From 71cd1c43a93ba5a079392ea66023ce063e5d58d0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 22 Jan 2024 20:50:49 -0600 Subject: [PATCH 001/868] reopen main for 43 dev (#10234) --- CHANGELOG.rst | 8 ++++++++ pyproject.toml | 2 +- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b11a81f3fbc5..f96ef193d2d9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,14 @@ Changelog ========= +.. _v43-0-0: + +43.0.0 - `main`_ +~~~~~~~~~~~~~~~~ + +.. note:: This version is not yet released and is under active development. + + .. _v42-0-0: 42.0.0 - 2024-01-22 diff --git a/pyproject.toml b/pyproject.toml index 6369bebf7620..e127e7fa6fd6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.0" +version = "43.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 7d62a32b6fab..5d65d977a08a 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.0" +__version__ = "43.0.0.dev1" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 6040ee84583e..4f859faec08c 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.0" +__version__ = "43.0.0.dev1" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 0c43684bb92a..99021511a0cd 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.0" +version = "43.0.0.dev1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From c8f732eb27770ecfc2c7a265c213d7e4b595113f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 22 Jan 2024 20:51:02 -0600 Subject: [PATCH 002/868] fix the release script (#10233) we removed version as an arg, but didn't remove it from the click decorator --- release.py | 1 - 1 file changed, 1 deletion(-) diff --git a/release.py b/release.py index 4abac1a2ed3e..78b894fe1d44 100644 --- a/release.py +++ b/release.py @@ -22,7 +22,6 @@ def cli(): @cli.command() -@click.argument("version") def release() -> None: base_dir = pathlib.Path(__file__).parent with (base_dir / "pyproject.toml").open("rb") as f: From 317985423b7658881d13f80e2a0fb533ebcf9162 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 23 Jan 2024 07:32:38 -0500 Subject: [PATCH 003/868] fixes #10237 -- correct EC sign parameter name (#10239) --- src/rust/src/backend/ec.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index e221b025cbb9..459da6103d3b 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -269,9 +269,9 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, data: &[u8], - algorithm: &pyo3::PyAny, + signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !algorithm.is_instance(types::ECDSA.get(py)?)? { + if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -283,7 +283,7 @@ impl ECPrivateKey { let (data, _) = utils::calculate_digest_and_algorithm( py, data, - algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; From bbbf1de73a5d57f8e9a43b6323a43e2d6ae22a3f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 06:34:25 -0600 Subject: [PATCH 004/868] Bump pyopenssl from 23.3.0 to 24.0.0 in /.github/requirements (#10238) * Bump pyopenssl from 23.3.0 to 24.0.0 in /.github/requirements Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 23.3.0 to 24.0.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/23.3.0...24.0.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2de251b3aa5b..f1db1b610c84 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -489,9 +489,9 @@ pyjwt==2.8.0 \ --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 # via sigstore -pyopenssl==23.3.0 \ - --hash=sha256:6756834481d9ed5470f4a9393455154bc92fe7a64b7bc6ee2c804e78c52099b2 \ - --hash=sha256:6b2cba5cc46e822750ec3e5a81ee12819850b11303630d575e98108a079c2b12 +pyopenssl==24.0.0 \ + --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ + --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 # via sigstore python-dateutil==2.8.2 \ --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ From f9a0b3d67e406832e4933a0f9d62a66e3800cabc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 07:08:18 -0600 Subject: [PATCH 005/868] Bump cryptography from 41.0.7 to 42.0.0 in /.github/requirements (#10241) * Bump cryptography from 41.0.7 to 42.0.0 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.7 to 42.0.0. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/41.0.7...42.0.0) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 57 +++++++++++-------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f1db1b610c84..8bb646c976e5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,30 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==41.0.7 \ - --hash=sha256:079b85658ea2f59c4f43b70f8119a52414cdb7be34da5d019a77bf96d473b960 \ - --hash=sha256:09616eeaef406f99046553b8a40fbf8b1e70795a91885ba4c96a70793de5504a \ - --hash=sha256:13f93ce9bea8016c253b34afc6bd6a75993e5c40672ed5405a9c832f0d4a00bc \ - --hash=sha256:37a138589b12069efb424220bf78eac59ca68b95696fc622b6ccc1c0a197204a \ - --hash=sha256:3c78451b78313fa81607fa1b3f1ae0a5ddd8014c38a02d9db0616133987b9cdf \ - --hash=sha256:43f2552a2378b44869fe8827aa19e69512e3245a219104438692385b0ee119d1 \ - --hash=sha256:48a0476626da912a44cc078f9893f292f0b3e4c739caf289268168d8f4702a39 \ - --hash=sha256:49f0805fc0b2ac8d4882dd52f4a3b935b210935d500b6b805f321addc8177406 \ - --hash=sha256:5429ec739a29df2e29e15d082f1d9ad683701f0ec7709ca479b3ff2708dae65a \ - --hash=sha256:5a1b41bc97f1ad230a41657d9155113c7521953869ae57ac39ac7f1bb471469a \ - --hash=sha256:68a2dec79deebc5d26d617bfdf6e8aab065a4f34934b22d3b5010df3ba36612c \ - --hash=sha256:7a698cb1dac82c35fcf8fe3417a3aaba97de16a01ac914b89a0889d364d2f6be \ - --hash=sha256:841df4caa01008bad253bce2a6f7b47f86dc9f08df4b433c404def869f590a15 \ - --hash=sha256:90452ba79b8788fa380dfb587cca692976ef4e757b194b093d845e8d99f612f2 \ - --hash=sha256:928258ba5d6f8ae644e764d0f996d61a8777559f72dfeb2eea7e2fe0ad6e782d \ - --hash=sha256:af03b32695b24d85a75d40e1ba39ffe7db7ffcb099fe507b39fd41a565f1b157 \ - --hash=sha256:b640981bf64a3e978a56167594a0e97db71c89a479da8e175d8bb5be5178c003 \ - --hash=sha256:c5ca78485a255e03c32b513f8c2bc39fedb7f5c5f8535545bdc223a03b24f248 \ - --hash=sha256:c7f3201ec47d5207841402594f1d7950879ef890c0c495052fa62f58283fde1a \ - --hash=sha256:d5ec85080cce7b0513cfd233914eb8b7bbd0633f1d1703aa28d1dd5a72f678ec \ - --hash=sha256:d6c391c021ab1f7a82da5d8d0b3cee2f4b2c455ec86c8aebbc84837a631ff309 \ - --hash=sha256:e3114da6d7f95d2dee7d3f4eec16dacff819740bbab931aff8648cb13c5ff5e7 \ - --hash=sha256:f983596065a18a2183e7f79ab3fd4c475205b839e02cbc0efbbf9666c4b3083d +cryptography==42.0.0 \ + --hash=sha256:0a68bfcf57a6887818307600c3c0ebc3f62fbb6ccad2240aa21887cda1f8df1b \ + --hash=sha256:146e971e92a6dd042214b537a726c9750496128453146ab0ee8971a0299dc9bd \ + --hash=sha256:14e4b909373bc5bf1095311fa0f7fcabf2d1a160ca13f1e9e467be1ac4cbdf94 \ + --hash=sha256:206aaf42e031b93f86ad60f9f5d9da1b09164f25488238ac1dc488334eb5e221 \ + --hash=sha256:3005166a39b70c8b94455fdbe78d87a444da31ff70de3331cdec2c568cf25b7e \ + --hash=sha256:324721d93b998cb7367f1e6897370644751e5580ff9b370c0a50dc60a2003513 \ + --hash=sha256:33588310b5c886dfb87dba5f013b8d27df7ffd31dc753775342a1e5ab139e59d \ + --hash=sha256:35cf6ed4c38f054478a9df14f03c1169bb14bd98f0b1705751079b25e1cb58bc \ + --hash=sha256:3ca482ea80626048975360c8e62be3ceb0f11803180b73163acd24bf014133a0 \ + --hash=sha256:56ce0c106d5c3fec1038c3cca3d55ac320a5be1b44bf15116732d0bc716979a2 \ + --hash=sha256:5a217bca51f3b91971400890905a9323ad805838ca3fa1e202a01844f485ee87 \ + --hash=sha256:678cfa0d1e72ef41d48993a7be75a76b0725d29b820ff3cfd606a5b2b33fda01 \ + --hash=sha256:69fd009a325cad6fbfd5b04c711a4da563c6c4854fc4c9544bff3088387c77c0 \ + --hash=sha256:6cf9b76d6e93c62114bd19485e5cb003115c134cf9ce91f8ac924c44f8c8c3f4 \ + --hash=sha256:74f18a4c8ca04134d2052a140322002fef535c99cdbc2a6afc18a8024d5c9d5b \ + --hash=sha256:85f759ed59ffd1d0baad296e72780aa62ff8a71f94dc1ab340386a1207d0ea81 \ + --hash=sha256:87086eae86a700307b544625e3ba11cc600c3c0ef8ab97b0fda0705d6db3d4e3 \ + --hash=sha256:8814722cffcfd1fbd91edd9f3451b88a8f26a5fd41b28c1c9193949d1c689dc4 \ + --hash=sha256:8fedec73d590fd30c4e3f0d0f4bc961aeca8390c72f3eaa1a0874d180e868ddf \ + --hash=sha256:9515ea7f596c8092fdc9902627e51b23a75daa2c7815ed5aa8cf4f07469212ec \ + --hash=sha256:988b738f56c665366b1e4bfd9045c3efae89ee366ca3839cd5af53eaa1401bce \ + --hash=sha256:a2a8d873667e4fd2f34aedab02ba500b824692c6542e017075a2efc38f60a4c0 \ + --hash=sha256:bd7cf7a8d9f34cc67220f1195884151426ce616fdc8285df9054bfa10135925f \ + --hash=sha256:bdce70e562c69bb089523e75ef1d9625b7417c6297a76ac27b1b8b1eb51b7d0f \ + --hash=sha256:be14b31eb3a293fc6e6aa2807c8a3224c71426f7c4e3639ccf1a2f3ffd6df8c3 \ + --hash=sha256:be41b0c7366e5549265adf2145135dca107718fa44b6e418dc7499cfff6b4689 \ + --hash=sha256:c310767268d88803b653fffe6d6f2f17bb9d49ffceb8d70aed50ad45ea49ab08 \ + --hash=sha256:c58115384bdcfe9c7f644c72f10f6f42bed7cf59f7b52fe1bf7ae0a622b3a139 \ + --hash=sha256:c640b0ef54138fde761ec99a6c7dc4ce05e80420262c20fa239e694ca371d434 \ + --hash=sha256:ca20550bb590db16223eb9ccc5852335b48b8f597e2f6f0878bbfd9e7314eb17 \ + --hash=sha256:d97aae66b7de41cdf5b12087b5509e4e9805ed6f562406dfcf60e8481a9a28f8 \ + --hash=sha256:e9326ca78111e4c645f7e49cbce4ed2f3f85e17b61a563328c85a5208cf34440 # via # pyopenssl # secretstorage From 97eb48eee01edcd081fa546cafecc28d6247d005 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 19:53:49 -0500 Subject: [PATCH 006/868] Bump x509-limbo and/or wycheproof in CI (#10243) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c1df58824014..191272a8c3ed 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 23, 2024. - ref: "cf66142f5c27b64c987c6f0aa4c10b8c9677b41c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 24, 2024. + ref: "5df450e490c1edc9d883e0f654e2671b638a2802" # x509-limbo-ref From 050839f4dd0f1394ddb6538d4520424ee84ca99d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Jan 2024 06:52:30 -0500 Subject: [PATCH 007/868] Bump argcomplete from 3.2.1 to 3.2.2 (#10245) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.2.1 to 3.2.2. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.2.1...v3.2.2) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 19110a231d8e..e05835c90880 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.2.1; python_version >= "3.8" +argcomplete==3.2.2; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx From 72d94030fce5ddf1b1c4fcd882ab155d2d471a27 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 00:22:02 +0000 Subject: [PATCH 008/868] Bump BoringSSL and/or OpenSSL in CI (#10249) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c9d3ab950244..a77e813d78ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4c3f8de4406c2382e43e88a638882fb1a32da32"}} - # Latest commit on the OpenSSL master branch, as of Jan 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5ed9a32a2aee89e10eb2891f5fb7a283e1b5199b"}} + # Latest commit on the BoringSSL master branch, as of Jan 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "77ee4e4609cfb3480e1a554790348ebcab61313e"}} + # Latest commit on the OpenSSL master branch, as of Jan 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ff78d94b131d7bb3b761509d3ce0dd864b1420e3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From bee35f0d4b2151e530995c1b2ca0c2ba049e8b4b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 00:30:50 +0000 Subject: [PATCH 009/868] Bump x509-limbo and/or wycheproof in CI (#10250) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 191272a8c3ed..6dced6338927 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 24, 2024. - ref: "5df450e490c1edc9d883e0f654e2671b638a2802" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 25, 2024. + ref: "dcbb36ae64a11648c98c42e6610f7d278704c2ea" # x509-limbo-ref From 075925fd55dfef127141bb9ef49e826008da8ae4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 24 Jan 2024 18:54:23 -0700 Subject: [PATCH 010/868] allow SPKI RSA keys to be parsed even if they have an incorrect delimiter (#10248) * allow SPKI RSA keys to be parsed even if they have an incorrect delimiter This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed even if they are using the RSA PUBLIC KEY delimiter. * formatting * use original error if nothing parses, don't let it parse non-RSA --- docs/development/test-vectors.rst | 6 ++++++ src/rust/src/backend/keys.rs | 21 ++++++++++++++++++- tests/hazmat/primitives/test_serialization.py | 16 ++++++++++++++ .../ec_public_key_rsa_delimiter.pem | 4 ++++ .../rsa_wrong_delimiter_public_key.pem | 9 ++++++++ 5 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem create mode 100644 vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 1255688840f3..0b1f238ffaa2 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -72,12 +72,18 @@ Custom asymmetric vectors * ``asymmetric/PEM_Serialization/ec_public_key.pem`` and ``asymmetric/DER_Serialization/ec_public_key.der``- Contains the public key corresponding to ``ec_private_key.pem``, generated using OpenSSL. +* ``asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem`` - Contains + the public key corresponding to ``ec_private_key.pem``, but with the wrong PEM + delimiter (``RSA PUBLIC KEY`` when it should be ``PUBLIC KEY``). * ``asymmetric/PEM_Serialization/rsa_private_key.pem`` - Contains an RSA 2048 bit key generated using OpenSSL, protected by the secret "123456" with DES3 encryption. * ``asymmetric/PEM_Serialization/rsa_public_key.pem`` and ``asymmetric/DER_Serialization/rsa_public_key.der``- Contains an RSA 2048 bit public generated using OpenSSL from ``rsa_private_key.pem``. +* ``asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem`` - Contains + an RSA 2048 bit public key generated from ``rsa_private_key.pem``, but with + the wrong PEM delimiter (``RSA PUBLIC KEY`` when it should be ``PUBLIC KEY``). * ``asymmetric/PEM_Serialization/dsa_4096.pem`` - Contains a 4096-bit DSA private key generated using OpenSSL. * ``asymmetric/PEM_Serialization/dsaparam.pem`` - Contains 2048-bit DSA diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index bd3e8eb28e3b..ecdff5db6dcb 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -165,7 +165,26 @@ fn load_pem_public_key( let _ = backend; let p = pem::parse(data.as_bytes())?; let pkey = match p.tag() { - "RSA PUBLIC KEY" => cryptography_key_parsing::rsa::parse_pkcs1_public_key(p.contents())?, + "RSA PUBLIC KEY" => { + // We try to parse it as a PKCS1 first since that's the PEM delimiter, and if + // that fails we try to parse it as an SPKI. This is to match the permissiveness + // of OpenSSL, which doesn't care about the delimiter. + match cryptography_key_parsing::rsa::parse_pkcs1_public_key(p.contents()) { + Ok(pkey) => pkey, + Err(err) => { + let pkey = cryptography_key_parsing::spki::parse_public_key(p.contents()) + .map_err(|_| err)?; + if pkey.id() != openssl::pkey::Id::RSA { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Incorrect PEM delimiter for key type.", + ), + )); + } + pkey + } + } + } "PUBLIC KEY" => cryptography_key_parsing::spki::parse_public_key(p.contents())?, _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), }; diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index 58693a4912d2..51fcc3563d8a 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py @@ -506,6 +506,11 @@ def test_load_pem_ec_private_key(self, key_path, password, backend): "asymmetric", "PEM_Serialization", "rsa_public_key.pem" ), os.path.join("asymmetric", "public", "PKCS1", "rsa.pub.pem"), + os.path.join( + "asymmetric", + "PEM_Serialization", + "rsa_wrong_delimiter_public_key.pem", + ), ], ) def test_load_pem_rsa_public_key(self, key_file, backend): @@ -520,6 +525,17 @@ def test_load_pem_rsa_public_key(self, key_file, backend): numbers = key.public_numbers() assert numbers.e == 65537 + def test_load_pem_public_fails_with_ec_key_with_rsa_delimiter(self): + with pytest.raises(ValueError): + load_vectors_from_file( + os.path.join( + "asymmetric", + "PEM_Serialization", + "ec_public_key_rsa_delimiter.pem", + ), + lambda pemfile: load_pem_public_key(pemfile.read().encode()), + ) + def test_load_priv_key_with_public_key_api_fails( self, rsa_key_2048, backend ): diff --git a/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem new file mode 100644 index 000000000000..565ece176bf5 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/ec_public_key_rsa_delimiter.pem @@ -0,0 +1,4 @@ +-----BEGIN RSA PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJLzzbuz2tRnLFlOL+6bTX6giVavA +sc6NDFFT0IMCd2ibTTNUDDkFGsgq0cH5JYPg/6xUlMBFKrWYe3yQ4has9w== +-----END RSA PUBLIC KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem new file mode 100644 index 000000000000..78053b4e6ed9 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/PEM_Serialization/rsa_wrong_delimiter_public_key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnR4AZ+tgWYql+S3MaTQ6 +zeIO1fKzFIoau9Q0zGuv/1oCAewXwxeDSSxw+/Z3GL1NpuuS9CpbR5EQ3d71bD0v +0G+Sf+mShSl0oljG7YqnNSPzKl+EQ3/KE+eEButcwas6KGof2BA4bFNCw/fPbuhk +u/d8sIIEgdzBMiGRMdW33uci3rsdOenMZQA7uWsM/q/pu85YLAVOxq6wlUCzP4FM +Tw/RKzayrPkn3Jfbqcy1aM2HDlFVx24vaN+RRbPSnVoQbo5EQYkUMXE8WmadSyHl +pXGRnWsJSV9AdGyDrbU+6tcFwcIwnW22jb/OJy8swHdqKGkuR1kQ0XqokK1yGKFZ +8wIDAQAB +-----END RSA PUBLIC KEY----- From 1bb43b0d9ee6978f1bdfafd2df34b0024417a053 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 24 Jan 2024 19:48:17 -0700 Subject: [PATCH 011/868] port 42.0.1 changelog to main (#10253) --- CHANGELOG.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f96ef193d2d9..7abdf8e9f9ef 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,15 @@ Changelog .. note:: This version is not yet released and is under active development. +.. _v42-0-1: + +42.0.1 - 2024-01-24 +~~~~~~~~~~~~~~~~~~~ + +* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`. +* Resolved compatibility issue with loading certain RSA public keys in + :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`. .. _v42-0-0: From e49a9361bbf717eee8d61fd3fda2d698ac916c08 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 12:01:30 +0000 Subject: [PATCH 012/868] Bump pluggy from 1.3.0 to 1.4.0 (#10258) Bumps [pluggy](https://github.com/pytest-dev/pluggy) from 1.3.0 to 1.4.0. - [Changelog](https://github.com/pytest-dev/pluggy/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pluggy/compare/1.3.0...1.4.0) --- updated-dependencies: - dependency-name: pluggy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e05835c90880..6650dc463de8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -70,7 +70,7 @@ pathspec==0.12.1 # via check-sdist platformdirs==4.1.0; python_version >= "3.8" # via virtualenv -pluggy==1.3.0; python_version >= "3.8" +pluggy==1.4.0; python_version >= "3.8" # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) From 646c0c4b56bbf249b49792fabca75332081ddf78 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 06:06:32 -0800 Subject: [PATCH 013/868] Bump cryptography from 42.0.0 to 42.0.1 in /.github/requirements (#10257) * Bump cryptography from 42.0.0 to 42.0.1 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.0 to 42.0.1. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.0...42.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8bb646c976e5..9189187f47fb 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.0 \ - --hash=sha256:0a68bfcf57a6887818307600c3c0ebc3f62fbb6ccad2240aa21887cda1f8df1b \ - --hash=sha256:146e971e92a6dd042214b537a726c9750496128453146ab0ee8971a0299dc9bd \ - --hash=sha256:14e4b909373bc5bf1095311fa0f7fcabf2d1a160ca13f1e9e467be1ac4cbdf94 \ - --hash=sha256:206aaf42e031b93f86ad60f9f5d9da1b09164f25488238ac1dc488334eb5e221 \ - --hash=sha256:3005166a39b70c8b94455fdbe78d87a444da31ff70de3331cdec2c568cf25b7e \ - --hash=sha256:324721d93b998cb7367f1e6897370644751e5580ff9b370c0a50dc60a2003513 \ - --hash=sha256:33588310b5c886dfb87dba5f013b8d27df7ffd31dc753775342a1e5ab139e59d \ - --hash=sha256:35cf6ed4c38f054478a9df14f03c1169bb14bd98f0b1705751079b25e1cb58bc \ - --hash=sha256:3ca482ea80626048975360c8e62be3ceb0f11803180b73163acd24bf014133a0 \ - --hash=sha256:56ce0c106d5c3fec1038c3cca3d55ac320a5be1b44bf15116732d0bc716979a2 \ - --hash=sha256:5a217bca51f3b91971400890905a9323ad805838ca3fa1e202a01844f485ee87 \ - --hash=sha256:678cfa0d1e72ef41d48993a7be75a76b0725d29b820ff3cfd606a5b2b33fda01 \ - --hash=sha256:69fd009a325cad6fbfd5b04c711a4da563c6c4854fc4c9544bff3088387c77c0 \ - --hash=sha256:6cf9b76d6e93c62114bd19485e5cb003115c134cf9ce91f8ac924c44f8c8c3f4 \ - --hash=sha256:74f18a4c8ca04134d2052a140322002fef535c99cdbc2a6afc18a8024d5c9d5b \ - --hash=sha256:85f759ed59ffd1d0baad296e72780aa62ff8a71f94dc1ab340386a1207d0ea81 \ - --hash=sha256:87086eae86a700307b544625e3ba11cc600c3c0ef8ab97b0fda0705d6db3d4e3 \ - --hash=sha256:8814722cffcfd1fbd91edd9f3451b88a8f26a5fd41b28c1c9193949d1c689dc4 \ - --hash=sha256:8fedec73d590fd30c4e3f0d0f4bc961aeca8390c72f3eaa1a0874d180e868ddf \ - --hash=sha256:9515ea7f596c8092fdc9902627e51b23a75daa2c7815ed5aa8cf4f07469212ec \ - --hash=sha256:988b738f56c665366b1e4bfd9045c3efae89ee366ca3839cd5af53eaa1401bce \ - --hash=sha256:a2a8d873667e4fd2f34aedab02ba500b824692c6542e017075a2efc38f60a4c0 \ - --hash=sha256:bd7cf7a8d9f34cc67220f1195884151426ce616fdc8285df9054bfa10135925f \ - --hash=sha256:bdce70e562c69bb089523e75ef1d9625b7417c6297a76ac27b1b8b1eb51b7d0f \ - --hash=sha256:be14b31eb3a293fc6e6aa2807c8a3224c71426f7c4e3639ccf1a2f3ffd6df8c3 \ - --hash=sha256:be41b0c7366e5549265adf2145135dca107718fa44b6e418dc7499cfff6b4689 \ - --hash=sha256:c310767268d88803b653fffe6d6f2f17bb9d49ffceb8d70aed50ad45ea49ab08 \ - --hash=sha256:c58115384bdcfe9c7f644c72f10f6f42bed7cf59f7b52fe1bf7ae0a622b3a139 \ - --hash=sha256:c640b0ef54138fde761ec99a6c7dc4ce05e80420262c20fa239e694ca371d434 \ - --hash=sha256:ca20550bb590db16223eb9ccc5852335b48b8f597e2f6f0878bbfd9e7314eb17 \ - --hash=sha256:d97aae66b7de41cdf5b12087b5509e4e9805ed6f562406dfcf60e8481a9a28f8 \ - --hash=sha256:e9326ca78111e4c645f7e49cbce4ed2f3f85e17b61a563328c85a5208cf34440 +cryptography==42.0.1 \ + --hash=sha256:0b7cacc142260ada944de070ce810c3e2a438963ee3deb45aa26fd2cee94c9a4 \ + --hash=sha256:126e0ba3cc754b200a2fb88f67d66de0d9b9e94070c5bc548318c8dab6383cb6 \ + --hash=sha256:160fa08dfa6dca9cb8ad9bd84e080c0db6414ba5ad9a7470bc60fb154f60111e \ + --hash=sha256:16b9260d04a0bfc8952b00335ff54f471309d3eb9d7e8dbfe9b0bd9e26e67881 \ + --hash=sha256:25ec6e9e81de5d39f111a4114193dbd39167cc4bbd31c30471cebedc2a92c323 \ + --hash=sha256:265bdc693570b895eb641410b8fc9e8ddbce723a669236162b9d9cfb70bd8d77 \ + --hash=sha256:2dff7a32880a51321f5de7869ac9dde6b1fca00fc1fef89d60e93f215468e824 \ + --hash=sha256:2fe16624637d6e3e765530bc55caa786ff2cbca67371d306e5d0a72e7c3d0407 \ + --hash=sha256:32ea63ceeae870f1a62e87f9727359174089f7b4b01e4999750827bf10e15d60 \ + --hash=sha256:351db02c1938c8e6b1fee8a78d6b15c5ccceca7a36b5ce48390479143da3b411 \ + --hash=sha256:430100abed6d3652208ae1dd410c8396213baee2e01a003a4449357db7dc9e14 \ + --hash=sha256:4d84673c012aa698555d4710dcfe5f8a0ad76ea9dde8ef803128cc669640a2e0 \ + --hash=sha256:50aecd93676bcca78379604ed664c45da82bc1241ffb6f97f6b7392ed5bc6f04 \ + --hash=sha256:6ac8924085ed8287545cba89dc472fc224c10cc634cdf2c3e2866fe868108e77 \ + --hash=sha256:6bfd823b336fdcd8e06285ae8883d3d2624d3bdef312a0e2ef905f332f8e9302 \ + --hash=sha256:727387886c9c8de927c360a396c5edcb9340d9e960cda145fca75bdafdabd24c \ + --hash=sha256:7911586fc69d06cd0ab3f874a169433db1bc2f0e40988661408ac06c4527a986 \ + --hash=sha256:802d6f83233cf9696b59b09eb067e6b4d5ae40942feeb8e13b213c8fad47f1aa \ + --hash=sha256:8d7efb6bf427d2add2f40b6e1e8e476c17508fa8907234775214b153e69c2e11 \ + --hash=sha256:9544492e8024f29919eac2117edd8c950165e74eb551a22c53f6fdf6ba5f4cb8 \ + --hash=sha256:95d900d19a370ae36087cc728e6e7be9c964ffd8cbcb517fd1efb9c9284a6abc \ + --hash=sha256:9d61fcdf37647765086030d81872488e4cb3fafe1d2dda1d487875c3709c0a49 \ + --hash=sha256:ab6b302d51fbb1dd339abc6f139a480de14d49d50f65fdc7dff782aa8631d035 \ + --hash=sha256:b512f33c6ab195852595187af5440d01bb5f8dd57cb7a91e1e009a17f1b7ebca \ + --hash=sha256:cb2861a9364fa27d24832c718150fdbf9ce6781d7dc246a516435f57cfa31fe7 \ + --hash=sha256:d3594947d2507d4ef7a180a7f49a6db41f75fb874c2fd0e94f36b89bfd678bf2 \ + --hash=sha256:d3902c779a92151f134f68e555dd0b17c658e13429f270d8a847399b99235a3f \ + --hash=sha256:d50718dd574a49d3ef3f7ef7ece66ef281b527951eb2267ce570425459f6a404 \ + --hash=sha256:e5edf189431b4d51f5c6fb4a95084a75cef6b4646c934eb6e32304fc720e1453 \ + --hash=sha256:e6edc3a568667daf7d349d7e820783426ee4f1c0feab86c29bd1d6fe2755e009 \ + --hash=sha256:ed1b2130f5456a09a134cc505a17fc2830a1a48ed53efd37dcc904a23d7b82fa \ + --hash=sha256:fd33f53809bb363cf126bebe7a99d97735988d9b0131a2be59fbf83e1259a5b7 # via # pyopenssl # secretstorage From 08b24d87a64734ac7f5c575b309ad7d49c246353 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 25 Jan 2024 11:51:59 -0800 Subject: [PATCH 014/868] explicitly support bytes-like for signature/data in RSA sign/verify (#10259) this was never documented but previously worked in <42. we now also document that this is supported to confuse ourselves less. --- docs/hazmat/primitives/asymmetric/rsa.rst | 9 ++++++--- src/rust/src/backend/rsa.rs | 15 +++++++++------ tests/hazmat/primitives/test_rsa.py | 20 ++++++++++++++++---- 3 files changed, 31 insertions(+), 13 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index b8f2acacdf8f..35230f7e982d 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -620,7 +620,8 @@ Key interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param padding: An instance of :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. @@ -739,9 +740,11 @@ Key interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param padding: An instance of :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`. diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 35dd1053fdfc..662f30aff084 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -6,6 +6,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use crate::backend::{hashes, utils}; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; @@ -281,11 +282,12 @@ impl RsaPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::PyAny> { - let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { @@ -419,18 +421,19 @@ impl RsaPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), false)?; - let valid = ctx.verify(data, signature).unwrap_or(false); + let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 10a84cb08665..8810f0f58e7e 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -763,9 +763,15 @@ def test_pkcs1_minimum_key_size(self, backend): ) private_key.sign(b"no failure", padding.PKCS1v15(), hashes.SHA512()) - def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + @pytest.mark.parametrize( + "message", + [ + b"one little message", + bytearray(b"one little message"), + ], + ) + def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): private_key = rsa_key_2048 - message = b"one little message" pkcs = padding.PKCS1v15() algorithm = hashes.SHA256() signature = private_key.sign(message, pkcs, algorithm) @@ -1375,9 +1381,15 @@ def test_pss_verify_salt_length_too_long(self, backend): hashes.SHA1(), ) - def test_verify(self, rsa_key_2048: rsa.RSAPrivateKey, backend): + @pytest.mark.parametrize( + "message", + [ + b"one little message", + bytearray(b"one little message"), + ], + ) + def test_verify(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): private_key = rsa_key_2048 - message = b"one little message" pkcs = padding.PKCS1v15() algorithm = hashes.SHA256() signature = private_key.sign(message, pkcs, algorithm) From 3da3a3703bef1772b08bfc7da4b9221b5592f506 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 25 Jan 2024 13:09:27 -0800 Subject: [PATCH 015/868] support bytes-like consistently across our asym sign/verify APIs (#10260) and update our docs to show it as well --- docs/hazmat/primitives/asymmetric/dsa.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ec.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ed25519.rst | 9 ++++++--- docs/hazmat/primitives/asymmetric/ed448.rst | 9 ++++++--- src/rust/src/backend/dsa.rs | 13 +++++++------ src/rust/src/backend/ec.rs | 13 +++++++------ src/rust/src/backend/ed25519.rs | 8 ++++---- src/rust/src/backend/ed448.rs | 8 ++++---- tests/hazmat/primitives/test_dsa.py | 8 ++++++++ tests/hazmat/primitives/test_ec.py | 9 +++++++++ tests/hazmat/primitives/test_ed25519.py | 6 ++++++ tests/hazmat/primitives/test_ed448.py | 6 ++++++ 12 files changed, 75 insertions(+), 32 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/dsa.rst b/docs/hazmat/primitives/asymmetric/dsa.rst index bcd4c993d20a..b159a09116ff 100644 --- a/docs/hazmat/primitives/asymmetric/dsa.rst +++ b/docs/hazmat/primitives/asymmetric/dsa.rst @@ -289,7 +289,8 @@ Key interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or @@ -391,9 +392,11 @@ Key interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 561218c35c72..75165b6a4536 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -569,7 +569,8 @@ Key Interfaces Sign one block of data which can be verified later by others using the public key. - :param bytes data: The message string to sign. + :param data: The message string to sign. + :type data: :term:`bytes-like` :param signature_algorithm: An instance of :class:`EllipticCurveSignatureAlgorithm`, such as :class:`ECDSA`. @@ -678,12 +679,14 @@ Key Interfaces Verify one block of data was signed by the private key associated with this public key. - :param bytes signature: The DER-encoded signature to verify. + :param signature: The DER-encoded signature to verify. A raw signature may be DER-encoded by splitting it into the ``r`` and ``s`` components and passing them into :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature`. + :type signature: :term:`bytes-like` - :param bytes data: The message string that was signed. + :param data: The message string that was signed. + :type data: :term:`bytes-like` :param signature_algorithm: An instance of :class:`EllipticCurveSignatureAlgorithm`. diff --git a/docs/hazmat/primitives/asymmetric/ed25519.rst b/docs/hazmat/primitives/asymmetric/ed25519.rst index 1ca06fc1b9f2..8d4b910ca115 100644 --- a/docs/hazmat/primitives/asymmetric/ed25519.rst +++ b/docs/hazmat/primitives/asymmetric/ed25519.rst @@ -67,7 +67,8 @@ Key interfaces .. method:: sign(data) - :param bytes data: The data to sign. + :param data: The data to sign. + :type data: :term:`bytes-like` :returns bytes: The 64 byte signature. @@ -192,9 +193,11 @@ Key interfaces .. method:: verify(signature, data) - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The data to verify. + :param data: The data to verify. + :type data: :term:`bytes-like` :returns: None :raises cryptography.exceptions.InvalidSignature: Raised when the diff --git a/docs/hazmat/primitives/asymmetric/ed448.rst b/docs/hazmat/primitives/asymmetric/ed448.rst index efe245d568e9..27a8092db59c 100644 --- a/docs/hazmat/primitives/asymmetric/ed448.rst +++ b/docs/hazmat/primitives/asymmetric/ed448.rst @@ -47,7 +47,8 @@ Key interfaces .. method:: sign(data) - :param bytes data: The data to sign. + :param data: The data to sign. + :type data: :term:`bytes-like` :returns bytes: The 114 byte signature. @@ -146,9 +147,11 @@ Key interfaces .. method:: verify(signature, data) - :param bytes signature: The signature to verify. + :param signature: The signature to verify. + :type signature: :term:`bytes-like` - :param bytes data: The data to verify. + :param data: The data to verify. + :type data: :term:`bytes-like` :returns: None :raises cryptography.exceptions.InvalidSignature: Raised when the diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index cf0824613fdb..bf341ac71314 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -3,6 +3,7 @@ // for complete details. use crate::backend::utils; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; @@ -66,10 +67,10 @@ impl DsaPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -151,15 +152,15 @@ impl DsaPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data, algorithm)?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature).unwrap_or(false); + let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 459da6103d3b..5a01412981d2 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -8,6 +8,7 @@ use std::hash::{Hash, Hasher}; use pyo3::ToPyObject; use crate::backend::utils; +use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; @@ -268,7 +269,7 @@ impl ECPrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { @@ -282,7 +283,7 @@ impl ECPrivateKey { let (data, _) = utils::calculate_digest_and_algorithm( py, - data, + data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; @@ -366,8 +367,8 @@ impl ECPublicKey { fn verify( &self, py: pyo3::Python<'_>, - signature: &[u8], - data: &[u8], + signature: CffiBuf<'_>, + data: CffiBuf<'_>, signature_algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { @@ -381,13 +382,13 @@ impl ECPublicKey { let (data, _) = utils::calculate_digest_and_algorithm( py, - data, + data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature).unwrap_or(false); + let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index f68da83bfb47..81ca3230088e 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -66,12 +66,12 @@ impl Ed25519PrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { let n = signer - .sign_oneshot(b, data) + .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; assert_eq!(n, b.len()); Ok(()) @@ -118,9 +118,9 @@ impl Ed25519PrivateKey { #[pyo3::prelude::pymethods] impl Ed25519PublicKey { - fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> { + fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? - .verify_oneshot(signature, data) + .verify_oneshot(signature.as_bytes(), data.as_bytes()) .unwrap_or(false); if !valid { diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index eeed28e92f6e..15b679d5f993 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -64,12 +64,12 @@ impl Ed448PrivateKey { fn sign<'p>( &self, py: pyo3::Python<'p>, - data: &[u8], + data: CffiBuf<'_>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { let n = signer - .sign_oneshot(b, data) + .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; assert_eq!(n, b.len()); Ok(()) @@ -116,9 +116,9 @@ impl Ed448PrivateKey { #[pyo3::prelude::pymethods] impl Ed448PublicKey { - fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> { + fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? - .verify_oneshot(signature, data)?; + .verify_oneshot(signature.as_bytes(), data.as_bytes())?; if !valid { return Err(CryptographyError::from( diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index c3990cd5af44..2928a1eb9d8c 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -522,6 +522,14 @@ def test_sign(self, backend): public_key = private_key.public_key() public_key.verify(signature, message, algorithm) + def test_sign_verify_buffer(self, backend): + private_key = DSA_KEY_1024.private_key(backend) + message = bytearray(b"one little message") + algorithm = hashes.SHA1() + signature = private_key.sign(message, algorithm) + public_key = private_key.public_key() + public_key.verify(bytearray(signature), message, algorithm) + def test_prehashed_sign(self, backend): private_key = DSA_KEY_1024.private_key(backend) message = b"one little message" diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index d794d429524e..334e76dcc073 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -516,6 +516,15 @@ def test_sign(self, backend): public_key = private_key.public_key() public_key.verify(signature, message, algorithm) + def test_sign_verify_buffers(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + message = bytearray(b"one little message") + algorithm = ec.ECDSA(hashes.SHA1()) + private_key = ec.generate_private_key(ec.SECP256R1(), backend) + signature = private_key.sign(message, algorithm) + public_key = private_key.public_key() + public_key.verify(bytearray(signature), message, algorithm) + def test_sign_prehashed(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" diff --git a/tests/hazmat/primitives/test_ed25519.py b/tests/hazmat/primitives/test_ed25519.py index 8e6b33b1fd62..26f7d0c71b07 100644 --- a/tests/hazmat/primitives/test_ed25519.py +++ b/tests/hazmat/primitives/test_ed25519.py @@ -117,6 +117,12 @@ def test_invalid_signature(self, backend): with pytest.raises(InvalidSignature): key.public_key().verify(b"0" * 64, b"test data") + def test_sign_verify_buffer(self, backend): + key = Ed25519PrivateKey.generate() + data = bytearray(b"test data") + signature = key.sign(data) + key.public_key().verify(bytearray(signature), data) + def test_generate(self, backend): key = Ed25519PrivateKey.generate() assert key diff --git a/tests/hazmat/primitives/test_ed448.py b/tests/hazmat/primitives/test_ed448.py index d363f38dfd96..6c7bdedea39d 100644 --- a/tests/hazmat/primitives/test_ed448.py +++ b/tests/hazmat/primitives/test_ed448.py @@ -86,6 +86,12 @@ def test_invalid_signature(self, backend): with pytest.raises(InvalidSignature): key.public_key().verify(b"0" * 64, b"test data") + def test_sign_verify_buffer(self, backend): + key = Ed448PrivateKey.generate() + data = bytearray(b"test data") + signature = key.sign(data) + key.public_key().verify(bytearray(signature), data) + def test_generate(self, backend): key = Ed448PrivateKey.generate() assert key From 314dd53422eef945fd6cf49d5a5cade2c71dfd0a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Jan 2024 19:16:33 -0500 Subject: [PATCH 016/868] Bump BoringSSL and/or OpenSSL in CI (#10262) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a77e813d78ac..dffb089229f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "77ee4e4609cfb3480e1a554790348ebcab61313e"}} - # Latest commit on the OpenSSL master branch, as of Jan 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ff78d94b131d7bb3b761509d3ce0dd864b1420e3"}} + # Latest commit on the BoringSSL master branch, as of Jan 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cba7adcd108e9a41a992b4c4fc18b050e4d05a66"}} + # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 430777fb56f444932c748c9c94dc0cc9e2a260d2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 26 Jan 2024 00:28:30 +0000 Subject: [PATCH 017/868] Bump x509-limbo and/or wycheproof in CI (#10263) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 6dced6338927..fb78f39da598 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 25, 2024. - ref: "dcbb36ae64a11648c98c42e6610f7d278704c2ea" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 26, 2024. + ref: "3f614440092d3bfd0d0787095c558c4b4626195b" # x509-limbo-ref From f7888eb46e9753d65fa2d4f3c24838bee8aad814 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 26 Jan 2024 10:14:39 -0500 Subject: [PATCH 018/868] fixed fips skip condition (#10264) --- tests/hazmat/primitives/test_dh.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 9caded2cc2ac..4b3b63a96436 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -164,10 +164,7 @@ def test_large_key_generate_dh(self, backend): ) def test_dh_parameters_allows_rfc3526_groups(self, backend, vector): p = int.from_bytes(binascii.unhexlify(vector["p"]), "big") - if ( - backend._fips_enabled - and p.bit_length() < backend._fips_dh_min_modulus - ): + if backend._fips_enabled and p < backend._fips_dh_min_modulus: pytest.skip("modulus too small for FIPS mode") params = dh.DHParameterNumbers(p, int(vector["g"])) From dab3536e9378b3b3bef4d2ac069ae38a38ab79ad Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 26 Jan 2024 15:35:39 -0800 Subject: [PATCH 019/868] improve the performance of cffibuf (#10266) * improve the performance of cffibuf * Update src/rust/src/buf.rs Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- src/cryptography/utils.py | 7 ------- src/rust/src/buf.rs | 19 ++++++++++++------- src/rust/src/types.rs | 11 +++++++++-- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index a0ec7a3cd76d..d6f079d4be0e 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -45,13 +45,6 @@ def int_to_bytes(integer: int, length: int | None = None) -> bytes: ) -def _extract_buffer_length(obj: typing.Any) -> tuple[typing.Any, int]: - from cryptography.hazmat.bindings._rust import _openssl - - buf = _openssl.ffi.from_buffer(obj) - return buf, int(_openssl.ffi.cast("uintptr_t", buf)) - - class InterfaceNotImplemented(Exception): pass diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index c1f2cc8253c7..edc3860c1050 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -12,6 +12,17 @@ pub(crate) struct CffiBuf<'p> { buf: &'p [u8], } +fn _extract_buffer_length(pyobj: &pyo3::PyAny) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { + let py = pyobj.py(); + let bufobj = types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))?; + let ptrval = types::FFI_CAST + .get(py)? + .call1((pyo3::intern!(py, "uintptr_t"), bufobj))? + .call_method0(pyo3::intern!(py, "__int__"))? + .extract::()?; + Ok((bufobj, ptrval)) +} + impl CffiBuf<'_> { pub(crate) fn as_bytes(&self) -> &[u8] { self.buf @@ -20,13 +31,7 @@ impl CffiBuf<'_> { impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { - let py = pyobj.py(); - - let (bufobj, ptrval): (&pyo3::PyAny, usize) = types::EXTRACT_BUFFER_LENGTH - .get(py)? - .call1((pyobj,))? - .extract()?; - + let (bufobj, ptrval) = _extract_buffer_length(pyobj)?; let len = bufobj.len()?; let buf = if len == 0 { &[] diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 07cf417971b6..76c9bba96d3e 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -441,8 +441,15 @@ pub static DSA_PUBLIC_KEY: LazyPyImport = LazyPyImport::new( &["DSAPublicKey"], ); -pub static EXTRACT_BUFFER_LENGTH: LazyPyImport = - LazyPyImport::new("cryptography.utils", &["_extract_buffer_length"]); +pub static FFI_FROM_BUFFER: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.bindings._rust", + &["_openssl", "ffi", "from_buffer"], +); + +pub static FFI_CAST: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.bindings._rust", + &["_openssl", "ffi", "cast"], +); pub static BLOCK_CIPHER_ALGORITHM: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers", From 92cb4badedd29a022b4d60aab926abb8bb83be79 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 00:15:16 +0000 Subject: [PATCH 020/868] Bump BoringSSL and/or OpenSSL in CI (#10269) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dffb089229f8..356ef15e29b0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "cba7adcd108e9a41a992b4c4fc18b050e4d05a66"}} + # Latest commit on the BoringSSL master branch, as of Jan 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "db7308de87ea138e7bbcbbb00dfc9b841774ba2f"}} # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} # Builds with various Rust versions. Includes MSRV and next From 0fca863ac4015a7c2efde1e687784b4638955039 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 13:35:33 +0000 Subject: [PATCH 021/868] Bump coverage from 7.4.0 to 7.4.1 (#10271) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.0 to 7.4.1. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.0...7.4.1) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6650dc463de8..298c3dddb823 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.0 # via nox -coverage==7.4.0; python_version >= "3.8" +coverage==7.4.1; python_version >= "3.8" # via # coverage # pytest-cov From 5cd842bc66b3da171f086eeb59b422f5d1e7314a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 13:42:12 +0000 Subject: [PATCH 022/868] Bump colorlog from 6.8.0 to 6.8.2 (#10270) Bumps [colorlog](https://github.com/borntyping/python-colorlog) from 6.8.0 to 6.8.2. - [Release notes](https://github.com/borntyping/python-colorlog/releases) - [Commits](https://github.com/borntyping/python-colorlog/compare/v6.8.0...v6.8.2) --- updated-dependencies: - dependency-name: colorlog dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 298c3dddb823..fd97ab4c9106 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -23,7 +23,7 @@ check-sdist==0.1.3 # via cryptography (pyproject.toml) click==8.1.7 # via cryptography (pyproject.toml) -colorlog==6.8.0 +colorlog==6.8.2 # via nox coverage==7.4.1; python_version >= "3.8" # via From 5427fa1503a5a301fa89530e9f3c53b17a0df5d0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 27 Jan 2024 14:06:56 -0500 Subject: [PATCH 023/868] Bump rust-asn1 to 0.16 (#10272) --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/src/policy/mod.rs | 7 +++---- src/rust/cryptography-x509/Cargo.toml | 2 +- src/rust/cryptography-x509/src/pkcs7.rs | 4 ++-- 7 files changed, 13 insertions(+), 14 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b2e0ac4aad38..37bc849b650e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.15.5" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae3ecbce89a22627b5e8e6e11d69715617138290289e385cde773b1fe50befdb" +checksum = "a227d599843d72985b747c71958d16d670a6e6bc06fadf064570cae70c11fd0a" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.15.5" +version = "0.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "861af988fac460ac69a09f41e6217a8fb9178797b76fcc9478444be6a59be19c" +checksum = "87132221a3cb3794c8def2208c723276686e0cd771541deb7768905ce13dc603" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 2322486d0406..08bd9583cbff 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -11,7 +11,7 @@ rust-version = "1.63.0" once_cell = "1" cfg-if = "1" pyo3 = { version = "0.20", features = ["abi3"] } -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-key-parsing = { path = "cryptography-key-parsing" } cryptography-x509 = { path = "cryptography-x509" } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 3dd0b31fa1a6..f2ae0b6e4aed 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" openssl = "0.10.63" openssl-sys = "0.9.99" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 1ed759074167..30a4e8cb7373 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } once_cell = "1" diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 6d96e5feaef1..d5fffd0d8e2a 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -350,8 +350,8 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // Per 5280: The serial number MUST be a positive integer. // In practice, there are a few roots in common trust stores (like certifi) // that have `serial == 0`, so we can't enforce this yet. - let serial_bytes = cert.tbs_cert.serial.as_bytes(); - if !(1..=21).contains(&serial_bytes.len()) { + let serial = cert.tbs_cert.serial; + if !(1..=21).contains(&serial.as_bytes().len()) { // Conforming CAs MUST NOT use serial numbers longer than 20 octets. // NOTE: In practice, this requires us to check for an encoding of // 21 octets, since some CAs generate 20 bytes of randomness and @@ -360,8 +360,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { return Err(ValidationError::Other( "certificate must have a serial between 1 and 20 octets".to_string(), )); - } else if serial_bytes[0] & 0x80 == 0x80 { - // TODO: replace with `is_negative`: https://github.com/alex/rust-asn1/pull/425 + } else if serial.is_negative() { return Err(ValidationError::Other( "certificate serial number cannot be negative".to_string(), )); diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 9a877fd13cb6..86d6b971488d 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.63.0" [dependencies] -asn1 = { version = "0.15.5", default-features = false } +asn1 = { version = "0.16.0", default-features = false } diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index c5b7a9e3f650..6b5c9541aaf5 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -18,9 +18,9 @@ pub struct ContentInfo<'a> { #[derive(asn1::Asn1DefinedByWrite)] pub enum Content<'a> { #[defined_by(PKCS7_SIGNED_DATA_OID)] - SignedData(asn1::Explicit<'a, Box>, 0>), + SignedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_DATA_OID)] - Data(Option>), + Data(Option>), } #[derive(asn1::Asn1Write)] From 10211b8917fb77f194f53bfc98b7d748f3e7498b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 27 Jan 2024 19:17:30 -0500 Subject: [PATCH 024/868] Remove unused generate_rsa_parameters_supported (#10273) --- src/cryptography/hazmat/backends/openssl/backend.py | 9 --------- tests/hazmat/backends/test_openssl.py | 6 ------ 2 files changed, 15 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 5d9eb2768dfb..f296303ced1f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -325,15 +325,6 @@ def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: def _consume_errors(self) -> list[rust_openssl.OpenSSLError]: return rust_openssl.capture_error_stack() - def generate_rsa_parameters_supported( - self, public_exponent: int, key_size: int - ) -> bool: - return ( - public_exponent >= 3 - and public_exponent & 1 != 0 - and key_size >= 512 - ) - def _bytes_to_bio(self, data: bytes) -> _MemoryBIO: """ Return a _MemoryBIO namedtuple of (BIO, char*). diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index a289c5ba7415..e9cdcc432a50 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -138,12 +138,6 @@ def test_unknown_error_in_cipher_finalize(self): class TestOpenSSLRSA: - def test_generate_rsa_parameters_supported(self): - assert backend.generate_rsa_parameters_supported(1, 1024) is False - assert backend.generate_rsa_parameters_supported(4, 1024) is False - assert backend.generate_rsa_parameters_supported(3, 1024) is True - assert backend.generate_rsa_parameters_supported(3, 511) is False - def test_rsa_padding_unsupported_pss_mgf1_hash(self): assert ( backend.rsa_padding_supported( From 216142269d6068ba2602445fde0a143f25de4456 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 27 Jan 2024 18:17:53 -0600 Subject: [PATCH 025/868] Bump pytest from 7.4.4 to 8.0.0 (#10274) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.4 to 8.0.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/7.4.4...8.0.0) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index fd97ab4c9106..ce60b8126314 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==7.4.4 +pytest==8.0.0; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 5ee102dc1853119f3f11a66d0fcf92700cd2f241 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 27 Jan 2024 23:55:18 -0500 Subject: [PATCH 026/868] Move _CRL_ENTRY_REASON_ENUM_TO_CODE to a more sensible place (#10275) --- .../hazmat/backends/openssl/decode_asn1.py | 32 ------------------- src/cryptography/x509/extensions.py | 25 +++++++++++++++ src/rust/src/types.rs | 8 ++--- 3 files changed, 29 insertions(+), 36 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/decode_asn1.py diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py deleted file mode 100644 index bf123b6285b6..000000000000 --- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py +++ /dev/null @@ -1,32 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -from cryptography import x509 - -# CRLReason ::= ENUMERATED { -# unspecified (0), -# keyCompromise (1), -# cACompromise (2), -# affiliationChanged (3), -# superseded (4), -# cessationOfOperation (5), -# certificateHold (6), -# -- value 7 is not used -# removeFromCRL (8), -# privilegeWithdrawn (9), -# aACompromise (10) } -_CRL_ENTRY_REASON_ENUM_TO_CODE = { - x509.ReasonFlags.unspecified: 0, - x509.ReasonFlags.key_compromise: 1, - x509.ReasonFlags.ca_compromise: 2, - x509.ReasonFlags.affiliation_changed: 3, - x509.ReasonFlags.superseded: 4, - x509.ReasonFlags.cessation_of_operation: 5, - x509.ReasonFlags.certificate_hold: 6, - x509.ReasonFlags.remove_from_crl: 8, - x509.ReasonFlags.privilege_withdrawn: 9, - x509.ReasonFlags.aa_compromise: 10, -} diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index c61c1f4853fd..db6e3bb5a621 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -729,6 +729,31 @@ class ReasonFlags(utils.Enum): ReasonFlags.aa_compromise: 8, } +# CRLReason ::= ENUMERATED { +# unspecified (0), +# keyCompromise (1), +# cACompromise (2), +# affiliationChanged (3), +# superseded (4), +# cessationOfOperation (5), +# certificateHold (6), +# -- value 7 is not used +# removeFromCRL (8), +# privilegeWithdrawn (9), +# aACompromise (10) } +_CRL_ENTRY_REASON_ENUM_TO_CODE = { + ReasonFlags.unspecified: 0, + ReasonFlags.key_compromise: 1, + ReasonFlags.ca_compromise: 2, + ReasonFlags.affiliation_changed: 3, + ReasonFlags.superseded: 4, + ReasonFlags.cessation_of_operation: 5, + ReasonFlags.certificate_hold: 6, + ReasonFlags.remove_from_crl: 8, + ReasonFlags.privilege_withdrawn: 9, + ReasonFlags.aa_compromise: 10, +} + class PolicyConstraints(ExtensionType): oid = ExtensionOID.POLICY_CONSTRAINTS diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 76c9bba96d3e..e948f49e822d 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -251,6 +251,10 @@ pub static CRL_REASON_FLAGS: LazyPyImport = LazyPyImport::new("cryptography.x509.extensions", &["_CRLREASONFLAGS"]); pub static REASON_BIT_MAPPING: LazyPyImport = LazyPyImport::new("cryptography.x509.extensions", &["_REASON_BIT_MAPPING"]); +pub static CRL_ENTRY_REASON_ENUM_TO_CODE: LazyPyImport = LazyPyImport::new( + "cryptography.x509.extensions", + &["_CRL_ENTRY_REASON_ENUM_TO_CODE"], +); pub static TLS_FEATURE_TYPE_TO_ENUM: LazyPyImport = LazyPyImport::new( "cryptography.x509.extensions", &["_TLS_FEATURE_TYPE_TO_ENUM"], @@ -375,10 +379,6 @@ pub static CALCULATE_MAX_PSS_SALT_LENGTH: LazyPyImport = LazyPyImport::new( &["calculate_max_pss_salt_length"], ); -pub static CRL_ENTRY_REASON_ENUM_TO_CODE: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.backends.openssl.decode_asn1", - &["_CRL_ENTRY_REASON_ENUM_TO_CODE"], -); pub static BACKEND_HANDLE_KEY_LOADING_ERROR: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.backends.openssl.backend", &["backend", "_handle_key_loading_error"], From 581b928a865d51405d73437397a2fcd5f85f0604 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 14:28:29 -0500 Subject: [PATCH 027/868] Added another reason for rust 1.65 (#10280) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 356ef15e29b0..d1d18e3bf2dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -50,7 +50,7 @@ jobs: # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance - # 1.65 - Generic associated types (GATs) + # 1.65 - Generic associated types (GATs), std::backtrace - {VERSION: "3.12", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.64.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} From 36368cc056bb517c3ce9b95c80b23fec29a16725 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 14:29:34 -0500 Subject: [PATCH 028/868] Include cryptography_vectors in our test deps (#10277) fixes #10242 --- pyproject.toml | 1 + release.py | 32 +++++++++++++++++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index e127e7fa6fd6..84ffe04f9f95 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -70,6 +70,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox"] test = [ + "cryptography_vectors", "pytest >=6.2.0", "pytest-benchmark", "pytest-cov", diff --git a/release.py b/release.py index 78b894fe1d44..120a6c445738 100644 --- a/release.py +++ b/release.py @@ -38,23 +38,24 @@ def release() -> None: run("git", "push", "--tags", "git@github.com:pyca/cryptography.git") -def replace_version( - p: pathlib.Path, variable_name: str, new_version: str -) -> None: +def replace_pattern(p: pathlib.Path, pattern: str, replacement: str) -> None: content = p.read_text() - - pattern = rf"^{variable_name}\s*=\s*.*$" match = re.search(pattern, content, re.MULTILINE) assert match is not None start, end = match.span() - new_content = ( - content[:start] + f'{variable_name} = "{new_version}"' + content[end:] - ) - + new_content = content[:start] + replacement + content[end:] p.write_text(new_content) +def replace_version( + p: pathlib.Path, variable_name: str, new_version: str +) -> None: + replace_pattern( + p, rf"^{variable_name}\s*=\s*.*$", f'{variable_name} = "{new_version}"' + ) + + @cli.command() @click.argument("new_version") def bump_version(new_version: str) -> None: @@ -75,6 +76,19 @@ def bump_version(new_version: str) -> None: new_version, ) + if Version(new_version).is_prerelease: + replace_pattern( + base_dir / "pyproject.toml", + r'"cryptography_vectors(==.*?)?"', + '"cryptography_vectors"', + ) + else: + replace_pattern( + base_dir / "pyproject.toml", + r'"cryptography_vectors(==.*?)?"', + f'"cryptography_vectors=={new_version}"', + ) + if __name__ == "__main__": cli() From 83dcbc190165ad5c1f86bddaee76e0b288803c43 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 14:39:47 -0500 Subject: [PATCH 029/868] Don't generate RSA keys <1024 bits (#10278) * Don't generate RSA keys <1024 bits * Update CHANGELOG.rst --- CHANGELOG.rst | 5 +++++ src/cryptography/hazmat/primitives/asymmetric/rsa.py | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7abdf8e9f9ef..80e85c85e1de 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,11 @@ Changelog .. note:: This version is not yet released and is under active development. +* :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` + now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still + considered insecure, users should generally use a key size of 2048-bits. + + .. _v42-0-1: 42.0.1 - 2024-01-24 diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 6420434d82b7..49c76af0de94 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -150,8 +150,8 @@ def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None: "65537. Almost everyone should choose 65537 here!" ) - if key_size < 512: - raise ValueError("key_size must be at least 512-bits.") + if key_size < 1024: + raise ValueError("key_size must be at least 1024-bits.") def _modinv(e: int, m: int) -> int: From da3eb8fa220aa632504a17883e9845372fc55436 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 15:07:13 -0500 Subject: [PATCH 030/868] Fix warnings on libressl (#10281) --- src/rust/Cargo.lock | 1 + src/rust/cryptography-openssl/Cargo.toml | 1 + src/rust/cryptography-openssl/src/fips.rs | 31 +++++++------------ src/rust/cryptography-openssl/src/poly1305.rs | 14 ++++++--- src/rust/src/backend/aead.rs | 13 +++++--- src/rust/src/types.rs | 2 ++ 6 files changed, 32 insertions(+), 30 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 37bc849b650e..d4a9a31adec1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -85,6 +85,7 @@ dependencies = [ name = "cryptography-openssl" version = "0.1.0" dependencies = [ + "cfg-if", "foreign-types", "foreign-types-shared", "openssl", diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 3a35c9fcaa2d..700704d0dc3a 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,6 +8,7 @@ publish = false rust-version = "1.63.0" [dependencies] +cfg-if = "1" openssl = "0.10.63" ffi = { package = "openssl-sys", version = "0.9.99" } foreign-types = "0.3" diff --git a/src/rust/cryptography-openssl/src/fips.rs b/src/rust/cryptography-openssl/src/fips.rs index 9cdbd3f34648..9c89f317ebda 100644 --- a/src/rust/cryptography-openssl/src/fips.rs +++ b/src/rust/cryptography-openssl/src/fips.rs @@ -9,25 +9,16 @@ use std::ptr; pub fn is_enabled() -> bool { - #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] - { - return false; - } - - #[cfg(all( - CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, - not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) - ))] - // SAFETY: No pre-conditions - unsafe { - ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 - } - - #[cfg(all( - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) - ))] - { - return openssl::fips::enabled(); + cfg_if::cfg_if! { + if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { + false + } else if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + // SAFETY: No pre-conditions + unsafe { + ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 + } + } else { + openssl::fips::enabled() + } } } diff --git a/src/rust/cryptography-openssl/src/poly1305.rs b/src/rust/cryptography-openssl/src/poly1305.rs index 262062eedd3f..e386bc2d7f4a 100644 --- a/src/rust/cryptography-openssl/src/poly1305.rs +++ b/src/rust/cryptography-openssl/src/poly1305.rs @@ -18,9 +18,10 @@ impl Poly1305State { let mut ctx: Box> = Box::new(MaybeUninit::::uninit()); - // After initializing the context, unwrap the Box> into - // a Box while keeping the same memory address. See the docstring of the - // Poly1305State struct above for the rationale. + // SAFETY: After initializing the context, unwrap the + // `Box>` into a `Box` + // while keeping the same memory address. See the docstring of the + // `Poly1305State` struct above for the rationale. let initialized_ctx: Box = unsafe { ffi::CRYPTO_poly1305_init(ctx.as_mut().as_mut_ptr(), key.as_ptr()); let raw_ctx_ptr = (*Box::into_raw(ctx)).as_mut_ptr(); @@ -32,14 +33,17 @@ impl Poly1305State { } } - pub fn update(&mut self, data: &[u8]) -> () { + pub fn update(&mut self, data: &[u8]) { + // SAFETY: context is valid, as is the data ptr. unsafe { ffi::CRYPTO_poly1305_update(self.context.as_mut(), data.as_ptr(), data.len()); }; } - pub fn finalize(&mut self, output: &mut [u8]) -> () { + pub fn finalize(&mut self, output: &mut [u8]) { assert_eq!