _initialize_providers() -> CryptographyResult { // As of OpenSSL 3.0.0 we must register a legacy cipher provider // to get RC2 (needed for junk asymmetric private key // serialization), RC4, Blowfish, IDEA, SEED, etc. These things @@ -47,13 +48,14 @@ fn _initialize_legacy_provider() -> CryptographyResult { .map(|v| v.is_empty() || v == "0") .unwrap_or(true); let legacy = if load_legacy { - let legacy_result = provider::Provider::try_load(None, "legacy", true); + let legacy_result = provider::Provider::load(None, "legacy"); _legacy_provider_error(legacy_result.is_ok())?; Some(legacy_result?) } else { None }; - Ok(LoadedProviders { legacy }) + let _default = provider::Provider::load(None, "default")?; + Ok(LoadedProviders { legacy, _default }) } fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { @@ -94,13 +96,13 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { - let providers = _initialize_legacy_provider()?; + let providers = _initialize_providers()?; if providers.legacy.is_some() { openssl_mod.add("_legacy_provider_loaded", true)?; - openssl_mod.add("_providers", providers)?; } else { openssl_mod.add("_legacy_provider_loaded", false)?; } + openssl_mod.add("_providers", providers)?; } else { // default value for non-openssl 3+ openssl_mod.add("_legacy_provider_loaded", false)?; From c49a7a5271178c6e8ef36fa1c499f62c63ec19b9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 15 Feb 2024 19:41:19 -0800 Subject: [PATCH 1010/1014] changelog and version bump for 42.0.3 (#10396) --- CHANGELOG.rst | 8 ++++++++ pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 393ba2aa8835..f895ac2eee95 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,14 @@ Changelog ========= +.. _v42-0-3: + +42.0.3 - 2024-02-15 +~~~~~~~~~~~~~~~~~~~ + +* Fixed an initialization issue that caused key loading failures for some + users. + .. _v42-0-2: 42.0.2 - 2024-01-30 diff --git a/pyproject.toml b/pyproject.toml index c9a7979bdcc4..38549872dd59 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.2" +version = "42.0.3" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 5b1b9783549c..b3b68cc74880 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.2" +__version__ = "42.0.3" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index c3ca4f6e267b..4a3177ec60eb 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.2" +__version__ = "42.0.3" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 69c3511e0e73..6310fb8c485b 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.2" +version = "42.0.3" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From df314bb182bdfd661333969a94325e4680d785f6 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 17 Feb 2024 21:20:20 -0800 Subject: [PATCH 1011/1014] backport actions m1 switch to 42.0.x (#10415) * Check to see if we can use the hosted M1 runners (#10340) * Stop pretending to be x64 on M1 in CI (#10341) --------- Co-authored-by: Alex Gaynor --- .github/workflows/ci.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4db52079b000..8a58cdb1d3af 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -222,14 +222,14 @@ jobs: matrix: RUNNER: - {OS: 'macos-13', ARCH: 'x86_64'} - - {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} + - {OS: 'macos-14', ARCH: 'arm64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests"} exclude: # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} + RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 @@ -246,7 +246,6 @@ jobs: uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} - architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 cache: pip cache-dependency-path: ci-constraints-requirements.txt timeout-minutes: 3 From 7a4d012991061974da5d9cb7614de65eac94f49b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 12:09:10 -0500 Subject: [PATCH 1012/1014] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) (#10425) --- .../hazmat/backends/openssl/backend.py | 9 +++++++++ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 5cd1103bd133..66053af7f937 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -826,6 +826,15 @@ def serialize_key_and_certificates_to_pkcs12( mac_iter, 0, ) + if p12 == self._ffi.NULL: + errors = self._consume_errors() + raise ValueError( + ( + "Failed to create PKCS12 (does the key match the " + "certificate?)" + ), + errors, + ) if ( self._lib.Cryptography_HAS_PKCS12_SET_MAC diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index cd9c279ac4b0..cd7bcafc6e73 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -657,6 +657,24 @@ def test_key_serialization_encryption_set_mac_unsupported( b"name", cakey, cacert, [], algorithm ) + @pytest.mark.supported( + only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, + skip_message="Requires