(output.len(), 16); + // SAFETY: context is valid and we verified that the output is the + // right length. unsafe { ffi::CRYPTO_poly1305_finish(self.context.as_mut(), output.as_mut_ptr()) }; } } diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 7c364dede81e..9fd8a91ceeaf 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -574,13 +574,14 @@ impl AesSiv { ctx: EvpCipherAead::new(&cipher, key.as_bytes(), 16, true)?, }) } else { - return Err(CryptographyError::from( + _ = cipher_name; + + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-SIV is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); - + )) } } } @@ -641,12 +642,14 @@ impl AesOcb3 { fn new(key: CffiBuf<'_>) -> CryptographyResult { cfg_if::cfg_if! { if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { - return Err(CryptographyError::from( + _ = key; + + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-OCB3 is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); + )) } else { if cryptography_openssl::fips::is_enabled() { return Err(CryptographyError::from( diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index e948f49e822d..b7564955d20e 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -331,6 +331,7 @@ pub static HASHES_MODULE: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &[]); pub static HASH_ALGORITHM: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["HashAlgorithm"]); +#[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] pub static EXTENDABLE_OUTPUT_FUNCTION: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.hashes", &["ExtendableOutputFunction"], @@ -476,6 +477,7 @@ pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["SM4"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] pub static SEED: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["_SEEDInternal"], From 98d764801df9b55fb43d8e772b65adccddbbc87f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 Jan 2024 14:40:02 -0600 Subject: [PATCH 031/868] increase toctree depth on primitives (#10282) this makes the landing page for hazmat/primtives in the docs much more useful. --- docs/hazmat/primitives/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hazmat/primitives/index.rst b/docs/hazmat/primitives/index.rst index 72e5b26ce33d..98d597be9c99 100644 --- a/docs/hazmat/primitives/index.rst +++ b/docs/hazmat/primitives/index.rst @@ -4,7 +4,7 @@ Primitives ========== .. toctree:: - :maxdepth: 1 + :maxdepth: 2 aead asymmetric/index From e44e124f4a1c7af609bcd05fb47bc0faac033be5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 16:59:56 -0500 Subject: [PATCH 032/868] Drop LibreSSL <3.8.0 (#10283) --- .github/workflows/ci.yml | 1 - CHANGELOG.rst | 1 + src/_cffi_src/openssl/cryptography.py | 10 ---------- src/rust/build.rs | 7 +------ src/rust/src/backend/ec.rs | 11 ++--------- src/rust/src/backend/keys.rs | 1 - tests/hazmat/primitives/test_rsa.py | 2 -- 7 files changed, 4 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d1d18e3bf2dc..8d79bc7c0f69 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jan 27, 2024. diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 80e85c85e1de..8142363dc4d2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,7 @@ Changelog .. note:: This version is not yet released and is under active development. +* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index b3543ade73cb..173ec1bb4546 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -53,14 +53,6 @@ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \ (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL) - -#if CRYPTOGRAPHY_IS_LIBRESSL -#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 \ - (LIBRESSL_VERSION_NUMBER < 0x3080000f) - -#else -#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 (0) -#endif """ TYPES = """ @@ -69,8 +61,6 @@ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E; -static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380; - static const int CRYPTOGRAPHY_IS_LIBRESSL; static const int CRYPTOGRAPHY_IS_BORINGSSL; """ diff --git a/src/rust/build.rs b/src/rust/build.rs index f247822e0dcd..d4dca24c4566 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -17,13 +17,8 @@ fn main() { } } - if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") { - let version = u64::from_str_radix(&version, 16).unwrap(); - + if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); - if version >= 0x3_08_00_00_0 { - println!("cargo:rustc-cfg=CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER"); - } } if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 5a01412981d2..f71c9bf505e6 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -90,15 +90,6 @@ fn py_curve_from_curve<'p>( py: pyo3::Python<'p>, curve: &openssl::ec::EcGroupRef, ) -> CryptographyResult<&'p pyo3::PyAny> { - let name = curve - .curve_name() - .ok_or_else(|| { - pyo3::exceptions::PyValueError::new_err( - "ECDSA keys with explicit parameters are unsupported at this time", - ) - })? - .short_name()?; - if curve.asn1_flag() == openssl::ec::Asn1Flag::EXPLICIT_CURVE { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -107,6 +98,8 @@ fn py_curve_from_curve<'p>( )); } + let name = curve.curve_name().unwrap().short_name()?; + types::CURVE_TYPES .get(py)? .extract::<&pyo3::types::PyDict>()? diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index ecdff5db6dcb..f4faecdb5c9e 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -83,7 +83,6 @@ fn private_key_from_pkey( unsafe_skip_rsa_key_validation, )? .into_py(py)), - #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))] openssl::pkey::Id::RSA_PSS => { // At the moment the way we handle RSA PSS keys is to strip the // PSS constraints from them and treat them as normal RSA keys diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 8810f0f58e7e..7e82743c49bc 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -256,7 +256,6 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): and ( not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 ) ), skip_message="Does not support RSA PSS loading", @@ -314,7 +313,6 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): and ( not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 ) ), skip_message="Test requires a backend without RSA-PSS key support", From ea5a5b4ad01737bce57de7ca3803436abf32dc61 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 17:18:00 -0500 Subject: [PATCH 033/868] Convert AESGCM AEAD to Rust (#9181) --- .../hazmat/backends/openssl/aead.py | 55 +++----- .../hazmat/bindings/_rust/openssl/aead.pyi | 17 +++ .../hazmat/primitives/ciphers/aead.py | 64 +--------- src/rust/src/backend/aead.rs | 117 +++++++++++++++++- tests/hazmat/primitives/test_aead.py | 2 + 5 files changed, 153 insertions(+), 102 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py index f1d990106474..dd2485481203 100644 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ b/src/cryptography/hazmat/backends/openssl/aead.py @@ -12,10 +12,9 @@ from cryptography.hazmat.backends.openssl.backend import Backend from cryptography.hazmat.primitives.ciphers.aead import ( AESCCM, - AESGCM, ) - _AEADTypes = typing.Union[AESCCM, AESGCM] + _AEADTypes = typing.Union[AESCCM] def _aead_cipher_supported(backend: Backend, cipher: _AEADTypes) -> bool: @@ -55,16 +54,10 @@ def _decrypt( def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import ( - AESCCM, - AESGCM, - ) + from cryptography.hazmat.primitives.ciphers.aead import AESCCM - if isinstance(cipher, AESCCM): - return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") - else: - assert isinstance(cipher, AESGCM) - return f"aes-{len(cipher._key) * 8}-gcm".encode("ascii") + assert isinstance(cipher, AESCCM) + return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") def _evp_cipher(cipher_name: bytes, backend: Backend): @@ -105,7 +98,8 @@ def _evp_cipher_aead_setup( if operation == _DECRYPT: assert tag is not None _evp_cipher_set_tag(backend, ctx, tag) - elif cipher_name.endswith(b"-ccm"): + else: + assert cipher_name.endswith(b"-ccm") res = backend._lib.EVP_CIPHER_CTX_ctrl( ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, @@ -188,8 +182,8 @@ def _evp_cipher_encrypt( # CCM requires us to pass the length of the data before processing # anything. # However calling this with any other AEAD results in an error - if isinstance(cipher, AESCCM): - _evp_cipher_set_length(backend, ctx, len(data)) + assert isinstance(cipher, AESCCM) + _evp_cipher_set_length(backend, ctx, len(data)) for ad in associated_data: _evp_cipher_process_aad(backend, ctx, ad) @@ -241,32 +235,21 @@ def _evp_cipher_decrypt( # CCM requires us to pass the length of the data before processing # anything. # However calling this with any other AEAD results in an error - if isinstance(cipher, AESCCM): - _evp_cipher_set_length(backend, ctx, len(data)) + assert isinstance(cipher, AESCCM) + _evp_cipher_set_length(backend, ctx, len(data)) for ad in associated_data: _evp_cipher_process_aad(backend, ctx, ad) # CCM has a different error path if the tag doesn't match. Errors are # raised in Update and Final is irrelevant. - if isinstance(cipher, AESCCM): - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned char[]", len(data)) - d_ptr = backend._ffi.from_buffer(data) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, d_ptr, len(data)) - if res != 1: - backend._consume_errors() - raise InvalidTag - - processed_data = backend._ffi.buffer(buf, outlen[0])[:] - else: - processed_data = _evp_cipher_process_data(backend, ctx, data) - outlen = backend._ffi.new("int *") - # OCB can return up to 15 bytes (16 byte block - 1) in finalization - buf = backend._ffi.new("unsigned char[]", 16) - res = backend._lib.EVP_CipherFinal_ex(ctx, buf, outlen) - processed_data += backend._ffi.buffer(buf, outlen[0])[:] - if res == 0: - backend._consume_errors() - raise InvalidTag + outlen = backend._ffi.new("int *") + buf = backend._ffi.new("unsigned char[]", len(data)) + d_ptr = backend._ffi.from_buffer(data) + res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, d_ptr, len(data)) + if res != 1: + backend._consume_errors() + raise InvalidTag + + processed_data = backend._ffi.buffer(buf, outlen[0])[:] return processed_data diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index 81e801e30bb5..e274073f201e 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -2,6 +2,23 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +class AESGCM: + def __init__(self, key: bytes) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + class ChaCha20Poly1305: def __init__(self, key: bytes) -> None: ... @staticmethod diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index 40f1b9b74459..e96b735b18f9 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -20,6 +20,7 @@ "AESSIV", ] +AESGCM = rust_openssl.aead.AESGCM ChaCha20Poly1305 = rust_openssl.aead.ChaCha20Poly1305 AESSIV = rust_openssl.aead.AESSIV AESOCB3 = rust_openssl.aead.AESOCB3 @@ -109,66 +110,3 @@ def _check_params( utils._check_byteslike("associated_data", associated_data) if not 7 <= len(nonce) <= 13: raise ValueError("Nonce must be between 7 and 13 bytes") - - -class AESGCM: - _MAX_SIZE = 2**31 - 1 - - def __init__(self, key: bytes): - utils._check_byteslike("key", key) - if len(key) not in (16, 24, 32): - raise ValueError("AESGCM key must be 128, 192, or 256 bits.") - - self._key = key - - @classmethod - def generate_key(cls, bit_length: int) -> bytes: - if not isinstance(bit_length, int): - raise TypeError("bit_length must be an integer") - - if bit_length not in (128, 192, 256): - raise ValueError("bit_length must be 128, 192, or 256") - - return os.urandom(bit_length // 8) - - def encrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE: - # This is OverflowError to match what cffi would raise - raise OverflowError( - "Data or associated data too long. Max 2**31 - 1 bytes" - ) - - self._check_params(nonce, data, associated_data) - return aead._encrypt(backend, self, nonce, data, [associated_data], 16) - - def decrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - self._check_params(nonce, data, associated_data) - return aead._decrypt(backend, self, nonce, data, [associated_data], 16) - - def _check_params( - self, - nonce: bytes, - data: bytes, - associated_data: bytes, - ) -> None: - utils._check_byteslike("nonce", nonce) - utils._check_byteslike("data", data) - utils._check_byteslike("associated_data", associated_data) - if len(nonce) < 8 or len(nonce) > 128: - raise ValueError("Nonce must be between 8 and 128 bytes") diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 9fd8a91ceeaf..b13a420c7588 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -486,9 +486,7 @@ impl ChaCha20Poly1305 { #[staticmethod] fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult<&pyo3::PyAny> { - Ok(py - .import(pyo3::intern!(py, "os"))? - .call_method1(pyo3::intern!(py, "urandom"), (32,))?) + Ok(types::OS_URANDOM.get(py)?.call1((32,))?) } fn encrypt<'p>( @@ -532,6 +530,118 @@ impl ChaCha20Poly1305 { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESGCM" +)] +struct AesGcm { + #[cfg(any( + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + ))] + ctx: EvpCipherAead, + + #[cfg(not(any( + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + )))] + ctx: LazyEvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl AesGcm { + #[new] + fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { + let key_buf = key.extract::>(py)?; + let cipher = match key_buf.as_bytes().len() { + 16 => openssl::cipher::Cipher::aes_128_gcm(), + 24 => openssl::cipher::Cipher::aes_192_gcm(), + 32 => openssl::cipher::Cipher::aes_256_gcm(), + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AESGCM key must be 128, 192, or 256 bits.", + ), + )) + } + }; + + cfg_if::cfg_if! { + if #[cfg(any( + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_LIBRESSL, + not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, + )))] { + Ok(AesGcm { + ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?, + }) + } else { + Ok(AesGcm { + ctx: LazyEvpCipherAead::new(cipher, key, 16, false), + }) + + } + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 128 && bit_length != 192 && bit_length != 256 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), + )); + } + + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 8 || nonce_bytes.len() > 128 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 8 and 128 bytes"), + )); + } + + self.ctx + .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 8 || nonce_bytes.len() > 128 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 8 and 128 bytes"), + )); + } + + self.ctx + .decrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) + } +} + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", @@ -845,6 +955,7 @@ impl AesGcmSiv { pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { let m = pyo3::prelude::PyModule::new(py, "aead")?; + m.add_class::()?; m.add_class::()?; m.add_class::()?; m.add_class::()?; diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index a4624cefc555..5228edbbd2d3 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -451,6 +451,8 @@ def test_invalid_nonce_length(self, length, backend): aesgcm = AESGCM(key) with pytest.raises(ValueError): aesgcm.encrypt(b"\x00" * length, b"hi", None) + with pytest.raises(ValueError): + aesgcm.decrypt(b"\x00" * length, b"hi", None) def test_bad_key(self, backend): with pytest.raises(TypeError): From 1729edef70315b532379db998efc6d69c546fe27 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 28 Jan 2024 16:34:33 -0600 Subject: [PATCH 034/868] add decrepit namespace and put SEED, IDEA, Blowfish, and CAST5 in it (#10284) --- CHANGELOG.rst | 8 +- docs/hazmat/decrepit/ciphers.rst | 87 +++++ docs/hazmat/decrepit/index.rst | 14 + .../primitives/symmetric-encryption.rst | 30 ++ docs/index.rst | 1 + .../hazmat/backends/openssl/backend.py | 16 +- src/cryptography/hazmat/decrepit/__init__.py | 5 + .../hazmat/decrepit/ciphers/__init__.py | 5 + .../hazmat/decrepit/ciphers/algorithms.py | 62 ++++ .../hazmat/primitives/_cipheralgorithm.py | 14 + .../hazmat/primitives/ciphers/algorithms.py | 97 ++--- src/rust/src/types.rs | 20 +- tests/hazmat/primitives/decrepit/__init__.py | 3 + .../primitives/decrepit/test_algorithms.py | 340 ++++++++++++++++++ tests/hazmat/primitives/test_blowfish.py | 86 ----- tests/hazmat/primitives/test_cast5.py | 86 ----- tests/hazmat/primitives/test_ciphers.py | 88 ++--- tests/hazmat/primitives/test_idea.py | 86 ----- tests/hazmat/primitives/test_seed.py | 86 ----- 19 files changed, 630 insertions(+), 504 deletions(-) create mode 100644 docs/hazmat/decrepit/ciphers.rst create mode 100644 docs/hazmat/decrepit/index.rst create mode 100644 src/cryptography/hazmat/decrepit/__init__.py create mode 100644 src/cryptography/hazmat/decrepit/ciphers/__init__.py create mode 100644 src/cryptography/hazmat/decrepit/ciphers/algorithms.py create mode 100644 tests/hazmat/primitives/decrepit/__init__.py create mode 100644 tests/hazmat/primitives/decrepit/test_algorithms.py delete mode 100644 tests/hazmat/primitives/test_blowfish.py delete mode 100644 tests/hazmat/primitives/test_cast5.py delete mode 100644 tests/hazmat/primitives/test_idea.py delete mode 100644 tests/hazmat/primitives/test_seed.py diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8142363dc4d2..1088e7099323 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -12,7 +12,13 @@ Changelog * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. - +* Added new :doc:`/hazmat/decrepit/index` module which contains outdated and + insecure cryptographic primitives. + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish`, which were + deprecated in 37.0.0, have been added to this module. .. _v42-0-1: diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst new file mode 100644 index 000000000000..fed571eab50a --- /dev/null +++ b/docs/hazmat/decrepit/ciphers.rst @@ -0,0 +1,87 @@ +.. hazmat:: + + +Decrepit Symmetric algorithms +============================= + +.. module:: cryptography.hazmat.decrepit.ciphers + +This module contains decrepit symmetric encryption algorithms. These +are algorithms that should not be used unless necessary for backwards +compatibility or interoperability with legacy systems. Their use is +**strongly discouraged**. + +These algorithms require you to use a :class:`~cryptography.hazmat.primitives.ciphers.Cipher` +object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers.modes`. + +.. class:: CAST5(key) + + .. versionadded:: 43.0.0 + + CAST5 (also known as CAST-128) is a block cipher approved for use in the + Canadian government by the `Communications Security Establishment`_. It is + a variable key length cipher and supports keys from 40-128 :term:`bits` in + length. + + :param key: The secret key, This must be kept secret. 40 to 128 + :term:`bits` in length in increments of 8 bits. + :type key: :term:`bytes-like` + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.decrepit.ciphers.algorithms import CAST5 + >>> from cryptography.hazmat.primitives.ciphers import Cipher, modes + >>> key = os.urandom(16) + >>> iv = os.urandom(8) + >>> algorithm = CAST5(key) + >>> cipher = Cipher(algorithm, modes.CBC(iv)) + >>> encryptor = cipher.encryptor() + >>> ct = encryptor.update(b"a secret message") + >>> decryptor = cipher.decryptor() + >>> decryptor.update(ct) + b'a secret message' + +.. class:: SEED(key) + + .. versionadded:: 43.0.0 + + SEED is a block cipher developed by the Korea Information Security Agency + (KISA). It is defined in :rfc:`4269` and is used broadly throughout South + Korean industry, but rarely found elsewhere. + + :param key: The secret key. This must be kept secret. ``128`` + :term:`bits` in length. + :type key: :term:`bytes-like` + + +.. class:: Blowfish(key) + + .. versionadded:: 43.0.0 + + Blowfish is a block cipher developed by Bruce Schneier. It is known to be + susceptible to attacks when using weak keys. The author has recommended + that users of Blowfish move to newer algorithms. + + :param key: The secret key. This must be kept secret. 32 to 448 + :term:`bits` in length in increments of 8 bits. + :type key: :term:`bytes-like` + +.. class:: IDEA(key) + + .. versionadded:: 43.0.0 + + IDEA (`International Data Encryption Algorithm`_) is a block cipher created + in 1991. It is an optional component of the `OpenPGP`_ standard. This cipher + is susceptible to attacks when using weak keys. It is recommended that you + do not use this cipher for new applications. + + :param key: The secret key. This must be kept secret. ``128`` + :term:`bits` in length. + :type key: :term:`bytes-like` + + + +.. _`Communications Security Establishment`: https://www.cse-cst.gc.ca +.. _`International Data Encryption Algorithm`: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm +.. _`OpenPGP`: https://www.openpgp.org/ diff --git a/docs/hazmat/decrepit/index.rst b/docs/hazmat/decrepit/index.rst new file mode 100644 index 000000000000..f0e541a496ef --- /dev/null +++ b/docs/hazmat/decrepit/index.rst @@ -0,0 +1,14 @@ +.. hazmat:: + +Decrepit cryptography +===================== + +This module holds old, deprecated, and/or insecure cryptographic +algorithms that may be needed in exceptional cases for backwards +compatibility or interoperability reasons. Unless necessary +their use is **strongly discouraged**. + +.. toctree:: + :maxdepth: 2 + + ciphers diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index e12ccac6ecf5..2b21c4162afd 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -205,6 +205,12 @@ Algorithms .. versionadded:: 0.2 + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + CAST5 (also known as CAST-128) is a block cipher approved for use in the Canadian government by the `Communications Security Establishment`_. It is a variable key length cipher and supports keys from 40-128 :term:`bits` in @@ -218,6 +224,12 @@ Algorithms .. versionadded:: 0.4 + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + SEED is a block cipher developed by the Korea Information Security Agency (KISA). It is defined in :rfc:`4269` and is used broadly throughout South Korean industry, but rarely found elsewhere. @@ -252,6 +264,12 @@ Weak ciphers .. class:: Blowfish(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as :class:`AES`. @@ -262,6 +280,12 @@ Weak ciphers .. class:: ARC4(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. @@ -284,6 +308,12 @@ Weak ciphers .. class:: IDEA(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 45.0.0. + IDEA (`International Data Encryption Algorithm`_) is a block cipher created in 1991. It is an optional component of the `OpenPGP`_ standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you diff --git a/docs/index.rst b/docs/index.rst index 08fcba34d96f..7086f80ee6e3 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -67,6 +67,7 @@ hazmat layer only when necessary. hazmat/primitives/index exceptions random-numbers + hazmat/decrepit/index .. toctree:: :maxdepth: 2 diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index f296303ced1f..c5b02b2e9f01 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -15,6 +15,12 @@ from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + CAST5, + IDEA, + SEED, + Blowfish, +) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import ec @@ -40,10 +46,6 @@ Camellia, ChaCha20, TripleDES, - _BlowfishInternal, - _CAST5Internal, - _IDEAInternal, - _SEEDInternal, ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, @@ -282,18 +284,18 @@ def _register_default_ciphers(self) -> None: ): for mode_cls in [CBC, CFB, OFB, ECB]: self.register_cipher_adapter( - _BlowfishInternal, + Blowfish, mode_cls, GetCipherByName("bf-{mode.name}"), ) for mode_cls in [CBC, CFB, OFB, ECB]: self.register_cipher_adapter( - _SEEDInternal, + SEED, mode_cls, GetCipherByName("seed-{mode.name}"), ) for cipher_cls, mode_cls in itertools.product( - [_CAST5Internal, _IDEAInternal], + [CAST5, IDEA], [CBC, OFB, CFB, ECB], ): self.register_cipher_adapter( diff --git a/src/cryptography/hazmat/decrepit/__init__.py b/src/cryptography/hazmat/decrepit/__init__.py new file mode 100644 index 000000000000..41d731863aa2 --- /dev/null +++ b/src/cryptography/hazmat/decrepit/__init__.py @@ -0,0 +1,5 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import annotations diff --git a/src/cryptography/hazmat/decrepit/ciphers/__init__.py b/src/cryptography/hazmat/decrepit/ciphers/__init__.py new file mode 100644 index 000000000000..41d731863aa2 --- /dev/null +++ b/src/cryptography/hazmat/decrepit/ciphers/__init__.py @@ -0,0 +1,5 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import annotations diff --git a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py new file mode 100644 index 000000000000..f9432834dc5c --- /dev/null +++ b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py @@ -0,0 +1,62 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import annotations + +from cryptography.hazmat.primitives._cipheralgorithm import ( + BlockCipherAlgorithm, + _verify_key_size, +) + + +class Blowfish(BlockCipherAlgorithm): + name = "Blowfish" + block_size = 64 + key_sizes = frozenset(range(32, 449, 8)) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 + + +class CAST5(BlockCipherAlgorithm): + name = "CAST5" + block_size = 64 + key_sizes = frozenset(range(40, 129, 8)) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 + + +class SEED(BlockCipherAlgorithm): + name = "SEED" + block_size = 128 + key_sizes = frozenset([128]) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 + + +class IDEA(BlockCipherAlgorithm): + name = "IDEA" + block_size = 64 + key_sizes = frozenset([128]) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 diff --git a/src/cryptography/hazmat/primitives/_cipheralgorithm.py b/src/cryptography/hazmat/primitives/_cipheralgorithm.py index 9d7f5bc79c2b..588a61698fdc 100644 --- a/src/cryptography/hazmat/primitives/_cipheralgorithm.py +++ b/src/cryptography/hazmat/primitives/_cipheralgorithm.py @@ -6,6 +6,8 @@ import abc +from cryptography import utils + # This exists to break an import cycle. It is normally accessible from the # ciphers module. @@ -42,3 +44,15 @@ def block_size(self) -> int: """ The size of a block as an integer in bits (e.g. 64, 128). """ + + +def _verify_key_size(algorithm: CipherAlgorithm, key: bytes) -> bytes: + # Verify that the key is instance of bytes + utils._check_byteslike("key", key) + + # Verify that the key size matches the expected key size + if len(key) * 8 not in algorithm.key_sizes: + raise ValueError( + f"Invalid key size ({len(key) * 8}) for {algorithm.name}." + ) + return key diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py index 000bdcba97a4..645d0acd3cac 100644 --- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -5,24 +5,25 @@ from __future__ import annotations from cryptography import utils +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + CAST5 as CAST5, +) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + IDEA as IDEA, +) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + SEED as SEED, +) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + Blowfish as Blowfish, +) +from cryptography.hazmat.primitives._cipheralgorithm import _verify_key_size from cryptography.hazmat.primitives.ciphers import ( BlockCipherAlgorithm, CipherAlgorithm, ) -def _verify_key_size(algorithm: CipherAlgorithm, key: bytes) -> bytes: - # Verify that the key is instance of bytes - utils._check_byteslike("key", key) - - # Verify that the key size matches the expected key size - if len(key) * 8 not in algorithm.key_sizes: - raise ValueError( - f"Invalid key size ({len(key) * 8}) for {algorithm.name}." - ) - return key - - class AES(BlockCipherAlgorithm): name = "AES" block_size = 128 @@ -87,47 +88,23 @@ def key_size(self) -> int: return len(self.key) * 8 -class Blowfish(BlockCipherAlgorithm): - name = "Blowfish" - block_size = 64 - key_sizes = frozenset(range(32, 449, 8)) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_BlowfishInternal = Blowfish utils.deprecated( Blowfish, __name__, - "Blowfish has been deprecated and will be removed in a future release", + "Blowfish has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.Blowfish and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="Blowfish", ) -class CAST5(BlockCipherAlgorithm): - name = "CAST5" - block_size = 64 - key_sizes = frozenset(range(40, 129, 8)) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_CAST5Internal = CAST5 utils.deprecated( CAST5, __name__, - "CAST5 has been deprecated and will be removed in a future release", + "CAST5 has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.CAST5 and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="CAST5", ) @@ -145,47 +122,23 @@ def key_size(self) -> int: return len(self.key) * 8 -class IDEA(BlockCipherAlgorithm): - name = "IDEA" - block_size = 64 - key_sizes = frozenset([128]) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_IDEAInternal = IDEA utils.deprecated( IDEA, __name__, - "IDEA has been deprecated and will be removed in a future release", + "IDEA has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.IDEA and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="IDEA", ) -class SEED(BlockCipherAlgorithm): - name = "SEED" - block_size = 128 - key_sizes = frozenset([128]) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - -_SEEDInternal = SEED utils.deprecated( SEED, __name__, - "SEED has been deprecated and will be removed in a future release", + "SEED has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.SEED and " + "will be removed from this module in 45.0.0.", utils.DeprecatedIn37, name="SEED", ) diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index b7564955d20e..fc60ecd97f10 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -478,27 +478,23 @@ pub static SM4: LazyPyImport = LazyPyImport::new( &["SM4"], ); #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] -pub static SEED: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_SEEDInternal"], -); +pub static SEED: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["SEED"]); pub static CAMELLIA: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["Camellia"], ); pub static BLOWFISH: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_BlowfishInternal"], + "cryptography.hazmat.decrepit.ciphers.algorithms", + &["Blowfish"], ); pub static CAST5: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_CAST5Internal"], + "cryptography.hazmat.decrepit.ciphers.algorithms", + &["CAST5"], ); #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] -pub static IDEA: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", - &["_IDEAInternal"], -); +pub static IDEA: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["IDEA"]); pub static CBC: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CBC"]); diff --git a/tests/hazmat/primitives/decrepit/__init__.py b/tests/hazmat/primitives/decrepit/__init__.py new file mode 100644 index 000000000000..b509336233c2 --- /dev/null +++ b/tests/hazmat/primitives/decrepit/__init__.py @@ -0,0 +1,3 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. diff --git a/tests/hazmat/primitives/decrepit/test_algorithms.py b/tests/hazmat/primitives/decrepit/test_algorithms.py new file mode 100644 index 000000000000..c812f17fd3d9 --- /dev/null +++ b/tests/hazmat/primitives/decrepit/test_algorithms.py @@ -0,0 +1,340 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + + +import binascii +import os + +import pytest + +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + CAST5, + IDEA, + SEED, + Blowfish, +) +from cryptography.hazmat.primitives.ciphers import modes + +from ....utils import load_nist_vectors +from ..utils import generate_encrypt_test + + +class TestBlowfish: + @pytest.mark.parametrize( + ("key", "keysize"), + [(b"0" * (keysize // 4), keysize) for keysize in range(32, 449, 8)], + ) + def test_key_size(self, key, keysize): + cipher = Blowfish(binascii.unhexlify(key)) + assert cipher.key_size == keysize + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + Blowfish(binascii.unhexlify(b"0" * 6)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + Blowfish("0" * 8) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), modes.ECB() + ), + skip_message="Does not support Blowfish ECB", +) +class TestBlowfishModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-ecb.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support Blowfish CBC", +) +class TestBlowfishModeCBC: + test_cbc = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-cbc.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), modes.OFB(b"\x00" * 8) + ), + skip_message="Does not support Blowfish OFB", +) +class TestBlowfishModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-ofb.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + Blowfish(b"\x00" * 56), modes.CFB(b"\x00" * 8) + ), + skip_message="Does not support Blowfish CFB", +) +class TestBlowfishModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "Blowfish"), + ["bf-cfb.txt"], + lambda key, **kwargs: Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) + + +class TestCAST5: + @pytest.mark.parametrize( + ("key", "keysize"), + [(b"0" * (keysize // 4), keysize) for keysize in range(40, 129, 8)], + ) + def test_key_size(self, key, keysize): + cipher = CAST5(binascii.unhexlify(key)) + assert cipher.key_size == keysize + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + CAST5(binascii.unhexlify(b"0" * 34)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + CAST5("0" * 10) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.ECB() + ), + skip_message="Does not support CAST5 ECB", +) +class TestCAST5ModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-ecb.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support CAST5 CBC", +) +class TestCAST5ModeCBC: + test_cbc = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-cbc.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.OFB(b"\x00" * 8) + ), + skip_message="Does not support CAST5 OFB", +) +class TestCAST5ModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-ofb.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + CAST5(b"\x00" * 16), modes.CFB(b"\x00" * 8) + ), + skip_message="Does not support CAST5 CFB", +) +class TestCAST5ModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-cfb.txt"], + lambda key, **kwargs: CAST5(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) + + +class TestIDEA: + def test_key_size(self): + cipher = IDEA(b"\x00" * 16) + assert cipher.key_size == 128 + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + IDEA(b"\x00" * 17) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + IDEA("0" * 16) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.ECB() + ), + skip_message="Does not support IDEA ECB", +) +class TestIDEAModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-ecb.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support IDEA CBC", +) +class TestIDEAModeCBC: + test_cbc = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-cbc.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.OFB(b"\x00" * 8) + ), + skip_message="Does not support IDEA OFB", +) +class TestIDEAModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-ofb.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + IDEA(b"\x00" * 16), modes.CFB(b"\x00" * 8) + ), + skip_message="Does not support IDEA CFB", +) +class TestIDEAModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "IDEA"), + ["idea-cfb.txt"], + lambda key, **kwargs: IDEA(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) + + +class TestSEED: + def test_key_size(self): + cipher = SEED(b"\x00" * 16) + assert cipher.key_size == 128 + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + SEED(b"\x00" * 17) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + SEED("0" * 16) # type: ignore[arg-type] + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.ECB() + ), + skip_message="Does not support SEED ECB", +) +class TestSEEDModeECB: + test_ecb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["rfc-4269.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.CBC(b"\x00" * 16) + ), + skip_message="Does not support SEED CBC", +) +class TestSEEDModeCBC: + test_cbc = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["rfc-4196.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.OFB(b"\x00" * 16) + ), + skip_message="Does not support SEED OFB", +) +class TestSEEDModeOFB: + test_ofb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["seed-ofb.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + SEED(b"\x00" * 16), modes.CFB(b"\x00" * 16) + ), + skip_message="Does not support SEED CFB", +) +class TestSEEDModeCFB: + test_cfb = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "SEED"), + ["seed-cfb.txt"], + lambda key, **kwargs: SEED(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + ) diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py deleted file mode 100644 index b8f34dfcef58..000000000000 --- a/tests/hazmat/primitives/test_blowfish.py +++ /dev/null @@ -1,86 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import binascii -import os - -import pytest - -from cryptography.hazmat.primitives.ciphers import algorithms, modes - -from ...utils import load_nist_vectors -from .utils import generate_encrypt_test - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._BlowfishInternal(b"\x00" * 56), modes.ECB() - ), - skip_message="Does not support Blowfish ECB", -) -class TestBlowfishModeECB: - test_ecb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "Blowfish"), - ["bf-ecb.txt"], - lambda key, **kwargs: algorithms._BlowfishInternal( - binascii.unhexlify(key) - ), - lambda **kwargs: modes.ECB(), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._BlowfishInternal(b"\x00" * 56), modes.CBC(b"\x00" * 8) - ), - skip_message="Does not support Blowfish CBC", -) -class TestBlowfishModeCBC: - test_cbc = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "Blowfish"), - ["bf-cbc.txt"], - lambda key, **kwargs: algorithms._BlowfishInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._BlowfishInternal(b"\x00" * 56), modes.OFB(b"\x00" * 8) - ), - skip_message="Does not support Blowfish OFB", -) -class TestBlowfishModeOFB: - test_ofb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "Blowfish"), - ["bf-ofb.txt"], - lambda key, **kwargs: algorithms._BlowfishInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._BlowfishInternal(b"\x00" * 56), modes.CFB(b"\x00" * 8) - ), - skip_message="Does not support Blowfish CFB", -) -class TestBlowfishModeCFB: - test_cfb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "Blowfish"), - ["bf-cfb.txt"], - lambda key, **kwargs: algorithms._BlowfishInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - ) diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py deleted file mode 100644 index 327a463b60e5..000000000000 --- a/tests/hazmat/primitives/test_cast5.py +++ /dev/null @@ -1,86 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import binascii -import os - -import pytest - -from cryptography.hazmat.primitives.ciphers import algorithms, modes - -from ...utils import load_nist_vectors -from .utils import generate_encrypt_test - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.ECB() - ), - skip_message="Does not support CAST5 ECB", -) -class TestCAST5ModeECB: - test_ecb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-ecb.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda **kwargs: modes.ECB(), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.CBC(b"\x00" * 8) - ), - skip_message="Does not support CAST5 CBC", -) -class TestCAST5ModeCBC: - test_cbc = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-cbc.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.OFB(b"\x00" * 8) - ), - skip_message="Does not support CAST5 OFB", -) -class TestCAST5ModeOFB: - test_ofb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-ofb.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._CAST5Internal(b"\x00" * 16), modes.CFB(b"\x00" * 8) - ), - skip_message="Does not support CAST5 CFB", -) -class TestCAST5ModeCFB: - test_cfb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "CAST5"), - ["cast5-cfb.txt"], - lambda key, **kwargs: algorithms._CAST5Internal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - ) diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index 1659fa2cd605..e096986160f8 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -10,6 +10,7 @@ import pytest +from cryptography import utils from cryptography.exceptions import AlreadyFinalized, _Reasons from cryptography.hazmat.primitives import ciphers from cryptography.hazmat.primitives.ciphers import modes @@ -18,10 +19,6 @@ ARC4, Camellia, TripleDES, - _BlowfishInternal, - _CAST5Internal, - _IDEAInternal, - _SEEDInternal, ) from ...utils import ( @@ -31,6 +28,25 @@ ) +def test_deprecated_ciphers_import_with_warning(): + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + Blowfish, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + CAST5, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + IDEA, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + SEED, # noqa: F401 + ) + + class TestAES: @pytest.mark.parametrize( ("key", "keysize"), @@ -110,42 +126,6 @@ def test_invalid_key_type(self): TripleDES("0" * 16) # type: ignore[arg-type] -class TestBlowfish: - @pytest.mark.parametrize( - ("key", "keysize"), - [(b"0" * (keysize // 4), keysize) for keysize in range(32, 449, 8)], - ) - def test_key_size(self, key, keysize): - cipher = _BlowfishInternal(binascii.unhexlify(key)) - assert cipher.key_size == keysize - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _BlowfishInternal(binascii.unhexlify(b"0" * 6)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _BlowfishInternal("0" * 8) # type: ignore[arg-type] - - -class TestCAST5: - @pytest.mark.parametrize( - ("key", "keysize"), - [(b"0" * (keysize // 4), keysize) for keysize in range(40, 129, 8)], - ) - def test_key_size(self, key, keysize): - cipher = _CAST5Internal(binascii.unhexlify(key)) - assert cipher.key_size == keysize - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _CAST5Internal(binascii.unhexlify(b"0" * 34)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _CAST5Internal("0" * 10) # type: ignore[arg-type] - - class TestARC4: @pytest.mark.parametrize( ("key", "keysize"), @@ -172,34 +152,6 @@ def test_invalid_key_type(self): ARC4("0" * 10) # type: ignore[arg-type] -class TestIDEA: - def test_key_size(self): - cipher = _IDEAInternal(b"\x00" * 16) - assert cipher.key_size == 128 - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _IDEAInternal(b"\x00" * 17) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _IDEAInternal("0" * 16) # type: ignore[arg-type] - - -class TestSEED: - def test_key_size(self): - cipher = _SEEDInternal(b"\x00" * 16) - assert cipher.key_size == 128 - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - _SEEDInternal(b"\x00" * 17) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - _SEEDInternal("0" * 16) # type: ignore[arg-type] - - def test_invalid_mode_algorithm(): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): ciphers.Cipher( diff --git a/tests/hazmat/primitives/test_idea.py b/tests/hazmat/primitives/test_idea.py deleted file mode 100644 index 6631a93f91cc..000000000000 --- a/tests/hazmat/primitives/test_idea.py +++ /dev/null @@ -1,86 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import binascii -import os - -import pytest - -from cryptography.hazmat.primitives.ciphers import algorithms, modes - -from ...utils import load_nist_vectors -from .utils import generate_encrypt_test - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._IDEAInternal(b"\x00" * 16), modes.ECB() - ), - skip_message="Does not support IDEA ECB", -) -class TestIDEAModeECB: - test_ecb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "IDEA"), - ["idea-ecb.txt"], - lambda key, **kwargs: algorithms._IDEAInternal( - binascii.unhexlify(key) - ), - lambda **kwargs: modes.ECB(), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._IDEAInternal(b"\x00" * 16), modes.CBC(b"\x00" * 8) - ), - skip_message="Does not support IDEA CBC", -) -class TestIDEAModeCBC: - test_cbc = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "IDEA"), - ["idea-cbc.txt"], - lambda key, **kwargs: algorithms._IDEAInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._IDEAInternal(b"\x00" * 16), modes.OFB(b"\x00" * 8) - ), - skip_message="Does not support IDEA OFB", -) -class TestIDEAModeOFB: - test_ofb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "IDEA"), - ["idea-ofb.txt"], - lambda key, **kwargs: algorithms._IDEAInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._IDEAInternal(b"\x00" * 16), modes.CFB(b"\x00" * 8) - ), - skip_message="Does not support IDEA CFB", -) -class TestIDEAModeCFB: - test_cfb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "IDEA"), - ["idea-cfb.txt"], - lambda key, **kwargs: algorithms._IDEAInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - ) diff --git a/tests/hazmat/primitives/test_seed.py b/tests/hazmat/primitives/test_seed.py deleted file mode 100644 index f36ce1e4ecea..000000000000 --- a/tests/hazmat/primitives/test_seed.py +++ /dev/null @@ -1,86 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import binascii -import os - -import pytest - -from cryptography.hazmat.primitives.ciphers import algorithms, modes - -from ...utils import load_nist_vectors -from .utils import generate_encrypt_test - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._SEEDInternal(b"\x00" * 16), modes.ECB() - ), - skip_message="Does not support SEED ECB", -) -class TestSEEDModeECB: - test_ecb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "SEED"), - ["rfc-4269.txt"], - lambda key, **kwargs: algorithms._SEEDInternal( - binascii.unhexlify(key) - ), - lambda **kwargs: modes.ECB(), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._SEEDInternal(b"\x00" * 16), modes.CBC(b"\x00" * 16) - ), - skip_message="Does not support SEED CBC", -) -class TestSEEDModeCBC: - test_cbc = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "SEED"), - ["rfc-4196.txt"], - lambda key, **kwargs: algorithms._SEEDInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._SEEDInternal(b"\x00" * 16), modes.OFB(b"\x00" * 16) - ), - skip_message="Does not support SEED OFB", -) -class TestSEEDModeOFB: - test_ofb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "SEED"), - ["seed-ofb.txt"], - lambda key, **kwargs: algorithms._SEEDInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - ) - - -@pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - algorithms._SEEDInternal(b"\x00" * 16), modes.CFB(b"\x00" * 16) - ), - skip_message="Does not support SEED CFB", -) -class TestSEEDModeCFB: - test_cfb = generate_encrypt_test( - load_nist_vectors, - os.path.join("ciphers", "SEED"), - ["seed-cfb.txt"], - lambda key, **kwargs: algorithms._SEEDInternal( - binascii.unhexlify(key) - ), - lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - ) From 98dfafeb8dcdf5e640c9612841f07da66586509b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 17:54:54 -0500 Subject: [PATCH 035/868] Migrate AES-CCM to Rust (#10279) --- .../hazmat/backends/openssl/aead.py | 255 ------------------ .../hazmat/backends/openssl/backend.py | 4 - .../hazmat/bindings/_rust/openssl/aead.pyi | 17 ++ .../hazmat/primitives/ciphers/aead.py | 91 +------ src/rust/src/backend/aead.rs | 235 +++++++++++++--- tests/hazmat/primitives/test_aead.py | 3 + 6 files changed, 226 insertions(+), 379 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/aead.py diff --git a/src/cryptography/hazmat/backends/openssl/aead.py b/src/cryptography/hazmat/backends/openssl/aead.py deleted file mode 100644 index dd2485481203..000000000000 --- a/src/cryptography/hazmat/backends/openssl/aead.py +++ /dev/null @@ -1,255 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -import typing - -from cryptography.exceptions import InvalidTag - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - from cryptography.hazmat.primitives.ciphers.aead import ( - AESCCM, - ) - - _AEADTypes = typing.Union[AESCCM] - - -def _aead_cipher_supported(backend: Backend, cipher: _AEADTypes) -> bool: - cipher_name = _evp_cipher_cipher_name(cipher) - - return backend._lib.EVP_get_cipherbyname(cipher_name) != backend._ffi.NULL - - -def _encrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - return _evp_cipher_encrypt( - backend, cipher, nonce, data, associated_data, tag_length - ) - - -def _decrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - return _evp_cipher_decrypt( - backend, cipher, nonce, data, associated_data, tag_length - ) - - -_ENCRYPT = 1 -_DECRYPT = 0 - - -def _evp_cipher_cipher_name(cipher: _AEADTypes) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - - assert isinstance(cipher, AESCCM) - return f"aes-{len(cipher._key) * 8}-ccm".encode("ascii") - - -def _evp_cipher(cipher_name: bytes, backend: Backend): - evp_cipher = backend._lib.EVP_get_cipherbyname(cipher_name) - backend.openssl_assert(evp_cipher != backend._ffi.NULL) - return evp_cipher - - -def _evp_cipher_aead_setup( - backend: Backend, - cipher_name: bytes, - key: bytes, - nonce: bytes, - tag: bytes | None, - tag_len: int, - operation: int, -): - evp_cipher = _evp_cipher(cipher_name, backend) - ctx = backend._lib.EVP_CIPHER_CTX_new() - ctx = backend._ffi.gc(ctx, backend._lib.EVP_CIPHER_CTX_free) - res = backend._lib.EVP_CipherInit_ex( - ctx, - evp_cipher, - backend._ffi.NULL, - backend._ffi.NULL, - backend._ffi.NULL, - int(operation == _ENCRYPT), - ) - backend.openssl_assert(res != 0) - # CCM requires the IVLEN to be set before calling SET_TAG on decrypt - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - backend._lib.EVP_CTRL_AEAD_SET_IVLEN, - len(nonce), - backend._ffi.NULL, - ) - backend.openssl_assert(res != 0) - if operation == _DECRYPT: - assert tag is not None - _evp_cipher_set_tag(backend, ctx, tag) - else: - assert cipher_name.endswith(b"-ccm") - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - backend._lib.EVP_CTRL_AEAD_SET_TAG, - tag_len, - backend._ffi.NULL, - ) - backend.openssl_assert(res != 0) - - nonce_ptr = backend._ffi.from_buffer(nonce) - key_ptr = backend._ffi.from_buffer(key) - res = backend._lib.EVP_CipherInit_ex( - ctx, - backend._ffi.NULL, - backend._ffi.NULL, - key_ptr, - nonce_ptr, - int(operation == _ENCRYPT), - ) - backend.openssl_assert(res != 0) - return ctx - - -def _evp_cipher_set_tag(backend, ctx, tag: bytes) -> None: - tag_ptr = backend._ffi.from_buffer(tag) - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_SET_TAG, len(tag), tag_ptr - ) - backend.openssl_assert(res != 0) - - -def _evp_cipher_set_length(backend: Backend, ctx, data_len: int) -> None: - intptr = backend._ffi.new("int *") - res = backend._lib.EVP_CipherUpdate( - ctx, backend._ffi.NULL, intptr, backend._ffi.NULL, data_len - ) - backend.openssl_assert(res != 0) - - -def _evp_cipher_process_aad( - backend: Backend, ctx, associated_data: bytes -) -> None: - outlen = backend._ffi.new("int *") - a_data_ptr = backend._ffi.from_buffer(associated_data) - res = backend._lib.EVP_CipherUpdate( - ctx, backend._ffi.NULL, outlen, a_data_ptr, len(associated_data) - ) - backend.openssl_assert(res != 0) - - -def _evp_cipher_process_data(backend: Backend, ctx, data: bytes) -> bytes: - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned char[]", len(data)) - data_ptr = backend._ffi.from_buffer(data) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, data_ptr, len(data)) - backend.openssl_assert(res != 0) - return backend._ffi.buffer(buf, outlen[0])[:] - - -def _evp_cipher_encrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - - cipher_name = _evp_cipher_cipher_name(cipher) - ctx = _evp_cipher_aead_setup( - backend, - cipher_name, - cipher._key, - nonce, - None, - tag_length, - _ENCRYPT, - ) - - # CCM requires us to pass the length of the data before processing - # anything. - # However calling this with any other AEAD results in an error - assert isinstance(cipher, AESCCM) - _evp_cipher_set_length(backend, ctx, len(data)) - - for ad in associated_data: - _evp_cipher_process_aad(backend, ctx, ad) - processed_data = _evp_cipher_process_data(backend, ctx, data) - outlen = backend._ffi.new("int *") - # All AEADs we support besides OCB are streaming so they return nothing - # in finalization. OCB can return up to (16 byte block - 1) bytes so - # we need a buffer here too. - buf = backend._ffi.new("unsigned char[]", 16) - res = backend._lib.EVP_CipherFinal_ex(ctx, buf, outlen) - backend.openssl_assert(res != 0) - processed_data += backend._ffi.buffer(buf, outlen[0])[:] - tag_buf = backend._ffi.new("unsigned char[]", tag_length) - res = backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, backend._lib.EVP_CTRL_AEAD_GET_TAG, tag_length, tag_buf - ) - backend.openssl_assert(res != 0) - tag = backend._ffi.buffer(tag_buf)[:] - - return processed_data + tag - - -def _evp_cipher_decrypt( - backend: Backend, - cipher: _AEADTypes, - nonce: bytes, - data: bytes, - associated_data: list[bytes], - tag_length: int, -) -> bytes: - from cryptography.hazmat.primitives.ciphers.aead import AESCCM - - if len(data) < tag_length: - raise InvalidTag - - tag = data[-tag_length:] - data = data[:-tag_length] - cipher_name = _evp_cipher_cipher_name(cipher) - ctx = _evp_cipher_aead_setup( - backend, - cipher_name, - cipher._key, - nonce, - tag, - tag_length, - _DECRYPT, - ) - - # CCM requires us to pass the length of the data before processing - # anything. - # However calling this with any other AEAD results in an error - assert isinstance(cipher, AESCCM) - _evp_cipher_set_length(backend, ctx, len(data)) - - for ad in associated_data: - _evp_cipher_process_aad(backend, ctx, ad) - # CCM has a different error path if the tag doesn't match. Errors are - # raised in Update and Final is irrelevant. - outlen = backend._ffi.new("int *") - buf = backend._ffi.new("unsigned char[]", len(data)) - d_ptr = backend._ffi.from_buffer(data) - res = backend._lib.EVP_CipherUpdate(ctx, buf, outlen, d_ptr, len(data)) - if res != 1: - backend._consume_errors() - raise InvalidTag - - processed_data = backend._ffi.buffer(buf, outlen[0])[:] - - return processed_data diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index c5b02b2e9f01..1412c480b708 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -11,7 +11,6 @@ from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl import aead from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding @@ -561,9 +560,6 @@ def ed448_supported(self) -> bool: and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL ) - def aead_cipher_supported(self, cipher) -> bool: - return aead._aead_cipher_supported(self, cipher) - def _zero_data(self, data, length: int) -> None: # We clear things this way because at the moment we're not # sure of a better way that can guarantee it overwrites the diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi index e274073f201e..047f49d819c1 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/aead.pyi @@ -36,6 +36,23 @@ class ChaCha20Poly1305: associated_data: bytes | None, ) -> bytes: ... +class AESCCM: + def __init__(self, key: bytes, tag_length: int = 16) -> None: ... + @staticmethod + def generate_key(key_size: int) -> bytes: ... + def encrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + def decrypt( + self, + nonce: bytes, + data: bytes, + associated_data: bytes | None, + ) -> bytes: ... + class AESSIV: def __init__(self, key: bytes) -> None: ... @staticmethod diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index e96b735b18f9..f82a05685e02 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -4,11 +4,6 @@ from __future__ import annotations -import os - -from cryptography import exceptions, utils -from cryptography.hazmat.backends.openssl import aead -from cryptography.hazmat.backends.openssl.backend import backend from cryptography.hazmat.bindings._rust import openssl as rust_openssl __all__ = [ @@ -22,91 +17,7 @@ AESGCM = rust_openssl.aead.AESGCM ChaCha20Poly1305 = rust_openssl.aead.ChaCha20Poly1305 +AESCCM = rust_openssl.aead.AESCCM AESSIV = rust_openssl.aead.AESSIV AESOCB3 = rust_openssl.aead.AESOCB3 AESGCMSIV = rust_openssl.aead.AESGCMSIV - - -class AESCCM: - _MAX_SIZE = 2**31 - 1 - - def __init__(self, key: bytes, tag_length: int = 16): - utils._check_byteslike("key", key) - if len(key) not in (16, 24, 32): - raise ValueError("AESCCM key must be 128, 192, or 256 bits.") - - self._key = key - if not isinstance(tag_length, int): - raise TypeError("tag_length must be an integer") - - if tag_length not in (4, 6, 8, 10, 12, 14, 16): - raise ValueError("Invalid tag_length") - - self._tag_length = tag_length - - if not backend.aead_cipher_supported(self): - raise exceptions.UnsupportedAlgorithm( - "AESCCM is not supported by this version of OpenSSL", - exceptions._Reasons.UNSUPPORTED_CIPHER, - ) - - @classmethod - def generate_key(cls, bit_length: int) -> bytes: - if not isinstance(bit_length, int): - raise TypeError("bit_length must be an integer") - - if bit_length not in (128, 192, 256): - raise ValueError("bit_length must be 128, 192, or 256") - - return os.urandom(bit_length // 8) - - def encrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - if len(data) > self._MAX_SIZE or len(associated_data) > self._MAX_SIZE: - # This is OverflowError to match what cffi would raise - raise OverflowError( - "Data or associated data too long. Max 2**31 - 1 bytes" - ) - - self._check_params(nonce, data, associated_data) - self._validate_lengths(nonce, len(data)) - return aead._encrypt( - backend, self, nonce, data, [associated_data], self._tag_length - ) - - def decrypt( - self, - nonce: bytes, - data: bytes, - associated_data: bytes | None, - ) -> bytes: - if associated_data is None: - associated_data = b"" - - self._check_params(nonce, data, associated_data) - return aead._decrypt( - backend, self, nonce, data, [associated_data], self._tag_length - ) - - def _validate_lengths(self, nonce: bytes, data_len: int) -> None: - # For information about computing this, see - # https://tools.ietf.org/html/rfc3610#section-2.1 - l_val = 15 - len(nonce) - if 2 ** (8 * l_val) < data_len: - raise ValueError("Data too long for nonce") - - def _check_params( - self, nonce: bytes, data: bytes, associated_data: bytes - ) -> None: - utils._check_byteslike("nonce", nonce) - utils._check_byteslike("data", data) - utils._check_byteslike("associated_data", associated_data) - if not 7 <= len(nonce) <= 13: - raise ValueError("Nonce must be between 7 and 13 bytes") diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index b13a420c7588..7afd7a172e94 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -77,6 +77,7 @@ impl EvpCipherAead { ctx: &mut openssl::cipher_ctx::CipherCtx, data: &[u8], out: &mut [u8], + is_ccm: bool, ) -> CryptographyResult<()> { let bs = ctx.block_size(); @@ -87,9 +88,11 @@ impl EvpCipherAead { let n = ctx.cipher_update(data, Some(out))?; assert_eq!(n, data.len()); - let mut final_block = [0]; - let n = ctx.cipher_final(&mut final_block)?; - assert_eq!(n, 0); + if !is_ccm { + let mut final_block = [0]; + let n = ctx.cipher_final(&mut final_block)?; + assert_eq!(n, 0); + } } else { // Our algorithm here is: split the data into the full chunks, and // the remaining partial chunk. Feed the full chunks into OpenSSL @@ -131,9 +134,19 @@ impl EvpCipherAead { ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_encryption_ctx)?; - Self::encrypt_with_context(py, ctx, plaintext, aad, nonce, self.tag_len, self.tag_first) + Self::encrypt_with_context( + py, + ctx, + plaintext, + aad, + nonce, + self.tag_len, + self.tag_first, + false, + ) } + #[allow(clippy::too_many_arguments)] fn encrypt_with_context<'p>( py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, @@ -142,13 +155,19 @@ impl EvpCipherAead { nonce: Option<&[u8]>, tag_len: usize, tag_first: bool, + is_ccm: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { check_length(plaintext)?; - if let Some(nonce) = nonce { - ctx.set_iv_length(nonce.len())?; + if !is_ccm { + if let Some(nonce) = nonce { + ctx.set_iv_length(nonce.len())?; + } + ctx.encrypt_init(None, None, nonce)?; + } + if is_ccm { + ctx.set_data_len(plaintext.len())?; } - ctx.encrypt_init(None, None, nonce)?; Self::process_aad(&mut ctx, aad)?; @@ -164,7 +183,7 @@ impl EvpCipherAead { (ciphertext, tag) = b.split_at_mut(plaintext.len()); } - Self::process_data(&mut ctx, plaintext, ciphertext)?; + Self::process_data(&mut ctx, plaintext, ciphertext, is_ccm)?; ctx.tag(tag).map_err(CryptographyError::from)?; @@ -190,9 +209,11 @@ impl EvpCipherAead { nonce, self.tag_len, self.tag_first, + false, ) } + #[allow(clippy::too_many_arguments)] fn decrypt_with_context<'p>( py: pyo3::Python<'p>, mut ctx: openssl::cipher_ctx::CipherCtx, @@ -201,16 +222,12 @@ impl EvpCipherAead { nonce: Option<&[u8]>, tag_len: usize, tag_first: bool, + is_ccm: bool, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if ciphertext.len() < tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } - if let Some(nonce) = nonce { - ctx.set_iv_length(nonce.len())?; - } - ctx.decrypt_init(None, None, nonce)?; - let tag; let ciphertext_data; if tag_first { @@ -221,7 +238,18 @@ impl EvpCipherAead { } else { (ciphertext_data, tag) = ciphertext.split_at(ciphertext.len() - tag_len); } - ctx.set_tag(tag)?; + + if !is_ccm { + if let Some(nonce) = nonce { + ctx.set_iv_length(nonce.len())?; + } + + ctx.decrypt_init(None, None, nonce)?; + ctx.set_tag(tag)?; + } + if is_ccm { + ctx.set_data_len(ciphertext_data.len())?; + } Self::process_aad(&mut ctx, aad)?; @@ -229,7 +257,7 @@ impl EvpCipherAead { py, ciphertext_data.len(), |b| { - Self::process_data(&mut ctx, ciphertext_data, b) + Self::process_data(&mut ctx, ciphertext_data, b, is_ccm) .map_err(|_| exceptions::InvalidTag::new_err(()))?; Ok(()) @@ -238,38 +266,29 @@ impl EvpCipherAead { } } -#[cfg(not(any( - CRYPTOGRAPHY_IS_LIBRESSL, - CRYPTOGRAPHY_IS_BORINGSSL, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - CRYPTOGRAPHY_OPENSSL_320_OR_GREATER -)))] struct LazyEvpCipherAead { cipher: &'static openssl::cipher::CipherRef, key: pyo3::Py, tag_len: usize, tag_first: bool, + is_ccm: bool, } -#[cfg(not(any( - CRYPTOGRAPHY_IS_LIBRESSL, - CRYPTOGRAPHY_IS_BORINGSSL, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - CRYPTOGRAPHY_OPENSSL_320_OR_GREATER -)))] impl LazyEvpCipherAead { fn new( cipher: &'static openssl::cipher::CipherRef, key: pyo3::Py, tag_len: usize, tag_first: bool, + is_ccm: bool, ) -> LazyEvpCipherAead { LazyEvpCipherAead { cipher, key, tag_len, tag_first, + is_ccm, } } @@ -283,7 +302,15 @@ impl LazyEvpCipherAead { let key_buf = self.key.as_ref(py).extract::>()?; let mut encryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; - encryption_ctx.encrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + if self.is_ccm { + encryption_ctx.encrypt_init(Some(self.cipher), None, None)?; + encryption_ctx.set_iv_length(nonce.as_ref().unwrap().len())?; + encryption_ctx.set_tag_length(self.tag_len)?; + encryption_ctx.encrypt_init(None, Some(key_buf.as_bytes()), nonce)?; + } else { + encryption_ctx.encrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + } + EvpCipherAead::encrypt_with_context( py, encryption_ctx, @@ -292,6 +319,7 @@ impl LazyEvpCipherAead { nonce, self.tag_len, self.tag_first, + self.is_ccm, ) } @@ -305,7 +333,22 @@ impl LazyEvpCipherAead { let key_buf = self.key.as_ref(py).extract::>()?; let mut decryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; - decryption_ctx.decrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + if self.is_ccm { + decryption_ctx.decrypt_init(Some(self.cipher), None, None)?; + decryption_ctx.set_iv_length(nonce.as_ref().unwrap().len())?; + + if ciphertext.len() < self.tag_len { + return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); + } + + let (_, tag) = ciphertext.split_at(ciphertext.len() - self.tag_len); + decryption_ctx.set_tag(tag)?; + + decryption_ctx.decrypt_init(None, Some(key_buf.as_bytes()), nonce)?; + } else { + decryption_ctx.decrypt_init(Some(self.cipher), Some(key_buf.as_bytes()), None)?; + } + EvpCipherAead::decrypt_with_context( py, decryption_ctx, @@ -314,6 +357,7 @@ impl LazyEvpCipherAead { nonce, self.tag_len, self.tag_first, + self.is_ccm, ) } } @@ -478,6 +522,7 @@ impl ChaCha20Poly1305 { key, 16, false, + false, ) }) } @@ -583,7 +628,7 @@ impl AesGcm { }) } else { Ok(AesGcm { - ctx: LazyEvpCipherAead::new(cipher, key, 16, false), + ctx: LazyEvpCipherAead::new(cipher, key, 16, false, false), }) } @@ -642,6 +687,135 @@ impl AesGcm { } } +#[pyo3::prelude::pyclass( + frozen, + module = "cryptography.hazmat.bindings._rust.openssl.aead", + name = "AESCCM" +)] +struct AesCcm { + ctx: LazyEvpCipherAead, +} + +#[pyo3::prelude::pymethods] +impl AesCcm { + #[new] + fn new( + py: pyo3::Python<'_>, + key: pyo3::Py, + tag_length: Option, + ) -> CryptographyResult { + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "AES-CCM is not supported by this version of OpenSSL", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } else { + let key_buf = key.extract::>(py)?; + let cipher = match key_buf.as_bytes().len() { + 16 => openssl::cipher::Cipher::aes_128_ccm(), + 24 => openssl::cipher::Cipher::aes_192_ccm(), + 32 => openssl::cipher::Cipher::aes_256_ccm(), + _ => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "AESCCM key must be 128, 192, or 256 bits.", + ), + )) + } + }; + let tag_length = tag_length.unwrap_or(16); + if ![4, 6, 8, 10, 12, 14, 16].contains(&tag_length) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Invalid tag_length"), + )); + } + + Ok(AesCcm { + ctx: LazyEvpCipherAead::new(cipher, key, tag_length, false, true), + }) + } + } + } + + #[staticmethod] + fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + if bit_length != 128 && bit_length != 192 && bit_length != 256 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), + )); + } + + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + } + + fn encrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let data_bytes = data.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 7 || nonce_bytes.len() > 13 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 7 and 13 bytes"), + )); + } + + check_length(data_bytes)?; + // For information about computing this, see + // https://tools.ietf.org/html/rfc3610#section-2.1 + let l_val = 15 - nonce_bytes.len(); + let max_length = 1usize.checked_shl(8 * l_val as u32); + // If `max_length` overflowed, then it's not possible for data to be + // longer than it. + if max_length.map(|v| v < data_bytes.len()).unwrap_or(false) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Data too long for nonce"), + )); + } + + self.ctx.encrypt(py, data_bytes, aad, Some(nonce_bytes)) + } + + fn decrypt<'p>( + &self, + py: pyo3::Python<'p>, + nonce: CffiBuf<'_>, + data: CffiBuf<'_>, + associated_data: Option>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let nonce_bytes = nonce.as_bytes(); + let data_bytes = data.as_bytes(); + let aad = associated_data.map(Aad::Single); + + if nonce_bytes.len() < 7 || nonce_bytes.len() > 13 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Nonce must be between 7 and 13 bytes"), + )); + } + // For information about computing this, see + // https://tools.ietf.org/html/rfc3610#section-2.1 + let l_val = 15 - nonce_bytes.len(); + let max_length = 1usize.checked_shl(8 * l_val as u32); + // If `max_length` overflowed, then it's not possible for data to be + // longer than it. + if max_length.map(|v| v < data_bytes.len()).unwrap_or(false) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Data too long for nonce"), + )); + } + + self.ctx.decrypt(py, data_bytes, aad, Some(nonce_bytes)) + } +} + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", @@ -957,6 +1131,7 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu m.add_class::()?; m.add_class::()?; + m.add_class::()?; m.add_class::()?; m.add_class::()?; m.add_class::()?; diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 5228edbbd2d3..a1f99ab815ed 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -296,6 +296,9 @@ def test_nonce_too_long(self, backend): with pytest.raises(ValueError): aesccm.encrypt(nonce, pt, None) + with pytest.raises(ValueError): + aesccm.decrypt(nonce, pt, None) + @pytest.mark.parametrize( ("nonce", "data", "associated_data"), [ From 49bf4e408cd2f93276687f451dd28982e5d501e0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Jan 2024 18:06:11 -0500 Subject: [PATCH 036/868] Remove unused attr on backend (#10285) --- src/cryptography/hazmat/backends/openssl/backend.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 1412c480b708..6a8c65cebc78 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -80,18 +80,6 @@ class Backend: name = "openssl" - # FIPS has opinions about acceptable algorithms and key sizes, but the - # disallowed algorithms are still present in OpenSSL. They just error if - # you try to use them. To avoid that we allowlist the algorithms in - # FIPS 140-3. This isn't ideal, but FIPS 140-3 is trash so here we are. - _fips_aead: typing.ClassVar[set[bytes]] = { - b"aes-128-ccm", - b"aes-192-ccm", - b"aes-256-ccm", - b"aes-128-gcm", - b"aes-192-gcm", - b"aes-256-gcm", - } # TripleDES encryption is disallowed/deprecated throughout 2023 in # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA). _fips_ciphers = (AES,) From 4ea43098ca252fa4e3dfdb0f9869473f02b8247f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 29 Jan 2024 17:40:25 -0600 Subject: [PATCH 037/868] stop using SHA1 in most of test_ec where it isn't needed (#10287) --- tests/hazmat/primitives/test_ec.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 334e76dcc073..9a368e67cafa 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -510,7 +510,7 @@ def test_signature_failures(self, backend, subtests): def test_sign(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) public_key = private_key.public_key() @@ -519,7 +519,7 @@ def test_sign(self, backend): def test_sign_verify_buffers(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = bytearray(b"one little message") - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) public_key = private_key.public_key() @@ -528,19 +528,19 @@ def test_sign_verify_buffers(self, backend): def test_sign_prehashed(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA256(), backend) h.update(message) data = h.finalize() - algorithm = ec.ECDSA(Prehashed(hashes.SHA1())) + algorithm = ec.ECDSA(Prehashed(hashes.SHA256())) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(data, algorithm) public_key = private_key.public_key() - public_key.verify(signature, message, ec.ECDSA(hashes.SHA1())) + public_key.verify(signature, message, ec.ECDSA(hashes.SHA256())) def test_sign_prehashed_digest_mismatch(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA224(), backend) h.update(message) data = h.finalize() algorithm = ec.ECDSA(Prehashed(hashes.SHA256())) @@ -551,7 +551,7 @@ def test_sign_prehashed_digest_mismatch(self, backend): def test_verify(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) public_key = private_key.public_key() @@ -560,20 +560,22 @@ def test_verify(self, backend): def test_verify_prehashed(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" - algorithm = ec.ECDSA(hashes.SHA1()) + algorithm = ec.ECDSA(hashes.SHA256()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) signature = private_key.sign(message, algorithm) - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA256(), backend) h.update(message) data = h.finalize() public_key = private_key.public_key() - public_key.verify(signature, data, ec.ECDSA(Prehashed(hashes.SHA1()))) + public_key.verify( + signature, data, ec.ECDSA(Prehashed(hashes.SHA256())) + ) def test_verify_prehashed_digest_mismatch(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" private_key = ec.generate_private_key(ec.SECP256R1(), backend) - h = hashes.Hash(hashes.SHA1(), backend) + h = hashes.Hash(hashes.SHA224(), backend) h.update(message) data = h.finalize() public_key = private_key.public_key() From 07b706f336e475fd5dd35fad9e39535a419b6c81 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 29 Jan 2024 17:44:42 -0600 Subject: [PATCH 038/868] remove unneeded sha1 and support checks from the rsa tests (#10288) --- tests/hazmat/primitives/test_rsa.py | 136 +++++++++++----------------- 1 file changed, 53 insertions(+), 83 deletions(-) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 7e82743c49bc..83055fd6fa28 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -72,7 +72,7 @@ def rsa_key_2048() -> rsa.RSAPrivateKey: class DummyMGF(padding.MGF): _salt_length = 0 - _algorithm = hashes.SHA1() + _algorithm = hashes.SHA256() def _check_fips_key_length(backend, private_key): @@ -600,7 +600,7 @@ def test_pss_digest_length(self, rsa_key_2048, backend): backend.hash_supported(hashes.SHA512()) and backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ) @@ -615,7 +615,7 @@ def test_pss_minimum_key_size_for_digest(self, backend): private_key.sign( b"no failure", padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), hashes.SHA512(), @@ -624,7 +624,7 @@ def test_pss_minimum_key_size_for_digest(self, backend): @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), @@ -643,7 +643,7 @@ def test_pss_signing_digest_too_large_for_key_size( private_key.sign( b"msg", padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), hashes.SHA512(), @@ -652,7 +652,7 @@ def test_pss_signing_digest_too_large_for_key_size( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), @@ -666,7 +666,7 @@ def test_pss_signing_salt_length_too_long( private_key.sign( b"failure coming", padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), salt_length=1000000 + mgf=padding.MGF1(hashes.SHA256()), salt_length=1000000 ), hashes.SHA256(), ) @@ -676,7 +676,7 @@ def test_unsupported_padding( ): private_key = rsa_key_2048 with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): - private_key.sign(b"msg", DummyAsymmetricPadding(), hashes.SHA1()) + private_key.sign(b"msg", DummyAsymmetricPadding(), hashes.SHA256()) def test_padding_incorrect_type( self, rsa_key_2048: rsa.RSAPrivateKey, backend @@ -691,7 +691,7 @@ def test_padding_incorrect_type( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -706,7 +706,7 @@ def test_unsupported_pss_mgf( mgf=DummyMGF(), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.supported( @@ -778,7 +778,7 @@ def test_sign(self, rsa_key_2048: rsa.RSAPrivateKey, message, backend): @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -788,7 +788,7 @@ def test_prehashed_sign(self, rsa_key_2048: rsa.RSAPrivateKey, backend): h = hashes.Hash(hashes.SHA256(), backend) h.update(message) digest = h.finalize() - pss = padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) prehashed_alg = asym_utils.Prehashed(hashes.SHA256()) signature = private_key.sign(digest, pss, prehashed_alg) public_key = private_key.public_key() @@ -828,7 +828,7 @@ def test_prehashed_digest_length( ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -856,7 +856,7 @@ def test_unsupported_hash_pss_mgf1(self, rsa_key_2048: rsa.RSAPrivateKey): @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -868,8 +868,8 @@ def test_prehashed_digest_mismatch( h = hashes.Hash(hashes.SHA512(), backend) h.update(message) digest = h.finalize() - pss = padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) - prehashed_alg = asym_utils.Prehashed(hashes.SHA1()) + pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) + prehashed_alg = asym_utils.Prehashed(hashes.SHA256()) with pytest.raises(ValueError): private_key.sign(digest, pss, prehashed_alg) @@ -1105,18 +1105,12 @@ def test_pss_verify_auto_salt_length( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_invalid_pss_signature_wrong_data(self, backend): public_key = rsa.RSAPublicNumbers( @@ -1137,27 +1131,21 @@ def test_invalid_pss_signature_wrong_data(self, backend): signature, b"incorrect data", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_invalid_pss_signature_wrong_key(self, backend): signature = binascii.unhexlify( @@ -1180,27 +1168,21 @@ def test_invalid_pss_signature_wrong_key(self, backend): signature, b"sign me", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_invalid_pss_signature_data_too_large_for_modulus(self, backend): # 2048 bit PSS signature @@ -1223,25 +1205,19 @@ def test_invalid_pss_signature_data_too_large_for_modulus(self, backend): signature, b"sign me", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ), - hashes.SHA1(), + hashes.SHA256(), ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) def test_invalid_pss_signature_recover( self, rsa_key_2048: rsa.RSAPrivateKey, backend ): private_key = rsa_key_2048 public_key = private_key.public_key() pss_padding = padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) signature = private_key.sign(b"sign me", pss_padding, hashes.SHA256()) @@ -1283,7 +1259,7 @@ def test_padding_incorrect_type( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=0) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=0) ), skip_message="Does not support PSS.", ) @@ -1305,7 +1281,7 @@ def test_unsupported_pss_mgf( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA512()), salt_length=padding.PSS.MAX_LENGTH, ) ), @@ -1330,7 +1306,7 @@ def test_pss_verify_digest_too_large_for_key_size( signature, b"msg doesn't matter", padding.PSS( - mgf=padding.MGF1(algorithm=hashes.SHA1()), + mgf=padding.MGF1(algorithm=hashes.SHA512()), salt_length=padding.PSS.MAX_LENGTH, ), hashes.SHA512(), @@ -1339,18 +1315,12 @@ def test_pss_verify_digest_too_large_for_key_size( @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH, ) ), skip_message="Does not support PSS.", ) - @pytest.mark.supported( - only_if=lambda backend: backend.signature_hash_supported( - hashes.SHA1() - ), - skip_message="Does not support SHA1 signature.", - ) @pytest.mark.skip_fips(reason="Unsupported key size in FIPS mode.") def test_pss_verify_salt_length_too_long(self, backend): signature = binascii.unhexlify( @@ -1372,11 +1342,11 @@ def test_pss_verify_salt_length_too_long(self, backend): b"sign me", padding.PSS( mgf=padding.MGF1( - algorithm=hashes.SHA1(), + algorithm=hashes.SHA256(), ), salt_length=1000000, ), - hashes.SHA1(), + hashes.SHA256(), ) @pytest.mark.parametrize( @@ -1673,16 +1643,16 @@ def test_calculate_max_pss_salt_length(self): def test_invalid_salt_length_not_integer(self): with pytest.raises(TypeError): padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), + mgf=padding.MGF1(hashes.SHA256()), salt_length=b"not_a_length", # type:ignore[arg-type] ) def test_invalid_salt_length_negative_integer(self): with pytest.raises(ValueError): - padding.PSS(mgf=padding.MGF1(hashes.SHA1()), salt_length=-1) + padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=-1) def test_valid_pss_parameters(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() salt_length = algorithm.digest_size mgf = padding.MGF1(algorithm) pss = padding.PSS(mgf=mgf, salt_length=salt_length) @@ -1690,14 +1660,14 @@ def test_valid_pss_parameters(self): assert pss._salt_length == salt_length def test_valid_pss_parameters_maximum(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) pss = padding.PSS(mgf=mgf, salt_length=padding.PSS.MAX_LENGTH) assert pss._mgf == mgf assert pss._salt_length == padding.PSS.MAX_LENGTH def test_mgf_property(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) pss = padding.PSS(mgf=mgf, salt_length=padding.PSS.MAX_LENGTH) assert pss.mgf == mgf @@ -1710,14 +1680,14 @@ def test_invalid_hash_algorithm(self): padding.MGF1(b"not_a_hash") # type:ignore[arg-type] def test_valid_mgf1_parameters(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) assert mgf._algorithm == algorithm class TestOAEP: def test_invalid_algorithm(self): - mgf = padding.MGF1(hashes.SHA1()) + mgf = padding.MGF1(hashes.SHA256()) with pytest.raises(TypeError): padding.OAEP( mgf=mgf, @@ -1726,14 +1696,14 @@ def test_invalid_algorithm(self): ) def test_algorithm_property(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) oaep = padding.OAEP(mgf=mgf, algorithm=algorithm, label=None) assert oaep.algorithm == algorithm assert oaep.algorithm == oaep._algorithm def test_mgf_property(self): - algorithm = hashes.SHA1() + algorithm = hashes.SHA256() mgf = padding.MGF1(algorithm) oaep = padding.OAEP(mgf=mgf, algorithm=algorithm, label=None) assert oaep.mgf == mgf @@ -1898,8 +1868,8 @@ def test_decrypt_oaep_sha2_vectors(self, backend, subtests): @pytest.mark.supported( only_if=lambda backend: backend.rsa_encryption_supported( padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ) ), @@ -1916,8 +1886,8 @@ def test_invalid_oaep_decryption( ciphertext = private_key.public_key().encrypt( b"secure data", padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ), ) @@ -1930,8 +1900,8 @@ def test_invalid_oaep_decryption( private_key_alt.decrypt( ciphertext, padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ), ) @@ -2006,7 +1976,7 @@ def test_unsupported_oaep_mgf( b"0" * 256, padding.OAEP( mgf=DummyMGF(), - algorithm=hashes.SHA1(), + algorithm=hashes.SHA256(), label=None, ), ) @@ -2016,8 +1986,8 @@ class TestRSAEncryption: @pytest.mark.supported( only_if=lambda backend: backend.rsa_encryption_supported( padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ) ), @@ -2040,8 +2010,8 @@ class TestRSAEncryption: ), [ padding.OAEP( - mgf=padding.MGF1(algorithm=hashes.SHA1()), - algorithm=hashes.SHA1(), + mgf=padding.MGF1(algorithm=hashes.SHA256()), + algorithm=hashes.SHA256(), label=None, ) ], @@ -2206,7 +2176,7 @@ def test_unsupported_oaep_mgf( b"ciphertext", padding.OAEP( mgf=DummyMGF(), - algorithm=hashes.SHA1(), + algorithm=hashes.SHA256(), label=None, ), ) From 5dd88c92dca61c637649788f98b48a033722201f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 00:14:06 +0000 Subject: [PATCH 039/868] Bump BoringSSL and/or OpenSSL in CI (#10291) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d79bc7c0f69..c7c068c3370f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "db7308de87ea138e7bbcbbb00dfc9b841774ba2f"}} + # Latest commit on the BoringSSL master branch, as of Jan 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f58aa24e661d528e07f7c59574926aebb4e92c14"}} # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} # Builds with various Rust versions. Includes MSRV and next From 46655d7736ecabc6a3a90fbbc06fd1fa6114ad2e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 00:41:05 +0000 Subject: [PATCH 040/868] Bump x509-limbo and/or wycheproof in CI (#10292) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index fb78f39da598..7e5198c8094a 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 26, 2024. - ref: "3f614440092d3bfd0d0787095c558c4b4626195b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 30, 2024. + ref: "dd7541dac329f03756f6358ad0c01d32e5677619" # x509-limbo-ref From 722a6393e61b3acb569f404218f213fe08478a96 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 29 Jan 2024 18:42:21 -0600 Subject: [PATCH 041/868] migrate ARC4 and TripleDES to decrepit (#10286) --- CHANGELOG.rst | 7 +- docs/hazmat/decrepit/ciphers.rst | 40 ++++++++++ .../primitives/symmetric-encryption.rst | 8 +- .../hazmat/backends/openssl/backend.py | 4 +- .../hazmat/decrepit/ciphers/algorithms.py | 30 +++++++ .../hazmat/primitives/ciphers/algorithms.py | 50 ++++++------ src/cryptography/utils.py | 1 + src/rust/src/types.rs | 2 +- .../primitives/{ => decrepit}/test_3des.py | 7 +- .../primitives/decrepit/test_algorithms.py | 67 +++++++++++++++- .../primitives/{ => decrepit}/test_arc4.py | 6 +- tests/hazmat/primitives/test_ciphers.py | 79 +++---------------- tests/hazmat/primitives/test_cmac.py | 3 +- tests/hazmat/primitives/test_kbkdf.py | 2 +- tests/hazmat/primitives/utils.py | 9 ++- 15 files changed, 202 insertions(+), 113 deletions(-) rename tests/hazmat/primitives/{ => decrepit}/test_3des.py (96%) rename tests/hazmat/primitives/{ => decrepit}/test_arc4.py (85%) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1088e7099323..36a90eff5ced 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -18,7 +18,12 @@ Changelog :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish`, which were - deprecated in 37.0.0, have been added to this module. + deprecated in 37.0.0, have been added to this module. They will be removed + from the ``cipher`` module in 45.0.0. +* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` + and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into + :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. + They will be removed from the ``cipher`` module in 48.0.0. .. _v42-0-1: diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst index fed571eab50a..2f7b12f14333 100644 --- a/docs/hazmat/decrepit/ciphers.rst +++ b/docs/hazmat/decrepit/ciphers.rst @@ -14,6 +14,46 @@ compatibility or interoperability with legacy systems. Their use is These algorithms require you to use a :class:`~cryptography.hazmat.primitives.ciphers.Cipher` object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers.modes`. +.. class:: ARC4(key) + + ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its + initial stream output. Its use is strongly discouraged. ARC4 does not use + mode constructions. + + :param key: The secret key. This must be kept secret. Either ``40``, + ``56``, ``64``, ``80``, ``128``, ``192``, or ``256`` :term:`bits` in + length. + :type key: :term:`bytes-like` + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes + >>> key = os.urandom(16) + >>> algorithm = algorithms.ARC4(key) + >>> cipher = Cipher(algorithm, mode=None) + >>> encryptor = cipher.encryptor() + >>> ct = encryptor.update(b"a secret message") + >>> decryptor = cipher.decryptor() + >>> decryptor.update(ct) + b'a secret message' + +.. class:: TripleDES(key) + + Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a + block cipher standardized by NIST. Triple DES has known crypto-analytic + flaws, however none of them currently enable a practical attack. + Nonetheless, Triple DES is not recommended for new applications because it + is incredibly slow; old applications should consider moving away from it. + + :param key: The secret key. This must be kept secret. Either ``64``, + ``128``, or ``192`` :term:`bits` long. DES only uses ``56``, ``112``, + or ``168`` bits of the key as there is a parity byte in each component + of the key. Some writing refers to there being up to three separate + keys that are each ``56`` bits long, they can simply be concatenated + to produce the full key. + :type key: :term:`bytes-like` + .. class:: CAST5(key) .. versionadded:: 43.0.0 diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 2b21c4162afd..6eb769bb23b1 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -187,6 +187,12 @@ Algorithms .. class:: TripleDES(key) + .. warning:: + + This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` + module. If you need to continue using it then update your code to + use the new module path. It will be removed from this namespace in 48.0.0. + Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a block cipher standardized by NIST. Triple DES has known crypto-analytic flaws, however none of them currently enable a practical attack. @@ -284,7 +290,7 @@ Weak ciphers This algorithm has been deprecated and moved to the :doc:`/hazmat/decrepit/index` module. If you need to continue using it then update your code to - use the new module path. It will be removed from this namespace in 45.0.0. + use the new module path. It will be removed from this namespace in 48.0.0. ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 6a8c65cebc78..3cf01664685c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -15,10 +15,12 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.decrepit.ciphers.algorithms import ( + ARC4, CAST5, IDEA, SEED, Blowfish, + TripleDES, ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding @@ -40,11 +42,9 @@ AES, AES128, AES256, - ARC4, SM4, Camellia, ChaCha20, - TripleDES, ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, diff --git a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py index f9432834dc5c..68cd533c9c97 100644 --- a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py +++ b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py @@ -6,10 +6,40 @@ from cryptography.hazmat.primitives._cipheralgorithm import ( BlockCipherAlgorithm, + CipherAlgorithm, _verify_key_size, ) +class ARC4(CipherAlgorithm): + name = "RC4" + key_sizes = frozenset([40, 56, 64, 80, 128, 160, 192, 256]) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 + + +class TripleDES(BlockCipherAlgorithm): + name = "3DES" + block_size = 64 + key_sizes = frozenset([64, 128, 192]) + + def __init__(self, key: bytes): + if len(key) == 8: + key += key + key + elif len(key) == 16: + key += key[:8] + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 + + class Blowfish(BlockCipherAlgorithm): name = "Blowfish" block_size = 64 diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py index 645d0acd3cac..1051ba323506 100644 --- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -5,6 +5,9 @@ from __future__ import annotations from cryptography import utils +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + ARC4 as ARC4, +) from cryptography.hazmat.decrepit.ciphers.algorithms import ( CAST5 as CAST5, ) @@ -17,6 +20,9 @@ from cryptography.hazmat.decrepit.ciphers.algorithms import ( Blowfish as Blowfish, ) +from cryptography.hazmat.decrepit.ciphers.algorithms import ( + TripleDES as TripleDES, +) from cryptography.hazmat.primitives._cipheralgorithm import _verify_key_size from cryptography.hazmat.primitives.ciphers import ( BlockCipherAlgorithm, @@ -71,22 +77,26 @@ def key_size(self) -> int: return len(self.key) * 8 -class TripleDES(BlockCipherAlgorithm): - name = "3DES" - block_size = 64 - key_sizes = frozenset([64, 128, 192]) - - def __init__(self, key: bytes): - if len(key) == 8: - key += key + key - elif len(key) == 16: - key += key[:8] - self.key = _verify_key_size(self, key) +utils.deprecated( + ARC4, + __name__, + "ARC4 has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and " + "will be removed from this module in 48.0.0.", + utils.DeprecatedIn43, + name="ARC4", +) - @property - def key_size(self) -> int: - return len(self.key) * 8 +utils.deprecated( + TripleDES, + __name__, + "TripleDES has been moved to " + "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and " + "will be removed from this module in 48.0.0.", + utils.DeprecatedIn43, + name="TripleDES", +) utils.deprecated( Blowfish, @@ -110,18 +120,6 @@ def key_size(self) -> int: ) -class ARC4(CipherAlgorithm): - name = "RC4" - key_sizes = frozenset([40, 56, 64, 80, 128, 160, 192, 256]) - - def __init__(self, key: bytes): - self.key = _verify_key_size(self, key) - - @property - def key_size(self) -> int: - return len(self.key) * 8 - - utils.deprecated( IDEA, __name__, diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index d6f079d4be0e..b3f6e736918a 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -25,6 +25,7 @@ class CryptographyDeprecationWarning(UserWarning): DeprecatedIn40 = CryptographyDeprecationWarning DeprecatedIn41 = CryptographyDeprecationWarning DeprecatedIn42 = CryptographyDeprecationWarning +DeprecatedIn43 = CryptographyDeprecationWarning def _check_bytes(name: str, value: bytes) -> None: diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index fc60ecd97f10..ddd5d8f452ff 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -458,7 +458,7 @@ pub static BLOCK_CIPHER_ALGORITHM: LazyPyImport = LazyPyImport::new( ); pub static TRIPLE_DES: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.ciphers.algorithms", + "cryptography.hazmat.decrepit.ciphers.algorithms", &["TripleDES"], ); pub static AES: LazyPyImport = LazyPyImport::new( diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/decrepit/test_3des.py similarity index 96% rename from tests/hazmat/primitives/test_3des.py rename to tests/hazmat/primitives/decrepit/test_3des.py index 007ecfe21271..f64cbd2d4412 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/decrepit/test_3des.py @@ -12,10 +12,11 @@ import pytest -from cryptography.hazmat.primitives.ciphers import algorithms, modes +from cryptography.hazmat.decrepit.ciphers import algorithms +from cryptography.hazmat.primitives.ciphers import modes -from ...utils import load_nist_vectors -from .utils import generate_encrypt_test +from ....utils import load_nist_vectors +from ..utils import generate_encrypt_test @pytest.mark.supported( diff --git a/tests/hazmat/primitives/decrepit/test_algorithms.py b/tests/hazmat/primitives/decrepit/test_algorithms.py index c812f17fd3d9..0dbdac7c5da8 100644 --- a/tests/hazmat/primitives/decrepit/test_algorithms.py +++ b/tests/hazmat/primitives/decrepit/test_algorithms.py @@ -8,18 +8,83 @@ import pytest +from cryptography.exceptions import _Reasons from cryptography.hazmat.decrepit.ciphers.algorithms import ( + ARC4, CAST5, IDEA, SEED, Blowfish, + TripleDES, ) +from cryptography.hazmat.primitives import ciphers from cryptography.hazmat.primitives.ciphers import modes -from ....utils import load_nist_vectors +from ....utils import load_nist_vectors, raises_unsupported_algorithm from ..utils import generate_encrypt_test +class TestARC4: + @pytest.mark.parametrize( + ("key", "keysize"), + [ + (b"0" * 10, 40), + (b"0" * 14, 56), + (b"0" * 16, 64), + (b"0" * 20, 80), + (b"0" * 32, 128), + (b"0" * 48, 192), + (b"0" * 64, 256), + ], + ) + def test_key_size(self, key, keysize): + cipher = ARC4(binascii.unhexlify(key)) + assert cipher.key_size == keysize + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + ARC4(binascii.unhexlify(b"0" * 34)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + ARC4("0" * 10) # type: ignore[arg-type] + + +def test_invalid_mode_algorithm(): + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + ciphers.Cipher( + ARC4(b"\x00" * 16), + modes.GCM(b"\x00" * 12), + ) + + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + ciphers.Cipher( + ARC4(b"\x00" * 16), + modes.CBC(b"\x00" * 12), + ) + + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + ciphers.Cipher( + ARC4(b"\x00" * 16), + modes.CTR(b"\x00" * 12), + ) + + +class TestTripleDES: + @pytest.mark.parametrize("key", [b"0" * 16, b"0" * 32, b"0" * 48]) + def test_key_size(self, key): + cipher = TripleDES(binascii.unhexlify(key)) + assert cipher.key_size == 192 + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + TripleDES(binascii.unhexlify(b"0" * 12)) + + def test_invalid_key_type(self): + with pytest.raises(TypeError, match="key must be bytes"): + TripleDES("0" * 16) # type: ignore[arg-type] + + class TestBlowfish: @pytest.mark.parametrize( ("key", "keysize"), diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/decrepit/test_arc4.py similarity index 85% rename from tests/hazmat/primitives/test_arc4.py rename to tests/hazmat/primitives/decrepit/test_arc4.py index b589518adfec..116f4b15ccff 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/decrepit/test_arc4.py @@ -8,10 +8,10 @@ import pytest -from cryptography.hazmat.primitives.ciphers import algorithms +from cryptography.hazmat.decrepit.ciphers import algorithms -from ...utils import load_nist_vectors -from .utils import generate_stream_encryption_test +from ....utils import load_nist_vectors +from ..utils import generate_stream_encryption_test @pytest.mark.supported( diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index e096986160f8..5fef25b86c0e 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -11,21 +11,15 @@ import pytest from cryptography import utils -from cryptography.exceptions import AlreadyFinalized, _Reasons +from cryptography.exceptions import AlreadyFinalized from cryptography.hazmat.primitives import ciphers from cryptography.hazmat.primitives.ciphers import modes from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, - ARC4, Camellia, - TripleDES, ) -from ...utils import ( - load_nist_vectors, - load_vectors_from_file, - raises_unsupported_algorithm, -) +from ...utils import load_nist_vectors, load_vectors_from_file def test_deprecated_ciphers_import_with_warning(): @@ -45,6 +39,14 @@ def test_deprecated_ciphers_import_with_warning(): from cryptography.hazmat.primitives.ciphers.algorithms import ( SEED, # noqa: F401 ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + ARC4, # noqa: F401 + ) + with pytest.warns(utils.CryptographyDeprecationWarning): + from cryptography.hazmat.primitives.ciphers.algorithms import ( + TripleDES, # noqa: F401 + ) class TestAES: @@ -111,67 +113,6 @@ def test_invalid_key_type(self): Camellia("0" * 32) # type: ignore[arg-type] -class TestTripleDES: - @pytest.mark.parametrize("key", [b"0" * 16, b"0" * 32, b"0" * 48]) - def test_key_size(self, key): - cipher = TripleDES(binascii.unhexlify(key)) - assert cipher.key_size == 192 - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - TripleDES(binascii.unhexlify(b"0" * 12)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - TripleDES("0" * 16) # type: ignore[arg-type] - - -class TestARC4: - @pytest.mark.parametrize( - ("key", "keysize"), - [ - (b"0" * 10, 40), - (b"0" * 14, 56), - (b"0" * 16, 64), - (b"0" * 20, 80), - (b"0" * 32, 128), - (b"0" * 48, 192), - (b"0" * 64, 256), - ], - ) - def test_key_size(self, key, keysize): - cipher = ARC4(binascii.unhexlify(key)) - assert cipher.key_size == keysize - - def test_invalid_key_size(self): - with pytest.raises(ValueError): - ARC4(binascii.unhexlify(b"0" * 34)) - - def test_invalid_key_type(self): - with pytest.raises(TypeError, match="key must be bytes"): - ARC4("0" * 10) # type: ignore[arg-type] - - -def test_invalid_mode_algorithm(): - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - ciphers.Cipher( - ARC4(b"\x00" * 16), - modes.GCM(b"\x00" * 12), - ) - - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - ciphers.Cipher( - ARC4(b"\x00" * 16), - modes.CBC(b"\x00" * 12), - ) - - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - ciphers.Cipher( - ARC4(b"\x00" * 16), - modes.CTR(b"\x00" * 12), - ) - - @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( AES(b"\x00" * 16), modes.ECB() diff --git a/tests/hazmat/primitives/test_cmac.py b/tests/hazmat/primitives/test_cmac.py index 18ba898e7a85..5e81563a6b14 100644 --- a/tests/hazmat/primitives/test_cmac.py +++ b/tests/hazmat/primitives/test_cmac.py @@ -12,10 +12,9 @@ InvalidSignature, _Reasons, ) +from cryptography.hazmat.decrepit.ciphers.algorithms import ARC4, TripleDES from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, - ARC4, - TripleDES, ) from cryptography.hazmat.primitives.cmac import CMAC diff --git a/tests/hazmat/primitives/test_kbkdf.py b/tests/hazmat/primitives/test_kbkdf.py index 4329e3df60cd..965075d2ce2d 100644 --- a/tests/hazmat/primitives/test_kbkdf.py +++ b/tests/hazmat/primitives/test_kbkdf.py @@ -871,7 +871,7 @@ def test_unsupported_algorithm(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): KBKDFCMAC( - algorithms.ARC4, + algorithms.ChaCha20, Mode.CounterMode, 32, 4, diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index b15955fd25fb..9e119f0b636b 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -16,6 +16,9 @@ InvalidTag, NotYetFinalized, ) +from cryptography.hazmat.decrepit.ciphers import ( + algorithms as decrepit_algorithms, +) from cryptography.hazmat.primitives import hashes, hmac, serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.ciphers import ( @@ -430,15 +433,15 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, brk_loc, params): "cmac_aes128": algorithms.AES, "cmac_aes192": algorithms.AES, "cmac_aes256": algorithms.AES, - "cmac_tdes2": algorithms.TripleDES, - "cmac_tdes3": algorithms.TripleDES, + "cmac_tdes2": decrepit_algorithms.TripleDES, + "cmac_tdes3": decrepit_algorithms.TripleDES, } algorithm = supported_cipher_algorithms.get(prf) assert algorithm is not None # TripleDES is disallowed in FIPS mode. - if backend._fips_enabled and algorithm is algorithms.TripleDES: + if backend._fips_enabled and algorithm is decrepit_algorithms.TripleDES: pytest.skip("TripleDES is not supported in FIPS mode.") ctrkdf = KBKDFCMAC( From 285ebed5e49bfd15b1a37cdbc8d85ddddd555f51 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 29 Jan 2024 23:31:51 -0500 Subject: [PATCH 042/868] Fixes #10294 -- correct accidental change to exchange kwarg (#10295) --- src/rust/src/backend/dh.rs | 4 ++-- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 5ec1804e0df8..eb6cbdcdc9e4 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -154,11 +154,11 @@ impl DHPrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &DHPublicKey, + peer_public_key: &DHPublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver - .set_peer(&public_key.pkey) + .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index f71c9bf505e6..624b753c07cb 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -225,7 +225,7 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, algorithm: &pyo3::PyAny, - public_key: &ECPublicKey, + peer_public_key: &ECPublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { if !algorithm.is_instance(types::ECDH.get(py)?)? { return Err(CryptographyError::from( @@ -242,12 +242,12 @@ impl ECPrivateKey { // ECPublicKey object. #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] deriver - .set_peer_ex(&public_key.pkey, false) + .set_peer_ex(&peer_public_key.pkey, false) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; #[cfg(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER))] deriver - .set_peer(&public_key.pkey) + .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 00e2866cfc39..b193e18b0483 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -65,10 +65,10 @@ impl X25519PrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &X25519PublicKey, + peer_public_key: &X25519PublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; - deriver.set_peer(&public_key.pkey)?; + deriver.set_peer(&peer_public_key.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { let n = deriver.derive(b).map_err(|_| { diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 07c84bc36aca..7a64002d943d 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -64,10 +64,10 @@ impl X448PrivateKey { fn exchange<'p>( &self, py: pyo3::Python<'p>, - public_key: &X448PublicKey, + peer_public_key: &X448PublicKey, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; - deriver.set_peer(&public_key.pkey)?; + deriver.set_peer(&peer_public_key.pkey)?; Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { let n = deriver.derive(b).map_err(|_| { From 983ef8c3823bc1e676da93d9beb4ea77b8d0c7ce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 07:04:31 -0500 Subject: [PATCH 043/868] Bump ruff from 0.1.14 to 0.1.15 (#10297) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.14 to 0.1.15. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.14...v0.1.15) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ce60b8126314..5e74a88e20e5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.14 +ruff==0.1.15 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 3519591d255d4506fbcd0d04037d45271903c64d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 Jan 2024 10:46:21 -0600 Subject: [PATCH 044/868] bump openssl in CI (#10298) --- .github/actions/cache/action.yml | 2 +- .github/workflows/ci.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 6cf0f08e56a8..31af7422da04 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -17,5 +17,5 @@ runs: shell: bash - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: - key: ${{ steps.normalized-key.outputs.key }}-1 + key: ${{ steps.normalized-key.outputs.key }}-2 workspaces: "./src/rust/ -> target" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c7c068c3370f..51de1171a90f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,17 +29,17 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.12"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jan 30, 2024. From d06a3db1b453b9aaefea5fe8fce23823e6e36e69 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 Jan 2024 11:37:08 -0600 Subject: [PATCH 045/868] port 42.0.2 changelog to main (#10301) --- CHANGELOG.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 36a90eff5ced..a522db213916 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -25,6 +25,23 @@ Changelog :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +.. _v42-0-2: + +42.0.2 - 2024-01-30 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1. +* Fixed an issue that prevented the use of Python buffer protocol objects in + ``sign`` and ``verify`` methods on asymmetric keys. +* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`, + ``X25519PrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`, + ``X448PrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`, + and ``DHPrivateKey`` + :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`. + .. _v42-0-1: 42.0.1 - 2024-01-24 From 6b2dc96f992cb9e13c0e9c5fb7ffd65b7ef39410 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 00:16:12 +0000 Subject: [PATCH 046/868] Bump BoringSSL and/or OpenSSL in CI (#10303) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51de1171a90f..a8d2ab9971f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "f58aa24e661d528e07f7c59574926aebb4e92c14"}} - # Latest commit on the OpenSSL master branch, as of Jan 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0f644b96d209443b4566f7e86e3be2568292e75b"}} + # Latest commit on the BoringSSL master branch, as of Jan 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6855f30b94ddfd2970a7aa3d904a356dea5ec443"}} + # Latest commit on the OpenSSL master branch, as of Jan 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "62ecad5378067ab1f702ef2381c2f4a279d15250"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 103f123efa15191c0125555cfc623a54ba7a5392 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 30 Jan 2024 19:45:18 -0500 Subject: [PATCH 047/868] parsing, verification: check RSA key size against WebPKI minimum (#10302) * parsing, verification: check RSA key size against WebPKI minimum Signed-off-by: William Woodruff * move key size check to permits_ca We don't enforce EE key sizes, consistent with other CABF validators. Signed-off-by: William Woodruff * limit is_rsa to key algorithms Signed-off-by: William Woodruff * is_rsa -> is_rsa_key Signed-off-by: William Woodruff * fetch-vectors: bump limbo Signed-off-by: William Woodruff * reorg, remove helper Signed-off-by: William Woodruff * Update .github/actions/fetch-vectors/action.yml Co-authored-by: Alex Gaynor --------- Signed-off-by: William Woodruff Co-authored-by: Alex Gaynor --- .github/actions/fetch-vectors/action.yml | 4 +-- src/rust/Cargo.lock | 1 + src/rust/cryptography-key-parsing/src/rsa.rs | 4 +-- .../cryptography-x509-verification/Cargo.toml | 1 + .../src/policy/mod.rs | 25 +++++++++++++++++++ tests/x509/verification/test_limbo.py | 3 +++ 6 files changed, 34 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 7e5198c8094a..f9715437f878 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 30, 2024. - ref: "dd7541dac329f03756f6358ad0c01d32e5677619" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jan 31, 2024. + ref: "481b5d595b00ce55824607e1e8c2f1174539f3f8" # x509-limbo-ref diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d4a9a31adec1..84e9d90e7eea 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -125,6 +125,7 @@ name = "cryptography-x509-verification" version = "0.1.0" dependencies = [ "asn1", + "cryptography-key-parsing", "cryptography-x509", "once_cell", "pem", diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs index 066e7053cb52..5a2f57d58a6b 100644 --- a/src/rust/cryptography-key-parsing/src/rsa.rs +++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -5,8 +5,8 @@ use crate::KeyParsingResult; #[derive(asn1::Asn1Read)] -struct Pksc1RsaPublicKey<'a> { - n: asn1::BigUint<'a>, +pub struct Pksc1RsaPublicKey<'a> { + pub n: asn1::BigUint<'a>, e: asn1::BigUint<'a>, } diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 30a4e8cb7373..2ec541fb2af0 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -10,6 +10,7 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } +cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" [dev-dependencies] diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index d5fffd0d8e2a..3d8bc86b6b8b 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -9,6 +9,7 @@ use std::ops::Range; use std::sync::Arc; use asn1::ObjectIdentifier; +use cryptography_key_parsing::rsa::Pksc1RsaPublicKey; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{ AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, Time, @@ -27,6 +28,9 @@ use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, Ext use crate::types::{DNSName, DNSPattern, IPAddress}; use crate::{ValidationError, VerificationCertificate}; +// RSA key constraints, as defined in CA/B 6.1.5. +static WEBPKI_MINIMUM_RSA_MODULUS: usize = 2048; + // SubjectPublicKeyInfo AlgorithmIdentifier constants, as defined in CA/B 7.1.3.1. // RSA @@ -213,6 +217,10 @@ pub struct Policy<'a, B: CryptoOps> { /// An extended key usage that must appear in EEs validated by this policy. pub extended_key_usage: ObjectIdentifier, + /// The minimum RSA modulus, in bits. + /// This is equivalent to the public key size, e.g. 2048 for an RSA-2048 key. + pub minimum_rsa_modulus: usize, + /// The set of permitted public key algorithms, identified by their /// algorithm identifiers. pub permitted_public_key_algorithms: Arc>>, @@ -240,6 +248,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { subject, validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), + minimum_rsa_modulus: WEBPKI_MINIMUM_RSA_MODULUS, permitted_public_key_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SPKI_ALGORITHMS), permitted_signature_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS), ca_extension_policy: ExtensionPolicy { @@ -488,6 +497,22 @@ impl<'a, B: CryptoOps> Policy<'a, B> { ))); } + // CA/B 6.1.5: Key sizes + // NOTE: We don't currently enforce that RSA moduli are divisible by 8, + // since other implementations don't bother. + let issuer_spki = &issuer.certificate().tbs_cert.spki; + if matches!( + issuer_spki.algorithm.params, + AlgorithmParameters::Rsa(_) | AlgorithmParameters::RsaPss(_) + ) { + let rsa_key: Pksc1RsaPublicKey<'_> = + asn1::parse_single(issuer_spki.subject_public_key.as_bytes())?; + + if rsa_key.n.as_bytes().len() * 8 < self.minimum_rsa_modulus { + return Err(ValidationError::Other("RSA key is too weak".into())); + } + } + let pk = issuer .public_key(&self.ops) .map_err(|_| ValidationError::Other("issuer has malformed public key".to_string()))?; diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 194b64f1f0bd..57c429886809 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -62,6 +62,9 @@ # forbidden under CABF. This is consistent with what # Go's crypto/x509 and Rust's webpki crate do. "webpki::aki::root-with-aki-ski-mismatch", + # We allow RSA keys that aren't divisible by 8, which is technically + # forbidden under CABF. No other implementation checks this either. + "webpki::forbidden-rsa-key-not-divisable-by-8", # We disallow CAs in the leaf position, which is explicitly forbidden # by CABF (but implicitly permitted under RFC 5280). This is consistent # with what webpki and rustls do, but inconsistent with Go and OpenSSL. From 586f0a206d76d6d2845d5280ded03ddc66e349c7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:13:11 +0000 Subject: [PATCH 048/868] Bump urllib3 from 2.1.0 to 2.2.0 (#10305) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.1.0...2.2.0) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5e74a88e20e5..511887699f93 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -148,7 +148,7 @@ tomli==2.0.1 # pytest typing-extensions==4.9.0; python_version >= "3.8" # via mypy -urllib3==2.1.0 +urllib3==2.2.0 # via requests virtualenv==20.25.0 # via nox From 18e8c12757aaaa4c3a00063b1ead3c6d7bcacf22 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 02:15:50 +0000 Subject: [PATCH 049/868] Bump platformdirs from 4.1.0 to 4.2.0 (#10306) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.1.0 to 4.2.0. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.1.0...4.2.0) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 511887699f93..7db1eb111e6f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ packaging==23.2 # sphinx pathspec==0.12.1 # via check-sdist -platformdirs==4.1.0; python_version >= "3.8" +platformdirs==4.2.0; python_version >= "3.8" # via virtualenv pluggy==1.4.0; python_version >= "3.8" # via pytest From b042df0f14caa1e22692e35537b1f6ddfd4372f3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 20:46:27 -0600 Subject: [PATCH 050/868] Bump cryptography from 42.0.1 to 42.0.2 in /.github/requirements (#10307) * Bump cryptography from 42.0.1 to 42.0.2 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.1 to 42.0.2. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.1...42.0.2) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9189187f47fb..a073cd40eec1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.1 \ - --hash=sha256:0b7cacc142260ada944de070ce810c3e2a438963ee3deb45aa26fd2cee94c9a4 \ - --hash=sha256:126e0ba3cc754b200a2fb88f67d66de0d9b9e94070c5bc548318c8dab6383cb6 \ - --hash=sha256:160fa08dfa6dca9cb8ad9bd84e080c0db6414ba5ad9a7470bc60fb154f60111e \ - --hash=sha256:16b9260d04a0bfc8952b00335ff54f471309d3eb9d7e8dbfe9b0bd9e26e67881 \ - --hash=sha256:25ec6e9e81de5d39f111a4114193dbd39167cc4bbd31c30471cebedc2a92c323 \ - --hash=sha256:265bdc693570b895eb641410b8fc9e8ddbce723a669236162b9d9cfb70bd8d77 \ - --hash=sha256:2dff7a32880a51321f5de7869ac9dde6b1fca00fc1fef89d60e93f215468e824 \ - --hash=sha256:2fe16624637d6e3e765530bc55caa786ff2cbca67371d306e5d0a72e7c3d0407 \ - --hash=sha256:32ea63ceeae870f1a62e87f9727359174089f7b4b01e4999750827bf10e15d60 \ - --hash=sha256:351db02c1938c8e6b1fee8a78d6b15c5ccceca7a36b5ce48390479143da3b411 \ - --hash=sha256:430100abed6d3652208ae1dd410c8396213baee2e01a003a4449357db7dc9e14 \ - --hash=sha256:4d84673c012aa698555d4710dcfe5f8a0ad76ea9dde8ef803128cc669640a2e0 \ - --hash=sha256:50aecd93676bcca78379604ed664c45da82bc1241ffb6f97f6b7392ed5bc6f04 \ - --hash=sha256:6ac8924085ed8287545cba89dc472fc224c10cc634cdf2c3e2866fe868108e77 \ - --hash=sha256:6bfd823b336fdcd8e06285ae8883d3d2624d3bdef312a0e2ef905f332f8e9302 \ - --hash=sha256:727387886c9c8de927c360a396c5edcb9340d9e960cda145fca75bdafdabd24c \ - --hash=sha256:7911586fc69d06cd0ab3f874a169433db1bc2f0e40988661408ac06c4527a986 \ - --hash=sha256:802d6f83233cf9696b59b09eb067e6b4d5ae40942feeb8e13b213c8fad47f1aa \ - --hash=sha256:8d7efb6bf427d2add2f40b6e1e8e476c17508fa8907234775214b153e69c2e11 \ - --hash=sha256:9544492e8024f29919eac2117edd8c950165e74eb551a22c53f6fdf6ba5f4cb8 \ - --hash=sha256:95d900d19a370ae36087cc728e6e7be9c964ffd8cbcb517fd1efb9c9284a6abc \ - --hash=sha256:9d61fcdf37647765086030d81872488e4cb3fafe1d2dda1d487875c3709c0a49 \ - --hash=sha256:ab6b302d51fbb1dd339abc6f139a480de14d49d50f65fdc7dff782aa8631d035 \ - --hash=sha256:b512f33c6ab195852595187af5440d01bb5f8dd57cb7a91e1e009a17f1b7ebca \ - --hash=sha256:cb2861a9364fa27d24832c718150fdbf9ce6781d7dc246a516435f57cfa31fe7 \ - --hash=sha256:d3594947d2507d4ef7a180a7f49a6db41f75fb874c2fd0e94f36b89bfd678bf2 \ - --hash=sha256:d3902c779a92151f134f68e555dd0b17c658e13429f270d8a847399b99235a3f \ - --hash=sha256:d50718dd574a49d3ef3f7ef7ece66ef281b527951eb2267ce570425459f6a404 \ - --hash=sha256:e5edf189431b4d51f5c6fb4a95084a75cef6b4646c934eb6e32304fc720e1453 \ - --hash=sha256:e6edc3a568667daf7d349d7e820783426ee4f1c0feab86c29bd1d6fe2755e009 \ - --hash=sha256:ed1b2130f5456a09a134cc505a17fc2830a1a48ed53efd37dcc904a23d7b82fa \ - --hash=sha256:fd33f53809bb363cf126bebe7a99d97735988d9b0131a2be59fbf83e1259a5b7 +cryptography==42.0.2 \ + --hash=sha256:087887e55e0b9c8724cf05361357875adb5c20dec27e5816b653492980d20380 \ + --hash=sha256:09a77e5b2e8ca732a19a90c5bca2d124621a1edb5438c5daa2d2738bfeb02589 \ + --hash=sha256:130c0f77022b2b9c99d8cebcdd834d81705f61c68e91ddd614ce74c657f8b3ea \ + --hash=sha256:141e2aa5ba100d3788c0ad7919b288f89d1fe015878b9659b307c9ef867d3a65 \ + --hash=sha256:28cb2c41f131a5758d6ba6a0504150d644054fd9f3203a1e8e8d7ac3aea7f73a \ + --hash=sha256:2f9f14185962e6a04ab32d1abe34eae8a9001569ee4edb64d2304bf0d65c53f3 \ + --hash=sha256:320948ab49883557a256eab46149df79435a22d2fefd6a66fe6946f1b9d9d008 \ + --hash=sha256:36d4b7c4be6411f58f60d9ce555a73df8406d484ba12a63549c88bd64f7967f1 \ + --hash=sha256:3b15c678f27d66d247132cbf13df2f75255627bcc9b6a570f7d2fd08e8c081d2 \ + --hash=sha256:3dbd37e14ce795b4af61b89b037d4bc157f2cb23e676fa16932185a04dfbf635 \ + --hash=sha256:4383b47f45b14459cab66048d384614019965ba6c1a1a141f11b5a551cace1b2 \ + --hash=sha256:44c95c0e96b3cb628e8452ec060413a49002a247b2b9938989e23a2c8291fc90 \ + --hash=sha256:4b063d3413f853e056161eb0c7724822a9740ad3caa24b8424d776cebf98e7ee \ + --hash=sha256:52ed9ebf8ac602385126c9a2fe951db36f2cb0c2538d22971487f89d0de4065a \ + --hash=sha256:55d1580e2d7e17f45d19d3b12098e352f3a37fe86d380bf45846ef257054b242 \ + --hash=sha256:5ef9bc3d046ce83c4bbf4c25e1e0547b9c441c01d30922d812e887dc5f125c12 \ + --hash=sha256:5fa82a26f92871eca593b53359c12ad7949772462f887c35edaf36f87953c0e2 \ + --hash=sha256:61321672b3ac7aade25c40449ccedbc6db72c7f5f0fdf34def5e2f8b51ca530d \ + --hash=sha256:701171f825dcab90969596ce2af253143b93b08f1a716d4b2a9d2db5084ef7be \ + --hash=sha256:841ec8af7a8491ac76ec5a9522226e287187a3107e12b7d686ad354bb78facee \ + --hash=sha256:8a06641fb07d4e8f6c7dda4fc3f8871d327803ab6542e33831c7ccfdcb4d0ad6 \ + --hash=sha256:8e88bb9eafbf6a4014d55fb222e7360eef53e613215085e65a13290577394529 \ + --hash=sha256:a00aee5d1b6c20620161984f8ab2ab69134466c51f58c052c11b076715e72929 \ + --hash=sha256:a047682d324ba56e61b7ea7c7299d51e61fd3bca7dad2ccc39b72bd0118d60a1 \ + --hash=sha256:a7ef8dd0bf2e1d0a27042b231a3baac6883cdd5557036f5e8df7139255feaac6 \ + --hash=sha256:ad28cff53f60d99a928dfcf1e861e0b2ceb2bc1f08a074fdd601b314e1cc9e0a \ + --hash=sha256:b9097a208875fc7bbeb1286d0125d90bdfed961f61f214d3f5be62cd4ed8a446 \ + --hash=sha256:b97fe7d7991c25e6a31e5d5e795986b18fbbb3107b873d5f3ae6dc9a103278e9 \ + --hash=sha256:e0ec52ba3c7f1b7d813cd52649a5b3ef1fc0d433219dc8c93827c57eab6cf888 \ + --hash=sha256:ea2c3ffb662fec8bbbfce5602e2c159ff097a4631d96235fcf0fb00e59e3ece4 \ + --hash=sha256:fa3dec4ba8fb6e662770b74f62f1a0c7d4e37e25b58b2bf2c1be4c95372b4a33 \ + --hash=sha256:fbeb725c9dc799a574518109336acccaf1303c30d45c075c665c0793c2f79a7f # via # pyopenssl # secretstorage From 0be0a5886cef17c0a2e3a9dfc6645b279e648355 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 20:47:09 -0600 Subject: [PATCH 051/868] Bump urllib3 from 2.1.0 to 2.2.0 in /.github/requirements (#10308) * Bump urllib3 from 2.1.0 to 2.2.0 in /.github/requirements Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.1.0...2.2.0) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a073cd40eec1..959d370571a1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -574,9 +574,9 @@ typing-extensions==4.9.0 \ # via # pydantic # pydantic-core -urllib3==2.1.0 \ - --hash=sha256:55901e917a5896a349ff771be919f8bd99aff50b79fe58fec595eb37bbc56bb3 \ - --hash=sha256:df7aa8afb0148fa78488e7899b2c59b5f4ffcfa82e6c54ccb9dd37c1d7b52d54 +urllib3==2.2.0 \ + --hash=sha256:051d961ad0c62a94e50ecf1af379c3aba230c66c710493493560c0c223c49f20 \ + --hash=sha256:ce3711610ddce217e6d113a2732fafad960a03fd0318c91faa79481e35c11224 # via # requests # twine From fd46c01cac798801d6fe3e2fca99d1b6bbbcd74a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 31 Jan 2024 06:09:22 -0600 Subject: [PATCH 052/868] Update install docs (#10309) We also test OpenSSL 3.2 --- docs/installation.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/installation.rst b/docs/installation.rst index d24d8062c8ad..6994aa0216f8 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -34,6 +34,7 @@ above supported platforms: * ``OpenSSL 1.1.1-latest`` * ``OpenSSL 3.0-latest`` * ``OpenSSL 3.1-latest`` +* ``OpenSSL 3.2-latest`` We also test against the latest commit of BoringSSL as well as versions of LibreSSL that are receiving security support at the time of a given From b39190140facaedf133648b74a968b4eb5e3c83d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 19:19:25 -0500 Subject: [PATCH 053/868] Bump BoringSSL and/or OpenSSL in CI (#10313) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a8d2ab9971f8..beb463ef49d3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jan 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "6855f30b94ddfd2970a7aa3d904a356dea5ec443"}} - # Latest commit on the OpenSSL master branch, as of Jan 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "62ecad5378067ab1f702ef2381c2f4a279d15250"}} + # Latest commit on the BoringSSL master branch, as of Feb 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "608becc67282174594fdaf0ec9c96daca9710d2f"}} + # Latest commit on the OpenSSL master branch, as of Feb 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d2e7855f5bdb2f817f6adb7ce6562505ec244474"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From e80f3eed8e6cf0cee32c05ac5e1d7145902a2aaf Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 31 Jan 2024 19:26:49 -0500 Subject: [PATCH 054/868] verification/policy: tweak key checks (#10311) * verification/policy: tweak key checks Needs https://github.com/C2SP/x509-limbo/pull/185. Signed-off-by: William Woodruff * bump limbo Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/actions/fetch-vectors/action.yml | 2 +- .../cryptography-x509-verification/src/policy/mod.rs | 9 ++++++++- tests/x509/verification/test_limbo.py | 7 +++++-- 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f9715437f878..f9d21c8234d6 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -17,4 +17,4 @@ runs: repository: "C2SP/x509-limbo" path: "x509-limbo" # Latest commit on the x509-limbo main branch, as of Jan 31, 2024. - ref: "481b5d595b00ce55824607e1e8c2f1174539f3f8" # x509-limbo-ref + ref: "e7b8885bb20e532392e1f7c4be0d54c39b17c58b" # x509-limbo-ref diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 3d8bc86b6b8b..41a4e722d5b7 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -476,9 +476,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { self.permits_ca(issuer.certificate(), current_depth, issuer_extensions)?; // CA/B 7.1.3.1 SubjectPublicKeyInfo + // NOTE: We check the issuer's SPKI here, since the issuer is + // definitionally a CA and thus subject to CABF key requirements. if !self .permitted_public_key_algorithms - .contains(&child.tbs_cert.spki.algorithm) + .contains(&issuer.certificate().tbs_cert.spki.algorithm) { return Err(ValidationError::Other(format!