OpenSSL with PKCS12_set_mac", + ) + def test_set_mac_key_certificate_mismatch(self, backend): + cacert, _ = _load_ca(backend) + key = ec.generate_private_key(ec.SECP256R1()) + encryption = ( + serialization.PrivateFormat.PKCS12.encryption_builder() + .hmac_hash(hashes.SHA256()) + .build(b"password") + ) + + with pytest.raises(ValueError): + serialize_key_and_certificates( + b"name", key, cacert, [], encryption + ) + @pytest.mark.skip_fips( reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." From aaa2dd06ed470695de818405a982d4c459869803 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Feb 2024 20:53:59 -0500 Subject: [PATCH 1013/1014] Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442) * Fix ASN.1 for S/MIME capabilities. The current implementation defines the SMIMECapabilities attribute so that its value is a SEQUENCE of all the algorithm OIDs that are supported. However, the S/MIME v3 spec (RFC 2633) specifies that each algorithm should be specified in its own SEQUENCE: SMIMECapabilities ::= SEQUENCE OF SMIMECapability SMIMECapability ::= SEQUENCE { capabilityID OBJECT IDENTIFIER, parameters ANY DEFINED BY capabilityID OPTIONAL } (RFC 2633, Appendix A) This commit changes the implementation so that each algorithm is inside its own SEQUENCE. This also matches the OpenSSL implementation. * Fix the RSA OID used for signing PKCS#7/SMIME The current implementation computes the algorithm identifier used in the `digest_encryption_algorithm` PKCS#7 field (or `SignatureAlgorithmIdentifier` in S/MIME) based on both the algorithm used to sign (e.g. RSA) and the digest algorithm (e.g. SHA512). This is correct for ECDSA signatures, where the OIDs used include the digest algorithm (e.g: ecdsa-with-SHA512). However, due to historical reasons, when signing with RSA the OID specified should be the one corresponding to just RSA ("1.2.840.113549.1.1.1" rsaEncryption), rather than OIDs which also include the digest algorithm (such as "1.2.840.113549.1.1.13", sha512WithRSAEncryption). This means that the logic to compute the algorithm identifier is the same except when signing with RSA, in which case the OID will always be `rsaEncryption`. This is consistent with the OpenSSL implementation, and the RFCs that define PKCS#7 and S/MIME. See RFC 3851 (section 2.2), and RFC 3370 (section 3.2) for more details. * Add tests for the changes in PKCS7 signing * PKCS7 fixes from code review * Update CHANGELOG Co-authored-by: Facundo Tuesca --- CHANGELOG.rst | 9 +++++ src/rust/src/pkcs7.rs | 28 ++++++++++++-- src/rust/src/x509/sign.rs | 5 ++- tests/hazmat/primitives/test_pkcs7.py | 54 ++++++++++++++++++++++++++- 4 files changed, 89 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f895ac2eee95..7fb4a46047f5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,15 @@ Changelog ========= +.. _v42-0-4: + +42.0.4 - 2024-02-20 +~~~~~~~~~~~~~~~~~~~ + +* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` + and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the + definitions in :rfc:`2633` :rfc:`3370`. + .. _v42-0-3: 42.0.3 - 2024-02-15 diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index f307cf483ad7..711018793fb9 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -104,9 +104,9 @@ fn sign_and_serialize<'p>( // Subset of values OpenSSL provides: // https://github.com/openssl/openssl/blob/667a8501f0b6e5705fd611d5bb3ca24848b07154/crypto/pkcs7/pk7_smime.c#L150 // removing all the ones that are bad cryptography - AES_256_CBC_OID, - AES_192_CBC_OID, - AES_128_CBC_OID, + &asn1::SequenceOfWriter::new([AES_256_CBC_OID]), + &asn1::SequenceOfWriter::new([AES_192_CBC_OID]), + &asn1::SequenceOfWriter::new([AES_128_CBC_OID]), ]))?; let py_signers: Vec<( @@ -205,7 +205,7 @@ fn sign_and_serialize<'p>( }, digest_algorithm: digest_alg, authenticated_attributes: authenticated_attrs, - digest_encryption_algorithm: x509::sign::compute_signature_algorithm( + digest_encryption_algorithm: compute_pkcs7_signature_algorithm( py, py_private_key, py_hash_alg, @@ -262,6 +262,26 @@ fn sign_and_serialize<'p>( } } +fn compute_pkcs7_signature_algorithm<'p>( + py: pyo3::Python<'p>, + private_key: &'p pyo3::PyAny, + hash_algorithm: &'p pyo3::PyAny, + rsa_padding: &'p pyo3::PyAny, +) -> pyo3::PyResult> { + let key_type = x509::sign::identify_key_type(py, private_key)?; + let has_pss_padding = rsa_padding.is_instance(types::PSS.get(py)?)