( "Forbidden public key algorithm: {:?}", @@ -487,6 +489,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } // CA/B 7.1.3.2 Signature AlgorithmIdentifier + // NOTE: We check the child's signature here, since the issuer's + // signature is not necessarily subject to signature checks (e.g. + // if it's a root). This works out transitively, as any non root-issuer + // will be checked in its recursive step (where it'll be in the child + // position). if !self .permitted_signature_algorithms .contains(&child.signature_alg) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 57c429886809..edcb0fc9bda5 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -27,7 +27,10 @@ # Our support for custom EKUs is limited, and we (like most impls.) don't # handle all EKU conditions under CABF. "pedantic-webpki-eku", - # Similarly: contains tests that fail based on a strict reading of RFC 5280 + # Most CABF validators do not enforce the CABF key requirements on + # subscriber keys (i.e., in the leaf certificate). + "pedantic-webpki-subscriber-key", + # Tests that fail based on a strict reading of RFC 5280 # but are widely ignored by validators. "pedantic-rfc5280", # In rare circumstances, CABF relaxes RFC 5280's prescriptions in @@ -64,7 +67,7 @@ "webpki::aki::root-with-aki-ski-mismatch", # We allow RSA keys that aren't divisible by 8, which is technically # forbidden under CABF. No other implementation checks this either. - "webpki::forbidden-rsa-key-not-divisable-by-8", + "webpki::forbidden-rsa-not-divisable-by-8-in-root", # We disallow CAs in the leaf position, which is explicitly forbidden # by CABF (but implicitly permitted under RFC 5280). This is consistent # with what webpki and rustls do, but inconsistent with Go and OpenSSL. From b7a52b96394539b2a7bf46afdb74792d0a074ca1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 11:54:56 +0000 Subject: [PATCH 055/868] Bump libc from 0.2.152 to 0.2.153 in /src/rust (#10317) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.152 to 0.2.153. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.152...0.2.153) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 84e9d90e7eea..7150fcd88fe1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -160,9 +160,9 @@ checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" [[package]] name = "libc" -version = "0.2.152" +version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7" +checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] name = "lock_api" From 66e7171b946d5768ca682eb048b7a8da4e10e28d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 11:58:39 +0000 Subject: [PATCH 056/868] Bump peter-evans/create-pull-request from 5.0.2 to 6.0.0 (#10316) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.2 to 6.0.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/153407881ec5c347639a548ade7d8ad1d6740e38...b1ddad2c994a25fbc81a28b3ec0e368bb2021c50) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 9a6ba2ae81bc..8c8e4c058e5a 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 + uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index e4a42bf3155f..7df3a5fbcc38 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 + uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 with: commit-message: "Bump x509-limbo and/or wycheproof in CI" title: "Bump x509-limbo and/or wycheproof in CI" From 56259b5ff14d7334a17c3326a01e156b64b7b077 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 00:17:47 +0000 Subject: [PATCH 057/868] Bump BoringSSL and/or OpenSSL in CI (#10320) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index beb463ef49d3..1bbfba8c57c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 01, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "608becc67282174594fdaf0ec9c96daca9710d2f"}} - # Latest commit on the OpenSSL master branch, as of Feb 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d2e7855f5bdb2f817f6adb7ce6562505ec244474"}} + # Latest commit on the OpenSSL master branch, as of Feb 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "afb19f07aecc84998eeea56c4d65f5e0499abb5a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 247ad85305dad535e0549af21acacffc0f5562ab Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 00:33:01 +0000 Subject: [PATCH 058/868] Bump x509-limbo and/or wycheproof in CI (#10321) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f9d21c8234d6..9c7c294d1e37 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jan 31, 2024. - ref: "e7b8885bb20e532392e1f7c4be0d54c39b17c58b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 02, 2024. + ref: "215546b218a84c35b9aaf3e84b8df4278c06920b" # x509-limbo-ref From b80629c342489b5632bfafad0df871d2c7596c8b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 1 Feb 2024 20:16:05 -0500 Subject: [PATCH 059/868] Dropped support for OpenSSL<1.1.1e (#10318) --- CHANGELOG.rst | 2 ++ src/_cffi_src/openssl/cryptography.py | 9 ++------- .../hazmat/backends/openssl/backend.py | 2 +- tests/hazmat/primitives/test_rsa.py | 16 ++-------------- 4 files changed, 7 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a522db213916..bd6b92f65712 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -8,6 +8,8 @@ Changelog .. note:: This version is not yet released and is under active development. +* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1e has been + removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 173ec1bb4546..9d09471967a2 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -42,25 +42,20 @@ #define CRYPTOGRAPHY_IS_BORINGSSL 0 #endif -#if OPENSSL_VERSION_NUMBER < 0x10101040 - #error "pyca/cryptography MUST be linked with Openssl 1.1.1d or later" +#if OPENSSL_VERSION_NUMBER < 0x10101050 + #error "pyca/cryptography MUST be linked with Openssl 1.1.1e or later" #endif #define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_320_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x30200000 && !CRYPTOGRAPHY_IS_LIBRESSL) - -#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \ - (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL) """ TYPES = """ static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER; -static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E; - static const int CRYPTOGRAPHY_IS_LIBRESSL; static const int CRYPTOGRAPHY_IS_BORINGSSL; """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 3cf01664685c..24bfa3a1f4bf 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -149,7 +149,7 @@ def openssl_version_text(self) -> str: Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. - Example: OpenSSL 1.1.1d 10 Sep 2019 + Example: OpenSSL 3.2.1 30 Jan 2024 """ return self._ffi.string( self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 83055fd6fa28..eb74be7c6d4c 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -251,13 +251,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): assert public_num.e == public_num2.e @pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ) - ), + only_if=lambda backend: not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Does not support RSA PSS loading", ) @pytest.mark.parametrize( @@ -308,13 +302,7 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): ) @pytest.mark.supported( - only_if=lambda backend: ( - backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - and ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E - or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ) - ), + only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Test requires a backend without RSA-PSS key support", ) def test_load_pss_unsupported(self, backend): From c0c9ec8dbb74ad13be09687044dc4eb2182681d0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Feb 2024 20:38:52 -0600 Subject: [PATCH 060/868] remove the memleak tests (#10322) they are fragile, haven't caught regressions, and increasingly pointless as we oxidize. --- src/_cffi_src/openssl/crypto.py | 45 -- .../hazmat/bindings/openssl/_conditional.py | 7 - tests/hazmat/backends/test_openssl_memleak.py | 391 ------------------ 3 files changed, 443 deletions(-) delete mode 100644 tests/hazmat/backends/test_openssl_memleak.py diff --git a/src/_cffi_src/openssl/crypto.py b/src/_cffi_src/openssl/crypto.py index b81b5de1da27..5284f329619c 100644 --- a/src/_cffi_src/openssl/crypto.py +++ b/src/_cffi_src/openssl/crypto.py @@ -9,8 +9,6 @@ """ TYPES = """ -static const long Cryptography_HAS_MEM_FUNCTIONS; - static const int OPENSSL_VERSION; static const int OPENSSL_CFLAGS; static const int OPENSSL_BUILT_ON; @@ -26,50 +24,7 @@ void *OPENSSL_malloc(size_t); void OPENSSL_free(void *); - - -/* Signature is significantly different in LibreSSL, so expose via different - symbol name */ -int Cryptography_CRYPTO_set_mem_functions( - void *(*)(size_t, const char *, int), - void *(*)(void *, size_t, const char *, int), - void (*)(void *, const char *, int)); - -void *Cryptography_malloc_wrapper(size_t, const char *, int); -void *Cryptography_realloc_wrapper(void *, size_t, const char *, int); -void Cryptography_free_wrapper(void *, const char *, int); """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_MEM_FUNCTIONS = 0; -int (*Cryptography_CRYPTO_set_mem_functions)( - void *(*)(size_t, const char *, int), - void *(*)(void *, size_t, const char *, int), - void (*)(void *, const char *, int)) = NULL; - -#else -static const long Cryptography_HAS_MEM_FUNCTIONS = 1; - -int Cryptography_CRYPTO_set_mem_functions( - void *(*m)(size_t, const char *, int), - void *(*r)(void *, size_t, const char *, int), - void (*f)(void *, const char *, int) -) { - return CRYPTO_set_mem_functions(m, r, f); -} -#endif - -void *Cryptography_malloc_wrapper(size_t size, const char *path, int line) { - return malloc(size); -} - -void *Cryptography_realloc_wrapper(void *ptr, size_t size, const char *path, - int line) { - return realloc(ptr, size); -} - -void Cryptography_free_wrapper(void *ptr, const char *path, int line) { - free(ptr); -} """ diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 30cc3bfa25ef..fc13348af77f 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -28,12 +28,6 @@ def cryptography_has_tls_st() -> list[str]: ] -def cryptography_has_mem_functions() -> list[str]: - return [ - "Cryptography_CRYPTO_set_mem_functions", - ] - - def cryptography_has_ed448() -> list[str]: return [ "EVP_PKEY_ED448", @@ -202,7 +196,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, - "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions, "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py deleted file mode 100644 index 371a7c990188..000000000000 --- a/tests/hazmat/backends/test_openssl_memleak.py +++ /dev/null @@ -1,391 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -import json -import os -import platform -import subprocess -import sys -import textwrap - -import pytest - -from cryptography.hazmat.bindings.openssl.binding import Binding - -MEMORY_LEAK_SCRIPT = """ -import sys - - -def main(argv): - import gc - import json - - import cffi - - from cryptography.hazmat.bindings._rust import _openssl - - heap = {} - start_heap = {} - start_heap_realloc_delta = [0] # 1-item list so callbacks can mutate it - - BACKTRACE_ENABLED = False - if BACKTRACE_ENABLED: - backtrace_ffi = cffi.FFI() - backtrace_ffi.cdef(''' - int backtrace(void **, int); - char **backtrace_symbols(void *const *, int); - ''') - backtrace_lib = backtrace_ffi.dlopen(None) - - def backtrace(): - buf = backtrace_ffi.new("void*[]", 24) - length = backtrace_lib.backtrace(buf, len(buf)) - return (buf, length) - - def symbolize_backtrace(trace): - (buf, length) = trace - symbols = backtrace_lib.backtrace_symbols(buf, length) - stack = [ - backtrace_ffi.string(symbols[i]).decode() - for i in range(length) - ] - _openssl.lib.Cryptography_free_wrapper( - symbols, backtrace_ffi.NULL, 0 - ) - return stack - else: - def backtrace(): - return None - - def symbolize_backtrace(trace): - return None - - @_openssl.ffi.callback("void *(size_t, const char *, int)") - def malloc(size, path, line): - ptr = _openssl.lib.Cryptography_malloc_wrapper(size, path, line) - heap[ptr] = (size, path, line, backtrace()) - return ptr - - @_openssl.ffi.callback("void *(void *, size_t, const char *, int)") - def realloc(ptr, size, path, line): - if ptr != _openssl.ffi.NULL: - del heap[ptr] - new_ptr = _openssl.lib.Cryptography_realloc_wrapper( - ptr, size, path, line - ) - heap[new_ptr] = (size, path, line, backtrace()) - - # It is possible that something during the test will cause a - # realloc of memory allocated during the startup phase. (This - # was observed in conda-forge Windows builds of this package with - # provider operation_bits pointers in crypto/provider_core.c.) If - # we don't pay attention to that, the realloc'ed pointer will show - # up as a leak; but we also don't want to allow this kind of realloc - # to consume large amounts of additional memory. So we track the - # realloc and the change in memory consumption. - startup_info = start_heap.pop(ptr, None) - if startup_info is not None: - start_heap[new_ptr] = heap[new_ptr] - start_heap_realloc_delta[0] += size - startup_info[0] - - return new_ptr - - @_openssl.ffi.callback("void(void *, const char *, int)") - def free(ptr, path, line): - if ptr != _openssl.ffi.NULL: - del heap[ptr] - _openssl.lib.Cryptography_free_wrapper(ptr, path, line) - - result = _openssl.lib.Cryptography_CRYPTO_set_mem_functions( - malloc, realloc, free - ) - assert result == 1 - - # Trigger a bunch of initialization stuff. - import hashlib - from cryptography.hazmat.backends.openssl.backend import backend - - hashlib.sha256() - - start_heap.update(heap) - - try: - func(*argv[1:]) - finally: - gc.collect() - gc.collect() - gc.collect() - - if _openssl.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - _openssl.lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) - _openssl.lib.OSSL_PROVIDER_unload(backend._binding._default_provider) - - _openssl.lib.OPENSSL_cleanup() - - # Swap back to the original functions so that if OpenSSL tries to free - # something from its atexit handle it won't be going through a Python - # function, which will be deallocated when this function returns - result = _openssl.lib.Cryptography_CRYPTO_set_mem_functions( - _openssl.ffi.addressof( - _openssl.lib, "Cryptography_malloc_wrapper" - ), - _openssl.ffi.addressof( - _openssl.lib, "Cryptography_realloc_wrapper" - ), - _openssl.ffi.addressof(_openssl.lib, "Cryptography_free_wrapper"), - ) - assert result == 1 - - remaining = set(heap) - set(start_heap) - - # The constant here is the number of additional bytes of memory - # consumption that are allowed in reallocs of start_heap memory. - if remaining or start_heap_realloc_delta[0] > 3072: - info = dict( - (int(_openssl.ffi.cast("size_t", ptr)), { - "size": heap[ptr][0], - "path": _openssl.ffi.string(heap[ptr][1]).decode(), - "line": heap[ptr][2], - "backtrace": symbolize_backtrace(heap[ptr][3]), - }) - for ptr in remaining - ) - info["start_heap_realloc_delta"] = start_heap_realloc_delta[0] - sys.stdout.write(json.dumps(info)) - sys.stdout.flush() - sys.exit(255) - -main(sys.argv) -""" - - -def assert_no_memory_leaks(s, argv=[]): - env = os.environ.copy() - env["PYTHONPATH"] = os.pathsep.join(sys.path) - - # When using pytest-cov it attempts to instrument subprocesses. This - # causes the memleak tests to raise exceptions. - # we don't need coverage so we remove the env vars. - env.pop("COV_CORE_CONFIG", None) - env.pop("COV_CORE_DATAFILE", None) - env.pop("COV_CORE_SOURCE", None) - - argv = [sys.executable, "-c", f"{s}\n\n{MEMORY_LEAK_SCRIPT}", *argv] - # Shell out to a fresh Python process because OpenSSL does not allow you to - # install new memory hooks after the first malloc/free occurs. - proc = subprocess.Popen( - argv, - env=env, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - ) - assert proc.stdout is not None - assert proc.stderr is not None - try: - proc.wait() - if proc.returncode == 255: - # 255 means there was a leak, load the info about what mallocs - # weren't freed. - out = json.loads(proc.stdout.read().decode()) - raise AssertionError(out) - elif proc.returncode != 0: - # Any exception type will do to be honest - raise ValueError(proc.stdout.read(), proc.stderr.read()) - finally: - proc.stdout.close() - proc.stderr.close() - - -def skip_if_memtesting_not_supported(): - return pytest.mark.skipif( - not Binding().lib.Cryptography_HAS_MEM_FUNCTIONS - or platform.python_implementation() == "PyPy", - reason="Requires OpenSSL memory functions (>=1.1.0) and not PyPy", - ) - - -@pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0") -@skip_if_memtesting_not_supported() -class TestAssertNoMemoryLeaks: - def test_no_leak_no_malloc(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - pass - """ - ) - ) - - def test_no_leak_free(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import Binding - b = Binding() - name = b.lib.X509_NAME_new() - b.lib.X509_NAME_free(name) - """ - ) - ) - - def test_no_leak_gc(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import Binding - b = Binding() - name = b.lib.X509_NAME_new() - b.ffi.gc(name, b.lib.X509_NAME_free) - """ - ) - ) - - def test_leak(self): - with pytest.raises(AssertionError): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.bindings.openssl.binding import ( - Binding - ) - b = Binding() - b.lib.X509_NAME_new() - """ - ) - ) - - def test_errors(self): - with pytest.raises(ValueError, match="ZeroDivisionError"): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - raise ZeroDivisionError - """ - ) - ) - - -@pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0") -@skip_if_memtesting_not_supported() -class TestOpenSSLMemoryLeaks: - def test_ec_private_numbers_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.asymmetric import ec - - ec.EllipticCurvePrivateNumbers( - private_value=int( - '280814107134858470598753916394807521398239633534281633982576099083' - '35787109896602102090002196616273211495718603965098' - ), - public_numbers=ec.EllipticCurvePublicNumbers( - curve=ec.SECP384R1(), - x=int( - '10036914308591746758780165503819213553101287571902957054148542' - '504671046744460374996612408381962208627004841444205030' - ), - y=int( - '17337335659928075994560513699823544906448896792102247714689323' - '575406618073069185107088229463828921069465902299522926' - ) - ) - ).private_key(backend) - """ - ) - ) - - def test_ec_derive_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.asymmetric import ec - ec.derive_private_key(1, ec.SECP256R1(), backend) - """ - ) - ) - - def test_x25519_pubkey_from_private_key(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - from cryptography.hazmat.primitives.asymmetric import x25519 - private_key = x25519.X25519PrivateKey.generate() - private_key.public_key() - """ - ) - ) - - @pytest.mark.parametrize( - "path", - ["pkcs12/cert-aes256cbc-no-key.p12", "pkcs12/cert-key-aes256cbc.p12"], - ) - def test_load_pkcs12_key_and_certificates(self, path): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(path): - from cryptography import x509 - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives.serialization import pkcs12 - import cryptography_vectors - - with cryptography_vectors.open_vector_file(path, "rb") as f: - pkcs12.load_key_and_certificates( - f.read(), b"cryptography", backend - ) - """ - ), - [path], - ) - - def test_write_pkcs12_key_and_certificates(self): - assert_no_memory_leaks( - textwrap.dedent( - """ - def func(): - import os - from cryptography import x509 - from cryptography.hazmat.backends.openssl import backend - from cryptography.hazmat.primitives import serialization - from cryptography.hazmat.primitives.serialization import pkcs12 - import cryptography_vectors - - path = os.path.join('x509', 'custom', 'ca', 'ca.pem') - with cryptography_vectors.open_vector_file(path, "rb") as f: - cert = x509.load_pem_x509_certificate( - f.read(), backend - ) - path2 = os.path.join('x509', 'custom', 'dsa_selfsigned_ca.pem') - with cryptography_vectors.open_vector_file(path2, "rb") as f: - cert2 = x509.load_pem_x509_certificate( - f.read(), backend - ) - path3 = os.path.join('x509', 'letsencryptx3.pem') - with cryptography_vectors.open_vector_file(path3, "rb") as f: - cert3 = x509.load_pem_x509_certificate( - f.read(), backend - ) - key_path = os.path.join("x509", "custom", "ca", "ca_key.pem") - with cryptography_vectors.open_vector_file(key_path, "rb") as f: - key = serialization.load_pem_private_key( - f.read(), None, backend - ) - encryption = serialization.NoEncryption() - pkcs12.serialize_key_and_certificates( - b"name", key, cert, [cert2, cert3], encryption) - """ - ) - ) From c7ec8a6eed603c2b20a320c4fd1357e33ae2c691 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Feb 2024 21:33:48 -0600 Subject: [PATCH 061/868] fix decrepit example (#10324) * fix decrepit example * Update docs/hazmat/decrepit/ciphers.rst Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- docs/hazmat/decrepit/ciphers.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst index 2f7b12f14333..b7a79e217836 100644 --- a/docs/hazmat/decrepit/ciphers.rst +++ b/docs/hazmat/decrepit/ciphers.rst @@ -28,9 +28,10 @@ object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers. .. doctest:: >>> import os - >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes + >>> from cryptography.hazmat.decrepit.ciphers.algorithms import ARC4 + >>> from cryptography.hazmat.primitives.ciphers import Cipher, modes >>> key = os.urandom(16) - >>> algorithm = algorithms.ARC4(key) + >>> algorithm = ARC4(key) >>> cipher = Cipher(algorithm, mode=None) >>> encryptor = cipher.encryptor() >>> ct = encryptor.update(b"a secret message") From ccd392ed50e49288609884042c6c6cc71881d566 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 Feb 2024 21:41:25 -0600 Subject: [PATCH 062/868] mark ARC4 and TripleDES with the right version added for decrepit (#10325) --- docs/hazmat/decrepit/ciphers.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/hazmat/decrepit/ciphers.rst b/docs/hazmat/decrepit/ciphers.rst index b7a79e217836..8ae0178df2f1 100644 --- a/docs/hazmat/decrepit/ciphers.rst +++ b/docs/hazmat/decrepit/ciphers.rst @@ -16,6 +16,8 @@ object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers. .. class:: ARC4(key) + .. versionadded:: 43.0.0 + ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. @@ -41,6 +43,8 @@ object along with the appropriate :mod:`~cryptography.hazmat.primitives.ciphers. .. class:: TripleDES(key) + .. versionadded:: 43.0.0 + Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a block cipher standardized by NIST. Triple DES has known crypto-analytic flaws, however none of them currently enable a practical attack. From c7985dfb631d7edd7cdaedbe2f9f0622686c279a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 2 Feb 2024 06:08:37 -0600 Subject: [PATCH 063/868] stop using deprecated pkg_resources in CI (#10326) --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1bbfba8c57c8..837d6d1dda27 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -395,15 +395,15 @@ jobs: # dist-info directory to pretend to be an older version to "solve" this. - run: | import json - import pkg_resources + import importlib.metadata import shutil import urllib.request - d = pkg_resources.get_distribution("cryptography") + d = importlib.metadata.distribution("cryptography") with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r: latest_version = json.load(r)["info"]["version"] - new_path = d.egg_info.replace(d.version, latest_version) - shutil.move(d.egg_info, new_path) + new_path = d.locate_file(f"cryptography-{latest_version}.dist-info") + shutil.move(d.locate_file(f"cryptography-{d.version}.dist-info"), new_path) shell: python - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh run From 47c0394c4e972f870565fdc8731c1e747e84f831 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 07:08:59 -0500 Subject: [PATCH 064/868] Bump certifi from 2023.11.17 to 2024.2.2 (#10327) Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.11.17 to 2024.2.2. - [Commits](https://github.com/certifi/python-certifi/compare/2023.11.17...2024.02.02) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7db1eb111e6f..b24312e82773 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ build==1.0.3 # via # check-sdist # cryptography (pyproject.toml) -certifi==2023.11.17 +certifi==2024.2.2 # via requests charset-normalizer==3.3.2 # via requests From 35a401191029a538a068a191ee966634c3af90ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 12:19:58 +0000 Subject: [PATCH 065/868] Bump ruff from 0.1.15 to 0.2.0 (#10328) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.1.15 to 0.2.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.1.15...v0.2.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b24312e82773..e56d198a94ba 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.1.15 +ruff==0.2.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From b557e4d544f0da3744f81634cad66250b4b4611d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 2 Feb 2024 08:51:03 -0500 Subject: [PATCH 066/868] We no longer need to install setuptools (#10331) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 837d6d1dda27..b56db037f574 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -385,7 +385,7 @@ jobs: cache-dependency-path: ci-constraints-requirements.txt timeout-minutes: 3 - run: ./.github/downstream.d/${{ matrix.DOWNSTREAM }}.sh install - - run: pip install . setuptools + - run: pip install . env: CARGO_TARGET_DIR: ${{ format('{0}/src/rust/target/', github.workspace) }} # cryptography main has a version of "(X+1).0.0.dev1" where X is the From 4a7dc8cc923c29fdecedfd7ffdd3b79c9a5634ab Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 2 Feb 2024 08:51:50 -0500 Subject: [PATCH 067/868] Update ruff configuration for ruff 0.2.0 (#10332) --- pyproject.toml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 84ffe04f9f95..3348500be7af 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -143,11 +143,12 @@ exclude_lines = [ ] [tool.ruff] -ignore = ['N818'] -select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF'] line-length = 79 -[tool.ruff.isort] +lint.ignore = ['N818'] +lint.select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF'] + +[tool.ruff.lint.isort] known-first-party = ["cryptography", "cryptography_vectors", "tests"] [tool.check-sdist] From 25fc7ba29f05c18bc37eb33f96b5e0f61aabac26 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 08:22:28 -0600 Subject: [PATCH 068/868] Bump certifi from 2023.11.17 to 2024.2.2 in /.github/requirements (#10330) * Bump certifi from 2023.11.17 to 2024.2.2 in /.github/requirements Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.11.17 to 2024.2.2. - [Commits](https://github.com/certifi/python-certifi/compare/2023.11.17...2024.02.02) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 959d370571a1..8ac31639f58c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -16,9 +16,9 @@ betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf # via sigstore-protobuf-specs -certifi==2023.11.17 \ - --hash=sha256:9b469f3a900bf28dc19b8cfbf8019bf47f7fdd1a65a1d4ffb98fc14166beb4d1 \ - --hash=sha256:e036ab49d5b79556f99cfc2d9320b34cfbe5be05c5871b51de9329f0603b0474 +certifi==2024.2.2 \ + --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ + --hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1 # via requests cffi==1.16.0 \ --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ From f9d3531db506a491bf8ce7be0ad9f7f606615db7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 08:22:47 -0600 Subject: [PATCH 069/868] Bump multidict from 6.0.4 to 6.0.5 in /.github/requirements (#10329) * Bump multidict from 6.0.4 to 6.0.5 in /.github/requirements Bumps [multidict](https://github.com/aio-libs/multidict) from 6.0.4 to 6.0.5. - [Release notes](https://github.com/aio-libs/multidict/releases) - [Changelog](https://github.com/aio-libs/multidict/blob/master/CHANGES.rst) - [Commits](https://github.com/aio-libs/multidict/compare/v6.0.4...v6.0.5) --- updated-dependencies: - dependency-name: multidict dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 166 ++++++++++-------- 1 file changed, 91 insertions(+), 75 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8ac31639f58c..5406ffbbca48 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -272,81 +272,97 @@ more-itertools==10.2.0 \ --hash=sha256:686b06abe565edfab151cb8fd385a05651e1fdf8f0a14191e4439283421f8684 \ --hash=sha256:8fccb480c43d3e99a00087634c06dd02b0d50fbf088b380de5a41a015ec239e1 # via jaraco-classes -multidict==6.0.4 \ - --hash=sha256:01a3a55bd90018c9c080fbb0b9f4891db37d148a0a18722b42f94694f8b6d4c9 \ - --hash=sha256:0b1a97283e0c85772d613878028fec909f003993e1007eafa715b24b377cb9b8 \ - --hash=sha256:0dfad7a5a1e39c53ed00d2dd0c2e36aed4650936dc18fd9a1826a5ae1cad6f03 \ - --hash=sha256:11bdf3f5e1518b24530b8241529d2050014c884cf18b6fc69c0c2b30ca248710 \ - --hash=sha256:1502e24330eb681bdaa3eb70d6358e818e8e8f908a22a1851dfd4e15bc2f8161 \ - --hash=sha256:16ab77bbeb596e14212e7bab8429f24c1579234a3a462105cda4a66904998664 \ - --hash=sha256:16d232d4e5396c2efbbf4f6d4df89bfa905eb0d4dc5b3549d872ab898451f569 \ - --hash=sha256:21a12c4eb6ddc9952c415f24eef97e3e55ba3af61f67c7bc388dcdec1404a067 \ - --hash=sha256:27c523fbfbdfd19c6867af7346332b62b586eed663887392cff78d614f9ec313 \ - --hash=sha256:281af09f488903fde97923c7744bb001a9b23b039a909460d0f14edc7bf59706 \ - --hash=sha256:33029f5734336aa0d4c0384525da0387ef89148dc7191aae00ca5fb23d7aafc2 \ - --hash=sha256:3601a3cece3819534b11d4efc1eb76047488fddd0c85a3948099d5da4d504636 \ - --hash=sha256:3666906492efb76453c0e7b97f2cf459b0682e7402c0489a95484965dbc1da49 \ - --hash=sha256:36c63aaa167f6c6b04ef2c85704e93af16c11d20de1d133e39de6a0e84582a93 \ - --hash=sha256:39ff62e7d0f26c248b15e364517a72932a611a9b75f35b45be078d81bdb86603 \ - --hash=sha256:43644e38f42e3af682690876cff722d301ac585c5b9e1eacc013b7a3f7b696a0 \ - --hash=sha256:4372381634485bec7e46718edc71528024fcdc6f835baefe517b34a33c731d60 \ - --hash=sha256:458f37be2d9e4c95e2d8866a851663cbc76e865b78395090786f6cd9b3bbf4f4 \ - --hash=sha256:45e1ecb0379bfaab5eef059f50115b54571acfbe422a14f668fc8c27ba410e7e \ - --hash=sha256:4b9d9e4e2b37daddb5c23ea33a3417901fa7c7b3dee2d855f63ee67a0b21e5b1 \ - --hash=sha256:4ceef517eca3e03c1cceb22030a3e39cb399ac86bff4e426d4fc6ae49052cc60 \ - --hash=sha256:4d1a3d7ef5e96b1c9e92f973e43aa5e5b96c659c9bc3124acbbd81b0b9c8a951 \ - --hash=sha256:4dcbb0906e38440fa3e325df2359ac6cb043df8e58c965bb45f4e406ecb162cc \ - --hash=sha256:509eac6cf09c794aa27bcacfd4d62c885cce62bef7b2c3e8b2e49d365b5003fe \ - --hash=sha256:52509b5be062d9eafc8170e53026fbc54cf3b32759a23d07fd935fb04fc22d95 \ - --hash=sha256:52f2dffc8acaba9a2f27174c41c9e57f60b907bb9f096b36b1a1f3be71c6284d \ - --hash=sha256:574b7eae1ab267e5f8285f0fe881f17efe4b98c39a40858247720935b893bba8 \ - --hash=sha256:5979b5632c3e3534e42ca6ff856bb24b2e3071b37861c2c727ce220d80eee9ed \ - --hash=sha256:59d43b61c59d82f2effb39a93c48b845efe23a3852d201ed2d24ba830d0b4cf2 \ - --hash=sha256:5a4dcf02b908c3b8b17a45fb0f15b695bf117a67b76b7ad18b73cf8e92608775 \ - --hash=sha256:5cad9430ab3e2e4fa4a2ef4450f548768400a2ac635841bc2a56a2052cdbeb87 \ - --hash=sha256:5fc1b16f586f049820c5c5b17bb4ee7583092fa0d1c4e28b5239181ff9532e0c \ - --hash=sha256:62501642008a8b9871ddfccbf83e4222cf8ac0d5aeedf73da36153ef2ec222d2 \ - --hash=sha256:64bdf1086b6043bf519869678f5f2757f473dee970d7abf6da91ec00acb9cb98 \ - --hash=sha256:64da238a09d6039e3bd39bb3aee9c21a5e34f28bfa5aa22518581f910ff94af3 \ - --hash=sha256:666daae833559deb2d609afa4490b85830ab0dfca811a98b70a205621a6109fe \ - --hash=sha256:67040058f37a2a51ed8ea8f6b0e6ee5bd78ca67f169ce6122f3e2ec80dfe9b78 \ - --hash=sha256:6748717bb10339c4760c1e63da040f5f29f5ed6e59d76daee30305894069a660 \ - --hash=sha256:6b181d8c23da913d4ff585afd1155a0e1194c0b50c54fcfe286f70cdaf2b7176 \ - --hash=sha256:6ed5f161328b7df384d71b07317f4d8656434e34591f20552c7bcef27b0ab88e \ - --hash=sha256:7582a1d1030e15422262de9f58711774e02fa80df0d1578995c76214f6954988 \ - --hash=sha256:7d18748f2d30f94f498e852c67d61261c643b349b9d2a581131725595c45ec6c \ - --hash=sha256:7d6ae9d593ef8641544d6263c7fa6408cc90370c8cb2bbb65f8d43e5b0351d9c \ - --hash=sha256:81a4f0b34bd92df3da93315c6a59034df95866014ac08535fc819f043bfd51f0 \ - --hash=sha256:8316a77808c501004802f9beebde51c9f857054a0c871bd6da8280e718444449 \ - --hash=sha256:853888594621e6604c978ce2a0444a1e6e70c8d253ab65ba11657659dcc9100f \ - --hash=sha256:99b76c052e9f1bc0721f7541e5e8c05db3941eb9ebe7b8553c625ef88d6eefde \ - --hash=sha256:a2e4369eb3d47d2034032a26c7a80fcb21a2cb22e1173d761a162f11e562caa5 \ - --hash=sha256:ab55edc2e84460694295f401215f4a58597f8f7c9466faec545093045476327d \ - --hash=sha256:af048912e045a2dc732847d33821a9d84ba553f5c5f028adbd364dd4765092ac \ - --hash=sha256:b1a2eeedcead3a41694130495593a559a668f382eee0727352b9a41e1c45759a \ - --hash=sha256:b1e8b901e607795ec06c9e42530788c45ac21ef3aaa11dbd0c69de543bfb79a9 \ - --hash=sha256:b41156839806aecb3641f3208c0dafd3ac7775b9c4c422d82ee2a45c34ba81ca \ - --hash=sha256:b692f419760c0e65d060959df05f2a531945af31fda0c8a3b3195d4efd06de11 \ - --hash=sha256:bc779e9e6f7fda81b3f9aa58e3a6091d49ad528b11ed19f6621408806204ad35 \ - --hash=sha256:bf6774e60d67a9efe02b3616fee22441d86fab4c6d335f9d2051d19d90a40063 \ - --hash=sha256:c048099e4c9e9d615545e2001d3d8a4380bd403e1a0578734e0d31703d1b0c0b \ - --hash=sha256:c5cb09abb18c1ea940fb99360ea0396f34d46566f157122c92dfa069d3e0e982 \ - --hash=sha256:cc8e1d0c705233c5dd0c5e6460fbad7827d5d36f310a0fadfd45cc3029762258 \ - --hash=sha256:d5e3fc56f88cc98ef8139255cf8cd63eb2c586531e43310ff859d6bb3a6b51f1 \ - --hash=sha256:d6aa0418fcc838522256761b3415822626f866758ee0bc6632c9486b179d0b52 \ - --hash=sha256:d6c254ba6e45d8e72739281ebc46ea5eb5f101234f3ce171f0e9f5cc86991480 \ - --hash=sha256:d6d635d5209b82a3492508cf5b365f3446afb65ae7ebd755e70e18f287b0adf7 \ - --hash=sha256:dcfe792765fab89c365123c81046ad4103fcabbc4f56d1c1997e6715e8015461 \ - --hash=sha256:ddd3915998d93fbcd2566ddf9cf62cdb35c9e093075f862935573d265cf8f65d \ - --hash=sha256:ddff9c4e225a63a5afab9dd15590432c22e8057e1a9a13d28ed128ecf047bbdc \ - --hash=sha256:e41b7e2b59679edfa309e8db64fdf22399eec4b0b24694e1b2104fb789207779 \ - --hash=sha256:e69924bfcdda39b722ef4d9aa762b2dd38e4632b3641b1d9a57ca9cd18f2f83a \ - --hash=sha256:ea20853c6dbbb53ed34cb4d080382169b6f4554d394015f1bef35e881bf83547 \ - --hash=sha256:ee2a1ece51b9b9e7752e742cfb661d2a29e7bcdba2d27e66e28a99f1890e4fa0 \ - --hash=sha256:eeb6dcc05e911516ae3d1f207d4b0520d07f54484c49dfc294d6e7d63b734171 \ - --hash=sha256:f70b98cd94886b49d91170ef23ec5c0e8ebb6f242d734ed7ed677b24d50c82cf \ - --hash=sha256:fc35cb4676846ef752816d5be2193a1e8367b4c1397b74a565a9d0389c433a1d \ - --hash=sha256:ff959bee35038c4624250473988b24f846cbeb2c6639de3602c073f10410ceba +multidict==6.0.5 \ + --hash=sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556 \ + --hash=sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c \ + --hash=sha256:04bde7a7b3de05732a4eb39c94574db1ec99abb56162d6c520ad26f83267de29 \ + --hash=sha256:04da1bb8c8dbadf2a18a452639771951c662c5ad03aefe4884775454be322c9b \ + --hash=sha256:09a892e4a9fb47331da06948690ae38eaa2426de97b4ccbfafbdcbe5c8f37ff8 \ + --hash=sha256:0d63c74e3d7ab26de115c49bffc92cc77ed23395303d496eae515d4204a625e7 \ + --hash=sha256:107c0cdefe028703fb5dafe640a409cb146d44a6ae201e55b35a4af8e95457dd \ + --hash=sha256:141b43360bfd3bdd75f15ed811850763555a251e38b2405967f8e25fb43f7d40 \ + --hash=sha256:14c2976aa9038c2629efa2c148022ed5eb4cb939e15ec7aace7ca932f48f9ba6 \ + --hash=sha256:19fe01cea168585ba0f678cad6f58133db2aa14eccaf22f88e4a6dccadfad8b3 \ + --hash=sha256:1d147090048129ce3c453f0292e7697d333db95e52616b3793922945804a433c \ + --hash=sha256:1d9ea7a7e779d7a3561aade7d596649fbecfa5c08a7674b11b423783217933f9 \ + --hash=sha256:215ed703caf15f578dca76ee6f6b21b7603791ae090fbf1ef9d865571039ade5 \ + --hash=sha256:21fd81c4ebdb4f214161be351eb5bcf385426bf023041da2fd9e60681f3cebae \ + --hash=sha256:220dd781e3f7af2c2c1053da9fa96d9cf3072ca58f057f4c5adaaa1cab8fc442 \ + --hash=sha256:228b644ae063c10e7f324ab1ab6b548bdf6f8b47f3ec234fef1093bc2735e5f9 \ + --hash=sha256:29bfeb0dff5cb5fdab2023a7a9947b3b4af63e9c47cae2a10ad58394b517fddc \ + --hash=sha256:2f4848aa3baa109e6ab81fe2006c77ed4d3cd1e0ac2c1fbddb7b1277c168788c \ + --hash=sha256:2faa5ae9376faba05f630d7e5e6be05be22913782b927b19d12b8145968a85ea \ + --hash=sha256:2ffc42c922dbfddb4a4c3b438eb056828719f07608af27d163191cb3e3aa6cc5 \ + --hash=sha256:37b15024f864916b4951adb95d3a80c9431299080341ab9544ed148091b53f50 \ + --hash=sha256:3cc2ad10255f903656017363cd59436f2111443a76f996584d1077e43ee51182 \ + --hash=sha256:3d25f19500588cbc47dc19081d78131c32637c25804df8414463ec908631e453 \ + --hash=sha256:403c0911cd5d5791605808b942c88a8155c2592e05332d2bf78f18697a5fa15e \ + --hash=sha256:411bf8515f3be9813d06004cac41ccf7d1cd46dfe233705933dd163b60e37600 \ + --hash=sha256:425bf820055005bfc8aa9a0b99ccb52cc2f4070153e34b701acc98d201693733 \ + --hash=sha256:435a0984199d81ca178b9ae2c26ec3d49692d20ee29bc4c11a2a8d4514c67eda \ + --hash=sha256:4a6a4f196f08c58c59e0b8ef8ec441d12aee4125a7d4f4fef000ccb22f8d7241 \ + --hash=sha256:4cc0ef8b962ac7a5e62b9e826bd0cd5040e7d401bc45a6835910ed699037a461 \ + --hash=sha256:51d035609b86722963404f711db441cf7134f1889107fb171a970c9701f92e1e \ + --hash=sha256:53689bb4e102200a4fafa9de9c7c3c212ab40a7ab2c8e474491914d2305f187e \ + --hash=sha256:55205d03e8a598cfc688c71ca8ea5f66447164efff8869517f175ea632c7cb7b \ + --hash=sha256:5c0631926c4f58e9a5ccce555ad7747d9a9f8b10619621f22f9635f069f6233e \ + --hash=sha256:5cb241881eefd96b46f89b1a056187ea8e9ba14ab88ba632e68d7a2ecb7aadf7 \ + --hash=sha256:60d698e8179a42ec85172d12f50b1668254628425a6bd611aba022257cac1386 \ + --hash=sha256:612d1156111ae11d14afaf3a0669ebf6c170dbb735e510a7438ffe2369a847fd \ + --hash=sha256:6214c5a5571802c33f80e6c84713b2c79e024995b9c5897f794b43e714daeec9 \ + --hash=sha256:6939c95381e003f54cd4c5516740faba40cf5ad3eeff460c3ad1d3e0ea2549bf \ + --hash=sha256:69db76c09796b313331bb7048229e3bee7928eb62bab5e071e9f7fcc4879caee \ + --hash=sha256:6bf7a982604375a8d49b6cc1b781c1747f243d91b81035a9b43a2126c04766f5 \ + --hash=sha256:766c8f7511df26d9f11cd3a8be623e59cca73d44643abab3f8c8c07620524e4a \ + --hash=sha256:76c0de87358b192de7ea9649beb392f107dcad9ad27276324c24c91774ca5271 \ + --hash=sha256:76f067f5121dcecf0d63a67f29080b26c43c71a98b10c701b0677e4a065fbd54 \ + --hash=sha256:7901c05ead4b3fb75113fb1dd33eb1253c6d3ee37ce93305acd9d38e0b5f21a4 \ + --hash=sha256:79660376075cfd4b2c80f295528aa6beb2058fd289f4c9252f986751a4cd0496 \ + --hash=sha256:79a6d2ba910adb2cbafc95dad936f8b9386e77c84c35bc0add315b856d7c3abb \ + --hash=sha256:7afcdd1fc07befad18ec4523a782cde4e93e0a2bf71239894b8d61ee578c1319 \ + --hash=sha256:7be7047bd08accdb7487737631d25735c9a04327911de89ff1b26b81745bd4e3 \ + --hash=sha256:7c6390cf87ff6234643428991b7359b5f59cc15155695deb4eda5c777d2b880f \ + --hash=sha256:7df704ca8cf4a073334e0427ae2345323613e4df18cc224f647f251e5e75a527 \ + --hash=sha256:85f67aed7bb647f93e7520633d8f51d3cbc6ab96957c71272b286b2f30dc70ed \ + --hash=sha256:896ebdcf62683551312c30e20614305f53125750803b614e9e6ce74a96232604 \ + --hash=sha256:92d16a3e275e38293623ebf639c471d3e03bb20b8ebb845237e0d3664914caef \ + --hash=sha256:99f60d34c048c5c2fabc766108c103612344c46e35d4ed9ae0673d33c8fb26e8 \ + --hash=sha256:9fe7b0653ba3d9d65cbe7698cca585bf0f8c83dbbcc710db9c90f478e175f2d5 \ + --hash=sha256:a3145cb08d8625b2d3fee1b2d596a8766352979c9bffe5d7833e0503d0f0b5e5 \ + --hash=sha256:aeaf541ddbad8311a87dd695ed9642401131ea39ad7bc8cf3ef3967fd093b626 \ + --hash=sha256:b55358304d7a73d7bdf5de62494aaf70bd33015831ffd98bc498b433dfe5b10c \ + --hash=sha256:b82cc8ace10ab5bd93235dfaab2021c70637005e1ac787031f4d1da63d493c1d \ + --hash=sha256:c0868d64af83169e4d4152ec612637a543f7a336e4a307b119e98042e852ad9c \ + --hash=sha256:c1c1496e73051918fcd4f58ff2e0f2f3066d1c76a0c6aeffd9b45d53243702cc \ + --hash=sha256:c9bf56195c6bbd293340ea82eafd0071cb3d450c703d2c93afb89f93b8386ccc \ + --hash=sha256:cbebcd5bcaf1eaf302617c114aa67569dd3f090dd0ce8ba9e35e9985b41ac35b \ + --hash=sha256:cd6c8fca38178e12c00418de737aef1261576bd1b6e8c6134d3e729a4e858b38 \ + --hash=sha256:ceb3b7e6a0135e092de86110c5a74e46bda4bd4fbfeeb3a3bcec79c0f861e450 \ + --hash=sha256:cf590b134eb70629e350691ecca88eac3e3b8b3c86992042fb82e3cb1830d5e1 \ + --hash=sha256:d3eb1ceec286eba8220c26f3b0096cf189aea7057b6e7b7a2e60ed36b373b77f \ + --hash=sha256:d65f25da8e248202bd47445cec78e0025c0fe7582b23ec69c3b27a640dd7a8e3 \ + --hash=sha256:d6f6d4f185481c9669b9447bf9d9cf3b95a0e9df9d169bbc17e363b7d5487755 \ + --hash=sha256:d84a5c3a5f7ce6db1f999fb9438f686bc2e09d38143f2d93d8406ed2dd6b9226 \ + --hash=sha256:d946b0a9eb8aaa590df1fe082cee553ceab173e6cb5b03239716338629c50c7a \ + --hash=sha256:dce1c6912ab9ff5f179eaf6efe7365c1f425ed690b03341911bf4939ef2f3046 \ + --hash=sha256:de170c7b4fe6859beb8926e84f7d7d6c693dfe8e27372ce3b76f01c46e489fcf \ + --hash=sha256:e02021f87a5b6932fa6ce916ca004c4d441509d33bbdbeca70d05dff5e9d2479 \ + --hash=sha256:e030047e85cbcedbfc073f71836d62dd5dadfbe7531cae27789ff66bc551bd5e \ + --hash=sha256:e0e79d91e71b9867c73323a3444724d496c037e578a0e1755ae159ba14f4f3d1 \ + --hash=sha256:e4428b29611e989719874670fd152b6625500ad6c686d464e99f5aaeeaca175a \ + --hash=sha256:e4972624066095e52b569e02b5ca97dbd7a7ddd4294bf4e7247d52635630dd83 \ + --hash=sha256:e7be68734bd8c9a513f2b0cfd508802d6609da068f40dc57d4e3494cefc92929 \ + --hash=sha256:e8e94e6912639a02ce173341ff62cc1201232ab86b8a8fcc05572741a5dc7d93 \ + --hash=sha256:ea1456df2a27c73ce51120fa2f519f1bea2f4a03a917f4a43c8707cf4cbbae1a \ + --hash=sha256:ebd8d160f91a764652d3e51ce0d2956b38efe37c9231cd82cfc0bed2e40b581c \ + --hash=sha256:eca2e9d0cc5a889850e9bbd68e98314ada174ff6ccd1129500103df7a94a7a44 \ + --hash=sha256:edd08e6f2f1a390bf137080507e44ccc086353c8e98c657e666c017718561b89 \ + --hash=sha256:f285e862d2f153a70586579c15c44656f888806ed0e5b56b64489afe4a2dbfba \ + --hash=sha256:f2a1dee728b52b33eebff5072817176c172050d44d67befd681609b4746e1c2e \ + --hash=sha256:f7e301075edaf50500f0b341543c41194d8df3ae5caf4702f2095f3ca73dd8da \ + --hash=sha256:fb616be3538599e797a2017cccca78e354c767165e8858ab5116813146041a24 \ + --hash=sha256:fce28b3c8a81b6b36dfac9feb1de115bab619b3c13905b419ec71d03a3fc1423 \ + --hash=sha256:fe5d7785250541f7f5019ab9cba2c71169dc7d74d0f45253f8313f436458a4ef # via grpclib nh3==0.2.15 \ --hash=sha256:0d02d0ff79dfd8208ed25a39c12cbda092388fff7f1662466e27d97ad011b770 \ From ab83fff3c2658f093fe8e89dca83a85dd113a0b9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 2 Feb 2024 10:11:37 -0600 Subject: [PATCH 070/868] initialize openssl's legacy provider in rust (#10323) * initialize openssl's legacy provider in rust as we oxidize we need to do this here to ensure it actually happens * alex is a comment format pedant --- .../hazmat/backends/openssl/backend.py | 4 +- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/openssl/binding.py | 31 --------- src/rust/src/lib.rs | 65 +++++++++++++++++++ tests/hazmat/bindings/test_openssl.py | 7 -- 5 files changed, 69 insertions(+), 40 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 24bfa3a1f4bf..66c7ed624be0 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -127,7 +127,7 @@ def __repr__(self) -> str: return "".format( self.openssl_version_text(), self._fips_enabled, - self._binding._legacy_provider_loaded, + rust_openssl._legacy_provider_loaded, ) def openssl_assert( @@ -266,7 +266,7 @@ def _register_default_ciphers(self) -> None: # we get an EVP_CIPHER * in the _CipherContext __init__, but OpenSSL 3 # will return a valid pointer even though the cipher is unavailable. if ( - self._binding._legacy_provider_loaded + rust_openssl._legacy_provider_loaded or not self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ): for mode_cls in [CBC, CFB, OFB, ECB]: diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 9cdb4d6a5c6e..cc54647732cc 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -42,6 +42,8 @@ __all__ = [ "x25519", ] +_legacy_provider_loaded: bool + def openssl_version() -> int: ... def raise_openssl_error() -> typing.NoReturn: ... def capture_error_stack() -> list[OpenSSLError]: ... diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 40814f2a58a0..209fbeb73a8f 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -37,17 +37,6 @@ def _openssl_assert( ) -def _legacy_provider_error(loaded: bool) -> None: - if not loaded: - raise RuntimeError( - "OpenSSL 3.0's legacy provider failed to load. This is a fatal " - "error by default, but cryptography supports running without " - "legacy algorithms by setting the environment variable " - "CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error," - " you have likely made a mistake with your OpenSSL configuration." - ) - - def build_conditional_library( lib: typing.Any, conditional_names: dict[str, typing.Callable[[], list[str]]], @@ -76,7 +65,6 @@ class Binding: _lib_loaded = False _init_lock = threading.Lock() _legacy_provider: typing.Any = ffi.NULL - _legacy_provider_loaded = False _default_provider: typing.Any = ffi.NULL def __init__(self) -> None: @@ -106,25 +94,6 @@ def _ensure_ffi_initialized(cls) -> None: _openssl.lib, CONDITIONAL_NAMES ) cls._lib_loaded = True - # As of OpenSSL 3.0.0 we must register a legacy cipher provider - # to get RC2 (needed for junk asymmetric private key - # serialization), RC4, Blowfish, IDEA, SEED, etc. These things - # are ugly legacy, but we aren't going to get rid of them - # any time soon. - if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - if not os.environ.get("CRYPTOGRAPHY_OPENSSL_NO_LEGACY"): - cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( - cls.ffi.NULL, b"legacy" - ) - cls._legacy_provider_loaded = ( - cls._legacy_provider != cls.ffi.NULL - ) - _legacy_provider_error(cls._legacy_provider_loaded) - - cls._default_provider = cls.lib.OSSL_PROVIDER_load( - cls.ffi.NULL, b"default" - ) - _openssl_assert(cls._default_provider != cls.ffi.NULL) @classmethod def init_static_locks(cls) -> None: diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 9dd54f4b901d..c9f9285e3825 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -4,6 +4,11 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +use crate::error::CryptographyResult; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +use openssl::provider; +use std::env; + mod asn1; mod backend; mod buf; @@ -15,6 +20,12 @@ mod pkcs7; pub(crate) mod types; mod x509; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] +struct LoadedProviders { + legacy: Option, +} + #[pyo3::prelude::pyfunction] fn openssl_version() -> i64 { openssl::version::number() @@ -25,6 +36,35 @@ fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() } +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +fn _initialize_legacy_provider() -> CryptographyResult { + // As of OpenSSL 3.0.0 we must register a legacy cipher provider + // to get RC2 (needed for junk asymmetric private key + // serialization), RC4, Blowfish, IDEA, SEED, etc. These things + // are ugly legacy, but we aren't going to get rid of them + // any time soon. + let load_legacy = env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY") + .map(|v| v.is_empty() || v == "0") + .unwrap_or(true); + let legacy = if load_legacy { + let legacy_result = provider::Provider::try_load(None, "legacy", true); + _legacy_provider_error(legacy_result.is_ok())?; + Some(legacy_result?) + } else { + None + }; + Ok(LoadedProviders { legacy }) +} + +fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { + if !success { + return Err(pyo3::exceptions::PyRuntimeError::new_err( + "OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration." + )); + } + Ok(()) +} + #[pyo3::prelude::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; @@ -52,6 +92,20 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(cryptography_cffi::create_module(py)?)?; let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + let providers = _initialize_legacy_provider()?; + if providers.legacy.is_some() { + openssl_mod.add("_legacy_provider_loaded", true)?; + openssl_mod.add("_providers", providers)?; + } else { + openssl_mod.add("_legacy_provider_loaded", false)?; + } + } else { + // default value for non-openssl 3+ + openssl_mod.add("_legacy_provider_loaded", false)?; + } + } openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; @@ -62,3 +116,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> Ok(()) } + +#[cfg(test)] +mod tests { + use super::_legacy_provider_error; + + #[test] + fn test_legacy_provider_error() { + assert!(_legacy_provider_error(true).is_ok()); + assert!(_legacy_provider_error(false).is_err()); + } +} diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 64c3cfdec05c..ef45b304b4ef 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -8,7 +8,6 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl.binding import ( Binding, - _legacy_provider_error, _openssl_assert, _verify_package_version, ) @@ -84,12 +83,6 @@ def test_version_mismatch(self): with pytest.raises(ImportError): _verify_package_version("nottherightversion") - def test_legacy_provider_error(self): - with pytest.raises(RuntimeError): - _legacy_provider_error(False) - - _legacy_provider_error(True) - def test_rust_internal_error(self): with pytest.raises(InternalError) as exc_info: rust_openssl.raise_openssl_error() From c72e53d55bb3891b2ac68c010c1906580b837ad5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 18:23:00 -0600 Subject: [PATCH 071/868] Bump BoringSSL and/or OpenSSL in CI (#10334) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b56db037f574..d920a09ea74d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "608becc67282174594fdaf0ec9c96daca9710d2f"}} - # Latest commit on the OpenSSL master branch, as of Feb 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "afb19f07aecc84998eeea56c4d65f5e0499abb5a"}} + # Latest commit on the BoringSSL master branch, as of Feb 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "10a2132f50aaf7d49db7e258666f447b821588d9"}} + # Latest commit on the OpenSSL master branch, as of Feb 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed0f79c7ae63f7f29c9bfce2e0f960f0803be350"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 46b2921d97f4c576c457d2f5df8ec1936fac4f4c Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 3 Feb 2024 14:39:19 +0100 Subject: [PATCH 072/868] verification/policy: make subject optional internally (#10335) This is not surfaced in a public API yet; it's purely an internal change to enable a `ClientVerifier` API (which won't take a subject). Signed-off-by: William Woodruff --- .../cryptography-x509-verification/src/policy/extension.rs | 6 +++++- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 7006ad5dd110..83d4a5ec1736 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -304,7 +304,11 @@ pub(crate) mod ee { }; let san: SubjectAlternativeName<'_> = extn.value()?; - if !policy.subject.matches(&san) { + if !policy + .subject + .as_ref() + .map_or_else(|| false, |sub| sub.matches(&san)) + { return Err(ValidationError::Other( "leaf certificate has no matching subjectAltName".into(), )); diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 41a4e722d5b7..ef270fc79db4 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -208,7 +208,7 @@ pub struct Policy<'a, B: CryptoOps> { /// A subject (i.e. DNS name or other name format) that any EE certificates /// validated by this policy must match. - pub subject: Subject<'a>, + pub subject: Option>, /// The validation time. All certificates validated by this policy must /// be valid at this time. @@ -245,7 +245,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Self { ops, max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH), - subject, + subject: Some(subject), validation_time: time, extended_key_usage: EKU_SERVER_AUTH_OID.clone(), minimum_rsa_modulus: WEBPKI_MINIMUM_RSA_MODULUS, From 4814d97c60c58b37ac0d450d0d32c02e907643c0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 08:57:24 -0500 Subject: [PATCH 073/868] Revert "Silence new clippy false-positive (#10168)" (#10336) This reverts commit ba2bef6daca77cf1217e470e337b39c284d60151. --- src/rust/src/x509/crl.rs | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index f4d6feebc820..8e43832986c2 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -120,9 +120,6 @@ impl CertificateRevocationList { self.len() } - // Silenced due to false-positives - // https://github.com/rust-lang/rust-clippy/issues/12135 - #[allow(clippy::useless_asref)] fn __iter__(&self) -> CRLIterator { CRLIterator { contents: OwnedCRLIteratorData::try_new(Arc::clone(&self.owned), |v| { From 18591bc279f5caeaeee42d988370f28affd8af94 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 3 Feb 2024 22:19:26 +0000 Subject: [PATCH 074/868] Bump markupsafe from 2.1.4 to 2.1.5 (#10338) Bumps [markupsafe](https://github.com/pallets/markupsafe) from 2.1.4 to 2.1.5. - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/markupsafe/compare/2.1.4...2.1.5) --- updated-dependencies: - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e56d198a94ba..58ab36f65248 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -50,7 +50,7 @@ iniconfig==2.0.0 # via pytest jinja2==3.1.3 # via sphinx -markupsafe==2.1.4 +markupsafe==2.1.5 # via jinja2 mypy==1.8.0 # via cryptography (pyproject.toml) From f52c275ceb6a1c2b709f23a0dddd5f9544c05481 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 18:42:21 -0500 Subject: [PATCH 075/868] remove stray space (#10339) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 3348500be7af..82aa29db129f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -80,7 +80,7 @@ test = [ ] test-randomorder = ["pytest-randomly"] docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=1.1.1"] -docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] +docstest = ["pyenchant >=1.6.11", "readme-renderer", "sphinxcontrib-spelling >=4.0.1"] sdist = ["build"] # `click` included because its needed to type check `release.py` pep8test = ["ruff", "mypy", "check-sdist", "click"] From c234cc23047cf98d6475985141a9f249450935bc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 18:43:07 -0500 Subject: [PATCH 076/868] Check to see if we can use the hosted M1 runners (#10340) --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d920a09ea74d..a8c4491bbcc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -221,14 +221,14 @@ jobs: matrix: RUNNER: - {OS: 'macos-13', ARCH: 'x86_64'} - - {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} + - {OS: 'macos-14', ARCH: 'arm64'} PYTHON: - {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.12", NOXSESSION: "tests"} exclude: # We only test latest Python on arm64. py37 won't work since there's no universal2 binary - PYTHON: {VERSION: "3.7", NOXSESSION: "tests-nocoverage"} - RUNNER: {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'} + RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 From ab6a4a20df416f588272e3ffbb5a04789b1637dd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 3 Feb 2024 18:43:29 -0500 Subject: [PATCH 077/868] Stop pretending to be x64 on M1 in CI (#10341) --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a8c4491bbcc6..4eab452ec35c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -245,7 +245,6 @@ jobs: uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: ${{ matrix.PYTHON.VERSION }} - architecture: 'x64' # we force this right now so that it will install the universal2 on arm64 cache: pip cache-dependency-path: ci-constraints-requirements.txt timeout-minutes: 3 From 70e4d79f678d8351e08f03c7e935f293614084f8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 3 Feb 2024 18:29:20 -0600 Subject: [PATCH 078/868] Bump BoringSSL and/or OpenSSL in CI (#10342) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4eab452ec35c..8924ce10488e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "10a2132f50aaf7d49db7e258666f447b821588d9"}} + # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} # Latest commit on the OpenSSL master branch, as of Feb 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed0f79c7ae63f7f29c9bfce2e0f960f0803be350"}} # Builds with various Rust versions. Includes MSRV and next From 0c55522b5e8c4d94995c3c8773529540f49b8cf5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 4 Feb 2024 22:32:52 +0000 Subject: [PATCH 079/868] Bump actions/checkout in /.github/actions/fetch-vectors (#9853) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/f43a0e5ff2bd294095638e18286ca9a3d1956744...b4ffde65f46336ab88eb53be808477a3936bae11) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 9c7c294d1e37..017a3358edcb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "google/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Oct 28, 2023. ref: "d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d" # wycheproof-ref - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From cbaa508e66ba475fe87c8862efe4e89e86a776b3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Feb 2024 17:01:21 -0600 Subject: [PATCH 080/868] update actions/checkout everywhere (#10346) * update actions/checkout everywhere except manylinux2014, where we can't * update rust-cache to use node20 --- .github/actions/cache/action.yml | 2 +- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 6 +++--- .github/workflows/x509-limbo-version-bump.yml | 2 +- 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 31af7422da04..702d82483b6f 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -15,7 +15,7 @@ runs: id: normalized-key run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT shell: bash - - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 with: key: ${{ steps.normalized-key.outputs.key }}-2 workspaces: "./src/rust/ -> target" diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index d494688db74f..deeebb0f69ba 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -21,12 +21,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 8c8e4c058e5a..4cc08f5983d3 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8924ce10488e..3037927d323c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -56,7 +56,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -180,7 +180,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -231,7 +231,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -295,7 +295,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -369,7 +369,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false @@ -413,7 +413,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index d4fb20e091f5..9f694c7cb661 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index a7f75070628e..7c2d3cb6db99 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -35,7 +35,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 0d2c5774721f..fef4a48bc63f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -212,7 +212,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -306,7 +306,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 7df3a5fbcc38..9866e266065d 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From 172ec89853df99fe53c70bcd4dd3c581e86ed66c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 4 Feb 2024 17:22:40 -0600 Subject: [PATCH 081/868] try to upgrade to upload/download artifact v4 (#10347) --- .github/actions/upload-coverage/action.yml | 4 ++-- .github/workflows/ci.yml | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index a005d6b7462d..d7032c89e303 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,9 +13,9 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: - name: coverage-data + name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | .coverage.* *.lcov diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3037927d323c..b339bc05c3e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -433,9 +433,10 @@ jobs: if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: - name: coverage-data + pattern: coverage-data-* + merge-multiple: true - name: Combine coverage and fail if it's <100%. if: ${{ always() }} id: combinecoverage @@ -475,14 +476,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: _html-rust-report path: rust-coverage From 6f8c79efcd1d8962d676b7a4d3eec9bc5c8b6e20 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 08:03:46 -0600 Subject: [PATCH 082/868] Bump sigstore from 2.1.0 to 2.1.2 in /.github/requirements (#10350) * Bump sigstore from 2.1.0 to 2.1.2 in /.github/requirements Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.1.0 to 2.1.2. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.1.0...v2.1.2) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5406ffbbca48..3d4fbcfed731 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -560,9 +560,9 @@ securesystemslib==0.31.0 \ # via # sigstore # tuf -sigstore==2.1.0 \ - --hash=sha256:68761c3078aca9bb97af8459602959ff47ce648bf722a8c2c868e45b46aad7e1 \ - --hash=sha256:7c64b4c6eccee0ec1b54d524d7be57dabc1f1f3651dd723cf195aa6b1f94b4f7 +sigstore==2.1.2 \ + --hash=sha256:94139c1efa0784135516d11b79c8b06d4ea61245624e69cda44494e87560b07c \ + --hash=sha256:fd9069b50b5789c6e229641e948a9b47c07525e8924f5e4d20d7dc1a8db6d6e2 # via -r publish-requirements.in sigstore-protobuf-specs==0.2.2 \ --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ From 884be2a97b91c1a354afd60429b5d02e2c8c2c89 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 5 Feb 2024 09:03:59 -0500 Subject: [PATCH 083/868] Remove unused attributes (#10349) --- src/cryptography/hazmat/bindings/openssl/binding.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 209fbeb73a8f..d9f81ce8dcec 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -64,8 +64,6 @@ class Binding: ffi = _openssl.ffi _lib_loaded = False _init_lock = threading.Lock() - _legacy_provider: typing.Any = ffi.NULL - _default_provider: typing.Any = ffi.NULL def __init__(self) -> None: self._ensure_ffi_initialized() From fafcc03bb731482209cec8e692f4155892a0d3ea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 5 Feb 2024 18:50:45 -0500 Subject: [PATCH 084/868] Remove unused dep (#10351) * Remove unused dep * Update Cargo.lock --- src/rust/Cargo.lock | 1 - src/rust/Cargo.toml | 3 --- 2 files changed, 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7150fcd88fe1..d7e5e256fa3f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -97,7 +97,6 @@ name = "cryptography-rust" version = "0.1.0" dependencies = [ "asn1", - "cc", "cfg-if", "cryptography-cffi", "cryptography-key-parsing", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 08bd9583cbff..698328596665 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -23,9 +23,6 @@ openssl-sys = "0.9.99" foreign-types-shared = "0.1" self_cell = "1" -[build-dependencies] -cc = "1.0.83" - [features] extension-module = ["pyo3/extension-module"] default = ["extension-module"] From 9c0163a4e412e7dc1afcf1c0fe78780d0ecda4da Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 00:14:05 +0000 Subject: [PATCH 085/868] Bump BoringSSL and/or OpenSSL in CI (#10352) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b339bc05c3e7..1a928771f050 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} - # Latest commit on the OpenSSL master branch, as of Feb 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ed0f79c7ae63f7f29c9bfce2e0f960f0803be350"}} + # Latest commit on the OpenSSL master branch, as of Feb 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "22f82d457c06289ec66a627a3d11649d83beff88"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From ce8aa9f6f137cc5af7071a4ed4be250cb3a3b769 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 00:28:25 +0000 Subject: [PATCH 086/868] Bump x509-limbo and/or wycheproof in CI (#10353) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 017a3358edcb..9c24312ffe64 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 02, 2024. - ref: "215546b218a84c35b9aaf3e84b8df4278c06920b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 06, 2024. + ref: "0171902768511b59844113a9026c645e21e85344" # x509-limbo-ref From 42c4677090ca5e957f527394d164c4f1eec50504 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 11:21:45 +0000 Subject: [PATCH 087/868] Bump ruff from 0.2.0 to 0.2.1 (#10354) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 58ab36f65248..703ad54e2f79 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.2.0 +ruff==0.2.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From aade784e71a1b91e1a5a8e239c4d9861feb4193d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 11:56:25 +0000 Subject: [PATCH 088/868] Bump actions/upload-artifact in /.github/actions/upload-coverage (#10357) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.0 to 4.3.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/26f96dfa697d77e81fd5907df203aa23a56210a8...5d5d22a31266ced268874388b861e4b58bb5c2f3) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index d7032c89e303..720cf904f821 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From 5c17851da78dfc55ec9674f92882f94c6569c5f4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 00:15:15 +0000 Subject: [PATCH 089/868] Bump BoringSSL and/or OpenSSL in CI (#10358) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a928771f050..c32b544a1326 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} - # Latest commit on the OpenSSL master branch, as of Feb 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "22f82d457c06289ec66a627a3d11649d83beff88"}} + # Latest commit on the OpenSSL master branch, as of Feb 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1751185154ab1f1a796e0f39567fe51c8e24b78d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From b4ae8b0ace1d879d87a80c3e61be323975eda9d2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 00:28:50 +0000 Subject: [PATCH 090/868] Bump x509-limbo and/or wycheproof in CI (#10359) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 9c24312ffe64..b26d8c308115 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 06, 2024. - ref: "0171902768511b59844113a9026c645e21e85344" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 07, 2024. + ref: "471656dc73cedf02eaac82c45d7bd874d097dfc9" # x509-limbo-ref From f11560b6a65d6ff7862087584dac4c20b38e656c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 8 Feb 2024 00:17:24 +0000 Subject: [PATCH 091/868] Bump BoringSSL and/or OpenSSL in CI (#10362) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c32b544a1326..9608d9dc8fdb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "79123ca9c0f9ae1532427f704fa626dbaebbdbe9"}} - # Latest commit on the OpenSSL master branch, as of Feb 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1751185154ab1f1a796e0f39567fe51c8e24b78d"}} + # Latest commit on the BoringSSL master branch, as of Feb 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "34b51faf3a58fe36e3ab1db99a2a441d0f69c754"}} + # Latest commit on the OpenSSL master branch, as of Feb 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "387b93e14907cd8203d6f2c9d78e49df01cb6e1f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 92a79c95aed4290436e8299e5896497aeb0db749 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Feb 2024 08:50:39 -0600 Subject: [PATCH 092/868] Bump jaraco-classes from 3.3.0 to 3.3.1 in /.github/requirements (#10363) * Bump jaraco-classes from 3.3.0 to 3.3.1 in /.github/requirements Bumps [jaraco-classes](https://github.com/jaraco/jaraco.classes) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/jaraco/jaraco.classes/releases) - [Changelog](https://github.com/jaraco/jaraco.classes/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.classes/compare/v3.3.0...v3.3.1) --- updated-dependencies: - dependency-name: jaraco-classes dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 3d4fbcfed731..28fdfbdadbcb 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -246,9 +246,9 @@ importlib-metadata==7.0.1 \ # via # keyring # twine -jaraco-classes==3.3.0 \ - --hash=sha256:10afa92b6743f25c0cf5f37c6bb6e18e2c5bb84a16527ccfc0040ea377e7aaeb \ - --hash=sha256:c063dd08e89217cee02c8d5e5ec560f2c8ce6cdc2fcdc2e68f7b2e5547ed3621 +jaraco-classes==3.3.1 \ + --hash=sha256:86b534de565381f6b3c1c830d13f931d7be1a75f0081c57dff615578676e2206 \ + --hash=sha256:cb28a5ebda8bc47d8c8015307d93163464f9f2b91ab4006e09ff0ce07e8bfb30 # via keyring jeepney==0.8.0 \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ From b6934e7301d3401ee7f4dcb153f8fa265f577bbf Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 8 Feb 2024 08:51:21 -0600 Subject: [PATCH 093/868] smaller mmap in tests to fit in a 32-bit ssize_t (#10365) this still triggers the overflows we expect in the tests and should also work on 32-bit systems --- tests/hazmat/primitives/test_aead.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index a1f99ab815ed..7b8eebb78447 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -38,7 +38,11 @@ def _aead_supported(cls): def large_mmap(): - return mmap.mmap(-1, 2**32, prot=mmap.PROT_READ) + # We need this large but not larger than fits in a 32-bit int. This way + # a 32-bit platform can return this mmap successfully but we'll raise + # OverFlowError in the tests because the underlying type for the + # function signature is a signed int + return mmap.mmap(-1, 2**31, prot=mmap.PROT_READ) @pytest.mark.skipif( From 4e7c2c72efe5b1fbb2c47d1341c5b4c7cbdb6a57 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 8 Feb 2024 09:19:50 -0600 Subject: [PATCH 094/868] skip overflow aead tests on 32-bit systems (#10366) * Revert "smaller mmap in tests to fit in a 32-bit ssize_t (#10365)" This reverts commit b6934e7301d3401ee7f4dcb153f8fa265f577bbf. * skip overflow aead tests on 32-bit systems --- tests/hazmat/primitives/test_aead.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index 7b8eebb78447..2f0d52d82682 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -38,11 +38,7 @@ def _aead_supported(cls): def large_mmap(): - # We need this large but not larger than fits in a 32-bit int. This way - # a 32-bit platform can return this mmap successfully but we'll raise - # OverFlowError in the tests because the underlying type for the - # function signature is a signed int - return mmap.mmap(-1, 2**31, prot=mmap.PROT_READ) + return mmap.mmap(-1, 2**32, prot=mmap.PROT_READ) @pytest.mark.skipif( @@ -60,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): ) class TestChaCha20Poly1305: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = ChaCha20Poly1305.generate_key() @@ -201,7 +198,8 @@ def test_buffer_protocol(self, backend): ) class TestAESCCM: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESCCM.generate_key(128) @@ -382,7 +380,8 @@ def _load_gcm_vectors(): class TestAESGCM: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESGCM.generate_key(128) @@ -529,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): ) class TestAESOCB3: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESOCB3.generate_key(128) @@ -704,7 +704,8 @@ def test_buffer_protocol(self, backend): ) class TestAESSIV: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESSIV.generate_key(256) @@ -848,7 +849,8 @@ def test_buffer_protocol(self, backend): ) class TestAESGCMSIV: @pytest.mark.skipif( - sys.platform not in {"linux", "darwin"}, reason="mmap required" + sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, + reason="mmap and 64-bit platform required", ) def test_data_too_large(self): key = AESGCMSIV.generate_key(256) From bfcdfbefb32c5a9786ef66d4eb0777f70ae5943b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 9 Feb 2024 00:16:38 +0000 Subject: [PATCH 095/868] Bump BoringSSL and/or OpenSSL in CI (#10372) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9608d9dc8fdb..341fd2c07506 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "34b51faf3a58fe36e3ab1db99a2a441d0f69c754"}} - # Latest commit on the OpenSSL master branch, as of Feb 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "387b93e14907cd8203d6f2c9d78e49df01cb6e1f"}} + # Latest commit on the BoringSSL master branch, as of Feb 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8ff5add548e89f3680da398a41ecfca95a863fcd"}} + # Latest commit on the OpenSSL master branch, as of Feb 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "01690a7ff36c4d18c48b301cdf375c954105a1d9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From c23442dd4baa44273398d86f679e26e7c8a1e93c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 10 Feb 2024 00:15:59 +0000 Subject: [PATCH 096/868] Bump BoringSSL and/or OpenSSL in CI (#10374) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 341fd2c07506..9fe7e869fccc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "8ff5add548e89f3680da398a41ecfca95a863fcd"}} - # Latest commit on the OpenSSL master branch, as of Feb 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "01690a7ff36c4d18c48b301cdf375c954105a1d9"}} + # Latest commit on the BoringSSL master branch, as of Feb 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "71c589682f7d1dabc08b56ef7a0a28913e44110e"}} + # Latest commit on the OpenSSL master branch, as of Feb 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cfabddfb9f6f54b3f3b8e90ccb918967390a7fb2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 9efa73910454b24074a280725306838bef063709 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sat, 10 Feb 2024 22:34:55 +0000 Subject: [PATCH 097/868] policy: `Policy::new` is now `Policy::server` (#10377) Signed-off-by: William Woodruff --- .../src/policy/extension.rs | 10 +++++----- .../cryptography-x509-verification/src/policy/mod.rs | 6 +++--- src/rust/src/x509/verify.rs | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 83d4a5ec1736..9ab88ab5189d 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -599,7 +599,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -639,7 +639,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -673,7 +673,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -704,7 +704,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), @@ -733,7 +733,7 @@ mod tests { let cert_pem = v1_cert_pem(); let cert = cert(&cert_pem); let ops = PublicKeyErrorOps {}; - let policy = Policy::new( + let policy = Policy::server( ops, Subject::DNS(DNSName::new("example.com").unwrap()), epoch(), diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index ef270fc79db4..f0a2ba5a7e63 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -234,9 +234,9 @@ pub struct Policy<'a, B: CryptoOps> { } impl<'a, B: CryptoOps> Policy<'a, B> { - /// Create a new policy with defaults for the certificate profile defined in - /// the CA/B Forum's Basic Requirements. - pub fn new( + /// Create a new policy with defaults for the server certificate profile + /// defined in the CA/B Forum's Basic Requirements. + pub fn server( ops: B, subject: Subject<'a>, time: asn1::DateTime, diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 8cd9cfdf964b..d35c3a61ceaa 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -142,7 +142,7 @@ impl PolicyBuilder { let policy = OwnedPolicy::try_new(subject_owner, |subject_owner| { let subject = build_subject(py, subject_owner)?; - Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::new( + Ok::, pyo3::PyErr>(PyCryptoPolicy(Policy::server( PyCryptoOps {}, subject, time, From 8b521e05b9ef85f0bc96f55713471358613cafd1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 11 Feb 2024 00:20:38 +0000 Subject: [PATCH 098/868] Bump BoringSSL and/or OpenSSL in CI (#10378) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9fe7e869fccc..4427b17543ba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "71c589682f7d1dabc08b56ef7a0a28913e44110e"}} - # Latest commit on the OpenSSL master branch, as of Feb 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cfabddfb9f6f54b3f3b8e90ccb918967390a7fb2"}} + # Latest commit on the BoringSSL master branch, as of Feb 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab"}} + # Latest commit on the OpenSSL master branch, as of Feb 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "925118e8c3b1041ce7f9840c2d67e7f878123e6b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From e179d30f9fa8ec20e72c320842ae9b0b2be970ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 11 Feb 2024 10:23:02 -0500 Subject: [PATCH 099/868] Centralize checks for whether scrypt is available (#10376) --- src/_cffi_src/openssl/evp.py | 7 ------- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 54f5388b83d0..ed73ec99fd5f 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -30,7 +30,6 @@ static const int EVP_CTRL_AEAD_GET_TAG; static const int EVP_CTRL_AEAD_SET_TAG; -static const int Cryptography_HAS_SCRYPT; static const int Cryptography_HAS_EVP_PKEY_DHX; static const long Cryptography_HAS_300_FIPS; static const long Cryptography_HAS_300_EVP_CIPHER; @@ -94,12 +93,6 @@ const long Cryptography_HAS_EVP_PKEY_DHX = 0; #endif -#if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_SCRYPT) -static const long Cryptography_HAS_SCRYPT = 0; -#else -static const long Cryptography_HAS_SCRYPT = 1; -#endif - /* This is tied to X448 support so we reuse the Cryptography_HAS_X448 conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove this in the distant future when we drop 1.1.0 support. */ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 66c7ed624be0..0f3976c3de02 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -194,7 +194,7 @@ def scrypt_supported(self) -> bool: if self._fips_enabled: return False else: - return self._lib.Cryptography_HAS_SCRYPT == 1 + return hasattr(rust_openssl.kdf, "derive_scrypt") def hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: # FIPS mode still allows SHA1 for HMAC From be950bde6892738d0e86573b9c66d096d70143b2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 11 Feb 2024 18:34:22 -0500 Subject: [PATCH 100/868] Port openssl_version_text to Rust (#10380) --- src/cryptography/hazmat/backends/openssl/backend.py | 6 ++---- src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi | 2 ++ src/rust/src/lib.rs | 6 ++++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 0f3976c3de02..d20945d6a6de 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -151,12 +151,10 @@ def openssl_version_text(self) -> str: Example: OpenSSL 3.2.1 30 Jan 2024 """ - return self._ffi.string( - self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION) - ).decode("ascii") + return rust_openssl.openssl_version_text() def openssl_version_number(self) -> int: - return self._lib.OpenSSL_version_num() + return rust_openssl.openssl_version() def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm): if algorithm.name in ("blake2b", "blake2s"): diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index cc54647732cc..c4997fc12a61 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -24,6 +24,7 @@ from cryptography.hazmat.bindings._rust.openssl import ( __all__ = [ "openssl_version", + "openssl_version_text", "raise_openssl_error", "aead", "cmac", @@ -45,6 +46,7 @@ __all__ = [ _legacy_provider_loaded: bool def openssl_version() -> int: ... +def openssl_version_text() -> str: ... def raise_openssl_error() -> typing.NoReturn: ... def capture_error_stack() -> list[OpenSSLError]: ... def is_fips_enabled() -> bool: ... diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index c9f9285e3825..62d86884af7a 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -31,6 +31,11 @@ fn openssl_version() -> i64 { openssl::version::number() } +#[pyo3::prelude::pyfunction] +fn openssl_version_text() -> &'static str { + openssl::version::version() +} + #[pyo3::prelude::pyfunction] fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() @@ -107,6 +112,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> } } openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version_text, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; openssl_mod.add_function(pyo3::wrap_pyfunction!(is_fips_enabled, m)?)?; From e8ca1cd8c62593fd8d65de9c1e4efdf1259efa68 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 11 Feb 2024 18:34:54 -0500 Subject: [PATCH 101/868] Don't reinstall test deps in local nox session (#10379) They're already installed first thing --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index f1117d7fee3b..999654427eca 100644 --- a/noxfile.py +++ b/noxfile.py @@ -288,7 +288,7 @@ def local(session): "noxfile.py", ) - install(session, ".[test]") + install(session, ".") if session.posargs: tests = session.posargs From 2853f64cce4cc88f06f1fbba27f0d8b6031458e4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 00:29:30 +0000 Subject: [PATCH 102/868] Bump x509-limbo and/or wycheproof in CI (#10381) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index b26d8c308115..c56834ced2cb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 07, 2024. - ref: "471656dc73cedf02eaac82c45d7bd874d097dfc9" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 12, 2024. + ref: "e656fb25e9582c62576bfe2d5322f60c633b9ea5" # x509-limbo-ref From 6b9e5299403953ae30bc26e4043bfcf436aa7d32 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 06:41:16 -0500 Subject: [PATCH 103/868] Bump setuptools from 69.0.3 to 69.1.0 in /.github/requirements (#10382) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.0.3 to 69.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.0.3...v69.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 1b6bb11dcd3b..aff425f1834b 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.42.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.0.3 \ - --hash=sha256:385eb4edd9c9d5c17540511303e39a147ce2fc04bc55289c322b9e5904fe2c05 \ - --hash=sha256:be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78 +setuptools==69.1.0 \ + --hash=sha256:850894c4195f09c4ed30dba56213bf7c3f21d86ed6bdaafb5df5972593bfc401 \ + --hash=sha256:c054629b81b946d63a9c6e732bc8b2513a7c3ea645f11d0139a2191d735c60c6 # via # -r build-requirements.in # setuptools-rust From 87246ebe4072ba216eb8c8a6ca22566614cb0323 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 08:06:16 -0600 Subject: [PATCH 104/868] Bump twine from 4.0.2 to 5.0.0 in /.github/requirements (#10383) * Bump twine from 4.0.2 to 5.0.0 in /.github/requirements Bumps [twine](https://github.com/pypa/twine) from 4.0.2 to 5.0.0. - [Release notes](https://github.com/pypa/twine/releases) - [Changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/twine/compare/4.0.2...5.0.0) --- updated-dependencies: - dependency-name: twine dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 28fdfbdadbcb..d6a15d8bf03a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -580,9 +580,9 @@ tuf==3.1.0 \ --hash=sha256:3a4e9abba9d03c221842f62a9a687d51cc2b4a26c43ee7deb1ffb5fa2fb49374 \ --hash=sha256:a8f055fbaf90d1477258c98fe29d23217e793ca0bdc5fb5a7d252ff5acecddc0 # via sigstore -twine==4.0.2 \ - --hash=sha256:929bc3c280033347a00f847236564d1c52a3e61b1ac2516c97c48f3ceab756d8 \ - --hash=sha256:9e102ef5fdd5a20661eb88fad46338806c3bd32cf1db729603fe3697b1bc83c8 +twine==5.0.0 \ + --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ + --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in typing-extensions==4.9.0 \ --hash=sha256:23478f88c37f27d76ac8aee6c905017a143b0b1b886c3c9f66bc2fd94f9f5783 \ From f7972c80ec58b5a32bd1b43a9eff3e11a1a69eda Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 00:16:52 +0000 Subject: [PATCH 105/868] Bump BoringSSL and/or OpenSSL in CI (#10384) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4427b17543ba..8b02cfb83032 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab"}} - # Latest commit on the OpenSSL master branch, as of Feb 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "925118e8c3b1041ce7f9840c2d67e7f878123e6b"}} + # Latest commit on the OpenSSL master branch, as of Feb 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ace3afa087bc52d9613fd0dcd2dae758d43bde2c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 93932db73d57074ef3ed2f0b9ff4b14846b279df Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 00:33:41 +0000 Subject: [PATCH 106/868] Bump x509-limbo and/or wycheproof in CI (#10385) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c56834ced2cb..9d7c438b1a51 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 12, 2024. - ref: "e656fb25e9582c62576bfe2d5322f60c633b9ea5" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 13, 2024. + ref: "bf860cdd81d87250b7b67cf9ccd52f6d3741a2d7" # x509-limbo-ref From c835401c4aaaef17d421a5b8fb1136cfe8a681b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 07:15:42 -0500 Subject: [PATCH 107/868] Bump cc from 1.0.83 to 1.0.85 in /src/rust (#10386) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.83 to 1.0.85. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.83...1.0.85) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 7 ++----- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d7e5e256fa3f..9c127b6b6a0c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,12 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.83" +version = "1.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" -dependencies = [ - "libc", -] +checksum = "9b918671670962b48bc23753aef0c51d072dca6f52f01f800854ada6ddb7f7d3" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index a025e58ceda7..c7b0782587c3 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.99" [build-dependencies] -cc = "1.0.83" +cc = "1.0.85" From b059986c4cf106ccde7f5d9d1747b7f41be160c6 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 13 Feb 2024 09:22:38 -0600 Subject: [PATCH 108/868] Revert "Bump cc from 1.0.83 to 1.0.85 in /src/rust (#10386)" (#10387) This reverts commit c835401c4aaaef17d421a5b8fb1136cfe8a681b6. --- src/rust/Cargo.lock | 7 +++++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9c127b6b6a0c..d7e5e256fa3f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,12 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.85" +version = "1.0.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b918671670962b48bc23753aef0c51d072dca6f52f01f800854ada6ddb7f7d3" +checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +dependencies = [ + "libc", +] [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index c7b0782587c3..a025e58ceda7 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.99" [build-dependencies] -cc = "1.0.85" +cc = "1.0.83" From 9c6113abb6d3f06ca53337a48d7c9b6aa4da8baf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 22:35:53 +0000 Subject: [PATCH 109/868] Bump pkg-config from 0.3.29 to 0.3.30 in /src/rust (#10392) Bumps [pkg-config](https://github.com/rust-lang/pkg-config-rs) from 0.3.29 to 0.3.30. - [Changelog](https://github.com/rust-lang/pkg-config-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/pkg-config-rs/commits) --- updated-dependencies: - dependency-name: pkg-config dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index d7e5e256fa3f..97f35d15008a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -260,9 +260,9 @@ dependencies = [ [[package]] name = "pkg-config" -version = "0.3.29" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2900ede94e305130c13ddd391e0ab7cbaeb783945ae07a279c268cb05109c6cb" +checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" [[package]] name = "proc-macro2" From 64b9095c7ae62e9da8003701666be355c2db4128 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 15 Feb 2024 14:36:24 -0800 Subject: [PATCH 110/868] fix provider loading take two (#10390) we previously hoisted this into rust, but we used the try_load feature which supposedly retains fallbacks. Something about that doesn't behave the way we expect though and the machinery in providers is sufficiently complex that we are just going to load the default provider explicitly. this matches our behavior pre-rust. --- src/rust/src/lib.rs | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 62d86884af7a..a21f3986dd18 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -24,6 +24,7 @@ mod x509; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, + _default: provider::Provider, } #[pyo3::prelude::pyfunction] @@ -42,7 +43,7 @@ fn is_fips_enabled() -> bool { } #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -fn _initialize_legacy_provider() -> CryptographyResult { +fn _initialize_providers() -> CryptographyResult { // As of OpenSSL 3.0.0 we must register a legacy cipher provider // to get RC2 (needed for junk asymmetric private key // serialization), RC4, Blowfish, IDEA, SEED, etc. These things @@ -52,13 +53,14 @@ fn _initialize_legacy_provider() -> CryptographyResult { .map(|v| v.is_empty() || v == "0") .unwrap_or(true); let legacy = if load_legacy { - let legacy_result = provider::Provider::try_load(None, "legacy", true); + let legacy_result = provider::Provider::load(None, "legacy"); _legacy_provider_error(legacy_result.is_ok())?; Some(legacy_result?) } else { None }; - Ok(LoadedProviders { legacy }) + let _default = provider::Provider::load(None, "default")?; + Ok(LoadedProviders { legacy, _default }) } fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { @@ -99,13 +101,13 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { - let providers = _initialize_legacy_provider()?; + let providers = _initialize_providers()?; if providers.legacy.is_some() { openssl_mod.add("_legacy_provider_loaded", true)?; - openssl_mod.add("_providers", providers)?; } else { openssl_mod.add("_legacy_provider_loaded", false)?; } + openssl_mod.add("_providers", providers)?; } else { // default value for non-openssl 3+ openssl_mod.add("_legacy_provider_loaded", false)?; From d60e8b6198ce9530ff9b8ef3384fb7cc8dc77bb7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 14:37:17 -0800 Subject: [PATCH 111/868] Bump BoringSSL and/or OpenSSL in CI (#10391) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b02cfb83032..f414de66591a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab"}} - # Latest commit on the OpenSSL master branch, as of Feb 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ace3afa087bc52d9613fd0dcd2dae758d43bde2c"}} + # Latest commit on the BoringSSL master branch, as of Feb 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} + # Latest commit on the OpenSSL master branch, as of Feb 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d597b46f9bdb533761e36fcf1d96ce83f3f6f04d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From fe7f03a4152e24b8706fd7454f329113d8f24115 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 19:34:59 -0500 Subject: [PATCH 112/868] Bump x509-limbo and/or wycheproof in CI (#10394) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 9d7c438b1a51..326ef2cf71f7 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 13, 2024. - ref: "bf860cdd81d87250b7b67cf9ccd52f6d3741a2d7" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 16, 2024. + ref: "5f2f7b0a1ac8a8ebae3e418c2569f524c80f29db" # x509-limbo-ref From 378bf75a553acdd31fc4fd6bce9dd6fd14983de7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 15 Feb 2024 19:56:32 -0800 Subject: [PATCH 113/868] port 42.0.3 changelog to main (#10397) --- CHANGELOG.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index bd6b92f65712..2a529c2d7b80 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -27,6 +27,14 @@ Changelog :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +.. _v42-0-3: + +42.0.3 - 2024-02-15 +~~~~~~~~~~~~~~~~~~~ + +* Fixed an initialization issue that caused key loading failures for some + users. + .. _v42-0-2: 42.0.2 - 2024-01-30 From 0730de72ab6e57335a8ff14bd0710f3a3abe6f68 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 07:12:38 -0500 Subject: [PATCH 114/868] Bump syn from 2.0.48 to 2.0.49 in /src/rust (#10399) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.48 to 2.0.49. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.48...2.0.49) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 97f35d15008a..091f763dee64 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -372,9 +372,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.48" +version = "2.0.49" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f" +checksum = "915aea9e586f80826ee59f8453c1101f9d1c4b3964cd2460185ee8e299ada496" dependencies = [ "proc-macro2", "quote", From 40f2d39ac7a0d43a7778e082e5a09fbd21bf77d2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 12:20:59 +0000 Subject: [PATCH 115/868] Bump dawidd6/action-download-artifact from 3.0.0 to 3.1.0 (#10398) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/e7466d1a7587ed14867642c2ca74b5bcc1e19a2d...f6b0bace624032e30a85a8fd9c1a7f8f611f5737) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f414de66591a..08a13a83b4ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -256,7 +256,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -316,7 +316,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7c2d3cb6db99..620697af42f2 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -44,7 +44,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index fef4a48bc63f..416db67e8c06 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 + - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 with: repo: pyca/infra workflow: build-windows-openssl.yml From 3e6231f35925fe6897d26cfd597c49c7a15f7851 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 15:57:25 -0800 Subject: [PATCH 116/868] Bump cryptography from 42.0.2 to 42.0.3 in /.github/requirements (#10401) * Bump cryptography from 42.0.2 to 42.0.3 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.2 to 42.0.3. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.2...42.0.3) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d6a15d8bf03a..4010b549763c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.2 \ - --hash=sha256:087887e55e0b9c8724cf05361357875adb5c20dec27e5816b653492980d20380 \ - --hash=sha256:09a77e5b2e8ca732a19a90c5bca2d124621a1edb5438c5daa2d2738bfeb02589 \ - --hash=sha256:130c0f77022b2b9c99d8cebcdd834d81705f61c68e91ddd614ce74c657f8b3ea \ - --hash=sha256:141e2aa5ba100d3788c0ad7919b288f89d1fe015878b9659b307c9ef867d3a65 \ - --hash=sha256:28cb2c41f131a5758d6ba6a0504150d644054fd9f3203a1e8e8d7ac3aea7f73a \ - --hash=sha256:2f9f14185962e6a04ab32d1abe34eae8a9001569ee4edb64d2304bf0d65c53f3 \ - --hash=sha256:320948ab49883557a256eab46149df79435a22d2fefd6a66fe6946f1b9d9d008 \ - --hash=sha256:36d4b7c4be6411f58f60d9ce555a73df8406d484ba12a63549c88bd64f7967f1 \ - --hash=sha256:3b15c678f27d66d247132cbf13df2f75255627bcc9b6a570f7d2fd08e8c081d2 \ - --hash=sha256:3dbd37e14ce795b4af61b89b037d4bc157f2cb23e676fa16932185a04dfbf635 \ - --hash=sha256:4383b47f45b14459cab66048d384614019965ba6c1a1a141f11b5a551cace1b2 \ - --hash=sha256:44c95c0e96b3cb628e8452ec060413a49002a247b2b9938989e23a2c8291fc90 \ - --hash=sha256:4b063d3413f853e056161eb0c7724822a9740ad3caa24b8424d776cebf98e7ee \ - --hash=sha256:52ed9ebf8ac602385126c9a2fe951db36f2cb0c2538d22971487f89d0de4065a \ - --hash=sha256:55d1580e2d7e17f45d19d3b12098e352f3a37fe86d380bf45846ef257054b242 \ - --hash=sha256:5ef9bc3d046ce83c4bbf4c25e1e0547b9c441c01d30922d812e887dc5f125c12 \ - --hash=sha256:5fa82a26f92871eca593b53359c12ad7949772462f887c35edaf36f87953c0e2 \ - --hash=sha256:61321672b3ac7aade25c40449ccedbc6db72c7f5f0fdf34def5e2f8b51ca530d \ - --hash=sha256:701171f825dcab90969596ce2af253143b93b08f1a716d4b2a9d2db5084ef7be \ - --hash=sha256:841ec8af7a8491ac76ec5a9522226e287187a3107e12b7d686ad354bb78facee \ - --hash=sha256:8a06641fb07d4e8f6c7dda4fc3f8871d327803ab6542e33831c7ccfdcb4d0ad6 \ - --hash=sha256:8e88bb9eafbf6a4014d55fb222e7360eef53e613215085e65a13290577394529 \ - --hash=sha256:a00aee5d1b6c20620161984f8ab2ab69134466c51f58c052c11b076715e72929 \ - --hash=sha256:a047682d324ba56e61b7ea7c7299d51e61fd3bca7dad2ccc39b72bd0118d60a1 \ - --hash=sha256:a7ef8dd0bf2e1d0a27042b231a3baac6883cdd5557036f5e8df7139255feaac6 \ - --hash=sha256:ad28cff53f60d99a928dfcf1e861e0b2ceb2bc1f08a074fdd601b314e1cc9e0a \ - --hash=sha256:b9097a208875fc7bbeb1286d0125d90bdfed961f61f214d3f5be62cd4ed8a446 \ - --hash=sha256:b97fe7d7991c25e6a31e5d5e795986b18fbbb3107b873d5f3ae6dc9a103278e9 \ - --hash=sha256:e0ec52ba3c7f1b7d813cd52649a5b3ef1fc0d433219dc8c93827c57eab6cf888 \ - --hash=sha256:ea2c3ffb662fec8bbbfce5602e2c159ff097a4631d96235fcf0fb00e59e3ece4 \ - --hash=sha256:fa3dec4ba8fb6e662770b74f62f1a0c7d4e37e25b58b2bf2c1be4c95372b4a33 \ - --hash=sha256:fbeb725c9dc799a574518109336acccaf1303c30d45c075c665c0793c2f79a7f +cryptography==42.0.3 \ + --hash=sha256:04859aa7f12c2b5f7e22d25198ddd537391f1695df7057c8700f71f26f47a129 \ + --hash=sha256:069d2ce9be5526a44093a0991c450fe9906cdf069e0e7cd67d9dee49a62b9ebe \ + --hash=sha256:0d3ec384058b642f7fb7e7bff9664030011ed1af8f852540c76a1317a9dd0d20 \ + --hash=sha256:0fab2a5c479b360e5e0ea9f654bcebb535e3aa1e493a715b13244f4e07ea8eec \ + --hash=sha256:0fea01527d4fb22ffe38cd98951c9044400f6eff4788cf52ae116e27d30a1ba3 \ + --hash=sha256:1b797099d221df7cce5ff2a1d272761d1554ddf9a987d3e11f6459b38cd300fd \ + --hash=sha256:1e935c2900fb53d31f491c0de04f41110351377be19d83d908c1fd502ae8daa5 \ + --hash=sha256:20100c22b298c9eaebe4f0b9032ea97186ac2555f426c3e70670f2517989543b \ + --hash=sha256:20180da1b508f4aefc101cebc14c57043a02b355d1a652b6e8e537967f1e1b46 \ + --hash=sha256:25b09b73db78facdfd7dd0fa77a3f19e94896197c86e9f6dc16bce7b37a96504 \ + --hash=sha256:2619487f37da18d6826e27854a7f9d4d013c51eafb066c80d09c63cf24505306 \ + --hash=sha256:2eb6368d5327d6455f20327fb6159b97538820355ec00f8cc9464d617caecead \ + --hash=sha256:35772a6cffd1f59b85cb670f12faba05513446f80352fe811689b4e439b5d89e \ + --hash=sha256:39d5c93e95bcbc4c06313fc6a500cee414ee39b616b55320c1904760ad686938 \ + --hash=sha256:3d96ea47ce6d0055d5b97e761d37b4e84195485cb5a38401be341fabf23bc32a \ + --hash=sha256:4dcab7c25e48fc09a73c3e463d09ac902a932a0f8d0c568238b3696d06bf377b \ + --hash=sha256:5fbf0f3f0fac7c089308bd771d2c6c7b7d53ae909dce1db52d8e921f6c19bb3a \ + --hash=sha256:6c25e1e9c2ce682d01fc5e2dde6598f7313027343bd14f4049b82ad0402e52cd \ + --hash=sha256:762f3771ae40e111d78d77cbe9c1035e886ac04a234d3ee0856bf4ecb3749d54 \ + --hash=sha256:90147dad8c22d64b2ff7331f8d4cddfdc3ee93e4879796f837bdbb2a0b141e0c \ + --hash=sha256:935cca25d35dda9e7bd46a24831dfd255307c55a07ff38fd1a92119cffc34857 \ + --hash=sha256:93fbee08c48e63d5d1b39ab56fd3fdd02e6c2431c3da0f4edaf54954744c718f \ + --hash=sha256:9541c69c62d7446539f2c1c06d7046aef822940d248fa4b8962ff0302862cc1f \ + --hash=sha256:c23f03cfd7d9826cdcbad7850de67e18b4654179e01fe9bc623d37c2638eb4ef \ + --hash=sha256:c3d1f5a1d403a8e640fa0887e9f7087331abb3f33b0f2207d2cc7f213e4a864c \ + --hash=sha256:d1998e545081da0ab276bcb4b33cce85f775adb86a516e8f55b3dac87f469548 \ + --hash=sha256:d5cf11bc7f0b71fb71af26af396c83dfd3f6eed56d4b6ef95d57867bf1e4ba65 \ + --hash=sha256:db0480ffbfb1193ac4e1e88239f31314fe4c6cdcf9c0b8712b55414afbf80db4 \ + --hash=sha256:de4ae486041878dc46e571a4c70ba337ed5233a1344c14a0790c4c4be4bbb8b4 \ + --hash=sha256:de5086cd475d67113ccb6f9fae6d8fe3ac54a4f9238fd08bfdb07b03d791ff0a \ + --hash=sha256:df34312149b495d9d03492ce97471234fd9037aa5ba217c2a6ea890e9166f151 \ + --hash=sha256:ead69ba488f806fe1b1b4050febafdbf206b81fa476126f3e16110c818bac396 # via # pyopenssl # secretstorage From 6f60735f86e1db740655f07a9e2491c4bc172497 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 15:57:41 -0800 Subject: [PATCH 117/868] Bump tuf from 3.1.0 to 3.1.1 in /.github/requirements (#10400) * Bump tuf from 3.1.0 to 3.1.1 in /.github/requirements Bumps [tuf](https://github.com/theupdateframework/python-tuf) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/theupdateframework/python-tuf/releases) - [Changelog](https://github.com/theupdateframework/python-tuf/blob/v3.1.1/docs/CHANGELOG.md) - [Commits](https://github.com/theupdateframework/python-tuf/compare/v3.1.0...v3.1.1) --- updated-dependencies: - dependency-name: tuf dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 4010b549763c..d01b3a50121c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -576,9 +576,9 @@ six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 # via python-dateutil -tuf==3.1.0 \ - --hash=sha256:3a4e9abba9d03c221842f62a9a687d51cc2b4a26c43ee7deb1ffb5fa2fb49374 \ - --hash=sha256:a8f055fbaf90d1477258c98fe29d23217e793ca0bdc5fb5a7d252ff5acecddc0 +tuf==3.1.1 \ + --hash=sha256:73b3c89a0acdfe90434bba3118c90c584ef1c56bc0c4565852e917408b774130 \ + --hash=sha256:d6441d11bc9a928cb82cf571519bb99e70ed3ea6fd5a52ce116a8e121023f7ef # via sigstore twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ From 4d3ead8ff373390df852d7d0522a965586e3fe1b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 17 Feb 2024 00:07:45 +0000 Subject: [PATCH 118/868] Bump pytest from 8.0.0 to 8.0.1 (#10403) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.0.0 to 8.0.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.0.0...8.0.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 703ad54e2f79..c60b11bbfab6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.0.0; python_version >= "3.8" +pytest==8.0.1; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 608ce9520f9859811f0bc8f7254f42bba359b824 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 16 Feb 2024 19:20:14 -0800 Subject: [PATCH 119/868] add RC2-128-CBC vector (#10402) vector created using golang's x/crypto internal impl and verified against openssl --- docs/development/custom-vectors/rc2.rst | 24 ++ docs/development/custom-vectors/rc2/genrc2.go | 35 +++ docs/development/custom-vectors/rc2/go.mod | 3 + .../development/custom-vectors/rc2/rc2/rc2.go | 269 ++++++++++++++++++ docs/development/test-vectors.rst | 2 + .../ciphers/RC2/rc2-cbc.txt | 8 + 6 files changed, 341 insertions(+) create mode 100644 docs/development/custom-vectors/rc2.rst create mode 100644 docs/development/custom-vectors/rc2/genrc2.go create mode 100644 docs/development/custom-vectors/rc2/go.mod create mode 100644 docs/development/custom-vectors/rc2/rc2/rc2.go create mode 100644 vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt diff --git a/docs/development/custom-vectors/rc2.rst b/docs/development/custom-vectors/rc2.rst new file mode 100644 index 000000000000..6c7bb9ccdeb9 --- /dev/null +++ b/docs/development/custom-vectors/rc2.rst @@ -0,0 +1,24 @@ +RC2 vector creation +=================== + +This page documents the code that was used to generate the RC2 CBC test vector. +The CBC vector was generated using Go's internal RC2 implementation and +verified using Go and OpenSSL. + +Creation/Verification +--------------------- + +The program below outputs a test vector in the standard format we use and +also verifies that the encrypted value round trips as expected. The output +was also checked against OpenSSL by modifying ``cryptography`` to support +the algorithm. If you wish to run this program we recommend cloning the +repository, which also contains the requisite ``go.mod`` file. + +.. literalinclude:: /development/custom-vectors/rc2/genrc2.go + :language: go + +Download link: :download:`genrc2.go +` + +Download link: :download:`rc2.go +` diff --git a/docs/development/custom-vectors/rc2/genrc2.go b/docs/development/custom-vectors/rc2/genrc2.go new file mode 100644 index 000000000000..eaacf7510232 --- /dev/null +++ b/docs/development/custom-vectors/rc2/genrc2.go @@ -0,0 +1,35 @@ +package main + +import ( + "bytes" + "crypto/cipher" + "encoding/hex" + "fmt" + "rc2sucks/rc2" +) + +func main() { + // Generate + count := 1 + key := []byte("0000000000000000") + iv := []byte("00000000") + plaintext := []byte("the quick brown fox jumped over the lazy dog!!!!") + ciphertext := make([]byte, len(plaintext)) + block, _ := rc2.New(key, 128) + mode := cipher.NewCBCEncrypter(block, iv) + mode.CryptBlocks(ciphertext, plaintext) + fmt.Printf("COUNT = %v\n", count) + fmt.Printf("Key = %s\n", hex.EncodeToString(key)) + fmt.Printf("IV = %s\n", hex.EncodeToString(iv)) + fmt.Printf("Plaintext = %s\n", hex.EncodeToString(plaintext)) + fmt.Printf("Ciphertext = %s\n", hex.EncodeToString(ciphertext)) + // Verify + decrypted := make([]byte, len(plaintext)) + decmode := cipher.NewCBCDecrypter(block, iv) + decmode.CryptBlocks(decrypted, ciphertext) + if bytes.Equal(decrypted, plaintext) { + fmt.Println("Success") + } else { + fmt.Println("Failed") + } +} diff --git a/docs/development/custom-vectors/rc2/go.mod b/docs/development/custom-vectors/rc2/go.mod new file mode 100644 index 000000000000..ebc124b48faf --- /dev/null +++ b/docs/development/custom-vectors/rc2/go.mod @@ -0,0 +1,3 @@ +module rc2sucks + +go 1.21.7 diff --git a/docs/development/custom-vectors/rc2/rc2/rc2.go b/docs/development/custom-vectors/rc2/rc2/rc2.go new file mode 100644 index 000000000000..25025fa71101 --- /dev/null +++ b/docs/development/custom-vectors/rc2/rc2/rc2.go @@ -0,0 +1,269 @@ +// From https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.19.0:pkcs12/internal/rc2/rc2.go +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package rc2 implements the RC2 cipher +/* +https://www.ietf.org/rfc/rfc2268.txt +http://people.csail.mit.edu/rivest/pubs/KRRR98.pdf + +This code is licensed under the MIT license. +*/ +package rc2 + +import ( + "crypto/cipher" + "encoding/binary" + "math/bits" +) + +// The rc2 block size in bytes +const BlockSize = 8 + +type rc2Cipher struct { + k [64]uint16 +} + +// New returns a new rc2 cipher with the given key and effective key length t1 +func New(key []byte, t1 int) (cipher.Block, error) { + // TODO(dgryski): error checking for key length + return &rc2Cipher{ + k: expandKey(key, t1), + }, nil +} + +func (*rc2Cipher) BlockSize() int { return BlockSize } + +var piTable = [256]byte{ + 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d, + 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, + 0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32, + 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82, + 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, + 0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26, + 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03, + 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, + 0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a, + 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec, + 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc, 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, + 0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31, + 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9, + 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, + 0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e, + 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad, +} + +func expandKey(key []byte, t1 int) [64]uint16 { + + l := make([]byte, 128) + copy(l, key) + + var t = len(key) + var t8 = (t1 + 7) / 8 + var tm = byte(255 % uint(1<<(8+uint(t1)-8*uint(t8)))) + + for i := len(key); i < 128; i++ { + l[i] = piTable[l[i-1]+l[uint8(i-t)]] + } + + l[128-t8] = piTable[l[128-t8]&tm] + + for i := 127 - t8; i >= 0; i-- { + l[i] = piTable[l[i+1]^l[i+t8]] + } + + var k [64]uint16 + + for i := range k { + k[i] = uint16(l[2*i]) + uint16(l[2*i+1])*256 + } + + return k +} + +func (c *rc2Cipher) Encrypt(dst, src []byte) { + + r0 := binary.LittleEndian.Uint16(src[0:]) + r1 := binary.LittleEndian.Uint16(src[2:]) + r2 := binary.LittleEndian.Uint16(src[4:]) + r3 := binary.LittleEndian.Uint16(src[6:]) + + var j int + + for j <= 16 { + // mix r0 + r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) + r0 = bits.RotateLeft16(r0, 1) + j++ + + // mix r1 + r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) + r1 = bits.RotateLeft16(r1, 2) + j++ + + // mix r2 + r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) + r2 = bits.RotateLeft16(r2, 3) + j++ + + // mix r3 + r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) + r3 = bits.RotateLeft16(r3, 5) + j++ + + } + + r0 = r0 + c.k[r3&63] + r1 = r1 + c.k[r0&63] + r2 = r2 + c.k[r1&63] + r3 = r3 + c.k[r2&63] + + for j <= 40 { + // mix r0 + r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) + r0 = bits.RotateLeft16(r0, 1) + j++ + + // mix r1 + r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) + r1 = bits.RotateLeft16(r1, 2) + j++ + + // mix r2 + r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) + r2 = bits.RotateLeft16(r2, 3) + j++ + + // mix r3 + r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) + r3 = bits.RotateLeft16(r3, 5) + j++ + + } + + r0 = r0 + c.k[r3&63] + r1 = r1 + c.k[r0&63] + r2 = r2 + c.k[r1&63] + r3 = r3 + c.k[r2&63] + + for j <= 60 { + // mix r0 + r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) + r0 = bits.RotateLeft16(r0, 1) + j++ + + // mix r1 + r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) + r1 = bits.RotateLeft16(r1, 2) + j++ + + // mix r2 + r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) + r2 = bits.RotateLeft16(r2, 3) + j++ + + // mix r3 + r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) + r3 = bits.RotateLeft16(r3, 5) + j++ + } + + binary.LittleEndian.PutUint16(dst[0:], r0) + binary.LittleEndian.PutUint16(dst[2:], r1) + binary.LittleEndian.PutUint16(dst[4:], r2) + binary.LittleEndian.PutUint16(dst[6:], r3) +} + +func (c *rc2Cipher) Decrypt(dst, src []byte) { + + r0 := binary.LittleEndian.Uint16(src[0:]) + r1 := binary.LittleEndian.Uint16(src[2:]) + r2 := binary.LittleEndian.Uint16(src[4:]) + r3 := binary.LittleEndian.Uint16(src[6:]) + + j := 63 + + for j >= 44 { + // unmix r3 + r3 = bits.RotateLeft16(r3, 16-5) + r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) + j-- + + // unmix r2 + r2 = bits.RotateLeft16(r2, 16-3) + r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) + j-- + + // unmix r1 + r1 = bits.RotateLeft16(r1, 16-2) + r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) + j-- + + // unmix r0 + r0 = bits.RotateLeft16(r0, 16-1) + r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) + j-- + } + + r3 = r3 - c.k[r2&63] + r2 = r2 - c.k[r1&63] + r1 = r1 - c.k[r0&63] + r0 = r0 - c.k[r3&63] + + for j >= 20 { + // unmix r3 + r3 = bits.RotateLeft16(r3, 16-5) + r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) + j-- + + // unmix r2 + r2 = bits.RotateLeft16(r2, 16-3) + r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) + j-- + + // unmix r1 + r1 = bits.RotateLeft16(r1, 16-2) + r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) + j-- + + // unmix r0 + r0 = bits.RotateLeft16(r0, 16-1) + r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) + j-- + + } + + r3 = r3 - c.k[r2&63] + r2 = r2 - c.k[r1&63] + r1 = r1 - c.k[r0&63] + r0 = r0 - c.k[r3&63] + + for j >= 0 { + // unmix r3 + r3 = bits.RotateLeft16(r3, 16-5) + r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) + j-- + + // unmix r2 + r2 = bits.RotateLeft16(r2, 16-3) + r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) + j-- + + // unmix r1 + r1 = bits.RotateLeft16(r1, 16-2) + r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) + j-- + + // unmix r0 + r0 = bits.RotateLeft16(r0, 16-1) + r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) + j-- + + } + + binary.LittleEndian.PutUint16(dst[0:], r0) + binary.LittleEndian.PutUint16(dst[2:], r1) + binary.LittleEndian.PutUint16(dst[4:], r2) + binary.LittleEndian.PutUint16(dst[6:], r3) +} diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 0b1f238ffaa2..35f7b7b9864a 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -986,6 +986,7 @@ Symmetric ciphers * IDEA (ECB) from the `NESSIE IDEA vectors`_ created by `NESSIE`_. * IDEA (CBC, CFB, OFB) generated by this project. See: :doc:`/development/custom-vectors/idea` +* RC2-128-CBC generated by this project. See: :doc:`/development/custom-vectors/rc2` * SEED (ECB) from :rfc:`4269`. * SEED (CBC) from :rfc:`4196`. * SEED (CFB, OFB) generated by this project. @@ -1029,6 +1030,7 @@ Created Vectors custom-vectors/idea custom-vectors/seed custom-vectors/hkdf + custom-vectors/rc2 If official test vectors appear in the future the custom generated vectors diff --git a/vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt b/vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt new file mode 100644 index 000000000000..4bff7c3518b5 --- /dev/null +++ b/vectors/cryptography_vectors/ciphers/RC2/rc2-cbc.txt @@ -0,0 +1,8 @@ +# RC2 128-bit CBC vector built for https://github.com/pyca/cryptography +# Verified against OpenSSL and Go crypto + +COUNT = 0 +Key = 30303030303030303030303030303030 +IV = 3030303030303030 +Plaintext = 74686520717569636b2062726f776e20666f78206a756d706564206f76657220746865206c617a7920646f6721212121 +Ciphertext = 5b886175cdbb0161badf64936b8ee4cb8f4b75fc28833f61668bb2bea88cfd32c410ac7ec016c5028f75078a88968887 From 8f9d79ddcf2b52b3553423d3f1473d27a05b9b26 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 16 Feb 2024 22:20:33 -0500 Subject: [PATCH 120/868] Install '.' in nox in a way that's uv friendly (#10405) --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 999654427eca..50f7f488f409 100644 --- a/noxfile.py +++ b/noxfile.py @@ -288,7 +288,7 @@ def local(session): "noxfile.py", ) - install(session, ".") + install(session, "cryptography @ .") if session.posargs: tests = session.posargs From 6643f54ac9620d94330d4a31ffc58763168c3e29 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 16 Feb 2024 22:21:06 -0500 Subject: [PATCH 121/868] Don't install cryptography_vectors 2x in local nox (#10406) Now that it's a part of the test extras, we were installing it twice, once from PyPI and once from local. Don't do that. --- noxfile.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 50f7f488f409..4aab73149c18 100644 --- a/noxfile.py +++ b/noxfile.py @@ -250,11 +250,15 @@ def rust(session: nox.Session) -> None: @nox.session def local(session): pyproject_data = load_pyproject_toml() + test_dependencies = pyproject_data["project"]["optional-dependencies"][ + "test" + ] + test_dependencies.remove("cryptography_vectors") install( session, *pyproject_data["build-system"]["requires"], *pyproject_data["project"]["optional-dependencies"]["pep8test"], - *pyproject_data["project"]["optional-dependencies"]["test"], + *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], "flit", From 429d34906ce39c082413c10c23386e0b1f520230 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 16 Feb 2024 19:40:43 -0800 Subject: [PATCH 122/868] support RC2-CBC (#10407) This PR supports a bad old algorithm to support a scapy use case, but does not expose support for effective key bits or any key length other than 128-bit. CBC support only -- no other modes. --- .../hazmat/backends/openssl/backend.py | 9 +---- .../hazmat/decrepit/ciphers/algorithms.py | 15 ++++++++ tests/hazmat/primitives/decrepit/test_rc2.py | 37 +++++++++++++++++++ tests/hazmat/primitives/test_pkcs12.py | 7 +++- 4 files changed, 59 insertions(+), 9 deletions(-) create mode 100644 tests/hazmat/primitives/decrepit/test_rc2.py diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d20945d6a6de..5dea4dcda82c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -18,6 +18,7 @@ ARC4, CAST5, IDEA, + RC2, SEED, Blowfish, TripleDES, @@ -68,11 +69,6 @@ _MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"]) -# Not actually supported, just used as a marker for some serialization tests. -class _RC2: - pass - - class Backend: """ OpenSSL API binding interfaces. @@ -291,9 +287,8 @@ def _register_default_ciphers(self) -> None: self.register_cipher_adapter( ARC4, type(None), GetCipherByName("rc4") ) - # We don't actually support RC2, this is just used by some tests. self.register_cipher_adapter( - _RC2, type(None), GetCipherByName("rc2") + RC2, CBC, GetCipherByName("{cipher.name}-{mode.name}") ) def create_symmetric_encryption_ctx( diff --git a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py index 68cd533c9c97..a7d4aa3c5d87 100644 --- a/src/cryptography/hazmat/decrepit/ciphers/algorithms.py +++ b/src/cryptography/hazmat/decrepit/ciphers/algorithms.py @@ -90,3 +90,18 @@ def __init__(self, key: bytes): @property def key_size(self) -> int: return len(self.key) * 8 + + +# This class only allows RC2 with a 128-bit key. No support for +# effective key bits or other key sizes is provided. +class RC2(BlockCipherAlgorithm): + name = "RC2" + block_size = 64 + key_sizes = frozenset([128]) + + def __init__(self, key: bytes): + self.key = _verify_key_size(self, key) + + @property + def key_size(self) -> int: + return len(self.key) * 8 diff --git a/tests/hazmat/primitives/decrepit/test_rc2.py b/tests/hazmat/primitives/decrepit/test_rc2.py new file mode 100644 index 000000000000..ecd4ce2accc2 --- /dev/null +++ b/tests/hazmat/primitives/decrepit/test_rc2.py @@ -0,0 +1,37 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +""" +Test using the NIST Test Vectors +""" + + +import binascii +import os + +import pytest + +from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 +from cryptography.hazmat.primitives.ciphers import modes + +from ....utils import load_nist_vectors +from ..utils import generate_encrypt_test + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + RC2(b"\x00" * 16), modes.CBC(b"\x00" * 8) + ), + skip_message="Does not support RC2 CBC", +) +class TestRC2ModeCBC: + test_kat = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "RC2"), + [ + "rc2-cbc.txt", + ], + lambda key, **kwargs: RC2(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + ) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index cd9c279ac4b0..f49c98a4ed3d 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -10,7 +10,7 @@ from cryptography import x509 from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl.backend import _RC2 +from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( dsa, @@ -19,6 +19,7 @@ ed25519, rsa, ) +from cryptography.hazmat.primitives.ciphers.modes import CBC from cryptography.hazmat.primitives.serialization import ( Encoding, PublicFormat, @@ -81,7 +82,9 @@ def test_load_pkcs12_ec_keys(self, filename, password, backend): ], ) @pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported(_RC2(), None), + only_if=lambda backend: backend.cipher_supported( + RC2(b"0" * 16), CBC(b"0" * 8) + ), skip_message="Does not support RC2", ) def test_load_pkcs12_ec_keys_rc2(self, filename, password, backend): From 8992995c1bf60c2ee334a856075109858c36ce62 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Feb 2024 10:40:53 -0500 Subject: [PATCH 123/868] Fix rust warnings when building with BoringSSL (#10408) --- noxfile.py | 2 +- src/rust/cryptography-openssl/src/aead.rs | 6 ++++++ src/rust/cryptography-openssl/src/hmac.rs | 3 +++ src/rust/src/backend/aead.rs | 8 ++++++-- src/rust/src/backend/keys.rs | 2 ++ src/rust/src/lib.rs | 2 ++ src/rust/src/pkcs7.rs | 12 ++++++++---- src/rust/src/types.rs | 4 ++++ 8 files changed, 32 insertions(+), 7 deletions(-) diff --git a/noxfile.py b/noxfile.py index 4aab73149c18..ea4f205e1764 100644 --- a/noxfile.py +++ b/noxfile.py @@ -292,7 +292,7 @@ def local(session): "noxfile.py", ) - install(session, "cryptography @ .") + install(session, ".") if session.posargs: tests = session.posargs diff --git a/src/rust/cryptography-openssl/src/aead.rs b/src/rust/cryptography-openssl/src/aead.rs index 000d5a9c65f9..42f0fd7f8041 100644 --- a/src/rust/cryptography-openssl/src/aead.rs +++ b/src/rust/cryptography-openssl/src/aead.rs @@ -17,15 +17,19 @@ foreign_types::foreign_type! { pub struct AeadCtxRef; } +// SAFETY: Can safely be used from multiple threads concurrently. unsafe impl Sync for AeadCtx {} +// SAFETY: Can safely be sent between threads. unsafe impl Send for AeadCtx {} impl AeadCtx { pub fn new(aead: AeadType, key: &[u8]) -> OpenSSLResult { let aead = match aead { + // SAFETY: No preconditions. AeadType::ChaCha20Poly1305 => unsafe { ffi::EVP_aead_chacha20_poly1305() }, }; + // SAFETY: We're passing a valid key and aead. unsafe { let ctx = cvt_p(ffi::EVP_AEAD_CTX_new( aead, @@ -47,6 +51,7 @@ impl AeadCtxRef { out: &mut [u8], ) -> OpenSSLResult<()> { let mut out_len = out.len(); + // SAFETY: All the lengths and pointers are known valid. unsafe { cvt(ffi::EVP_AEAD_CTX_seal( self.as_ptr(), @@ -72,6 +77,7 @@ impl AeadCtxRef { out: &mut [u8], ) -> OpenSSLResult<()> { let mut out_len = out.len(); + // SAFETY: All the lengths and pointers are known valid. unsafe { cvt(ffi::EVP_AEAD_CTX_open( self.as_ptr(), diff --git a/src/rust/cryptography-openssl/src/hmac.rs b/src/rust/cryptography-openssl/src/hmac.rs index 84b3a1e3b9b5..64abf83d40ae 100644 --- a/src/rust/cryptography-openssl/src/hmac.rs +++ b/src/rust/cryptography-openssl/src/hmac.rs @@ -22,6 +22,9 @@ unsafe impl Sync for Hmac {} unsafe impl Send for Hmac {} impl Hmac { + // On BoringSSL, the length is a size_t, so the length conversion is a + // no-op. + #[cfg_attr(CRYPTOGRAPHY_IS_BORINGSSL, allow(clippy::useless_conversion))] pub fn new(key: &[u8], md: openssl::hash::MessageDigest) -> OpenSSLResult { // SAFETY: All FFI conditions are handled. unsafe { diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 7afd7a172e94..2438ae644cb6 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -276,6 +276,7 @@ struct LazyEvpCipherAead { } impl LazyEvpCipherAead { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn new( cipher: &'static openssl::cipher::CipherRef, key: pyo3::Py, @@ -706,12 +707,15 @@ impl AesCcm { ) -> CryptographyResult { cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] { - return Err(CryptographyError::from( + let _ = py; + let _ = key; + let _ = tag_length; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-CCM is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); + )) } else { let key_buf = key.extract::>(py)?; let cipher = match key_buf.as_bytes().len() { diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index f4faecdb5c9e..6af0b923aebc 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -243,9 +243,11 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu #[cfg(test)] mod tests { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use super::public_key_from_pkey; #[test] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn test_public_key_from_pkey_unknown_key() { pyo3::prepare_freethreaded_python(); diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index a21f3986dd18..56093af012fb 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -4,9 +4,11 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; mod asn1; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index f307cf483ad7..28edd016b863 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -345,12 +345,14 @@ fn load_pem_pkcs7_certificates<'p>( })?; load_pkcs7_certificates(py, pkcs7_decoded) } else { - return Err(CryptographyError::from( + let _ = py; + let _ = data; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "PKCS#7 is not supported by this backend.", exceptions::Reasons::UNSUPPORTED_SERIALIZATION, )), - )); + )) } } } @@ -369,12 +371,14 @@ fn load_der_pkcs7_certificates<'p>( })?; load_pkcs7_certificates(py, pkcs7_decoded) } else { - return Err(CryptographyError::from( + let _ = py; + let _ = data; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "PKCS#7 is not supported by this backend.", exceptions::Reasons::UNSUPPORTED_SERIALIZATION, )), - )); + )) } } } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index ddd5d8f452ff..10272e14aa8f 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -473,6 +473,7 @@ pub static AES256: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["AES256"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["SM4"], @@ -480,14 +481,17 @@ pub static SM4: LazyPyImport = LazyPyImport::new( #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] pub static SEED: LazyPyImport = LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["SEED"]); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] pub static CAMELLIA: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["Camellia"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] pub static BLOWFISH: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.decrepit.ciphers.algorithms", &["Blowfish"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] pub static CAST5: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.decrepit.ciphers.algorithms", &["CAST5"], From ffaab66c18fb0cdd742d9b125d713c950c96361c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Feb 2024 11:28:59 -0500 Subject: [PATCH 124/868] Run rust tests and clippy with BoringSSL and LibreSSL (#10409) * Run rust tests and clippy with BoringSSL and LibreSSL * Don't bother building a shared libressl * Update ci.yml * improve libressl build --- .github/workflows/build_openssl.sh | 4 ++-- .github/workflows/ci.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index 013fcf42698a..b646a325a98a 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -60,9 +60,9 @@ elif [[ "${TYPE}" == "libressl" ]]; then curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" tar zxf "libressl-${VERSION}.tar.gz" pushd "libressl-${VERSION}" - ./config -Wl -Wl,-Bsymbolic-functions -fPIC shared --prefix="${OSSL_PATH}" + ./configure --disable-shared --prefix="${OSSL_PATH}" shlib_sed - make -j"$(nproc)" install + make -j"$(nproc)" install CFLAGS="-fPIC" # delete binaries, libtls, and docs we don't need. can't skip install/compile sadly rm -rf "${OSSL_PATH}/bin" rm -rf "${OSSL_PATH}/share" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 08a13a83b4ce..a1fd2a5387dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,10 +40,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} # Latest commit on the OpenSSL master branch, as of Feb 15, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d597b46f9bdb533761e36fcf1d96ce83f3f6f04d"}} # Builds with various Rust versions. Includes MSRV and next @@ -102,7 +102,7 @@ jobs: # When altering the openssl build process you may need to increment # the value on the end of this cache key so that you can prevent it # from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-9 + key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-11 if: matrix.PYTHON.OPENSSL - name: Build custom OpenSSL/LibreSSL run: .github/workflows/build_openssl.sh From 33e74ad45a2f377beb272b297da108eefc2ec9cd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 17 Feb 2024 08:49:48 -0800 Subject: [PATCH 125/868] Bump BoringSSL and/or OpenSSL in CI (#10404) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- src/rust/cryptography-openssl/build.rs | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a1fd2a5387dc..6aa6062bff3e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 15, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba5eb621d7d9bf2872386b4303fd5e9aa64f7230"}} - # Latest commit on the OpenSSL master branch, as of Feb 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d597b46f9bdb533761e36fcf1d96ce83f3f6f04d"}} + # Latest commit on the BoringSSL master branch, as of Feb 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "99e8c6e2a383a25679c3d6767702732b27bc16ea"}} + # Latest commit on the OpenSSL master branch, as of Feb 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c3e8d67885c0c4295cfd1df35a41bf1f3fa9dc37"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index a0b4566a753c..5e626f7de614 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs @@ -20,5 +20,6 @@ fn main() { if env::var("DEP_OPENSSL_BORINGSSL").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL"); + println!("cargo:rustc-link-lib=stdc++"); } } From d8cadccf06874b12e7b81a30651ea255c5a5021a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:04:34 +0000 Subject: [PATCH 126/868] Bump ruff from 0.2.1 to 0.2.2 (#10411) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.2.1 to 0.2.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.2.1...v0.2.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c60b11bbfab6..27a5a9ffa3da 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==42.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.2.1 +ruff==0.2.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 291f6b80cf4f25691515186b4fc9ffeb91eee700 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:04:49 +0000 Subject: [PATCH 127/868] Bump dawidd6/action-download-artifact from 3.1.0 to 3.1.1 (#10410) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/f6b0bace624032e30a85a8fd9c1a7f8f611f5737...72aaadce3bc708349fc665eee3785cbb1b6e51d0) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6aa6062bff3e..0cb9bf9d91fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -256,7 +256,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -316,7 +316,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 620697af42f2..40ba5997c319 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -44,7 +44,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 416db67e8c06..3223f7982f86 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@f6b0bace624032e30a85a8fd9c1a7f8f611f5737 # v3.1.0 + - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 with: repo: pyca/infra workflow: build-windows-openssl.yml From 33d3bde5a4751f72f41834850907aa75b8523c29 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:05:01 +0000 Subject: [PATCH 128/868] Bump urllib3 from 2.2.0 to 2.2.1 (#10412) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.0...2.2.1) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 27a5a9ffa3da..460c621257e8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -148,7 +148,7 @@ tomli==2.0.1 # pytest typing-extensions==4.9.0; python_version >= "3.8" # via mypy -urllib3==2.2.0 +urllib3==2.2.1 # via requests virtualenv==20.25.0 # via nox From b89e32c7ec3826bd79d52f54b63e1b5a424b2963 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 15:05:12 +0000 Subject: [PATCH 129/868] Bump urllib3 from 2.2.0 to 2.2.1 in /.github/requirements (#10413) * Bump urllib3 from 2.2.0 to 2.2.1 in /.github/requirements Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.0...2.2.1) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d01b3a50121c..65dfc67bce00 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -590,9 +590,9 @@ typing-extensions==4.9.0 \ # via # pydantic # pydantic-core -urllib3==2.2.0 \ - --hash=sha256:051d961ad0c62a94e50ecf1af379c3aba230c66c710493493560c0c223c49f20 \ - --hash=sha256:ce3711610ddce217e6d113a2732fafad960a03fd0318c91faa79481e35c11224 +urllib3==2.2.1 \ + --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ + --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19 # via # requests # twine From ce7ae1a575d7de0407d4135589053fcee3295cde Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Feb 2024 11:14:14 -0500 Subject: [PATCH 130/868] Added more logging to pypi-publish.yml (#10416) --- .github/workflows/pypi-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 40ba5997c319..bd31dbaeaaf3 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -31,6 +31,9 @@ jobs: permissions: id-token: "write" steps: + - run: echo "$EVENT_CONTEXT" + env: + EVENT_CONTEXT: ${{ toJson(github.event) }} - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: "3.11" From 88cb4dab956fea40494a1799107d333b8ac6d078 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 18 Feb 2024 08:15:18 -0800 Subject: [PATCH 131/868] Bump dnspython from 2.5.0 to 2.6.0 in /.github/requirements (#10414) * Bump dnspython from 2.5.0 to 2.6.0 in /.github/requirements Bumps [dnspython](https://github.com/rthalley/dnspython) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/rthalley/dnspython/releases) - [Changelog](https://github.com/rthalley/dnspython/blob/main/doc/whatsnew.rst) - [Commits](https://github.com/rthalley/dnspython/compare/v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: dnspython dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 65dfc67bce00..7d96e71a86ae 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -203,9 +203,9 @@ cryptography==42.0.3 \ # pyopenssl # secretstorage # sigstore -dnspython==2.5.0 \ - --hash=sha256:6facdf76b73c742ccf2d07add296f178e629da60be23ce4b0a9c927b1e02c3a6 \ - --hash=sha256:a0034815a59ba9ae888946be7ccca8f7c157b286f8455b379c692efb51022a15 +dnspython==2.6.0 \ + --hash=sha256:233f871ff384d84c33b2eaf4358ffe7f8927eae3b257ad8467f9bdba7e7ac6bc \ + --hash=sha256:44c40af3bffed66e3307cea9ab667fd583e138ecc0777b18f262a9dae034e5fa # via email-validator docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ From 50ea0faab70d2830e7d89756731fecf9ca64528e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Feb 2024 17:23:21 -0500 Subject: [PATCH 132/868] Convert symmetric ciphers to Rust (#9859) --- .../hazmat/backends/openssl/backend.py | 164 +---- .../hazmat/backends/openssl/ciphers.py | 282 --------- .../bindings/_rust/openssl/__init__.pyi | 2 + .../hazmat/bindings/_rust/openssl/ciphers.pyi | 38 ++ .../hazmat/bindings/openssl/binding.py | 8 +- .../hazmat/primitives/ciphers/base.py | 143 +---- src/rust/src/backend/cipher_registry.rs | 184 +++++- src/rust/src/backend/ciphers.rs | 567 ++++++++++++++++++ src/rust/src/backend/mod.rs | 2 + src/rust/src/buf.rs | 59 +- src/rust/src/exceptions.rs | 2 + src/rust/src/types.rs | 45 ++ src/rust/src/x509/common.rs | 2 +- tests/hazmat/backends/test_openssl.py | 31 - tests/hazmat/primitives/test_aes_gcm.py | 53 +- 15 files changed, 899 insertions(+), 683 deletions(-) delete mode 100644 src/cryptography/hazmat/backends/openssl/ciphers.py create mode 100644 src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi create mode 100644 src/rust/src/backend/ciphers.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 5dea4dcda82c..54c4b11401da 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -6,23 +6,12 @@ import collections import contextlib -import itertools import typing from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm -from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding -from cryptography.hazmat.decrepit.ciphers.algorithms import ( - ARC4, - CAST5, - IDEA, - RC2, - SEED, - Blowfish, - TripleDES, -) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import ec @@ -41,21 +30,9 @@ ) from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, - AES128, - AES256, - SM4, - Camellia, - ChaCha20, ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, - CFB, - CFB8, - CTR, - ECB, - GCM, - OFB, - XTS, Mode, ) from cryptography.hazmat.primitives.serialization.pkcs12 import ( @@ -113,12 +90,6 @@ def __init__(self) -> None: self._lib = self._binding.lib self._fips_enabled = rust_openssl.is_fips_enabled() - self._cipher_registry: dict[ - tuple[type[CipherAlgorithm], type[Mode]], - typing.Callable, - ] = {} - self._register_default_ciphers() - def __repr__(self) -> str: return "".format( self.openssl_version_text(), @@ -126,12 +97,8 @@ def __repr__(self) -> str: rust_openssl._legacy_provider_loaded, ) - def openssl_assert( - self, - ok: bool, - errors: list[rust_openssl.OpenSSLError] | None = None, - ) -> None: - return binding._openssl_assert(ok, errors=errors) + def openssl_assert(self, ok: bool) -> None: + return binding._openssl_assert(ok) def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that @@ -204,102 +171,7 @@ def cipher_supported(self, cipher: CipherAlgorithm, mode: Mode) -> bool: if not isinstance(cipher, self._fips_ciphers): return False - try: - adapter = self._cipher_registry[type(cipher), type(mode)] - except KeyError: - return False - evp_cipher = adapter(self, cipher, mode) - return self._ffi.NULL != evp_cipher - - def register_cipher_adapter(self, cipher_cls, mode_cls, adapter) -> None: - if (cipher_cls, mode_cls) in self._cipher_registry: - raise ValueError( - f"Duplicate registration for: {cipher_cls} {mode_cls}." - ) - self._cipher_registry[cipher_cls, mode_cls] = adapter - - def _register_default_ciphers(self) -> None: - for cipher_cls in [AES, AES128, AES256]: - for mode_cls in [CBC, CTR, ECB, OFB, CFB, CFB8, GCM]: - self.register_cipher_adapter( - cipher_cls, - mode_cls, - GetCipherByName( - "{cipher.name}-{cipher.key_size}-{mode.name}" - ), - ) - for mode_cls in [CBC, CTR, ECB, OFB, CFB]: - self.register_cipher_adapter( - Camellia, - mode_cls, - GetCipherByName("{cipher.name}-{cipher.key_size}-{mode.name}"), - ) - for mode_cls in [CBC, CFB, CFB8, OFB]: - self.register_cipher_adapter( - TripleDES, mode_cls, GetCipherByName("des-ede3-{mode.name}") - ) - self.register_cipher_adapter( - TripleDES, ECB, GetCipherByName("des-ede3") - ) - # ChaCha20 uses the Long Name "chacha20" in OpenSSL, but in LibreSSL - # it uses "chacha" - self.register_cipher_adapter( - ChaCha20, - type(None), - GetCipherByName( - "chacha" if self._lib.CRYPTOGRAPHY_IS_LIBRESSL else "chacha20" - ), - ) - self.register_cipher_adapter(AES, XTS, _get_xts_cipher) - for mode_cls in [ECB, CBC, OFB, CFB, CTR, GCM]: - self.register_cipher_adapter( - SM4, mode_cls, GetCipherByName("sm4-{mode.name}") - ) - # Don't register legacy ciphers if they're unavailable. Hypothetically - # this wouldn't be necessary because we test availability by seeing if - # we get an EVP_CIPHER * in the _CipherContext __init__, but OpenSSL 3 - # will return a valid pointer even though the cipher is unavailable. - if ( - rust_openssl._legacy_provider_loaded - or not self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - ): - for mode_cls in [CBC, CFB, OFB, ECB]: - self.register_cipher_adapter( - Blowfish, - mode_cls, - GetCipherByName("bf-{mode.name}"), - ) - for mode_cls in [CBC, CFB, OFB, ECB]: - self.register_cipher_adapter( - SEED, - mode_cls, - GetCipherByName("seed-{mode.name}"), - ) - for cipher_cls, mode_cls in itertools.product( - [CAST5, IDEA], - [CBC, OFB, CFB, ECB], - ): - self.register_cipher_adapter( - cipher_cls, - mode_cls, - GetCipherByName("{cipher.name}-{mode.name}"), - ) - self.register_cipher_adapter( - ARC4, type(None), GetCipherByName("rc4") - ) - self.register_cipher_adapter( - RC2, CBC, GetCipherByName("{cipher.name}-{mode.name}") - ) - - def create_symmetric_encryption_ctx( - self, cipher: CipherAlgorithm, mode: Mode - ) -> _CipherContext: - return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) - - def create_symmetric_decryption_ctx( - self, cipher: CipherAlgorithm, mode: Mode - ) -> _CipherContext: - return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) + return rust_openssl.ciphers.cipher_supported(cipher, mode) def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: return self.hmac_supported(algorithm) @@ -834,34 +706,4 @@ def pkcs7_supported(self) -> bool: return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL -class GetCipherByName: - def __init__(self, fmt: str): - self._fmt = fmt - - def __call__(self, backend: Backend, cipher: CipherAlgorithm, mode: Mode): - cipher_name = self._fmt.format(cipher=cipher, mode=mode).lower() - evp_cipher = backend._lib.EVP_get_cipherbyname( - cipher_name.encode("ascii") - ) - - # try EVP_CIPHER_fetch if present - if ( - evp_cipher == backend._ffi.NULL - and backend._lib.Cryptography_HAS_300_EVP_CIPHER - ): - evp_cipher = backend._lib.EVP_CIPHER_fetch( - backend._ffi.NULL, - cipher_name.encode("ascii"), - backend._ffi.NULL, - ) - - backend._consume_errors() - return evp_cipher - - -def _get_xts_cipher(backend: Backend, cipher: AES, mode): - cipher_name = f"aes-{cipher.key_size // 2}-xts" - return backend._lib.EVP_get_cipherbyname(cipher_name.encode("ascii")) - - backend = Backend() diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py deleted file mode 100644 index 3916b1a510ad..000000000000 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ /dev/null @@ -1,282 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -import typing - -from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm, _Reasons -from cryptography.hazmat.primitives import ciphers -from cryptography.hazmat.primitives.ciphers import algorithms, modes - -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.backend import Backend - - -class _CipherContext: - _ENCRYPT = 1 - _DECRYPT = 0 - _MAX_CHUNK_SIZE = 2**29 - - def __init__(self, backend: Backend, cipher, mode, operation: int) -> None: - self._backend = backend - self._cipher = cipher - self._mode = mode - self._operation = operation - self._tag: bytes | None = None - - if isinstance(self._cipher, ciphers.BlockCipherAlgorithm): - self._block_size_bytes = self._cipher.block_size // 8 - else: - self._block_size_bytes = 1 - - ctx = self._backend._lib.EVP_CIPHER_CTX_new() - ctx = self._backend._ffi.gc( - ctx, self._backend._lib.EVP_CIPHER_CTX_free - ) - - registry = self._backend._cipher_registry - try: - adapter = registry[type(cipher), type(mode)] - except KeyError: - raise UnsupportedAlgorithm( - "cipher {} in {} mode is not supported " - "by this backend.".format( - cipher.name, mode.name if mode else mode - ), - _Reasons.UNSUPPORTED_CIPHER, - ) - - evp_cipher = adapter(self._backend, cipher, mode) - if evp_cipher == self._backend._ffi.NULL: - msg = f"cipher {cipher.name} " - if mode is not None: - msg += f"in {mode.name} mode " - msg += ( - "is not supported by this backend (Your version of OpenSSL " - "may be too old. Current version: {}.)" - ).format(self._backend.openssl_version_text()) - raise UnsupportedAlgorithm(msg, _Reasons.UNSUPPORTED_CIPHER) - - if isinstance(mode, modes.ModeWithInitializationVector): - iv_nonce = self._backend._ffi.from_buffer( - mode.initialization_vector - ) - elif isinstance(mode, modes.ModeWithTweak): - iv_nonce = self._backend._ffi.from_buffer(mode.tweak) - elif isinstance(mode, modes.ModeWithNonce): - iv_nonce = self._backend._ffi.from_buffer(mode.nonce) - elif isinstance(cipher, algorithms.ChaCha20): - iv_nonce = self._backend._ffi.from_buffer(cipher.nonce) - else: - iv_nonce = self._backend._ffi.NULL - # begin init with cipher and operation type - res = self._backend._lib.EVP_CipherInit_ex( - ctx, - evp_cipher, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - operation, - ) - self._backend.openssl_assert(res != 0) - # set the key length to handle variable key ciphers - res = self._backend._lib.EVP_CIPHER_CTX_set_key_length( - ctx, len(cipher.key) - ) - self._backend.openssl_assert(res != 0) - if isinstance(mode, modes.GCM): - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - self._backend._lib.EVP_CTRL_AEAD_SET_IVLEN, - len(iv_nonce), - self._backend._ffi.NULL, - ) - self._backend.openssl_assert(res != 0) - if mode.tag is not None: - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - ctx, - self._backend._lib.EVP_CTRL_AEAD_SET_TAG, - len(mode.tag), - mode.tag, - ) - self._backend.openssl_assert(res != 0) - self._tag = mode.tag - - # pass key/iv - res = self._backend._lib.EVP_CipherInit_ex( - ctx, - self._backend._ffi.NULL, - self._backend._ffi.NULL, - self._backend._ffi.from_buffer(cipher.key), - iv_nonce, - operation, - ) - - # Check for XTS mode duplicate keys error - errors = self._backend._consume_errors() - lib = self._backend._lib - if res == 0 and ( - ( - not lib.CRYPTOGRAPHY_IS_LIBRESSL - and errors[0]._lib_reason_match( - lib.ERR_LIB_EVP, lib.EVP_R_XTS_DUPLICATED_KEYS - ) - ) - or ( - lib.Cryptography_HAS_PROVIDERS - and errors[0]._lib_reason_match( - lib.ERR_LIB_PROV, lib.PROV_R_XTS_DUPLICATED_KEYS - ) - ) - ): - raise ValueError("In XTS mode duplicated keys are not allowed") - - self._backend.openssl_assert(res != 0, errors=errors) - - # We purposely disable padding here as it's handled higher up in the - # API. - self._backend._lib.EVP_CIPHER_CTX_set_padding(ctx, 0) - self._ctx = ctx - - def update(self, data: bytes) -> bytes: - buf = bytearray(len(data) + self._block_size_bytes - 1) - n = self.update_into(data, buf) - return bytes(buf[:n]) - - def update_into(self, data: bytes, buf: bytes) -> int: - total_data_len = len(data) - if len(buf) < (total_data_len + self._block_size_bytes - 1): - raise ValueError( - "buffer must be at least {} bytes for this payload".format( - len(data) + self._block_size_bytes - 1 - ) - ) - - data_processed = 0 - total_out = 0 - outlen = self._backend._ffi.new("int *") - baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) - baseinbuf = self._backend._ffi.from_buffer(data) - - while data_processed != total_data_len: - outbuf = baseoutbuf + total_out - inbuf = baseinbuf + data_processed - inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed) - - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, outbuf, outlen, inbuf, inlen - ) - if res == 0 and isinstance(self._mode, modes.XTS): - self._backend._consume_errors() - raise ValueError( - "In XTS mode you must supply at least a full block in the " - "first update call. For AES this is 16 bytes." - ) - else: - self._backend.openssl_assert(res != 0) - data_processed += inlen - total_out += outlen[0] - - return total_out - - def finalize(self) -> bytes: - if ( - self._operation == self._DECRYPT - and isinstance(self._mode, modes.ModeWithAuthenticationTag) - and self.tag is None - ): - raise ValueError( - "Authentication tag must be provided when decrypting." - ) - - buf = self._backend._ffi.new("unsigned char[]", self._block_size_bytes) - outlen = self._backend._ffi.new("int *") - res = self._backend._lib.EVP_CipherFinal_ex(self._ctx, buf, outlen) - if res == 0: - errors = self._backend._consume_errors() - - if not errors and isinstance(self._mode, modes.GCM): - raise InvalidTag - - lib = self._backend._lib - self._backend.openssl_assert( - errors[0]._lib_reason_match( - lib.ERR_LIB_EVP, - lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, - ) - or ( - lib.Cryptography_HAS_PROVIDERS - and errors[0]._lib_reason_match( - lib.ERR_LIB_PROV, - lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, - ) - ) - or ( - lib.CRYPTOGRAPHY_IS_BORINGSSL - and errors[0].reason - == lib.CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - ), - errors=errors, - ) - raise ValueError( - "The length of the provided data is not a multiple of " - "the block length." - ) - - if ( - isinstance(self._mode, modes.GCM) - and self._operation == self._ENCRYPT - ): - tag_buf = self._backend._ffi.new( - "unsigned char[]", self._block_size_bytes - ) - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - self._ctx, - self._backend._lib.EVP_CTRL_AEAD_GET_TAG, - self._block_size_bytes, - tag_buf, - ) - self._backend.openssl_assert(res != 0) - self._tag = self._backend._ffi.buffer(tag_buf)[:] - - res = self._backend._lib.EVP_CIPHER_CTX_reset(self._ctx) - self._backend.openssl_assert(res == 1) - return self._backend._ffi.buffer(buf)[: outlen[0]] - - def finalize_with_tag(self, tag: bytes) -> bytes: - tag_len = len(tag) - if tag_len < self._mode._min_tag_length: - raise ValueError( - "Authentication tag must be {} bytes or longer.".format( - self._mode._min_tag_length - ) - ) - elif tag_len > self._block_size_bytes: - raise ValueError( - "Authentication tag cannot be more than {} bytes.".format( - self._block_size_bytes - ) - ) - res = self._backend._lib.EVP_CIPHER_CTX_ctrl( - self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG, len(tag), tag - ) - self._backend.openssl_assert(res != 0) - self._tag = tag - return self.finalize() - - def authenticate_additional_data(self, data: bytes) -> None: - outlen = self._backend._ffi.new("int *") - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, - self._backend._ffi.NULL, - outlen, - self._backend._ffi.from_buffer(data), - len(data), - ) - self._backend.openssl_assert(res != 0) - - @property - def tag(self) -> bytes | None: - return self._tag diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index c4997fc12a61..d5ec2522fe1d 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -6,6 +6,7 @@ import typing from cryptography.hazmat.bindings._rust.openssl import ( aead, + ciphers, cmac, dh, dsa, @@ -27,6 +28,7 @@ __all__ = [ "openssl_version_text", "raise_openssl_error", "aead", + "ciphers", "cmac", "dh", "dsa", diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi new file mode 100644 index 000000000000..759f3b591cba --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/openssl/ciphers.pyi @@ -0,0 +1,38 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import typing + +from cryptography.hazmat.primitives import ciphers +from cryptography.hazmat.primitives.ciphers import modes + +@typing.overload +def create_encryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.ModeWithAuthenticationTag +) -> ciphers.AEADEncryptionContext: ... +@typing.overload +def create_encryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.Mode +) -> ciphers.CipherContext: ... +@typing.overload +def create_decryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.ModeWithAuthenticationTag +) -> ciphers.AEADDecryptionContext: ... +@typing.overload +def create_decryption_ctx( + algorithm: ciphers.CipherAlgorithm, mode: modes.Mode +) -> ciphers.CipherContext: ... +def cipher_supported( + algorithm: ciphers.CipherAlgorithm, mode: modes.Mode +) -> bool: ... +def _advance( + ctx: ciphers.AEADEncryptionContext | ciphers.AEADDecryptionContext, n: int +) -> None: ... +def _advance_aad( + ctx: ciphers.AEADEncryptionContext | ciphers.AEADDecryptionContext, n: int +) -> None: ... + +class CipherContext: ... +class AEADEncryptionContext: ... +class AEADDecryptionContext: ... diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index d9f81ce8dcec..4e24914a37fc 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -17,13 +17,9 @@ from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES -def _openssl_assert( - ok: bool, - errors: list[openssl.OpenSSLError] | None = None, -) -> None: +def _openssl_assert(ok: bool) -> None: if not ok: - if errors is None: - errors = openssl.capture_error_stack() + errors = openssl.capture_error_stack() raise InternalError( "Unknown OpenSSL error. This error is commonly encountered when " diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index 2082df669a23..7c32cbec693e 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py @@ -7,19 +7,10 @@ import abc import typing -from cryptography.exceptions import ( - AlreadyFinalized, - AlreadyUpdated, - NotYetFinalized, -) +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives._cipheralgorithm import CipherAlgorithm from cryptography.hazmat.primitives.ciphers import modes -if typing.TYPE_CHECKING: - from cryptography.hazmat.backends.openssl.ciphers import ( - _CipherContext as _BackendCipherContext, - ) - class CipherContext(metaclass=abc.ABCMeta): @abc.abstractmethod @@ -112,12 +103,10 @@ def encryptor(self): raise ValueError( "Authentication tag must be None when encrypting." ) - from cryptography.hazmat.backends.openssl.backend import backend - ctx = backend.create_symmetric_encryption_ctx( + return rust_openssl.ciphers.create_encryption_ctx( self.algorithm, self.mode ) - return self._wrap_ctx(ctx, encrypt=True) @typing.overload def decryptor( @@ -132,23 +121,9 @@ def decryptor( ... def decryptor(self): - from cryptography.hazmat.backends.openssl.backend import backend - - ctx = backend.create_symmetric_decryption_ctx( + return rust_openssl.ciphers.create_decryption_ctx( self.algorithm, self.mode ) - return self._wrap_ctx(ctx, encrypt=False) - - def _wrap_ctx( - self, ctx: _BackendCipherContext, encrypt: bool - ) -> AEADEncryptionContext | AEADDecryptionContext | CipherContext: - if isinstance(self.mode, modes.ModeWithAuthenticationTag): - if encrypt: - return _AEADEncryptionContext(ctx) - else: - return _AEADDecryptionContext(ctx) - else: - return _CipherContext(ctx) _CIPHER_TYPE = Cipher[ @@ -161,112 +136,6 @@ def _wrap_ctx( ] ] - -class _CipherContext(CipherContext): - _ctx: _BackendCipherContext | None - - def __init__(self, ctx: _BackendCipherContext) -> None: - self._ctx = ctx - - def update(self, data: bytes) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - return self._ctx.update(data) - - def update_into(self, data: bytes, buf: bytes) -> int: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - return self._ctx.update_into(data, buf) - - def finalize(self) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - data = self._ctx.finalize() - self._ctx = None - return data - - -class _AEADCipherContext(AEADCipherContext): - _ctx: _BackendCipherContext | None - _tag: bytes | None - - def __init__(self, ctx: _BackendCipherContext) -> None: - self._ctx = ctx - self._bytes_processed = 0 - self._aad_bytes_processed = 0 - self._tag = None - self._updated = False - - def _check_limit(self, data_size: int) -> None: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - self._updated = True - self._bytes_processed += data_size - if self._bytes_processed > self._ctx._mode._MAX_ENCRYPTED_BYTES: - raise ValueError( - "{} has a maximum encrypted byte limit of {}".format( - self._ctx._mode.name, self._ctx._mode._MAX_ENCRYPTED_BYTES - ) - ) - - def update(self, data: bytes) -> bytes: - self._check_limit(len(data)) - # mypy needs this assert even though _check_limit already checked - assert self._ctx is not None - return self._ctx.update(data) - - def update_into(self, data: bytes, buf: bytes) -> int: - self._check_limit(len(data)) - # mypy needs this assert even though _check_limit already checked - assert self._ctx is not None - return self._ctx.update_into(data, buf) - - def finalize(self) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - data = self._ctx.finalize() - self._tag = self._ctx.tag - self._ctx = None - return data - - def authenticate_additional_data(self, data: bytes) -> None: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - if self._updated: - raise AlreadyUpdated("Update has been called on this context.") - - self._aad_bytes_processed += len(data) - if self._aad_bytes_processed > self._ctx._mode._MAX_AAD_BYTES: - raise ValueError( - "{} has a maximum AAD byte limit of {}".format( - self._ctx._mode.name, self._ctx._mode._MAX_AAD_BYTES - ) - ) - - self._ctx.authenticate_additional_data(data) - - -class _AEADDecryptionContext(_AEADCipherContext, AEADDecryptionContext): - def finalize_with_tag(self, tag: bytes) -> bytes: - if self._ctx is None: - raise AlreadyFinalized("Context was already finalized.") - if self._ctx._tag is not None: - raise ValueError( - "tag provided both in mode and in call with finalize_with_tag:" - " tag should only be provided once" - ) - data = self._ctx.finalize_with_tag(tag) - self._tag = self._ctx.tag - self._ctx = None - return data - - -class _AEADEncryptionContext(_AEADCipherContext, AEADEncryptionContext): - @property - def tag(self) -> bytes: - if self._ctx is not None: - raise NotYetFinalized( - "You must finalize encryption before " "getting the tag." - ) - assert self._tag is not None - return self._tag +CipherContext.register(rust_openssl.ciphers.CipherContext) +AEADEncryptionContext.register(rust_openssl.ciphers.AEADEncryptionContext) +AEADDecryptionContext.register(rust_openssl.ciphers.AEADDecryptionContext) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 128f087ff498..46f6e09b5aac 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -56,6 +56,7 @@ impl std::hash::Hash for RegistryKey { enum RegistryCipher { Ref(&'static openssl::cipher::CipherRef), + Owned(Cipher), } impl From<&'static openssl::cipher::CipherRef> for RegistryCipher { @@ -64,6 +65,12 @@ impl From<&'static openssl::cipher::CipherRef> for RegistryCipher { } } +impl From for RegistryCipher { + fn from(c: Cipher) -> RegistryCipher { + RegistryCipher::Owned(c) + } +} + struct RegistryBuilder<'p> { py: pyo3::Python<'p>, m: HashMap, @@ -122,49 +129,185 @@ fn get_cipher_registry( let sm4 = types::SM4.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] let seed = types::SEED.get(py)?; + let arc4 = types::ARC4.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let chacha20 = types::CHACHA20.get(py)?; + let rc2 = types::RC2.get(py)?; let cbc = types::CBC.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let cfb = types::CFB.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let cfb8 = types::CFB8.get(py)?; + let ofb = types::OFB.get(py)?; + let ecb = types::ECB.get(py)?; + let ctr = types::CTR.get(py)?; + let gcm = types::GCM.get(py)?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + let xts = types::XTS.get(py)?; + + let none = py.None(); + let none_type = none.as_ref(py).get_type(); m.add(aes, cbc, Some(128), Cipher::aes_128_cbc())?; m.add(aes, cbc, Some(192), Cipher::aes_192_cbc())?; m.add(aes, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(aes, ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(aes, ofb, Some(192), Cipher::aes_192_ofb())?; + m.add(aes, ofb, Some(256), Cipher::aes_256_ofb())?; + + m.add(aes, gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(aes, gcm, Some(192), Cipher::aes_192_gcm())?; + m.add(aes, gcm, Some(256), Cipher::aes_256_gcm())?; + + m.add(aes, ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(aes, ctr, Some(192), Cipher::aes_192_ctr())?; + m.add(aes, ctr, Some(256), Cipher::aes_256_ctr())?; + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(aes, cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(aes, cfb8, Some(192), Cipher::aes_192_cfb8())?; + m.add(aes, cfb8, Some(256), Cipher::aes_256_cfb8())?; + + m.add(aes, cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(aes, cfb, Some(192), Cipher::aes_192_cfb128())?; + m.add(aes, cfb, Some(256), Cipher::aes_256_cfb128())?; + } + + m.add(aes, ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(aes, ecb, Some(192), Cipher::aes_192_ecb())?; + m.add(aes, ecb, Some(256), Cipher::aes_256_ecb())?; + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(aes, xts, Some(256), Cipher::aes_128_xts())?; + m.add(aes, xts, Some(512), Cipher::aes_256_xts())?; + } + m.add(aes128, cbc, Some(128), Cipher::aes_128_cbc())?; m.add(aes256, cbc, Some(256), Cipher::aes_256_cbc())?; - m.add(triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; + m.add(aes128, ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(aes256, ofb, Some(256), Cipher::aes_256_ofb())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(128), Cipher::camellia128_cbc())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(192), Cipher::camellia192_cbc())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - m.add(camellia, cbc, Some(256), Cipher::camellia256_cbc())?; + m.add(aes128, gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(aes256, gcm, Some(256), Cipher::aes_256_gcm())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] - m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; + m.add(aes128, ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(aes256, ctr, Some(256), Cipher::aes_256_ctr())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] - m.add(seed, cbc, Some(128), Cipher::seed_cbc())?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(aes128, cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(aes256, cfb8, Some(256), Cipher::aes_256_cfb8())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] - m.add(blowfish, cbc, None, Cipher::bf_cbc())?; + m.add(aes128, cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(aes256, cfb, Some(256), Cipher::aes_256_cfb128())?; + } - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] - m.add(cast5, cbc, None, Cipher::cast5_cbc())?; + m.add(aes128, ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(aes256, ecb, Some(256), Cipher::aes_256_ecb())?; - #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] - m.add(idea, cbc, Some(128), Cipher::idea_cbc())?; + m.add(triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; + m.add(triple_des, ecb, Some(192), Cipher::des_ede3_ecb())?; + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + { + m.add(triple_des, cfb8, Some(192), Cipher::des_ede3_cfb8())?; + m.add(triple_des, cfb, Some(192), Cipher::des_ede3_cfb64())?; + m.add(triple_des, ofb, Some(192), Cipher::des_ede3_ofb())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] + { + m.add(camellia, cbc, Some(128), Cipher::camellia128_cbc())?; + m.add(camellia, cbc, Some(192), Cipher::camellia192_cbc())?; + m.add(camellia, cbc, Some(256), Cipher::camellia256_cbc())?; + + m.add(camellia, ecb, Some(128), Cipher::camellia128_ecb())?; + m.add(camellia, ecb, Some(192), Cipher::camellia192_ecb())?; + m.add(camellia, ecb, Some(256), Cipher::camellia256_ecb())?; + + m.add(camellia, ofb, Some(128), Cipher::camellia128_ofb())?; + m.add(camellia, ofb, Some(192), Cipher::camellia192_ofb())?; + m.add(camellia, ofb, Some(256), Cipher::camellia256_ofb())?; + + m.add(camellia, cfb, Some(128), Cipher::camellia128_cfb128())?; + m.add(camellia, cfb, Some(192), Cipher::camellia192_cfb128())?; + m.add(camellia, cfb, Some(256), Cipher::camellia256_cfb128())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] + { + m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; + m.add(sm4, ctr, Some(128), Cipher::sm4_ctr())?; + m.add(sm4, cfb, Some(128), Cipher::sm4_cfb128())?; + m.add(sm4, ofb, Some(128), Cipher::sm4_ofb())?; + m.add(sm4, ecb, Some(128), Cipher::sm4_ecb())?; + + #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + if let Ok(c) = Cipher::fetch(None, "sm4-gcm", None) { + m.add(sm4, gcm, Some(128), c)?; + } + } + + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + m.add(chacha20, none_type, None, Cipher::chacha20())?; + + // Don't register legacy ciphers if they're unavailable. In theory + // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER + // even when the cipher is unavailable. + if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) + || types::LEGACY_PROVIDER_LOADED.get(py)?.is_true()? + { + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] + { + m.add(blowfish, cbc, None, Cipher::bf_cbc())?; + m.add(blowfish, cfb, None, Cipher::bf_cfb64())?; + m.add(blowfish, ofb, None, Cipher::bf_ofb())?; + m.add(blowfish, ecb, None, Cipher::bf_ecb())?; + } + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] + { + m.add(seed, cbc, Some(128), Cipher::seed_cbc())?; + m.add(seed, cfb, Some(128), Cipher::seed_cfb128())?; + m.add(seed, ofb, Some(128), Cipher::seed_ofb())?; + m.add(seed, ecb, Some(128), Cipher::seed_ecb())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] + { + m.add(cast5, cbc, None, Cipher::cast5_cbc())?; + m.add(cast5, ecb, None, Cipher::cast5_ecb())?; + m.add(cast5, ofb, None, Cipher::cast5_ofb())?; + m.add(cast5, cfb, None, Cipher::cast5_cfb64())?; + } + + #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] + { + m.add(idea, cbc, Some(128), Cipher::idea_cbc())?; + m.add(idea, ecb, Some(128), Cipher::idea_ecb())?; + m.add(idea, ofb, Some(128), Cipher::idea_ofb())?; + m.add(idea, cfb, Some(128), Cipher::idea_cfb64())?; + } + + m.add(arc4, none_type, None, Cipher::rc4())?; + + if let Some(rc2_cbc) = Cipher::from_nid(openssl::nid::Nid::RC2_CBC) { + m.add(rc2, cbc, Some(128), rc2_cbc)?; + } + } Ok(m.build()) }) } -pub(crate) fn get_cipher<'a>( - py: pyo3::Python<'_>, +pub(crate) fn get_cipher<'py>( + py: pyo3::Python<'py>, algorithm: &pyo3::PyAny, mode_cls: &pyo3::PyAny, -) -> CryptographyResult> { +) -> CryptographyResult> { let registry = get_cipher_registry(py)?; let key_size = algorithm @@ -174,6 +317,7 @@ pub(crate) fn get_cipher<'a>( match registry.get(&key) { Some(RegistryCipher::Ref(c)) => Ok(Some(c)), + Some(RegistryCipher::Owned(c)) => Ok(Some(c)), None => Ok(None), } } diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs new file mode 100644 index 000000000000..3695ca1d89df --- /dev/null +++ b/src/rust/src/backend/ciphers.rs @@ -0,0 +1,567 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::backend::cipher_registry; +use crate::buf::{CffiBuf, CffiMutBuf}; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; +use crate::types; +use pyo3::IntoPy; + +struct CipherContext { + ctx: openssl::cipher_ctx::CipherCtx, + py_mode: pyo3::PyObject, +} + +impl CipherContext { + fn new( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, + side: openssl::symm::Mode, + ) -> CryptographyResult { + let cipher = match cipher_registry::get_cipher(py, algorithm, mode.get_type())? { + Some(c) => c, + None => { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!( + "cipher {} in {} mode is not supported ", + algorithm.getattr(pyo3::intern!(py, "name"))?, + if mode.is_true()? { + mode.getattr(pyo3::intern!(py, "name"))? + } else { + mode + } + ), + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )) + } + }; + + let iv_nonce = if mode.is_instance(types::MODE_WITH_INITIALIZATION_VECTOR.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "initialization_vector"))? + .extract::>()?, + ) + } else if mode.is_instance(types::MODE_WITH_TWEAK.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "tweak"))? + .extract::>()?, + ) + } else if mode.is_instance(types::MODE_WITH_NONCE.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else if algorithm.is_instance(types::CHACHA20.get(py)?)? { + Some( + algorithm + .getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else { + None + }; + + let key = algorithm + .getattr(pyo3::intern!(py, "key"))? + .extract::>()?; + + let init_op = match side { + openssl::symm::Mode::Encrypt => openssl::cipher_ctx::CipherCtxRef::encrypt_init, + openssl::symm::Mode::Decrypt => openssl::cipher_ctx::CipherCtxRef::decrypt_init, + }; + + let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; + init_op(&mut ctx, Some(cipher), None, None)?; + ctx.set_key_length(key.as_bytes().len())?; + + if let Some(iv) = iv_nonce.as_ref() { + if cipher.iv_length() != 0 && cipher.iv_length() != iv.as_bytes().len() { + ctx.set_iv_length(iv.as_bytes().len())?; + } + } + + if mode.is_instance(types::XTS.get(py)?)? { + init_op( + &mut ctx, + None, + Some(key.as_bytes()), + iv_nonce.as_ref().map(|b| b.as_bytes()), + ) + .map_err(|_| { + pyo3::exceptions::PyValueError::new_err( + "In XTS mode duplicated keys are not allowed", + ) + })?; + } else { + init_op( + &mut ctx, + None, + Some(key.as_bytes()), + iv_nonce.as_ref().map(|b| b.as_bytes()), + )?; + }; + + ctx.set_padding(false); + + Ok(CipherContext { + ctx, + py_mode: mode.into(), + }) + } + + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: &[u8], + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let mut out_buf = vec![0; buf.len() + self.ctx.block_size()]; + let n = self.update_into(py, buf, &mut out_buf)?; + Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: &[u8], + out_buf: &mut [u8], + ) -> CryptographyResult { + if out_buf.len() < (buf.len() + self.ctx.block_size() - 1) { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "buffer must be at least {} bytes for this payload", + buf.len() + self.ctx.block_size() - 1 + )), + )); + } + + let mut total_written = 0; + for chunk in buf.chunks(1 << 29) { + // SAFETY: We ensure that outbuf is sufficiently large above. + unsafe { + let n = if self.py_mode.as_ref(py).is_instance(types::XTS.get(py)?)? { + self.ctx.cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..])).map_err(|_| { + pyo3::exceptions::PyValueError::new_err( + "In XTS mode you must supply at least a full block in the first update call. For AES this is 16 bytes." + ) + })? + } else { + self.ctx + .cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..]))? + }; + total_written += n; + } + } + + Ok(total_written) + } + + fn authenticate_additional_data(&mut self, buf: &[u8]) -> CryptographyResult<()> { + self.ctx.cipher_update(buf, None)?; + Ok(()) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let mut out_buf = vec![0; self.ctx.block_size()]; + let n = self.ctx.cipher_final(&mut out_buf).or_else(|e| { + if e.errors().is_empty() + && self + .py_mode + .as_ref(py) + .is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? + { + return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); + } + Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "The length of the provided data is not a multiple of the block length.", + ), + )) + })?; + Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + } +} + +#[pyo3::prelude::pyclass( + module = "cryptography.hazmat.bindings._rust.openssl.ciphers", + name = "CipherContext" +)] +struct PyCipherContext { + ctx: Option, +} + +#[pyo3::prelude::pyclass( + module = "cryptography.hazmat.bindings._rust.openssl.ciphers", + name = "AEADEncryptionContext" +)] +struct PyAEADEncryptionContext { + ctx: Option, + tag: Option>, + updated: bool, + bytes_remaining: u64, + aad_bytes_remaining: u64, +} + +#[pyo3::prelude::pyclass( + module = "cryptography.hazmat.bindings._rust.openssl.ciphers", + name = "AEADDecryptionContext" +)] +struct PyAEADDecryptionContext { + ctx: Option, + updated: bool, + bytes_remaining: u64, + aad_bytes_remaining: u64, +} + +fn get_mut_ctx(ctx: Option<&mut CipherContext>) -> pyo3::PyResult<&mut CipherContext> { + ctx.ok_or_else(|| exceptions::AlreadyFinalized::new_err("Context was already finalized.")) +} + +#[pyo3::prelude::pymethods] +impl PyCipherContext { + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: CffiBuf<'_>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + get_mut_ctx(self.ctx.as_mut())?.update(py, buf.as_bytes()) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: CffiBuf<'_>, + mut out_buf: CffiMutBuf<'_>, + ) -> CryptographyResult { + get_mut_ctx(self.ctx.as_mut())?.update_into(py, buf.as_bytes(), out_buf.as_mut_bytes()) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let result = get_mut_ctx(self.ctx.as_mut())?.finalize(py)?; + self.ctx = None; + Ok(result) + } +} + +#[pyo3::prelude::pymethods] +impl PyAEADEncryptionContext { + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: CffiBuf<'_>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update(py, data) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: CffiBuf<'_>, + mut out_buf: CffiMutBuf<'_>, + ) -> CryptographyResult { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, out_buf.as_mut_bytes()) + } + + fn authenticate_additional_data(&mut self, buf: CffiBuf<'_>) -> CryptographyResult<()> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + if self.updated { + return Err(CryptographyError::from( + exceptions::AlreadyUpdated::new_err("Update has been called on this context."), + )); + } + + let data = buf.as_bytes(); + self.aad_bytes_remaining = self + .aad_bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum AAD byte limit") + })?; + ctx.authenticate_additional_data(data) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + let result = ctx.finalize(py)?; + + // XXX: do not hard code 16 + let tag = pyo3::types::PyBytes::new_with(py, 16, |t| { + ctx.ctx.tag(t).map_err(CryptographyError::from)?; + Ok(()) + })?; + self.tag = Some(tag.into_py(py)); + self.ctx = None; + + Ok(result) + } + + #[getter] + fn tag(&self, py: pyo3::Python<'_>) -> CryptographyResult> { + Ok(self + .tag + .as_ref() + .ok_or_else(|| { + exceptions::NotYetFinalized::new_err( + "You must finalize encryption before getting the tag.", + ) + })? + .clone_ref(py)) + } +} + +#[pyo3::prelude::pymethods] +impl PyAEADDecryptionContext { + fn update<'p>( + &mut self, + py: pyo3::Python<'p>, + buf: CffiBuf<'_>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update(py, data) + } + + fn update_into( + &mut self, + py: pyo3::Python<'_>, + buf: CffiBuf<'_>, + mut out_buf: CffiMutBuf<'_>, + ) -> CryptographyResult { + let data = buf.as_bytes(); + + self.updated = true; + self.bytes_remaining = self + .bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum encrypted byte limit") + })?; + get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, out_buf.as_mut_bytes()) + } + + fn authenticate_additional_data(&mut self, buf: CffiBuf<'_>) -> CryptographyResult<()> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + if self.updated { + return Err(CryptographyError::from( + exceptions::AlreadyUpdated::new_err("Update has been called on this context."), + )); + } + + let data = buf.as_bytes(); + self.aad_bytes_remaining = self + .aad_bytes_remaining + .checked_sub(data.len().try_into().unwrap()) + .ok_or_else(|| { + pyo3::exceptions::PyValueError::new_err("Exceeded maximum AAD byte limit") + })?; + ctx.authenticate_additional_data(data) + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + + if ctx + .py_mode + .as_ref(py) + .getattr(pyo3::intern!(py, "tag"))? + .is_none() + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Authentication tag must be provided when decrypting.", + ), + )); + } + + let result = ctx.finalize(py)?; + self.ctx = None; + Ok(result) + } + + fn finalize_with_tag<'p>( + &mut self, + py: pyo3::Python<'p>, + tag: &[u8], + ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + let ctx = get_mut_ctx(self.ctx.as_mut())?; + + if !ctx + .py_mode + .as_ref(py) + .getattr(pyo3::intern!(py, "tag"))? + .is_none() + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Authentication tag must be provided only once.", + ), + )); + } + + let min_tag_length = ctx + .py_mode + .as_ref(py) + .getattr(pyo3::intern!(py, "_min_tag_length"))? + .extract()?; + // XXX: Do not hard code 16 + if tag.len() < min_tag_length { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Authentication tag must be {} bytes or longer.", + min_tag_length + )), + )); + } else if tag.len() > 16 { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Authentication tag cannot be more than {} bytes.", + 16 + )), + )); + } + + ctx.ctx.set_tag(tag)?; + let result = ctx.finalize(py)?; + self.ctx = None; + Ok(result) + } +} + +#[pyo3::prelude::pyfunction] +fn create_encryption_ctx( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, +) -> CryptographyResult { + let ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Encrypt)?; + + if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + Ok(PyAEADEncryptionContext { + ctx: Some(ctx), + tag: None, + updated: false, + bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_ENCRYPTED_BYTES"))? + .extract()?, + aad_bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_AAD_BYTES"))? + .extract()?, + } + .into_py(py)) + } else { + Ok(PyCipherContext { ctx: Some(ctx) }.into_py(py)) + } +} + +#[pyo3::prelude::pyfunction] +fn create_decryption_ctx( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, +) -> CryptographyResult { + let mut ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Decrypt)?; + + if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + if let Some(tag) = mode.getattr(pyo3::intern!(py, "tag"))?.extract()? { + ctx.ctx.set_tag(tag)?; + } + + Ok(PyAEADDecryptionContext { + ctx: Some(ctx), + updated: false, + bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_ENCRYPTED_BYTES"))? + .extract()?, + aad_bytes_remaining: mode + .getattr(pyo3::intern!(py, "_MAX_AAD_BYTES"))? + .extract()?, + } + .into_py(py)) + } else { + Ok(PyCipherContext { ctx: Some(ctx) }.into_py(py)) + } +} + +#[pyo3::prelude::pyfunction] +fn cipher_supported( + py: pyo3::Python<'_>, + algorithm: &pyo3::PyAny, + mode: &pyo3::PyAny, +) -> CryptographyResult { + Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type())?.is_some()) +} + +#[pyo3::prelude::pyfunction] +fn _advance(ctx: &pyo3::PyAny, n: u64) { + if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().bytes_remaining -= n; + } else if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().bytes_remaining -= n; + } +} + +#[pyo3::prelude::pyfunction] +fn _advance_aad(ctx: &pyo3::PyAny, n: u64) { + if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().aad_bytes_remaining -= n; + } else if let Ok(c) = ctx.downcast::>() { + c.borrow_mut().aad_bytes_remaining -= n; + } +} + +pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let m = pyo3::prelude::PyModule::new(py, "ciphers")?; + m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(cipher_supported, m)?)?; + + m.add_function(pyo3::wrap_pyfunction!(_advance, m)?)?; + m.add_function(pyo3::wrap_pyfunction!(_advance_aad, m)?)?; + + m.add_class::()?; + m.add_class::()?; + m.add_class::()?; + + Ok(m) +} diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 7e085d623b40..be7b2d0ac280 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -4,6 +4,7 @@ pub(crate) mod aead; pub(crate) mod cipher_registry; +pub(crate) mod ciphers; pub(crate) mod cmac; pub(crate) mod dh; pub(crate) mod dsa; @@ -24,6 +25,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(aead::create_module(module.py())?)?; + module.add_submodule(ciphers::create_module(module.py())?)?; module.add_submodule(cmac::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index edc3860c1050..028322dfe0da 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -2,9 +2,9 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use std::slice; - use crate::types; +use pyo3::types::IntoPyDict; +use std::slice; pub(crate) struct CffiBuf<'p> { _pyobj: &'p pyo3::PyAny, @@ -12,9 +12,19 @@ pub(crate) struct CffiBuf<'p> { buf: &'p [u8], } -fn _extract_buffer_length(pyobj: &pyo3::PyAny) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { +fn _extract_buffer_length( + pyobj: &pyo3::PyAny, + mutable: bool, +) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { let py = pyobj.py(); - let bufobj = types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))?; + let bufobj = if mutable { + let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict(py); + types::FFI_FROM_BUFFER + .get(py)? + .call((pyobj,), Some(kwargs))? + } else { + types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))? + }; let ptrval = types::FFI_CAST .get(py)? .call1((pyo3::intern!(py, "uintptr_t"), bufobj))? @@ -31,7 +41,7 @@ impl CffiBuf<'_> { impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { - let (bufobj, ptrval) = _extract_buffer_length(pyobj)?; + let (bufobj, ptrval) = _extract_buffer_length(pyobj, false)?; let len = bufobj.len()?; let buf = if len == 0 { &[] @@ -54,3 +64,42 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { }) } } + +pub(crate) struct CffiMutBuf<'p> { + _pyobj: &'p pyo3::PyAny, + _bufobj: &'p pyo3::PyAny, + buf: &'p mut [u8], +} + +impl CffiMutBuf<'_> { + pub(crate) fn as_mut_bytes(&mut self) -> &mut [u8] { + self.buf + } +} + +impl<'a> pyo3::conversion::FromPyObject<'a> for CffiMutBuf<'a> { + fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { + let (bufobj, ptrval) = _extract_buffer_length(pyobj, true)?; + + let len = bufobj.len()?; + let buf = if len == 0 { + &mut [] + } else { + // SAFETY: _extract_buffer_length ensures that we have a valid ptr + // and length (and we ensure we meet slice's requirements for + // 0-length slices above), we're keeping pyobj alive which ensures + // the buffer is valid. But! There is no actually guarantee + // against concurrent mutation. See + // https://alexgaynor.net/2022/oct/23/buffers-on-the-edge/ + // for details. This is the same as our cffi status quo ante, so + // we're doing an unsound thing and living with it. + unsafe { slice::from_raw_parts_mut(ptrval as *mut u8, len) } + }; + + Ok(CffiMutBuf { + _pyobj: pyobj, + _bufobj: bufobj, + buf, + }) + } +} diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index c9456513993d..67f57b9adcb5 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -23,10 +23,12 @@ pub(crate) enum Reasons { UNSUPPORTED_MAC, } +pyo3::import_exception!(cryptography.exceptions, AlreadyUpdated); pyo3::import_exception!(cryptography.exceptions, AlreadyFinalized); pyo3::import_exception!(cryptography.exceptions, InternalError); pyo3::import_exception!(cryptography.exceptions, InvalidSignature); pyo3::import_exception!(cryptography.exceptions, InvalidTag); +pyo3::import_exception!(cryptography.exceptions, NotYetFinalized); pyo3::import_exception!(cryptography.exceptions, UnsupportedAlgorithm); pyo3::import_exception!(cryptography.x509, AttributeNotFound); pyo3::import_exception!(cryptography.x509, DuplicateExtension); diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 10272e14aa8f..e48c63fbb0bf 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -473,6 +473,10 @@ pub static AES256: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["AES256"], ); +pub static CHACHA20: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.algorithms", + &["ChaCha20"], +); #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", @@ -499,9 +503,50 @@ pub static CAST5: LazyPyImport = LazyPyImport::new( #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] pub static IDEA: LazyPyImport = LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["IDEA"]); +pub static ARC4: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["ARC4"]); +pub static RC2: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["RC2"]); +pub static MODE_WITH_INITIALIZATION_VECTOR: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithInitializationVector"], +); +pub static MODE_WITH_TWEAK: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithTweak"], +); +pub static MODE_WITH_NONCE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithNonce"], +); +pub static MODE_WITH_AUTHENTICATION_TAG: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.ciphers.modes", + &["ModeWithAuthenticationTag"], +); pub static CBC: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CBC"]); +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +pub static CFB: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CFB"]); +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +pub static CFB8: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CFB8"]); +pub static OFB: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["OFB"]); +pub static ECB: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["ECB"]); +pub static CTR: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["CTR"]); +pub static GCM: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["GCM"]); +pub static XTS: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.ciphers.modes", &["XTS"]); + +pub static LEGACY_PROVIDER_LOADED: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.bindings._rust", + &["openssl", "_legacy_provider_loaded"], +); #[cfg(test)] mod tests { diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index a941f50b928c..d838c2f8dfe1 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -216,7 +216,7 @@ fn parse_name_attribute( pyo3::types::PyString::new(py, parsed) } }; - let kwargs = [("_validate", false)].into_py_dict(py); + let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict(py); Ok(types::NAME_ATTRIBUTE .get(py)? .call((oid, py_data, py_tag), Some(kwargs))? diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index e9cdcc432a50..6115e48f9cc3 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -14,9 +14,6 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding -from cryptography.hazmat.primitives.ciphers import Cipher -from cryptography.hazmat.primitives.ciphers.algorithms import AES -from cryptography.hazmat.primitives.ciphers.modes import CBC from ...doubles import ( DummyAsymmetricPadding, @@ -80,26 +77,6 @@ def test_supports_cipher(self): is False ) - def test_register_duplicate_cipher_adapter(self): - with pytest.raises(ValueError): - backend.register_cipher_adapter(AES, CBC, None) - - @pytest.mark.parametrize("mode", [DummyMode(), None]) - def test_nonexistent_cipher(self, mode, backend, monkeypatch): - # We can't use register_cipher_adapter because backend is a - # global singleton and we want to revert the change after the test - monkeypatch.setitem( - backend._cipher_registry, - (DummyCipherAlgorithm, type(mode)), - lambda backend, cipher, mode: backend._ffi.NULL, - ) - cipher = Cipher( - DummyCipherAlgorithm(), - mode, - ) - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - cipher.encryptor() - def test_openssl_assert(self): backend.openssl_assert(True) with pytest.raises(InternalError): @@ -128,14 +105,6 @@ def test_evp_ciphers_registered(self): cipher = backend._lib.EVP_get_cipherbyname(b"aes-256-cbc") assert cipher != backend._ffi.NULL - def test_unknown_error_in_cipher_finalize(self): - cipher = Cipher(AES(b"\0" * 16), CBC(b"\0" * 16), backend=backend) - enc = cipher.encryptor() - enc.update(b"\0") - backend._lib.ERR_put_error(0, 0, 1, b"test_openssl.py", -1) - with pytest.raises(InternalError): - enc.finalize() - class TestOpenSSLRSA: def test_rsa_padding_unsupported_pss_mgf1_hash(self): diff --git a/tests/hazmat/primitives/test_aes_gcm.py b/tests/hazmat/primitives/test_aes_gcm.py index d82e37470cae..054327041358 100644 --- a/tests/hazmat/primitives/test_aes_gcm.py +++ b/tests/hazmat/primitives/test_aes_gcm.py @@ -8,20 +8,13 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes from ...utils import load_nist_vectors from .utils import generate_aead_test -def _advance(ctx, n): - ctx._bytes_processed += n - - -def _advance_aad(ctx, n): - ctx._aad_bytes_processed += n - - @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( algorithms.AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) @@ -80,7 +73,9 @@ def test_gcm_ciphertext_limit(self, backend): backend=backend, ) encryptor = cipher.encryptor() - _advance(encryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16) + rust_openssl.ciphers._advance( + encryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16 + ) encryptor.update(b"0" * 16) with pytest.raises(ValueError): encryptor.update(b"0") @@ -88,7 +83,9 @@ def test_gcm_ciphertext_limit(self, backend): encryptor.update_into(b"0", bytearray(1)) decryptor = cipher.decryptor() - _advance(decryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16) + rust_openssl.ciphers._advance( + decryptor, modes.GCM._MAX_ENCRYPTED_BYTES - 16 + ) decryptor.update(b"0" * 16) with pytest.raises(ValueError): decryptor.update(b"0") @@ -102,45 +99,21 @@ def test_gcm_aad_limit(self, backend): backend=backend, ) encryptor = cipher.encryptor() - _advance_aad(encryptor, modes.GCM._MAX_AAD_BYTES - 16) + rust_openssl.ciphers._advance_aad( + encryptor, modes.GCM._MAX_AAD_BYTES - 16 + ) encryptor.authenticate_additional_data(b"0" * 16) with pytest.raises(ValueError): encryptor.authenticate_additional_data(b"0") decryptor = cipher.decryptor() - _advance_aad(decryptor, modes.GCM._MAX_AAD_BYTES - 16) + rust_openssl.ciphers._advance_aad( + decryptor, modes.GCM._MAX_AAD_BYTES - 16 + ) decryptor.authenticate_additional_data(b"0" * 16) with pytest.raises(ValueError): decryptor.authenticate_additional_data(b"0") - def test_gcm_ciphertext_increments(self, backend): - encryptor = base.Cipher( - algorithms.AES(b"\x00" * 16), - modes.GCM(b"\x01" * 16), - backend=backend, - ).encryptor() - encryptor.update(b"0" * 8) - assert encryptor._bytes_processed == 8 # type: ignore[attr-defined] - encryptor.update(b"0" * 7) - assert encryptor._bytes_processed == 15 # type: ignore[attr-defined] - encryptor.update(b"0" * 18) - assert encryptor._bytes_processed == 33 # type: ignore[attr-defined] - - def test_gcm_aad_increments(self, backend): - encryptor = base.Cipher( - algorithms.AES(b"\x00" * 16), - modes.GCM(b"\x01" * 16), - backend=backend, - ).encryptor() - encryptor.authenticate_additional_data(b"0" * 8) - assert ( - encryptor._aad_bytes_processed == 8 # type: ignore[attr-defined] - ) - encryptor.authenticate_additional_data(b"0" * 18) - assert ( - encryptor._aad_bytes_processed == 26 # type: ignore[attr-defined] - ) - def test_gcm_tag_decrypt_none(self, backend): key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3") iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d") From 9f9c5ea9424162f40544fdfa923dcb6fc87d499c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Feb 2024 23:11:10 -0500 Subject: [PATCH 133/868] Migrate some basic constants to Rust (#10418) --- .../hazmat/backends/openssl/backend.py | 31 ++++++++++--------- .../bindings/_rust/openssl/__init__.pyi | 5 +++ src/rust/src/lib.rs | 12 +++++++ 3 files changed, 33 insertions(+), 15 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 54c4b11401da..336028833ff9 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -256,7 +256,8 @@ def rsa_encryption_supported(self, padding: AsymmetricPadding) -> bool: def dsa_supported(self) -> bool: return ( - not self._lib.CRYPTOGRAPHY_IS_BORINGSSL and not self._fips_enabled + not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + and not self._fips_enabled ) def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: @@ -374,7 +375,7 @@ def elliptic_curve_exchange_algorithm_supported( ) def dh_supported(self) -> bool: - return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 @@ -383,7 +384,7 @@ def x25519_supported(self) -> bool: # Beginning with OpenSSL 3.2.0, X25519 is considered FIPS. if ( self._fips_enabled - and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER ): return False return True @@ -392,12 +393,12 @@ def x448_supported(self) -> bool: # Beginning with OpenSSL 3.2.0, X448 is considered FIPS. if ( self._fips_enabled - and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER ): return False return ( - not self._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ) def ed25519_supported(self) -> bool: @@ -409,8 +410,8 @@ def ed448_supported(self) -> bool: if self._fips_enabled: return False return ( - not self._lib.CRYPTOGRAPHY_IS_LIBRESSL - and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ) def _zero_data(self, data, length: int) -> None: @@ -511,8 +512,8 @@ def load_pkcs12( # certificates. indices: typing.Iterable[int] if ( - self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - or self._lib.CRYPTOGRAPHY_IS_BORINGSSL + rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + or rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ): indices = range(num) else: @@ -557,7 +558,7 @@ def serialize_key_and_certificates_to_pkcs12( # PKCS12 encryption is hopeless trash and can never be fixed. # OpenSSL 3 supports PBESv2, but Libre and Boring do not, so # we use PBESv1 with 3DES on the older paths. - if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: nid_cert = self._lib.NID_aes_256_cbc nid_key = self._lib.NID_aes_256_cbc else: @@ -593,7 +594,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_cert = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC elif keycertalg is PBES.PBESv2SHA256AndAES256CBC: - if not self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + if not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: raise UnsupportedAlgorithm( "PBESv2 is not supported by this version of OpenSSL" ) @@ -695,15 +696,15 @@ def poly1305_supported(self) -> bool: if self._fips_enabled: return False elif ( - self._lib.CRYPTOGRAPHY_IS_BORINGSSL - or self._lib.CRYPTOGRAPHY_IS_LIBRESSL + rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + or rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL ): return True else: return self._lib.Cryptography_HAS_POLY1305 == 1 def pkcs7_supported(self) -> bool: - return not self._lib.CRYPTOGRAPHY_IS_BORINGSSL + return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL backend = Backend() diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index d5ec2522fe1d..0d6b1a15f776 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -45,6 +45,11 @@ __all__ = [ "x25519", ] +CRYPTOGRAPHY_IS_LIBRESSL: bool +CRYPTOGRAPHY_IS_BORINGSSL: bool +CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool +CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool + _legacy_provider_loaded: bool def openssl_version() -> int: ... diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 56093af012fb..a92fdebe42df 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -101,6 +101,18 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(cryptography_cffi::create_module(py)?)?; let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + )?; + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER), + )?; + + openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?; + openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?; + cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { let providers = _initialize_providers()?; From a20d495536742a8a21f74c868b4b95f133228771 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Feb 2024 23:12:28 -0500 Subject: [PATCH 134/868] Simplify emitting errors on key parsing (#10417) --- .../hazmat/backends/openssl/backend.py | 46 ------------------- .../bindings/_rust/openssl/__init__.pyi | 1 - src/rust/src/backend/utils.rs | 9 ++-- src/rust/src/error.rs | 4 -- src/rust/src/types.rs | 5 -- 5 files changed, 5 insertions(+), 60 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 336028833ff9..060f242cd8d3 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -299,52 +299,6 @@ def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any: self.openssl_assert(evp_pkey != self._ffi.NULL) return self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - def _handle_key_loading_error( - self, errors: list[rust_openssl.OpenSSLError] - ) -> typing.NoReturn: - if not errors: - raise ValueError( - "Could not deserialize key data. The data may be in an " - "incorrect format or it may be encrypted with an unsupported " - "algorithm." - ) - - elif ( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT - ) - or errors[0]._lib_reason_match( - self._lib.ERR_LIB_PKCS12, - self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, - ) - or ( - self._lib.Cryptography_HAS_PROVIDERS - and errors[0]._lib_reason_match( - self._lib.ERR_LIB_PROV, - self._lib.PROV_R_BAD_DECRYPT, - ) - ) - ): - raise ValueError("Bad decrypt. Incorrect password?") - - elif any( - error._lib_reason_match( - self._lib.ERR_LIB_EVP, - self._lib.EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM, - ) - for error in errors - ): - raise ValueError("Unsupported public key algorithm.") - - else: - raise ValueError( - "Could not deserialize key data. The data may be in an " - "incorrect format, it may be encrypted with an unsupported " - "algorithm, or it may be an unsupported key type (e.g. EC " - "curves with explicit parameters).", - errors, - ) - def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: if self._fips_enabled and not isinstance( curve, self._fips_ecdh_curves diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 0d6b1a15f776..25e0427496e5 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -65,4 +65,3 @@ class OpenSSLError: def reason(self) -> int: ... @property def reason_text(self) -> bytes: ... - def _lib_reason_match(self, lib: int, reason: int) -> bool: ... diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 3373a565cf2c..5c15cba57741 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -5,6 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; +use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -431,10 +432,10 @@ pub(crate) fn handle_key_load_result( (Err(e), _, _) => { let errors = error::list_from_openssl_error(py, e); Err(CryptographyError::from( - types::BACKEND_HANDLE_KEY_LOADING_ERROR - .get(py)? - .call1((errors,)) - .unwrap_err(), + pyo3::exceptions::PyValueError::new_err(( + "Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).", + errors.to_object(py), + )) )) } } diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index a4461d05a87a..62b1ff4a6daa 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -174,10 +174,6 @@ impl OpenSSLError { self.e.reason().unwrap_or("").as_bytes() } - fn _lib_reason_match(&self, lib: i32, reason: i32) -> bool { - self.e.library_code() == lib && self.e.reason_code() == reason - } - fn __repr__(&self) -> pyo3::PyResult { Ok(format!( "", diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index e48c63fbb0bf..98dd9ecbb269 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -380,11 +380,6 @@ pub static CALCULATE_MAX_PSS_SALT_LENGTH: LazyPyImport = LazyPyImport::new( &["calculate_max_pss_salt_length"], ); -pub static BACKEND_HANDLE_KEY_LOADING_ERROR: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.backends.openssl.backend", - &["backend", "_handle_key_loading_error"], -); - pub static RSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.rsa", &["RSAPrivateKey"], From 090bdf06016737e6df713f432c8b0c9fe5f871c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Feb 2024 23:48:50 -0500 Subject: [PATCH 135/868] We always have Poly1305, I think (#10419) --- src/_cffi_src/openssl/nid.py | 6 ------ src/cryptography/hazmat/backends/openssl/backend.py | 8 +------- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index 0a38fe038da7..f20646f7e56e 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -10,7 +10,6 @@ TYPES = """ static const int Cryptography_HAS_ED448; -static const int Cryptography_HAS_POLY1305; static const int NID_undef; static const int NID_aes_256_cbc; @@ -31,9 +30,4 @@ #else static const long Cryptography_HAS_ED448 = 1; #endif -#ifndef NID_poly1305 -static const long Cryptography_HAS_POLY1305 = 0; -#else -static const long Cryptography_HAS_POLY1305 = 1; -#endif """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 060f242cd8d3..45888f36168a 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -649,13 +649,7 @@ def serialize_key_and_certificates_to_pkcs12( def poly1305_supported(self) -> bool: if self._fips_enabled: return False - elif ( - rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL - or rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL - ): - return True - else: - return self._lib.Cryptography_HAS_POLY1305 == 1 + return True def pkcs7_supported(self) -> bool: return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL From 66088c9a656ccb1f12adaa77b6152e490230abb7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 07:21:56 -0800 Subject: [PATCH 136/868] Bump dnspython from 2.6.0 to 2.6.1 in /.github/requirements (#10420) * Bump dnspython from 2.6.0 to 2.6.1 in /.github/requirements Bumps [dnspython](https://github.com/rthalley/dnspython) from 2.6.0 to 2.6.1. - [Release notes](https://github.com/rthalley/dnspython/releases) - [Changelog](https://github.com/rthalley/dnspython/blob/main/doc/whatsnew.rst) - [Commits](https://github.com/rthalley/dnspython/compare/v2.6.0...v2.6.1) --- updated-dependencies: - dependency-name: dnspython dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7d96e71a86ae..0f65bca76c66 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -203,9 +203,9 @@ cryptography==42.0.3 \ # pyopenssl # secretstorage # sigstore -dnspython==2.6.0 \ - --hash=sha256:233f871ff384d84c33b2eaf4358ffe7f8927eae3b257ad8467f9bdba7e7ac6bc \ - --hash=sha256:44c40af3bffed66e3307cea9ab667fd583e138ecc0777b18f262a9dae034e5fa +dnspython==2.6.1 \ + --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ + --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ From 4398f19e0700ffb1bb1e13be4f8efe7271feb62a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 11:24:38 -0500 Subject: [PATCH 137/868] See if loading the base provider is actually required (#10421) --- src/cryptography/hazmat/bindings/openssl/binding.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 4e24914a37fc..9f268b89aebc 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -68,10 +68,6 @@ def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. _openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) - self._base_provider = self.lib.OSSL_PROVIDER_load( - self.ffi.NULL, b"base" - ) - _openssl_assert(self._base_provider != self.ffi.NULL) self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( self.ffi.NULL, b"fips" ) From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 11:50:28 -0500 Subject: [PATCH 138/868] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) --- .../hazmat/backends/openssl/backend.py | 9 +++++++++ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 45888f36168a..6a4aeca7521f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12( mac_iter, 0, ) + if p12 == self._ffi.NULL: + errors = self._consume_errors() + raise ValueError( + ( + "Failed to create PKCS12 (does the key match the " + "certificate?)" + ), + errors, + ) if ( self._lib.Cryptography_HAS_PKCS12_SET_MAC diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index f49c98a4ed3d..cb998c4a4bc0 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported( b"name", cakey, cacert, [], algorithm ) + @pytest.mark.supported( + only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, + skip_message="Requires OpenSSL with PKCS12_set_mac", + ) + def test_set_mac_key_certificate_mismatch(self, backend): + cacert, _ = _load_ca(backend) + key = ec.generate_private_key(ec.SECP256R1()) + encryption = ( + serialization.PrivateFormat.PKCS12.encryption_builder() + .hmac_hash(hashes.SHA256()) + .build(b"password") + ) + + with pytest.raises(ValueError): + serialize_key_and_certificates( + b"name", key, cacert, [], encryption + ) + @pytest.mark.skip_fips( reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." From b19a2862f239eea54cccb077d73f54ffca18924a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 19 Feb 2024 08:59:41 -0800 Subject: [PATCH 139/868] remove more unneeded bindings (#10424) --- src/_cffi_src/openssl/err.py | 5 ---- src/_cffi_src/openssl/evp.py | 25 ------------------- src/_cffi_src/openssl/provider.py | 4 --- .../hazmat/bindings/openssl/_conditional.py | 6 ----- 4 files changed, 40 deletions(-) diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index 2bb2545fc932..dd5aa64f44c0 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -16,7 +16,6 @@ static const int EVP_R_BAD_DECRYPT; static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM; static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR; -static const int EVP_R_XTS_DUPLICATED_KEYS; static const int ERR_LIB_EVP; static const int ERR_LIB_PROV; @@ -50,10 +49,6 @@ #define ERR_LIB_PROV 0 #endif -#ifndef EVP_R_XTS_DUPLICATED_KEYS -static const int EVP_R_XTS_DUPLICATED_KEYS = 0; -#endif - #if CRYPTOGRAPHY_IS_BORINGSSL static const int ERR_LIB_PKCS12 = 0; static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0; diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index ed73ec99fd5f..7432bc046bb5 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -10,7 +10,6 @@ TYPES = """ typedef ... EVP_CIPHER; -typedef ... EVP_CIPHER_CTX; typedef ... EVP_MD; typedef ... EVP_MD_CTX; @@ -26,30 +25,13 @@ static const int EVP_PKEY_X448; static const int EVP_PKEY_ED448; static const int EVP_MAX_MD_SIZE; -static const int EVP_CTRL_AEAD_SET_IVLEN; -static const int EVP_CTRL_AEAD_GET_TAG; -static const int EVP_CTRL_AEAD_SET_TAG; static const int Cryptography_HAS_EVP_PKEY_DHX; static const long Cryptography_HAS_300_FIPS; -static const long Cryptography_HAS_300_EVP_CIPHER; """ FUNCTIONS = """ const EVP_CIPHER *EVP_get_cipherbyname(const char *); -EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *, const char *, const char *); -void EVP_CIPHER_free(EVP_CIPHER *); - -int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *, int); -int EVP_CipherInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *, - const unsigned char *, const unsigned char *, int); -int EVP_CipherUpdate(EVP_CIPHER_CTX *, unsigned char *, int *, - const unsigned char *, int); -int EVP_CipherFinal_ex(EVP_CIPHER_CTX *, unsigned char *, int *); -int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *); -EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); -void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); -int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); const EVP_MD *EVP_get_digestbyname(const char *); @@ -81,8 +63,6 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); -int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); - int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ @@ -108,13 +88,8 @@ #if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER static const long Cryptography_HAS_300_FIPS = 1; -static const long Cryptography_HAS_300_EVP_CIPHER = 1; #else static const long Cryptography_HAS_300_FIPS = 0; -static const long Cryptography_HAS_300_EVP_CIPHER = 0; int (*EVP_default_properties_enable_fips)(OSSL_LIB_CTX *, int) = NULL; -EVP_CIPHER * (*EVP_CIPHER_fetch)(OSSL_LIB_CTX *, const char *, - const char *) = NULL; -void (*EVP_CIPHER_free)(EVP_CIPHER *) = NULL; #endif """ diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py index 769fded96d23..a9fb92f17d13 100644 --- a/src/_cffi_src/openssl/provider.py +++ b/src/_cffi_src/openssl/provider.py @@ -18,8 +18,6 @@ typedef ... OSSL_LIB_CTX; static const long PROV_R_BAD_DECRYPT; -static const long PROV_R_XTS_DUPLICATED_KEYS; -static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; """ FUNCTIONS = """ @@ -35,8 +33,6 @@ typedef void OSSL_PROVIDER; typedef void OSSL_LIB_CTX; static const long PROV_R_BAD_DECRYPT = 0; -static const long PROV_R_XTS_DUPLICATED_KEYS = 0; -static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; #endif diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index fc13348af77f..5a559c3b9ab5 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -120,7 +120,6 @@ def cryptography_has_providers() -> list[str]: "OSSL_PROVIDER_load", "OSSL_PROVIDER_unload", "ERR_LIB_PROV", - "PROV_R_WRONG_FINAL_BLOCK_LENGTH", "PROV_R_BAD_DECRYPT", ] @@ -165,10 +164,6 @@ def cryptography_has_prime_checks() -> list[str]: ] -def cryptography_has_300_evp_cipher() -> list[str]: - return ["EVP_CIPHER_fetch", "EVP_CIPHER_free"] - - def cryptography_has_unexpected_eof_while_reading() -> list[str]: return ["SSL_R_UNEXPECTED_EOF_WHILE_READING"] @@ -214,7 +209,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, - "Cryptography_HAS_300_EVP_CIPHER": cryptography_has_300_evp_cipher, "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( cryptography_has_unexpected_eof_while_reading ), From 83c6010e8571eb53450cad2f846ac6564303d4f9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 19 Feb 2024 09:36:12 -0800 Subject: [PATCH 140/868] remove more unused bindings (#10426) --- src/_cffi_src/openssl/asn1.py | 5 ----- src/_cffi_src/openssl/ec.py | 2 -- src/_cffi_src/openssl/err.py | 12 ------------ src/_cffi_src/openssl/nid.py | 2 -- src/_cffi_src/openssl/pkcs7.py | 28 +--------------------------- 5 files changed, 1 insertion(+), 48 deletions(-) diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py index d2be452a687b..16ce6b32f505 100644 --- a/src/_cffi_src/openssl/asn1.py +++ b/src/_cffi_src/openssl/asn1.py @@ -22,15 +22,10 @@ typedef struct asn1_string_st ASN1_OCTET_STRING; typedef struct asn1_string_st ASN1_IA5STRING; -typedef struct asn1_string_st ASN1_BIT_STRING; typedef struct asn1_string_st ASN1_TIME; typedef ... ASN1_OBJECT; typedef struct asn1_string_st ASN1_STRING; typedef struct asn1_string_st ASN1_UTF8STRING; -typedef struct { - int type; - ...; -} ASN1_TYPE; typedef ... ASN1_GENERALIZEDTIME; typedef ... ASN1_ENUMERATED; diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 8b9558f8d311..6816934ed0be 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -25,8 +25,6 @@ void EC_KEY_free(EC_KEY *); EC_KEY *EC_KEY_new_by_curve_name(int); - -const char *EC_curve_nid2nist(int); """ CUSTOMIZATIONS = """ diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index dd5aa64f44c0..2c7469ff892c 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -9,17 +9,11 @@ """ TYPES = """ -static const int CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH; - static const int EVP_F_EVP_ENCRYPTFINAL_EX; static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH; -static const int EVP_R_BAD_DECRYPT; -static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM; -static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR; static const int ERR_LIB_EVP; static const int ERR_LIB_PROV; -static const int ERR_LIB_PKCS12; static const int SSL_TLSEXT_ERR_OK; static const int SSL_TLSEXT_ERR_ALERT_FATAL; @@ -50,14 +44,8 @@ #endif #if CRYPTOGRAPHY_IS_BORINGSSL -static const int ERR_LIB_PKCS12 = 0; static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0; -static const int EVP_R_BAD_DECRYPT = 0; static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0; -static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM = 0; -static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR = 0; -#else -static const int CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0; #endif /* SSL_R_UNEXPECTED_EOF_WHILE_READING is needed for pyOpenSSL diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index f20646f7e56e..fe1cdda10137 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -17,8 +17,6 @@ static const int NID_subject_alt_name; static const int NID_crl_reason; - -static const int NID_pkcs7_signed; """ FUNCTIONS = """ diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py index cce06c6ec0c8..8e93a61b4e60 100644 --- a/src/_cffi_src/openssl/pkcs7.py +++ b/src/_cffi_src/openssl/pkcs7.py @@ -10,33 +10,7 @@ TYPES = """ static const long Cryptography_HAS_PKCS7_FUNCS; - -typedef struct { - Cryptography_STACK_OF_X509 *cert; - ...; -} PKCS7_SIGNED; - -typedef ... PKCS7_SIGN_ENVELOPE; -typedef ... PKCS7_DIGEST; -typedef ... PKCS7_ENCRYPT; -typedef ... PKCS7_ENVELOPE; -typedef ... PKCS7_SIGNER_INFO; - -typedef struct { - ASN1_OBJECT *type; - union { - char *ptr; - ASN1_OCTET_STRING *data; - PKCS7_SIGNED *sign; - PKCS7_ENVELOPE *enveloped; - PKCS7_SIGN_ENVELOPE *signed_and_enveloped; - PKCS7_DIGEST *digest; - PKCS7_ENCRYPT *encrypted; - ASN1_TYPE *other; - } d; - ...; -} PKCS7; - +typedef ... PKCS7; static const int PKCS7_TEXT; """ From 48290a592a12736d724dfa99c24f82e354448e8a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 12:49:53 -0500 Subject: [PATCH 141/868] Remove unused bindings (#10427) --- src/_cffi_src/openssl/err.py | 7 ------- src/_cffi_src/openssl/evp.py | 15 --------------- src/_cffi_src/openssl/provider.py | 3 --- .../hazmat/bindings/openssl/_conditional.py | 9 --------- 4 files changed, 34 deletions(-) diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index 2c7469ff892c..a86e560a659c 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -13,7 +13,6 @@ static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH; static const int ERR_LIB_EVP; -static const int ERR_LIB_PROV; static const int SSL_TLSEXT_ERR_OK; static const int SSL_TLSEXT_ERR_ALERT_FATAL; @@ -37,12 +36,6 @@ """ CUSTOMIZATIONS = """ -/* This define is tied to provider support and is conditionally - removed if Cryptography_HAS_PROVIDERS is false */ -#ifndef ERR_LIB_PROV -#define ERR_LIB_PROV 0 -#endif - #if CRYPTOGRAPHY_IS_BORINGSSL static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0; static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0; diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 7432bc046bb5..59e002bad682 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -22,8 +22,6 @@ static const int EVP_PKEY_EC; static const int EVP_PKEY_X25519; static const int EVP_PKEY_ED25519; -static const int EVP_PKEY_X448; -static const int EVP_PKEY_ED448; static const int EVP_MAX_MD_SIZE; static const int Cryptography_HAS_EVP_PKEY_DHX; @@ -73,19 +71,6 @@ const long Cryptography_HAS_EVP_PKEY_DHX = 0; #endif -/* This is tied to X448 support so we reuse the Cryptography_HAS_X448 - conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove - this in the distant future when we drop 1.1.0 support. */ -#ifndef EVP_PKEY_X448 -#define EVP_PKEY_X448 NID_X448 -#endif - -/* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448 - conditional to remove it. */ -#ifndef EVP_PKEY_ED448 -#define EVP_PKEY_ED448 0 -#endif - #if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER static const long Cryptography_HAS_300_FIPS = 1; #else diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py index a9fb92f17d13..f00b28325164 100644 --- a/src/_cffi_src/openssl/provider.py +++ b/src/_cffi_src/openssl/provider.py @@ -16,8 +16,6 @@ typedef ... OSSL_PROVIDER; typedef ... OSSL_LIB_CTX; - -static const long PROV_R_BAD_DECRYPT; """ FUNCTIONS = """ @@ -32,7 +30,6 @@ static const long Cryptography_HAS_PROVIDERS = 0; typedef void OSSL_PROVIDER; typedef void OSSL_LIB_CTX; -static const long PROV_R_BAD_DECRYPT = 0; OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; #endif diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 5a559c3b9ab5..8def8bf487b9 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -28,12 +28,6 @@ def cryptography_has_tls_st() -> list[str]: ] -def cryptography_has_ed448() -> list[str]: - return [ - "EVP_PKEY_ED448", - ] - - def cryptography_has_ssl_sigalgs() -> list[str]: return [ "SSL_CTX_set1_sigalgs_list", @@ -119,8 +113,6 @@ def cryptography_has_providers() -> list[str]: return [ "OSSL_PROVIDER_load", "OSSL_PROVIDER_unload", - "ERR_LIB_PROV", - "PROV_R_BAD_DECRYPT", ] @@ -191,7 +183,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, - "Cryptography_HAS_ED448": cryptography_has_ed448, "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs, "Cryptography_HAS_PSK": cryptography_has_psk, "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13, From 732eea3c819a8ea9b14e48a2e1adddd8c3c8d881 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 15:33:12 -0500 Subject: [PATCH 142/868] Move a few more constants fully to Rust (#10428) --- src/_cffi_src/openssl/cryptography.py | 5 ----- src/cryptography/hazmat/bindings/openssl/binding.py | 2 +- tests/hazmat/backends/test_openssl.py | 8 ++++---- tests/hazmat/bindings/test_openssl.py | 10 +++++----- tests/hazmat/primitives/test_aes.py | 3 ++- tests/hazmat/primitives/test_dh.py | 3 ++- tests/hazmat/primitives/test_ec.py | 5 +++-- tests/hazmat/primitives/test_pkcs12.py | 5 +++-- tests/hazmat/primitives/test_pkcs7.py | 3 ++- tests/hazmat/primitives/test_rsa.py | 5 +++-- 10 files changed, 25 insertions(+), 24 deletions(-) diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 9d09471967a2..11afbdc182f0 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -53,11 +53,6 @@ """ TYPES = """ -static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; -static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER; - -static const int CRYPTOGRAPHY_IS_LIBRESSL; -static const int CRYPTOGRAPHY_IS_BORINGSSL; """ FUNCTIONS = """ diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 9f268b89aebc..e8577763c57e 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -67,7 +67,7 @@ def __init__(self) -> None: def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. - _openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) + _openssl_assert(openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( self.ffi.NULL, b"fips" ) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 6115e48f9cc3..7cf98afe91d0 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -59,13 +59,13 @@ def test_openssl_version_text(self): # Verify the correspondence between these two. And do it in a way that # ensures coverage. if version.startswith("LibreSSL"): - assert backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - if backend._lib.CRYPTOGRAPHY_IS_LIBRESSL: + assert rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: assert version.startswith("LibreSSL") if version.startswith("BoringSSL"): - assert backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - if backend._lib.CRYPTOGRAPHY_IS_BORINGSSL: + assert rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + if rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert version.startswith("BoringSSL") def test_openssl_version_number(self): diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index ef45b304b4ef..db6410d5d1e5 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -24,7 +24,7 @@ def test_ssl_ctx_options(self): # Test that we're properly handling 32-bit unsigned on all platforms. b = Binding() # SSL_OP_ALL is 0 on BoringSSL - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b.lib.SSL_OP_ALL > 0 ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) assert ctx != b.ffi.NULL @@ -39,7 +39,7 @@ def test_ssl_options(self): # Test that we're properly handling 32-bit unsigned on all platforms. b = Binding() # SSL_OP_ALL is 0 on BoringSSL - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b.lib.SSL_OP_ALL > 0 ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) assert ctx != b.ffi.NULL @@ -55,7 +55,7 @@ def test_ssl_options(self): def test_conditional_removal(self): b = Binding() - if not b.lib.CRYPTOGRAPHY_IS_LIBRESSL: + if not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: assert b.lib.TLS_ST_OK else: with pytest.raises(AttributeError): @@ -76,7 +76,7 @@ def test_openssl_assert_error_on_stack(self): error = exc_info.value.err_code[0] assert error.lib == b.lib.ERR_LIB_EVP assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b"data not multiple of block length" in error.reason_text def test_version_mismatch(self): @@ -103,5 +103,5 @@ def test_rust_internal_error(self): error = exc_info.value.err_code[0] assert error.lib == b.lib.ERR_LIB_EVP assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b"data not multiple of block length" in error.reason_text diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 1f3dfd0014b4..7b4b065cb2ce 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -8,6 +8,7 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes from ...doubles import DummyMode @@ -61,7 +62,7 @@ def test_xts_too_short(self, backend): enc.update(b"0" * 15) @pytest.mark.supported( - only_if=lambda backend: (not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL), + only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL, skip_message="duplicate key encryption error added in OpenSSL 1.1.1d", ) def test_xts_no_duplicate_keys_encryption(self, backend): diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 4b3b63a96436..d287d29460ae 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -11,6 +11,7 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import dh @@ -379,7 +380,7 @@ def test_bad_exchange(self, backend, vector): @pytest.mark.skip_fips(reason="key_size too small for FIPS") @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ), skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", ) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 9a368e67cafa..a558af3b9b70 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -13,6 +13,7 @@ import pytest from cryptography import exceptions, utils, x509 +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric.utils import ( @@ -133,7 +134,7 @@ def test_derive_point_at_infinity(backend): # BoringSSL rejects infinity points before it ever gets to us, so it # uses a more generic error message. match = ( - "infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid" + "infinity" if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid" ) with pytest.raises(ValueError, match=match): ec.derive_private_key(q, ec.SECP256R1()) @@ -423,7 +424,7 @@ def test_load_invalid_ec_key_from_pem(self, backend): # uses a more generic error message. match = ( r"infinity|invalid form" - if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else None ) with pytest.raises(ValueError, match=match): diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index cb998c4a4bc0..d9f2cdebd5c6 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -10,6 +10,7 @@ from cryptography import x509 from cryptography.exceptions import UnsupportedAlgorithm +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -558,7 +559,7 @@ def test_key_serialization_encryption( ): if ( enc_alg is PBES.PBESv2SHA256AndAES256CBC - ) and not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + ) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: pytest.skip("PBESv2 is not supported on OpenSSL < 3.0") if ( @@ -615,7 +616,7 @@ def test_key_serialization_encryption( @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ), skip_message="Requires OpenSSL < 3.0.0 (or Libre/Boring)", ) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 03b04cd389e5..837ad261941c 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -11,6 +11,7 @@ from cryptography import x509 from cryptography.exceptions import _Reasons +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 @@ -148,7 +149,7 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend): backend.openssl_assert(res == 1) # OpenSSL 3.0 leaves a random bio error on the stack: # https://github.com/openssl/openssl/issues/16681 - if backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: backend._consume_errors() diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index eb74be7c6d4c..3ce55b48c10c 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -15,6 +15,7 @@ UnsupportedAlgorithm, _Reasons, ) +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding, rsa from cryptography.hazmat.primitives.asymmetric import utils as asym_utils @@ -251,7 +252,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): assert public_num.e == public_num2.e @pytest.mark.supported( - only_if=lambda backend: not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, + only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Does not support RSA PSS loading", ) @pytest.mark.parametrize( @@ -302,7 +303,7 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): ) @pytest.mark.supported( - only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, + only_if=lambda backend: rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Test requires a backend without RSA-PSS key support", ) def test_load_pss_unsupported(self, backend): From 2ac571de77a60c8c7ef6567f1cd5f4b1f802f915 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 15:36:18 -0500 Subject: [PATCH 143/868] Remove pointless none check (#10430) --- src/rust/src/x509/sign.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 4d9637d1f2de..099032210e8b 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -134,7 +134,7 @@ pub(crate) fn compute_signature_algorithm<'p>( // If this is RSA-PSS we need to compute the signature algorithm from the // parameters provided in rsa_padding. - if !rsa_padding.is_none() && rsa_padding.is_instance(types::PSS.get(py)?)? { + if rsa_padding.is_instance(types::PSS.get(py)?)? { let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?; let hash_algorithm_id = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), From e8dc7d88850e0c2eb917444c352c779681a4a000 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 21:33:33 +0000 Subject: [PATCH 144/868] Bump openssl-sys from 0.9.99 to 0.9.100 in /src/rust (#10431) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.99 to 0.9.100. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.99...openssl-sys-v0.9.100) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 091f763dee64..f3f5426dcfab 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -216,9 +216,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.99" +version = "0.9.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" +checksum = "ae94056a791d0e1217d18b6cbdccb02c61e3054fc69893607f4067e3bb0b1fd1" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 698328596665..4d016e61e578 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -19,7 +19,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.63" -openssl-sys = "0.9.99" +openssl-sys = "0.9.100" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index a025e58ceda7..af977b0d6a51 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.99" +openssl-sys = "0.9.100" [build-dependencies] cc = "1.0.83" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index f2ae0b6e4aed..5799701f8457 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -11,5 +11,5 @@ rust-version = "1.63.0" asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" openssl = "0.10.63" -openssl-sys = "0.9.99" +openssl-sys = "0.9.100" cryptography-x509 = { path = "../cryptography-x509" } From f867eeb87351da1613466c5ac98d560011d5287f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 21:46:26 +0000 Subject: [PATCH 145/868] Bump openssl from 0.10.63 to 0.10.64 in /src/rust (#10432) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.63 to 0.10.64. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.63...openssl-v0.10.64) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f3f5426dcfab..65d173e5f824 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -190,9 +190,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.63" +version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" +checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ "bitflags 2.4.2", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 4d016e61e578..83c6605ad453 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -18,7 +18,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.63" +openssl = "0.10.64" openssl-sys = "0.9.100" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 5799701f8457..2922568d15ef 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -10,6 +10,6 @@ rust-version = "1.63.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" -openssl = "0.10.63" +openssl = "0.10.64" openssl-sys = "0.9.100" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 700704d0dc3a..0da98d70dda2 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] cfg-if = "1" -openssl = "0.10.63" +openssl = "0.10.64" ffi = { package = "openssl-sys", version = "0.9.99" } foreign-types = "0.3" foreign-types-shared = "0.1" From fb2d6ec75a704a503f305d24a0f34d9b2e08e4dc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 00:13:58 +0000 Subject: [PATCH 146/868] Bump BoringSSL and/or OpenSSL in CI (#10435) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0cb9bf9d91fe..b7b8535445ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 17, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "99e8c6e2a383a25679c3d6767702732b27bc16ea"}} - # Latest commit on the OpenSSL master branch, as of Feb 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c3e8d67885c0c4295cfd1df35a41bf1f3fa9dc37"}} + # Latest commit on the OpenSSL master branch, as of Feb 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a768a796f26ecebc12ac0bd9b86c5c30bfd9370b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 8224447b1eba88038d9f9a760e9f2a7d91ede28e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 19:44:28 -0500 Subject: [PATCH 147/868] Convert PKCS#12 loading to Rust (#10434) --- .../hazmat/backends/openssl/backend.py | 100 ------------ .../hazmat/bindings/_rust/openssl/keys.pyi | 4 - .../hazmat/bindings/_rust/pkcs12.pyi | 26 +++ .../hazmat/bindings/_rust/pkcs7.pyi | 4 + .../hazmat/primitives/serialization/pkcs12.py | 25 +-- src/rust/src/backend/keys.rs | 29 ++-- src/rust/src/lib.rs | 2 + src/rust/src/pkcs12.rs | 150 ++++++++++++++++++ src/rust/src/types.rs | 9 ++ tests/hazmat/backends/test_openssl.py | 9 -- tests/hazmat/primitives/test_pkcs12.py | 17 +- 11 files changed, 222 insertions(+), 153 deletions(-) create mode 100644 src/cryptography/hazmat/bindings/_rust/pkcs12.pyi create mode 100644 src/rust/src/pkcs12.rs diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 6a4aeca7521f..56d8206612e6 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -22,9 +22,6 @@ PSS, PKCS1v15, ) -from cryptography.hazmat.primitives.asymmetric.types import ( - PrivateKeyTypes, -) from cryptography.hazmat.primitives.ciphers import ( CipherAlgorithm, ) @@ -38,7 +35,6 @@ from cryptography.hazmat.primitives.serialization.pkcs12 import ( PBES, PKCS12Certificate, - PKCS12KeyAndCertificates, PKCS12PrivateKeyTypes, _PKCS12CATypes, ) @@ -278,12 +274,6 @@ def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: x509 = self._ffi.gc(x509, self._lib.X509_free) return x509 - def _ossl2cert(self, x509_ptr: typing.Any) -> x509.Certificate: - bio = self._create_mem_bio_gc() - res = self._lib.i2d_X509_bio(bio, x509_ptr) - self.openssl_assert(res == 1) - return x509.load_der_x509_certificate(self._read_mem_bio(bio)) - def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any: data = key.private_bytes( serialization.Encoding.DER, @@ -398,96 +388,6 @@ def _zeroed_null_terminated_buf(self, data): # Cast to a uint8_t * so we can assign by integer self._zero_data(self._ffi.cast("uint8_t *", buf), data_len) - def load_key_and_certificates_from_pkcs12( - self, data: bytes, password: bytes | None - ) -> tuple[ - PrivateKeyTypes | None, - x509.Certificate | None, - list[x509.Certificate], - ]: - pkcs12 = self.load_pkcs12(data, password) - return ( - pkcs12.key, - pkcs12.cert.certificate if pkcs12.cert else None, - [cert.certificate for cert in pkcs12.additional_certs], - ) - - def load_pkcs12( - self, data: bytes, password: bytes | None - ) -> PKCS12KeyAndCertificates: - if password is not None: - utils._check_byteslike("password", password) - - bio = self._bytes_to_bio(data) - p12 = self._lib.d2i_PKCS12_bio(bio.bio, self._ffi.NULL) - if p12 == self._ffi.NULL: - self._consume_errors() - raise ValueError("Could not deserialize PKCS12 data") - - p12 = self._ffi.gc(p12, self._lib.PKCS12_free) - evp_pkey_ptr = self._ffi.new("EVP_PKEY **") - x509_ptr = self._ffi.new("X509 **") - sk_x509_ptr = self._ffi.new("Cryptography_STACK_OF_X509 **") - with self._zeroed_null_terminated_buf(password) as password_buf: - res = self._lib.PKCS12_parse( - p12, password_buf, evp_pkey_ptr, x509_ptr, sk_x509_ptr - ) - if res == 0: - self._consume_errors() - raise ValueError("Invalid password or PKCS12 data") - - cert = None - key = None - additional_certificates = [] - - if evp_pkey_ptr[0] != self._ffi.NULL: - evp_pkey = self._ffi.gc(evp_pkey_ptr[0], self._lib.EVP_PKEY_free) - # We don't support turning off RSA key validation when loading - # PKCS12 keys - key = rust_openssl.keys.private_key_from_ptr( - int(self._ffi.cast("uintptr_t", evp_pkey)), - unsafe_skip_rsa_key_validation=False, - ) - - if x509_ptr[0] != self._ffi.NULL: - x509 = self._ffi.gc(x509_ptr[0], self._lib.X509_free) - cert_obj = self._ossl2cert(x509) - name = None - maybe_name = self._lib.X509_alias_get0(x509, self._ffi.NULL) - if maybe_name != self._ffi.NULL: - name = self._ffi.string(maybe_name) - cert = PKCS12Certificate(cert_obj, name) - - if sk_x509_ptr[0] != self._ffi.NULL: - sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) - num = self._lib.sk_X509_num(sk_x509_ptr[0]) - - # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the - # certificates. - indices: typing.Iterable[int] - if ( - rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - or rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL - ): - indices = range(num) - else: - indices = reversed(range(num)) - - for i in indices: - x509 = self._lib.sk_X509_value(sk_x509, i) - self.openssl_assert(x509 != self._ffi.NULL) - x509 = self._ffi.gc(x509, self._lib.X509_free) - addl_cert = self._ossl2cert(x509) - addl_name = None - maybe_name = self._lib.X509_alias_get0(x509, self._ffi.NULL) - if maybe_name != self._ffi.NULL: - addl_name = self._ffi.string(maybe_name) - additional_certificates.append( - PKCS12Certificate(addl_cert, addl_name) - ) - - return PKCS12KeyAndCertificates(key, cert, additional_certificates) - def serialize_key_and_certificates_to_pkcs12( self, name: bytes | None, diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi index e312d51dc58b..6815b7d9154b 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/keys.pyi @@ -9,10 +9,6 @@ from cryptography.hazmat.primitives.asymmetric.types import ( PublicKeyTypes, ) -def private_key_from_ptr( - ptr: int, - unsafe_skip_rsa_key_validation: bool, -) -> PrivateKeyTypes: ... def load_der_private_key( data: bytes, password: bytes | None, diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi new file mode 100644 index 000000000000..c82892f6debc --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -0,0 +1,26 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +import typing + +from cryptography import x509 +from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes +from cryptography.hazmat.primitives.serialization.pkcs12 import ( + PKCS12KeyAndCertificates, +) + +def load_key_and_certificates( + data: bytes, + password: bytes | None, + backend: typing.Any = None, +) -> tuple[ + PrivateKeyTypes | None, + x509.Certificate | None, + list[x509.Certificate], +]: ... +def load_pkcs12( + data: bytes, + password: bytes | None, + backend: typing.Any = None, +) -> PKCS12KeyAndCertificates: ... diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi index a84978246572..f7f9883eb311 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi @@ -1,3 +1,7 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + import typing from cryptography import x509 diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 006a248bd244..b6d6a198a4f6 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -7,6 +7,7 @@ import typing from cryptography import x509 +from cryptography.hazmat.bindings._rust import pkcs12 as rust_pkcs12 from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives._serialization import PBES as PBES from cryptography.hazmat.primitives.asymmetric import ( @@ -143,28 +144,8 @@ def __repr__(self) -> str: return fmt.format(self.key, self.cert, self.additional_certs) -def load_key_and_certificates( - data: bytes, - password: bytes | None, - backend: typing.Any = None, -) -> tuple[ - PrivateKeyTypes | None, - x509.Certificate | None, - list[x509.Certificate], -]: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_key_and_certificates_from_pkcs12(data, password) - - -def load_pkcs12( - data: bytes, - password: bytes | None, - backend: typing.Any = None, -) -> PKCS12KeyAndCertificates: - from cryptography.hazmat.backends.openssl.backend import backend as ossl - - return ossl.load_pkcs12(data, password) +load_key_and_certificates = rust_pkcs12.load_key_and_certificates +load_pkcs12 = rust_pkcs12.load_pkcs12 _PKCS12CATypes = typing.Union[ diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 6af0b923aebc..a41b6805695f 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,7 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use foreign_types_shared::ForeignTypeRef; use pyo3::IntoPy; use crate::backend::utils; @@ -61,18 +60,7 @@ fn load_pem_private_key( private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation) } -#[pyo3::prelude::pyfunction] -fn private_key_from_ptr( - py: pyo3::Python<'_>, - ptr: usize, - unsafe_skip_rsa_key_validation: bool, -) -> CryptographyResult { - // SAFETY: Caller is responsible for passing a valid pointer. - let pkey = unsafe { openssl::pkey::PKeyRef::from_ptr(ptr as *mut _) }; - private_key_from_pkey(py, pkey, unsafe_skip_rsa_key_validation) -} - -fn private_key_from_pkey( +pub(crate) fn private_key_from_pkey( py: pyo3::Python<'_>, pkey: &openssl::pkey::PKeyRef, unsafe_skip_rsa_key_validation: bool, @@ -236,15 +224,13 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu m.add_function(pyo3::wrap_pyfunction!(load_der_public_key, m)?)?; m.add_function(pyo3::wrap_pyfunction!(load_pem_public_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(private_key_from_ptr, m)?)?; - Ok(m) } #[cfg(test)] mod tests { #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - use super::public_key_from_pkey; + use super::{private_key_from_pkey, public_key_from_pkey}; #[test] #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] @@ -260,4 +246,15 @@ mod tests { assert!(public_key_from_pkey(py, &pkey, openssl::pkey::Id::CMAC).is_err()); }); } + + #[test] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + fn test_private_key_from_pkey_unknown_key() { + pyo3::prepare_freethreaded_python(); + + pyo3::Python::with_gil(|py| { + let pkey = openssl::pkey::PKey::hmac(&[0; 32]).unwrap(); + assert!(private_key_from_pkey(py, &pkey, false).is_err()); + }); + } } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index a92fdebe42df..af9eb42a520b 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -18,6 +18,7 @@ mod error; mod exceptions; pub(crate) mod oid; mod padding; +mod pkcs12; mod pkcs7; pub(crate) mod types; mod x509; @@ -82,6 +83,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(asn1::create_submodule(py)?)?; m.add_submodule(pkcs7::create_submodule(py)?)?; + m.add_submodule(pkcs12::create_submodule(py)?)?; m.add_submodule(exceptions::create_submodule(py)?)?; let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs new file mode 100644 index 000000000000..34b2c8f04c5e --- /dev/null +++ b/src/rust/src/pkcs12.rs @@ -0,0 +1,150 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::backend::keys; +use crate::buf::CffiBuf; +use crate::error::CryptographyResult; +use crate::{types, x509}; +use pyo3::IntoPy; + +fn decode_p12( + data: CffiBuf<'_>, + password: Option>, +) -> CryptographyResult { + let p12 = openssl::pkcs12::Pkcs12::from_der(data.as_bytes()).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Could not deserialize PKCS12 data") + })?; + + let password = if let Some(p) = password.as_ref() { + std::str::from_utf8(p.as_bytes()) + .map_err(|_| pyo3::exceptions::PyUnicodeDecodeError::new_err(()))? + } else { + // Treat `password=None` the same as empty string. They're actually + // not the same in PKCS#12, but OpenSSL transparently handles them the + // same. + "" + }; + let parsed = p12 + .parse2(password) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid password or PKCS12 data"))?; + + Ok(parsed) +} + +#[pyo3::prelude::pyfunction] +fn load_key_and_certificates<'p>( + py: pyo3::Python<'p>, + data: CffiBuf<'_>, + password: Option>, + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult<( + pyo3::PyObject, + Option, + &'p pyo3::types::PyList, +)> { + let _ = backend; + + let p12 = decode_p12(data, password)?; + + let private_key = if let Some(pkey) = p12.pkey { + keys::private_key_from_pkey(py, &pkey, false)? + } else { + py.None() + }; + let cert = if let Some(ossl_cert) = p12.cert { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + Some(x509::certificate::load_der_x509_certificate( + py, cert_der, None, + )?) + } else { + None + }; + let additional_certs = pyo3::types::PyList::empty(py); + if let Some(ossl_certs) = p12.ca { + cfg_if::cfg_if! { + if #[cfg(any( + CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL + ))] { + let it = ossl_certs.iter(); + } else { + let it = ossl_certs.iter().rev(); + } + }; + + for ossl_cert in it { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; + additional_certs.append(cert.into_py(py))?; + } + } + + Ok((private_key, cert, additional_certs)) +} + +#[pyo3::prelude::pyfunction] +fn load_pkcs12<'p>( + py: pyo3::Python<'p>, + data: CffiBuf<'_>, + password: Option>, + backend: Option<&pyo3::PyAny>, +) -> CryptographyResult<&'p pyo3::PyAny> { + let _ = backend; + + let p12 = decode_p12(data, password)?; + + let private_key = if let Some(pkey) = p12.pkey { + keys::private_key_from_pkey(py, &pkey, false)? + } else { + py.None() + }; + let cert = if let Some(ossl_cert) = p12.cert { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; + let alias = ossl_cert.alias(); + + types::PKCS12CERTIFICATE + .get(py)? + .call1((cert, alias))? + .into_py(py) + } else { + py.None() + }; + let additional_certs = pyo3::types::PyList::empty(py); + if let Some(ossl_certs) = p12.ca { + cfg_if::cfg_if! { + if #[cfg(any( + CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL + ))] { + let it = ossl_certs.iter(); + } else { + let it = ossl_certs.iter().rev(); + } + }; + + for ossl_cert in it { + let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; + let alias = ossl_cert.alias(); + + let p12_cert = types::PKCS12CERTIFICATE + .get(py)? + .call1((cert, alias))? + .into_py(py); + additional_certs.append(p12_cert)?; + } + } + + Ok(types::PKCS12KEYANDCERTIFICATES + .get(py)? + .call1((private_key, cert, additional_certs))?) +} + +pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { + let submod = pyo3::prelude::PyModule::new(py, "pkcs12")?; + + submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, submod)?)?; + + Ok(submod) +} diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 98dd9ecbb269..3afdbb980914 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -327,6 +327,15 @@ pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( &["_smime_encode"], ); +pub static PKCS12CERTIFICATE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PKCS12Certificate"], +); +pub static PKCS12KEYANDCERTIFICATES: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PKCS12KeyAndCertificates"], +); + pub static HASHES_MODULE: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &[]); pub static HASH_ALGORITHM: LazyPyImport = diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 7cf98afe91d0..901eec59776f 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -201,15 +201,6 @@ def test_unsupported_mgf1_hash_algorithm_md5_decrypt(self, rsa_key_2048): class TestOpenSSLSerializationWithOpenSSL: - def test_unsupported_evp_pkey_type(self): - key = backend._lib.EVP_PKEY_new() - key = backend._ffi.gc(key, backend._lib.EVP_PKEY_free) - with raises_unsupported_algorithm(None): - rust_openssl.keys.private_key_from_ptr( - int(backend._ffi.cast("uintptr_t", key)), - unsafe_skip_rsa_key_validation=False, - ) - def test_very_long_pem_serialization_password(self): password = b"x" * 1025 diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index d9f2cdebd5c6..e096894956e8 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -91,7 +91,7 @@ def test_load_pkcs12_ec_keys(self, filename, password, backend): def test_load_pkcs12_ec_keys_rc2(self, filename, password, backend): self._test_load_pkcs12_ec_keys(filename, password, backend) - def test_load_pkcs12_cert_only(self, backend): + def test_load_key_and_cert_cert_only(self, backend): cert, _ = _load_ca(backend) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( os.path.join("pkcs12", "cert-aes256cbc-no-key.p12"), @@ -104,7 +104,7 @@ def test_load_pkcs12_cert_only(self, backend): assert parsed_key is None assert parsed_more_certs == [cert] - def test_load_pkcs12_key_only(self, backend): + def test_load_key_and_certificates_key_only(self, backend): _, key = _load_ca(backend) assert isinstance(key, ec.EllipticCurvePrivateKey) parsed_key, parsed_cert, parsed_more_certs = load_vectors_from_file( @@ -119,6 +119,19 @@ def test_load_pkcs12_key_only(self, backend): assert parsed_cert is None assert parsed_more_certs == [] + def test_load_pkcs12_key_only(self, backend): + _, key = _load_ca(backend) + assert isinstance(key, ec.EllipticCurvePrivateKey) + p12 = load_vectors_from_file( + os.path.join("pkcs12", "no-cert-key-aes256cbc.p12"), + lambda data: load_pkcs12(data.read(), b"cryptography", backend), + mode="rb", + ) + assert isinstance(p12.key, ec.EllipticCurvePrivateKey) + assert p12.key.private_numbers() == key.private_numbers() + assert p12.cert is None + assert p12.additional_certs == [] + def test_non_bytes(self, backend): with pytest.raises(TypeError): load_key_and_certificates( From 9db55b592963b588a62d3c88afabe45000ac9f66 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 20:00:19 -0500 Subject: [PATCH 148/868] Move FIPS enablement to Rust (#10433) --- src/_cffi_src/build_openssl.py | 2 -- src/_cffi_src/openssl/evp.py | 10 ------ src/_cffi_src/openssl/provider.py | 36 ------------------- .../bindings/_rust/openssl/__init__.pyi | 4 +++ .../hazmat/bindings/openssl/_conditional.py | 15 -------- .../hazmat/bindings/openssl/binding.py | 11 +----- src/rust/cryptography-openssl/src/fips.rs | 12 +++++++ src/rust/src/lib.rs | 20 +++++++++-- 8 files changed, 35 insertions(+), 75 deletions(-) delete mode 100644 src/_cffi_src/openssl/provider.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 6065e7aeed37..642b56ce490f 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -21,8 +21,6 @@ modules=[ # This goes first so we can define some cryptography-wide symbols. "cryptography", - # Provider comes early as well so we define OSSL_LIB_CTX - "provider", "asn1", "bignum", "bio", diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 59e002bad682..141b43ce0b3b 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -25,7 +25,6 @@ static const int EVP_MAX_MD_SIZE; static const int Cryptography_HAS_EVP_PKEY_DHX; -static const long Cryptography_HAS_300_FIPS; """ FUNCTIONS = """ @@ -60,8 +59,6 @@ int EVP_PKEY_bits(const EVP_PKEY *); int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); - -int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ CUSTOMIZATIONS = """ @@ -70,11 +67,4 @@ #else const long Cryptography_HAS_EVP_PKEY_DHX = 0; #endif - -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -static const long Cryptography_HAS_300_FIPS = 1; -#else -static const long Cryptography_HAS_300_FIPS = 0; -int (*EVP_default_properties_enable_fips)(OSSL_LIB_CTX *, int) = NULL; -#endif """ diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py deleted file mode 100644 index f00b28325164..000000000000 --- a/src/_cffi_src/openssl/provider.py +++ /dev/null @@ -1,36 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -#include -#include -#endif -""" - -TYPES = """ -static const long Cryptography_HAS_PROVIDERS; - -typedef ... OSSL_PROVIDER; -typedef ... OSSL_LIB_CTX; -""" - -FUNCTIONS = """ -OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); -int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); -""" - -CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -static const long Cryptography_HAS_PROVIDERS = 1; -#else -static const long Cryptography_HAS_PROVIDERS = 0; -typedef void OSSL_PROVIDER; -typedef void OSSL_LIB_CTX; -OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; -int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; -#endif -""" diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 25e0427496e5..e4e742bdfedf 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -50,13 +50,17 @@ CRYPTOGRAPHY_IS_BORINGSSL: bool CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool +class Providers: ... + _legacy_provider_loaded: bool +_providers: Providers def openssl_version() -> int: ... def openssl_version_text() -> str: ... def raise_openssl_error() -> typing.NoReturn: ... def capture_error_stack() -> list[OpenSSLError]: ... def is_fips_enabled() -> bool: ... +def enable_fips(providers: Providers) -> None: ... class OpenSSLError: @property diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 8def8bf487b9..805991c560c3 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -109,13 +109,6 @@ def cryptography_has_srtp() -> list[str]: ] -def cryptography_has_providers() -> list[str]: - return [ - "OSSL_PROVIDER_load", - "OSSL_PROVIDER_unload", - ] - - def cryptography_has_op_no_renegotiation() -> list[str]: return [ "SSL_OP_NO_RENEGOTIATION", @@ -128,12 +121,6 @@ def cryptography_has_dtls_get_data_mtu() -> list[str]: ] -def cryptography_has_300_fips() -> list[str]: - return [ - "EVP_default_properties_enable_fips", - ] - - def cryptography_has_ssl_cookie() -> list[str]: return [ "SSL_OP_COOKIE_EXCHANGE", @@ -191,12 +178,10 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_ENGINE": cryptography_has_engine, "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, "Cryptography_HAS_SRTP": cryptography_has_srtp, - "Cryptography_HAS_PROVIDERS": cryptography_has_providers, "Cryptography_HAS_OP_NO_RENEGOTIATION": ( cryptography_has_op_no_renegotiation ), "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu, - "Cryptography_HAS_300_FIPS": cryptography_has_300_fips, "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index e8577763c57e..65eb5829134a 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -65,16 +65,7 @@ def __init__(self) -> None: self._ensure_ffi_initialized() def _enable_fips(self) -> None: - # This function enables FIPS mode for OpenSSL 3.0.0 on installs that - # have the FIPS provider installed properly. - _openssl_assert(openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) - self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( - self.ffi.NULL, b"fips" - ) - _openssl_assert(self.lib._fips_provider != self.ffi.NULL) - - res = self.lib.EVP_default_properties_enable_fips(self.ffi.NULL, 1) - _openssl_assert(res == 1) + openssl.enable_fips(openssl._providers) @classmethod def _ensure_ffi_initialized(cls) -> None: diff --git a/src/rust/cryptography-openssl/src/fips.rs b/src/rust/cryptography-openssl/src/fips.rs index 9c89f317ebda..b14d2a5a659d 100644 --- a/src/rust/cryptography-openssl/src/fips.rs +++ b/src/rust/cryptography-openssl/src/fips.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +use crate::{cvt, OpenSSLResult}; #[cfg(all( CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)) @@ -22,3 +24,13 @@ pub fn is_enabled() -> bool { } } } + +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +pub fn enable() -> OpenSSLResult<()> { + // SAFETY: No pre-conditions + unsafe { + cvt(ffi::EVP_default_properties_enable_fips(ptr::null_mut(), 1))?; + } + + Ok(()) +} diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index af9eb42a520b..582d2e139577 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -24,10 +24,12 @@ pub(crate) mod types; mod x509; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] +#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, _default: provider::Provider, + + fips: Option, } #[pyo3::prelude::pyfunction] @@ -63,7 +65,11 @@ fn _initialize_providers() -> CryptographyResult { None }; let _default = provider::Provider::load(None, "default")?; - Ok(LoadedProviders { legacy, _default }) + Ok(LoadedProviders { + legacy, + _default, + fips: None, + }) } fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { @@ -75,6 +81,14 @@ fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { Ok(()) } +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[pyo3::prelude::pyfunction] +fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { + providers.fips = Some(provider::Provider::load(None, "fips")?); + cryptography_openssl::fips::enable()?; + Ok(()) +} + #[pyo3::prelude::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; @@ -124,6 +138,8 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> openssl_mod.add("_legacy_provider_loaded", false)?; } openssl_mod.add("_providers", providers)?; + + openssl_mod.add_function(pyo3::wrap_pyfunction!(enable_fips, m)?)?; } else { // default value for non-openssl 3+ openssl_mod.add("_legacy_provider_loaded", false)?; From 027845cc4d2e3238eb895dde824a1a618f715e52 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 19 Feb 2024 17:10:08 -0800 Subject: [PATCH 149/868] remove a useless function (#10436) --- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- src/cryptography/hazmat/bindings/openssl/binding.py | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 56d8206612e6..406b1ea990a2 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -99,7 +99,7 @@ def openssl_assert(self, ok: bool) -> None: def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. - self._binding._enable_fips() + rust_openssl.enable_fips(rust_openssl._providers) assert rust_openssl.is_fips_enabled() self._fips_enabled = rust_openssl.is_fips_enabled() diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 65eb5829134a..f5d8cb0b7d9f 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -64,9 +64,6 @@ class Binding: def __init__(self) -> None: self._ensure_ffi_initialized() - def _enable_fips(self) -> None: - openssl.enable_fips(openssl._providers) - @classmethod def _ensure_ffi_initialized(cls) -> None: with cls._init_lock: From 4aa0d9ad35be926a7f19e0a89bab72de606f770a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 07:04:35 -0500 Subject: [PATCH 150/868] Bump syn from 2.0.49 to 2.0.50 in /src/rust (#10439) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.49 to 2.0.50. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.49...2.0.50) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 65d173e5f824..c85ea888aa3a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -372,9 +372,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.49" +version = "2.0.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "915aea9e586f80826ee59f8453c1101f9d1c4b3964cd2460185ee8e299ada496" +checksum = "74f1bdc9872430ce9b75da68329d1c1746faf50ffac5f19e02b71e37ff881ffb" dependencies = [ "proc-macro2", "quote", From c97808ca7716667037804a6b8709b7e9045b6629 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 20 Feb 2024 15:57:07 +0100 Subject: [PATCH 151/868] Add test vectors for deterministic ECDSA (RFC6979) (#10438) --- docs/development/test-vectors.rst | 2 + .../ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt | 2807 +++++++++++++++++ 2 files changed, 2809 insertions(+) create mode 100644 vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 35f7b7b9864a..aeff528faf78 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -51,6 +51,7 @@ Asymmetric ciphers * X25519 and X448 test vectors from :rfc:`7748`. * RSA OAEP with custom label from the `BoringSSL evp tests`_. * Ed448 test vectors from :rfc:`8032`. +* Deterministic ECDSA (:rfc:`6979`) from `OpenSSL's RFC 6979 test vectors`_. Custom asymmetric vectors @@ -1094,3 +1095,4 @@ header format (substituting the correct information): .. _`dkg's additional OCB3 vectors`: https://gitlab.com/dkg/ocb-test-vectors .. _`OpenSSL's OCB vectors`: https://github.com/openssl/openssl/commit/2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be .. _`badkeys`: https://github.com/vcsjones/badkeys/tree/50f1cc5f8d13bf3a2046d689f6452decb15d9c3c +.. _`OpenSSL's RFC 6979 test vectors`: https://github.com/openssl/openssl/blob/01690a7ff36c4d18c48b301cdf375c954105a1d9/test/recipes/30-test_evp_data/evppkey_ecdsa_rfc6979.txt diff --git a/vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt b/vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt new file mode 100644 index 000000000000..3bc27a603c29 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/ECDSA/RFC6979/evppkey_ecdsa_rfc6979.txt @@ -0,0 +1,2807 @@ +# +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Tests start with one of these keywords +# Cipher Decrypt Derive Digest Encoding KDF MAC PBE +# PrivPubKeyPair Sign Verify VerifyRecover +# and continue until a blank line. Lines starting with a pound sign are ignored. + + +Title = RFC 6979 P-192 deterministic ECDSA tests + +PrivateKey=P-192_PRIV +-----BEGIN PRIVATE KEY----- +MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhvqwNJNOTA/Jrmf1tWWanX0f79GH7g +n9Q= +-----END PRIVATE KEY----- + +PublicKey=P-192_PUB +-----BEGIN PUBLIC KEY----- +MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAErCx39Sn5Fon+oOpe/sfyENjuoLngR+1WO8cj5XZw +vUiH68cyxSMGPQp8lXvJfBxD +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-192_PRIV:P-192_PUB + +DigestSign = SHA1 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 303502190098C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF021857A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "sample" +Output = 303502190098C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF021857A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "sample" +Output = 303502190098C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF021857A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B65 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 3036021900A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5021900E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A + +DigestVerify = SHA224 +Key = P-192_PUB +Input = "sample" +Output = 3036021900A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5021900E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A + +DigestVerify = SHA224 +Key = P-192_PUB +Input = "sample" +Output = 3036021900A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5021900E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97B +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 303502184B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55021900CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85 + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "sample" +Output = 303502184B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55021900CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85 + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "sample" +Output = 303502184B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55021900CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B84 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 3036021900DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5021900C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "sample" +Output = 3036021900DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5021900C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "sample" +Output = 3036021900DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5021900C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5F +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-192_PRIV +NonceType = deterministic +Input = "sample" +Output = 303402184D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B802183F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "sample" +Output = 303402184D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B802183F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "sample" +Output = 303402184D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B802183F6E837448F027A1BF4B34E796E32A811CBB4050908D8F66 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 303502180F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D021900EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "test" +Output = 303502180F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D021900EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7 + +DigestVerify = SHA1 +Key = P-192_PUB +Input = "test" +Output = 303502180F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D021900EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B6 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 303502186945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34021900B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293 + +DigestVerify = SHA224 +Key = P-192_PUB +Input = "test" +Output = 303502186945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34021900B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293 + +DigestVerify = SHA224 +Key = P-192_PUB +Input = "test" +Output = 303502186945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34021900B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15292 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 303402183A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE02185662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "test" +Output = 303402183A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE02185662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F + +DigestVerify = SHA256 +Key = P-192_PUB +Input = "test" +Output = 303402183A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE02185662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124E +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 3035021900B234B60B4DB75A733E19280A7A6034BD6B1EE88AF533236702187994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "test" +Output = 3035021900B234B60B4DB75A733E19280A7A6034BD6B1EE88AF533236702187994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A + +DigestVerify = SHA384 +Key = P-192_PUB +Input = "test" +Output = 3035021900B234B60B4DB75A733E19280A7A6034BD6B1EE88AF533236702187994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77B +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-192_PRIV +NonceType = deterministic +Input = "test" +Output = 3035021900FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739021874CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "test" +Output = 3035021900FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739021874CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290 + +DigestVerify = SHA512 +Key = P-192_PUB +Input = "test" +Output = 3035021900FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739021874CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52291 +Result = VERIFY_ERROR + +Title = RFC 6979 P-224 deterministic ECDSA tests + +PrivateKey=P-224_PRIV +-----BEGIN PRIVATE KEY----- +MDoCAQAwEAYHKoZIzj0CAQYFK4EEACEEIzAhAgEBBBzyICZuEQW/4wg+A+x6OmVGUfReNxZ+iGAL +8lfB +-----END PRIVATE KEY----- + +PublicKey=P-224_PUB +-----BEGIN PUBLIC KEY----- +ME4wEAYHKoZIzj0CAQYFK4EEACEDOgAEAM8I2lrXGeQnB/pDEpLeoRJE1k/FFhDZSxMNbO6rbz3r +5FXj2/hUFvcDDL2U808tbyMsafPBOFo= +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-224_PRIV:P-224_PUB + +DigestSign = SHA1 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303C021C22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC021C66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "sample" +Output = 303C021C22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC021C66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "sample" +Output = 303C021C22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC021C66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D68 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303D021C1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E021D00A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "sample" +Output = 303D021C1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E021D00A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "sample" +Output = 303D021C1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E021D00A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBD +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303D021C61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA021D00BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101 + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "sample" +Output = 303D021C61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA021D00BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101 + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "sample" +Output = 303D021C61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA021D00BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10100 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303D021C0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953021D00830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "sample" +Output = 303D021C0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953021D00830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "sample" +Output = 303D021C0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953021D00830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-224_PRIV +NonceType = deterministic +Input = "sample" +Output = 303D021C074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397021D00A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084 + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "sample" +Output = 303D021C074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397021D00A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084 + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "sample" +Output = 303D021C074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397021D00A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB085 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D00DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C021D0095987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "test" +Output = 303E021D00DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C021D0095987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2 + +DigestVerify = SHA1 +Key = P-224_PUB +Input = "test" +Output = 303E021D00DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C021D0095987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD3 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D00C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019021D00902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4 + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "test" +Output = 303E021D00C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019021D00902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4 + +DigestVerify = SHA224 +Key = P-224_PUB +Input = "test" +Output = 303E021D00C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019021D00902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F5 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303D021D00AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6021C178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "test" +Output = 303D021D00AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6021C178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD + +DigestVerify = SHA256 +Key = P-224_PUB +Input = "test" +Output = 303D021D00AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6021C178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFC +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303C021C389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4021C414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "test" +Output = 303C021C389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4021C414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB + +DigestVerify = SHA384 +Key = P-224_PUB +Input = "test" +Output = 303C021C389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4021C414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAA +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-224_PRIV +NonceType = deterministic +Input = "test" +Output = 303C021C049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C021C077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "test" +Output = 303C021C049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C021C077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF + +DigestVerify = SHA512 +Key = P-224_PUB +Input = "test" +Output = 303C021C049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C021C077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFE +Result = VERIFY_ERROR + +Title = RFC 6979 P-256 deterministic ECDSA tests + +PrivateKey=P-256_PRIV +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDJr6nYRbp1FmtcIVdnsdaTTlDD2zbo +mxJ7imIrEg9nIQ== +-----END PRIVATE KEY----- + +PublicKey=P-256_PUB +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYP7UuiVanTHJYet0xjVtaMBJuJI7Yfps5mliLmDy +n7Z5A/4QCLi8maQa6elWKLxk8vGyDC1+n1F3o8KU1EYimQ== +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-256_PRIV:P-256_PUB + +DigestSign = SHA1 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB + +DigestVerify = SHA1 +Key = P-256_PUB +Input = "sample" +Output = 3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB + +DigestVerify = SHA1 +Key = P-256_PUB +Input = "sample" +Output = 3044022061340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D3202206D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EA +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 3045022053B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F022100B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "sample" +Output = 3045022053B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F022100B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "sample" +Output = 3045022053B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F022100B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74D +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 3046022100EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716022100F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "sample" +Output = 3046022100EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716022100F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "sample" +Output = 3046022100EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716022100F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA9 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 304402200EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF771902204861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954 + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "sample" +Output = 304402200EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF771902204861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954 + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "sample" +Output = 304402200EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF771902204861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940955 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-256_PRIV +NonceType = deterministic +Input = "sample" +Output = 30450221008496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F0002202362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "sample" +Output = 30450221008496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F0002202362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "sample" +Output = 30450221008496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F0002202362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FF +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 304402200CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89022001B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1 + +DigestVerify = SHA1 +Key = P-256_PUB +Input = "test" +Output = 304402200CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89022001B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1 + +DigestVerify = SHA1 +Key = P-256_PUB +Input = "test" +Output = 304402200CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89022001B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B0 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 3046022100C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692022100C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "test" +Output = 3046022100C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692022100C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D + +DigestVerify = SHA224 +Key = P-256_PUB +Input = "test" +Output = 3046022100C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692022100C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2C +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 3045022100F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D383670220019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "test" +Output = 3045022100F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D383670220019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083 + +DigestVerify = SHA256 +Key = P-256_PUB +Input = "test" +Output = 3045022100F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D383670220019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0082 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 304602210083910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB60221008DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "test" +Output = 304602210083910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB60221008DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C + +DigestVerify = SHA384 +Key = P-256_PUB +Input = "test" +Output = 304602210083910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB60221008DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-256_PRIV +NonceType = deterministic +Input = "test" +Output = 30440220461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04022039AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55 + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "test" +Output = 30440220461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04022039AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55 + +DigestVerify = SHA512 +Key = P-256_PUB +Input = "test" +Output = 30440220461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04022039AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E54 +Result = VERIFY_ERROR + +Title = RFC 6979 P-384 deterministic ECDSA tests + +PrivateKey=P-384_PRIV +-----BEGIN PRIVATE KEY----- +ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDBrnT2tLhuMHAWxmHW2ZZ9N4jw7Znvyl7qa +pHdAeHE32JbVck5McKgl+HLJ6mDS7fU= +-----END PRIVATE KEY----- + +PublicKey=P-384_PUB +-----BEGIN PUBLIC KEY----- +MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7DpOQVtOGaRWhhgCn0J/pdqai8SukuAuBqrlKGswDGTe ++PDqkFWGYGSiVFFUgLwTgBXZty19VyROqO+awMYhiWcIpZNn+d+59UyoSz8cnbEoiyMcOuDU/nNE +/SUzJkcg +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-384_PRIV:P-384_PUB + +DigestSign = SHA1 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 3066023100EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2023100A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "sample" +Output = 3066023100EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2023100A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "sample" +Output = 3066023100EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2023100A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A442 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 3065023042356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601220231009DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D + +DigestVerify = SHA224 +Key = P-384_PUB +Input = "sample" +Output = 3065023042356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601220231009DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D + +DigestVerify = SHA224 +Key = P-384_PUB +Input = "sample" +Output = 3065023042356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE0601220231009DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8C +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 3065023021B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD023100F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0 + +DigestVerify = SHA256 +Key = P-384_PUB +Input = "sample" +Output = 3065023021B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD023100F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0 + +DigestVerify = SHA256 +Key = P-384_PUB +Input = "sample" +Output = 3065023021B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD023100F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB1 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 306602310094EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4602310099EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "sample" +Output = 306602310094EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4602310099EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "sample" +Output = 306602310094EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE4602310099EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC9 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-384_PRIV +NonceType = deterministic +Input = "sample" +Output = 3065023100ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD78824337090230512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "sample" +Output = 3065023100ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD78824337090230512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "sample" +Output = 3065023100ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD78824337090230512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD4 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 306502304BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7023100D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "test" +Output = 306502304BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7023100D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282 + +DigestVerify = SHA1 +Key = P-384_PUB +Input = "test" +Output = 306502304BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7023100D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382283 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 3065023100E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72023007041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66 + +DigestVerify = SHA224 +Key = P-384_PUB +Input = "test" +Output = 3065023100E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72023007041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66 + +DigestVerify = SHA224 +Key = P-384_PUB +Input = "test" +Output = 3065023100E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72023007041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B67 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 306402306D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B02302D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265 + +DigestVerify = SHA256 +Key = P-384_PUB +Input = "test" +Output = 306402306D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B02302D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265 + +DigestVerify = SHA256 +Key = P-384_PUB +Input = "test" +Output = 306402306D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B02302D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787264 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 30660231008203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB023100DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "test" +Output = 30660231008203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB023100DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5 + +DigestVerify = SHA384 +Key = P-384_PUB +Input = "test" +Output = 30660231008203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB023100DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A4 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-384_PRIV +NonceType = deterministic +Input = "test" +Output = 3066023100A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277023100976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "test" +Output = 3066023100A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277023100976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736 + +DigestVerify = SHA512 +Key = P-384_PUB +Input = "test" +Output = 3066023100A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277023100976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C737 +Result = VERIFY_ERROR + +Title = RFC 6979 P-521 deterministic ECDSA tests + +PrivateKey=P-521_PRIV +-----BEGIN PRIVATE KEY----- +MF8CAQAwEAYHKoZIzj0CAQYFK4EEACMESDBGAgEBBEH60G2qYro7JdL7QBM9p1cgXeZ/W7ABj+6M +huG2jH51yqiW6zLx9HxwhVg2ptFvzBRm9tj77GfbiewMCLDplrg1OA== +-----END PRIVATE KEY----- + +PublicKey=P-521_PUB +-----BEGIN PUBLIC KEY----- +MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBiUVQ0HhZMuAOqiO2lPIT+MMSH4bcl6BOWnFn205b +zTcRI9RuRdtrXVNwp/IPtjMVXTj/oW0r12HcrEdLmi9QI6QASTEByWLNTS/d94IoXmRYQTnC+RtH ++H/4I1TWYw90aiig2yV0G1s0qCgAiyKswj+ST6r71NM/gepmlW3+qiv9/PU= +-----END PUBLIC KEY----- + +PrivPubKeyPair=P-521_PRIV:P-521_PUB + +DigestSign = SHA1 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 3081870241343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D024200E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16 + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "sample" +Output = 3081870241343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D024200E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16 + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "sample" +Output = 3081870241343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D024200E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D17 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 308187024201776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E024150CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "sample" +Output = 308187024201776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E024150CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "sample" +Output = 308187024201776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E024150CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41E +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 308187024201511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A702414A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "sample" +Output = 308187024201511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A702414A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "sample" +Output = 308187024201511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A702414A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFD +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 308188024201EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451024201F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "sample" +Output = 308188024201EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451024201F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "sample" +Output = 308188024201EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451024201F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D60 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-521_PRIV +NonceType = deterministic +Input = "sample" +Output = 308187024200C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA0241617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "sample" +Output = 308187024200C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA0241617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "sample" +Output = 308187024200C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA0241617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67B +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 3081880242013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367024201E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "test" +Output = 3081880242013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367024201E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF + +DigestVerify = SHA1 +Key = P-521_PUB +Input = "test" +Output = 3081880242013BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367024201E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FE +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 308188024201C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB02420177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4 + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "test" +Output = 308188024201C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB02420177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4 + +DigestVerify = SHA224 +Key = P-521_PUB +Input = "test" +Output = 308188024201C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB02420177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A5 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 30818702410E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8024200CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86 + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "test" +Output = 30818702410E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8024200CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86 + +DigestVerify = SHA256 +Key = P-521_PUB +Input = "test" +Output = 30818702410E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8024200CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E87 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 3081880242014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C02420133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "test" +Output = 3081880242014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C02420133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979 + +DigestVerify = SHA384 +Key = P-521_PUB +Input = "test" +Output = 3081880242014BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C02420133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B978 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = P-521_PRIV +NonceType = deterministic +Input = "test" +Output = 3081880242013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D024201FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3 + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "test" +Output = 3081880242013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D024201FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3 + +DigestVerify = SHA512 +Key = P-521_PUB +Input = "test" +Output = 3081880242013E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D024201FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE2 +Result = VERIFY_ERROR + +Title = RFC 6979 K-163 deterministic ECDSA tests + +PrivateKey=K-163_PRIV +-----BEGIN PRIVATE KEY----- +MDICAQAwEAYHKoZIzj0CAQYFK4EEAAEEGzAZAgEBBBSaTWeSKVp/cw/D8rScvA9i6GInLw== +-----END PRIVATE KEY----- + +PublicKey=K-163_PUB +-----BEGIN PUBLIC KEY----- +MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEB5ruCQ2wXsJS1ctEUvNWvhmKT/lvB4LiljTdyaMe9AOG +6Ja6oYtTr6Wj +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-163_PRIV:K-163_PUB + +DigestSign = SHA1 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215030C45B80BA0E1406C4EFBBB7000D6DE4FA465D5050215038D87DF89493522FC4CD7DE1553BD9DBBA2123011 + +DigestVerify = SHA1 +Key = K-163_PUB +Input = "sample" +Output = 302E0215030C45B80BA0E1406C4EFBBB7000D6DE4FA465D5050215038D87DF89493522FC4CD7DE1553BD9DBBA2123011 + +DigestVerify = SHA1 +Key = K-163_PUB +Input = "sample" +Output = 302E0215030C45B80BA0E1406C4EFBBB7000D6DE4FA465D5050215038D87DF89493522FC4CD7DE1553BD9DBBA2123010 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302D0215038A2749F7EA13BD5DA0C76C842F512D5A65FFAF32021464F841F70112B793FD773F5606BFA5AC2A04C1E8 + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "sample" +Output = 302D0215038A2749F7EA13BD5DA0C76C842F512D5A65FFAF32021464F841F70112B793FD773F5606BFA5AC2A04C1E8 + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "sample" +Output = 302D0215038A2749F7EA13BD5DA0C76C842F512D5A65FFAF32021464F841F70112B793FD773F5606BFA5AC2A04C1E9 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E02150113A63990598A3828C407C0F4D2438D990DF99A7F021501313A2E03F5412DDB296A22E2C455335545672D9F + +DigestVerify = SHA256 +Key = K-163_PUB +Input = "sample" +Output = 302E02150113A63990598A3828C407C0F4D2438D990DF99A7F021501313A2E03F5412DDB296A22E2C455335545672D9F + +DigestVerify = SHA256 +Key = K-163_PUB +Input = "sample" +Output = 302E02150113A63990598A3828C407C0F4D2438D990DF99A7F021501313A2E03F5412DDB296A22E2C455335545672D9E +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215034D4DE955871BB84FEA4E7D068BA5E9A11BD8B6C4021502BAAF4D4FD57F175C405A2F39F9755D9045C820BD + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "sample" +Output = 302E0215034D4DE955871BB84FEA4E7D068BA5E9A11BD8B6C4021502BAAF4D4FD57F175C405A2F39F9755D9045C820BD + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "sample" +Output = 302E0215034D4DE955871BB84FEA4E7D068BA5E9A11BD8B6C4021502BAAF4D4FD57F175C405A2F39F9755D9045C820BC +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215038E487F218D696A7323B891F0CCF055D895B77ADC021500972D7721093F9B3835A5EB7F0442FA8DCAA873C4 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "sample" +Output = 302E0215038E487F218D696A7323B891F0CCF055D895B77ADC021500972D7721093F9B3835A5EB7F0442FA8DCAA873C4 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "sample" +Output = 302E0215038E487F218D696A7323B891F0CCF055D895B77ADC021500972D7721093F9B3835A5EB7F0442FA8DCAA873C5 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E021501375BEF93F21582F601497036A7DC8014A99C2B7902150254B7F1472FFFEE9002D081BB8CE819CCE6E687F9 + +DigestVerify = SHA1 +Key = K-163_PUB +Input = "test" +Output = 302E021501375BEF93F21582F601497036A7DC8014A99C2B7902150254B7F1472FFFEE9002D081BB8CE819CCE6E687F9 + +DigestVerify = SHA1 +Key = K-163_PUB +Input = "test" +Output = 302E021501375BEF93F21582F601497036A7DC8014A99C2B7902150254B7F1472FFFEE9002D081BB8CE819CCE6E687F8 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302D02150110F17EF209957214E35E8C2E83CBE73B3BFDEE2C021457D5022392D359851B95DEC2444012502A5349CB + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "test" +Output = 302D02150110F17EF209957214E35E8C2E83CBE73B3BFDEE2C021457D5022392D359851B95DEC2444012502A5349CB + +DigestVerify = SHA224 +Key = K-163_PUB +Input = "test" +Output = 302D02150110F17EF209957214E35E8C2E83CBE73B3BFDEE2C021457D5022392D359851B95DEC2444012502A5349CA +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302C0214354D5CD24F9C41F85D02E856FA2B0001C83AF53E021420B200677731CD4FE48612A92F72A19853A82B65 + +DigestVerify = SHA256 +Key = K-163_PUB +Input = "test" +Output = 302C0214354D5CD24F9C41F85D02E856FA2B0001C83AF53E021420B200677731CD4FE48612A92F72A19853A82B65 + +DigestVerify = SHA256 +Key = K-163_PUB +Input = "test" +Output = 302C0214354D5CD24F9C41F85D02E856FA2B0001C83AF53E021420B200677731CD4FE48612A92F72A19853A82B64 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E0215011B6A84206515495AD8DBB2E5785D6D018D75817E021501A7D4C1E17D4030A5D748ADEA785C77A54581F6D0 + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "test" +Output = 302E0215011B6A84206515495AD8DBB2E5785D6D018D75817E021501A7D4C1E17D4030A5D748ADEA785C77A54581F6D0 + +DigestVerify = SHA384 +Key = K-163_PUB +Input = "test" +Output = 302E0215011B6A84206515495AD8DBB2E5785D6D018D75817E021501A7D4C1E17D4030A5D748ADEA785C77A54581F6D1 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E02150148934745B351F6367FF5BB56B1848A2F508902A90215036214B19444FAB504DBA61D4D6FF2D2F9640F4837 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "test" +Output = 302E02150148934745B351F6367FF5BB56B1848A2F508902A90215036214B19444FAB504DBA61D4D6FF2D2F9640F4837 + +DigestVerify = SHA512 +Key = K-163_PUB +Input = "test" +Output = 302E02150148934745B351F6367FF5BB56B1848A2F508902A90215036214B19444FAB504DBA61D4D6FF2D2F9640F4836 +Result = VERIFY_ERROR + +Title = RFC 6979 K-233 deterministic ECDSA tests + +PrivateKey=K-233_PRIV +-----BEGIN PRIVATE KEY----- +MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB0QOyFCvcKjw7VQgNCd8YCPeTNtojmfXKcX +HRvpsA== +-----END PRIVATE KEY----- + +PublicKey=K-233_PUB +-----BEGIN PUBLIC KEY----- +MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAGgohvNsaEc8GiIXIMKxK5vhNFi6kH4cRzZZV3nyAbIG +ObQb4JJwkJmbeBejs5KNIFA6OVRgROwToQMJ +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-233_PRIV:K-233_PUB + +DigestSign = SHA1 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D5474541C988A9A1F73899F55EF28963DFFBBF0C2B1A1EE787C6A76C6A4021D46301F9EC6624257BFC70D72186F17898EDBD0A3522560A88DD1B7D45A + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "sample" +Output = 303E021D5474541C988A9A1F73899F55EF28963DFFBBF0C2B1A1EE787C6A76C6A4021D46301F9EC6624257BFC70D72186F17898EDBD0A3522560A88DD1B7D45A + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "sample" +Output = 303E021D5474541C988A9A1F73899F55EF28963DFFBBF0C2B1A1EE787C6A76C6A4021D46301F9EC6624257BFC70D72186F17898EDBD0A3522560A88DD1B7D45B +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D667F2FCE3E1C497EBD8E4B7C6372A8234003FE4ED6D4515814E7E11430021D6A1C41340DAA730320DB9475F10E29A127D7AE3432F155E1F7954E1B57 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "sample" +Output = 303E021D667F2FCE3E1C497EBD8E4B7C6372A8234003FE4ED6D4515814E7E11430021D6A1C41340DAA730320DB9475F10E29A127D7AE3432F155E1F7954E1B57 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "sample" +Output = 303E021D667F2FCE3E1C497EBD8E4B7C6372A8234003FE4ED6D4515814E7E11430021D6A1C41340DAA730320DB9475F10E29A127D7AE3432F155E1F7954E1B56 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D38AD9C1D2CB29906E7D63C24601AC55736B438FB14F4093D6C32F63A10021D647AAD2599C21B6EE89BE7FF957D98F684B7921DE1FD3CC82C079624F4 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "sample" +Output = 303E021D38AD9C1D2CB29906E7D63C24601AC55736B438FB14F4093D6C32F63A10021D647AAD2599C21B6EE89BE7FF957D98F684B7921DE1FD3CC82C079624F4 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "sample" +Output = 303E021D38AD9C1D2CB29906E7D63C24601AC55736B438FB14F4093D6C32F63A10021D647AAD2599C21B6EE89BE7FF957D98F684B7921DE1FD3CC82C079624F5 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D0C6510F57559C36FBCFF8C7BA4B81853DC618AD0BAAB03CFFDF3FD09FD021D0AD331EE1C9B91A88BA77997235769C60AD07EE69E11F7137E17C5CF67 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "sample" +Output = 303E021D0C6510F57559C36FBCFF8C7BA4B81853DC618AD0BAAB03CFFDF3FD09FD021D0AD331EE1C9B91A88BA77997235769C60AD07EE69E11F7137E17C5CF67 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "sample" +Output = 303E021D0C6510F57559C36FBCFF8C7BA4B81853DC618AD0BAAB03CFFDF3FD09FD021D0AD331EE1C9B91A88BA77997235769C60AD07EE69E11F7137E17C5CF66 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D47C4AC1B344028CC740BA7BB9F8AA59D6390E3158153D4F2ADE4B74950021D26CE0CDE18A1B884B3EE1A879C13B42F11BB7C85F7A3745C8BECEC8E6E + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "sample" +Output = 303E021D47C4AC1B344028CC740BA7BB9F8AA59D6390E3158153D4F2ADE4B74950021D26CE0CDE18A1B884B3EE1A879C13B42F11BB7C85F7A3745C8BECEC8E6E + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "sample" +Output = 303E021D47C4AC1B344028CC740BA7BB9F8AA59D6390E3158153D4F2ADE4B74950021D26CE0CDE18A1B884B3EE1A879C13B42F11BB7C85F7A3745C8BECEC8E6F +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D4780B2DE4BAA5613872179AD90664249842E8B96FCD5653B55DD63EED4021D6AF46BA322E21D4A88DAEC1650EF38774231276266D6A45ED6A64ECB44 + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "test" +Output = 303E021D4780B2DE4BAA5613872179AD90664249842E8B96FCD5653B55DD63EED4021D6AF46BA322E21D4A88DAEC1650EF38774231276266D6A45ED6A64ECB44 + +DigestVerify = SHA1 +Key = K-233_PUB +Input = "test" +Output = 303E021D4780B2DE4BAA5613872179AD90664249842E8B96FCD5653B55DD63EED4021D6AF46BA322E21D4A88DAEC1650EF38774231276266D6A45ED6A64ECB45 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D61D9CC8C842DF19B3D9F4BDA0D0E14A957357ADABC239444610FB39AEA021D66432278891CB594BA8D08A0C556053D15917E53449E03C2EF88474CF6 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "test" +Output = 303E021D61D9CC8C842DF19B3D9F4BDA0D0E14A957357ADABC239444610FB39AEA021D66432278891CB594BA8D08A0C556053D15917E53449E03C2EF88474CF6 + +DigestVerify = SHA224 +Key = K-233_PUB +Input = "test" +Output = 303E021D61D9CC8C842DF19B3D9F4BDA0D0E14A957357ADABC239444610FB39AEA021D66432278891CB594BA8D08A0C556053D15917E53449E03C2EF88474CF7 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D05E4E6B4DB0E13034E7F1F2E5DBAB766D37C15AE4056C7EE607C8AC7F4021D5FC46AA489BF828B34FBAD25EC432190F161BEA8F60D3FCADB0EE3B725 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "test" +Output = 303E021D05E4E6B4DB0E13034E7F1F2E5DBAB766D37C15AE4056C7EE607C8AC7F4021D5FC46AA489BF828B34FBAD25EC432190F161BEA8F60D3FCADB0EE3B725 + +DigestVerify = SHA256 +Key = K-233_PUB +Input = "test" +Output = 303E021D05E4E6B4DB0E13034E7F1F2E5DBAB766D37C15AE4056C7EE607C8AC7F4021D5FC46AA489BF828B34FBAD25EC432190F161BEA8F60D3FCADB0EE3B724 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D50F1EFEDFFEC1088024620280EE0D7641542E4D4B5D61DB32358FC571B021D4614EAE449927A9EB2FCC42EA3E955B43D194087719511A007EC9217A5 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "test" +Output = 303E021D50F1EFEDFFEC1088024620280EE0D7641542E4D4B5D61DB32358FC571B021D4614EAE449927A9EB2FCC42EA3E955B43D194087719511A007EC9217A5 + +DigestVerify = SHA384 +Key = K-233_PUB +Input = "test" +Output = 303E021D50F1EFEDFFEC1088024620280EE0D7641542E4D4B5D61DB32358FC571B021D4614EAE449927A9EB2FCC42EA3E955B43D194087719511A007EC9217A4 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D6FE6D0D3A953BB66BB01BC6B9EDFAD9F35E88277E5768D1B214395320F021D7C01A236E4BFF0A771050AD01EC1D24025D3130BBD9E4E81978EB3EC09 + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "test" +Output = 303E021D6FE6D0D3A953BB66BB01BC6B9EDFAD9F35E88277E5768D1B214395320F021D7C01A236E4BFF0A771050AD01EC1D24025D3130BBD9E4E81978EB3EC09 + +DigestVerify = SHA512 +Key = K-233_PUB +Input = "test" +Output = 303E021D6FE6D0D3A953BB66BB01BC6B9EDFAD9F35E88277E5768D1B214395320F021D7C01A236E4BFF0A771050AD01EC1D24025D3130BBD9E4E81978EB3EC08 +Result = VERIFY_ERROR + +Title = RFC 6979 K-283 deterministic ECDSA tests + +PrivateKey=K-283_PRIV +-----BEGIN PRIVATE KEY----- +MEECAQAwEAYHKoZIzj0CAQYFK4EEABAEKjAoAgEBBCNqB3c1boe4m6HtOj2EU1e+MyFzyPemW9x9 +tPqzxMx5rMgZTg== +-----END PRIVATE KEY----- + +PublicKey=K-283_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAlMw0KZR1aINxjibwCNFEXclZArsPBJmEs5ETt0ZZJve +zAPWBQW9YKS2cYJHTsTRxminMUD3BQSmjznvzZckh+lTDgUIp2GT +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-283_PRIV:K-283_PUB + +DigestSign = SHA1 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304B022401B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1D045A6802232E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD552502324295C5 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "sample" +Output = 304B022401B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1D045A6802232E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD552502324295C5 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "sample" +Output = 304B022401B66D1E33FBDB6E107A69B610995C93C744CEBAEAF623CB42737C27D60188BD1D045A6802232E45B62C9C258643532FD536594B46C63B063946494F95DAFF8759FD552502324295C4 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304B022318CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60DBBD8B76022401854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A28BF20E + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "sample" +Output = 304B022318CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60DBBD8B76022401854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A28BF20E + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "sample" +Output = 304B022318CF2F371BE86BB62E02B27CDE56DDAC83CCFBB3141FC59AEE022B66AC1A60DBBD8B76022401854E02A381295EA7F184CEE71AB7222D6974522D3B99B309B1A8025EB84118A28BF20F +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C0224019E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20DF1753A02240135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB56C5A8C3 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "sample" +Output = 304C0224019E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20DF1753A02240135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB56C5A8C3 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "sample" +Output = 304C0224019E90AA3DE5FB20AED22879F92C6FED278D9C9B9293CC5E94922CD952C9DBF20DF1753A02240135AA7443B6A25D11BB64AC482E04D47902D017752882BD72527114F46CF8BB56C5A8C2 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C022400F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB6001A49022401071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC31EC43FD + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "sample" +Output = 304C022400F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB6001A49022401071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC31EC43FD + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "sample" +Output = 304C022400F8C1CA9C221AD9907A136F787D33BA56B0495A40E86E671C940FD767EDD75EB6001A49022401071A56915DEE89E22E511975AA09D00CDC4AA7F5054CBE83F5977EE6F8E1CC31EC43FC +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C022401D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B47D9E50022400D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B91056F78 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "sample" +Output = 304C022401D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B47D9E50022400D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B91056F78 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "sample" +Output = 304C022401D0008CF4BA4A701BEF70771934C2A4A87386155A2354140E2ED52E18553C35B47D9E50022400D15F4FA1B7A4D41D9843578E22EF98773179103DC4FF0DD1F74A6B5642841B91056F79 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C02240140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF2311B027670224016A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B770FBB9C6 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "test" +Output = 304C02240140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF2311B027670224016A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B770FBB9C6 + +DigestVerify = SHA1 +Key = K-283_PUB +Input = "test" +Output = 304C02240140932FA7307666A8CCB1E1A09656CC40F5932965841ABD5E8E43559D93CF2311B027670224016A2FD46DA497E5E739DED67F426308C45C2E16528BF2A17EB5D65964FD88B770FBB9C7 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022400E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445FCEE541022401644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D806319778208 + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "test" +Output = 304C022400E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445FCEE541022401644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D806319778208 + +DigestVerify = SHA224 +Key = K-283_PUB +Input = "test" +Output = 304C022400E72AF7E39CD72EF21E61964D87C838F977485FA6A7E999000AFA97A381B2445FCEE541022401644FF7D848DA1A040F77515082C27C763B1B4BF332BCF5D08251C6B57D806319778209 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304B02240158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A597155310223521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F83F1FD1 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "test" +Output = 304B02240158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A597155310223521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F83F1FD1 + +DigestVerify = SHA256 +Key = K-283_PUB +Input = "test" +Output = 304B02240158FAEB2470B306C57764AFC8528174589008449E11DB8B36994B607A65956A597155310223521BC667CA1CA42B5649E78A3D76823C678B7BB3CD58D2E93CD791D53043A6F83F1FD0 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304B022401CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93AAB14BBE0223284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589BA0683B7 + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "test" +Output = 304B022401CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93AAB14BBE0223284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589BA0683B7 + +DigestVerify = SHA384 +Key = K-283_PUB +Input = "test" +Output = 304B022401CC4DC5479E0F34C4339631A45AA690580060BF0EB518184C983E0E618C3B93AAB14BBE0223284D72FF8AFA83DE364502CBA0494BB06D40AE08F9D9746E747EA87240E589BA0683B6 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022401E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F5C9C7F3022400887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D363644789DA7 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "test" +Output = 304C022401E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F5C9C7F3022400887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D363644789DA7 + +DigestVerify = SHA512 +Key = K-283_PUB +Input = "test" +Output = 304C022401E7912517C6899732E09756B1660F6B96635D638283DF9A8A11D30E008895D7F5C9C7F3022400887E75CBD0B7DD9DE30ED79BDB3D78E4F1121C5EAFF5946918F594F88D363644789DA6 +Result = VERIFY_ERROR + +Title = RFC 6979 K-409 deterministic ECDSA tests + +PrivateKey=K-409_PRIV +-----BEGIN PRIVATE KEY----- +MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMpwWdo8B0bion9qF4u/XOglVi5KheKKTHz +WeTXCthT5WnNrxbapWl1j7TnMInkUl2Lv88= +-----END PRIVATE KEY----- + +PublicKey=K-409_PUB +-----BEGIN PUBLIC KEY----- +MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAM+SP1I/40puhj2LpF+x/m14TI8hnEFO7024Ni2708px +rrKPVoZo1degCT4rhPb611nbQgE7HDdNUTKXihsRI+u+mlxU0anVawmv20rek8zXxNMy4pFvfUud +GFeO48Li3k0uzg3mNUk= +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-409_PRIV:K-409_PUB + +DigestSign = SHA1 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02337192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6476BC940D81F218FC31D979814CAC6E78340FA02331DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6CA43438BAF69C669CE6D64E0FB93BC5854E0F81 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "sample" +Output = 306A02337192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6476BC940D81F218FC31D979814CAC6E78340FA02331DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6CA43438BAF69C669CE6D64E0FB93BC5854E0F81 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "sample" +Output = 306A02337192EE99EC7AFE23E02CB1F9850D1ECE620475EDA6B65D04984029408EC1E5A6476BC940D81F218FC31D979814CAC6E78340FA02331DE75DE97CBE740FC79A6B5B22BC2B7832C687E6960F0B8173D5D8BE2A75AC6CA43438BAF69C669CE6D64E0FB93BC5854E0F80 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A023341C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576EDACC4167590B7D9C387857A5130B1220CB771F0233659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457E62EAB0F13AE197E6CFE0244F983107555E269 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "sample" +Output = 306A023341C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576EDACC4167590B7D9C387857A5130B1220CB771F0233659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457E62EAB0F13AE197E6CFE0244F983107555E269 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "sample" +Output = 306A023341C8EDF39D5E4E76A04D24E6