?; + // For RSA signatures (with no PSS padding), the OID is always the same no matter the + // digest algorithm. See RFC 3370 (section 3.2). + if key_type == x509::sign::KeyType::Rsa && !has_pss_padding { + Ok(common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: common::AlgorithmParameters::Rsa(Some(())), + }) + } else { + x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding) + } +} + fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [u8]>) { let mut new_data_with_header = vec![]; let mut new_data_without_header = vec![]; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 4d9637d1f2de..5e38af2e2e79 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -48,7 +48,10 @@ enum HashType { Sha3_512, } -fn identify_key_type(py: pyo3::Python<'_>, private_key: &pyo3::PyAny) -> pyo3::PyResult { +pub(crate) fn identify_key_type( + py: pyo3::Python<'_>, + private_key: &pyo3::PyAny, +) -> pyo3::PyResult { if private_key.is_instance(types::RSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Rsa) } else if private_key.is_instance(types::DSA_PRIVATE_KEY.get(py)?)? { diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 03b04cd389e5..685b7c940ad7 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -557,6 +557,50 @@ def test_sign_text(self, backend): backend, ) + def test_smime_capabilities(self, backend): + data = b"hello world" + cert, key = _load_cert_key() + builder = ( + pkcs7.PKCS7SignatureBuilder() + .set_data(data) + .add_signer(cert, key, hashes.SHA256()) + ) + + sig_binary = builder.sign(serialization.Encoding.DER, []) + + # 1.2.840.113549.1.9.15 (SMIMECapabilities) as an ASN.1 DER encoded OID + assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" in sig_binary + + # 2.16.840.1.101.3.4.1.42 (aes256-CBC-PAD) as an ASN.1 DER encoded OID + aes256_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2A" + # 2.16.840.1.101.3.4.1.22 (aes192-CBC-PAD) as an ASN.1 DER encoded OID + aes192_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x16" + # 2.16.840.1.101.3.4.1.2 (aes128-CBC-PAD) as an ASN.1 DER encoded OID + aes128_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" + + # Each algorithm in SMIMECapabilities should be inside its own + # SEQUENCE. + # This is encoded as SEQUENCE_IDENTIFIER + LENGTH + ALGORITHM_OID. + # This tests that each algorithm is indeed encoded inside its own + # sequence. See RFC 2633, Appendix A for more details. + sequence_identifier = b"\x30" + for oid in [ + aes256_cbc_pad_oid, + aes192_cbc_pad_oid, + aes128_cbc_pad_oid, + ]: + len_oid = len(oid).to_bytes(length=1, byteorder="big") + assert sequence_identifier + len_oid + oid in sig_binary + + _pkcs7_verify( + serialization.Encoding.DER, + sig_binary, + None, + [cert], + [], + backend, + ) + def test_sign_no_capabilities(self, backend): data = b"hello world" cert, key = _load_cert_key() @@ -677,9 +721,15 @@ def test_rsa_pkcs_padding_options(self, pad, backend): sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x08") == 1 ) else: - # This should be a pkcs1 sha512 signature + # This should be a pkcs1 RSA signature, which uses the + # `rsaEncryption` OID (1.2.840.113549.1.1.1) no matter which + # digest algorithm is used. + # See RFC 3370 section 3.2 for more details. + # This OID appears twice, once in the certificate itself and + # another in the SignerInfo data structure in the + # `digest_encryption_algorithm` field. assert ( - sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D") == 1 + sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") == 2 ) _pkcs7_verify( serialization.Encoding.DER, From fe18470f7d05f963e7267e34fdf985d81ea6ceea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Feb 2024 21:48:23 -0500 Subject: [PATCH 1014/1014] Bump for 42.0.4 release (#10445) --- CHANGELOG.rst | 3 +++ pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7fb4a46047f5..b32b234c5d33 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,6 +6,9 @@ Changelog 42.0.4 - 2024-02-20 ~~~~~~~~~~~~~~~~~~~ +* Fixed a null-pointer-dereference and segfault that could occur when creating + a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the + issue. **CVE-2024-26130** * Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the definitions in :rfc:`2633` :rfc:`3370`. diff --git a/pyproject.toml b/pyproject.toml index 38549872dd59..6fce9b3403e7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.3" +version = "42.0.4" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index b3b68cc74880..b66092523d7d 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.3" +__version__ = "42.0.4" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 4a3177ec60eb..e2d51b38c0f4 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.3" +__version__ = "42.0.4" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 6310fb8c485b..48cab55c51d1 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.3" +version = "42.0.4" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ]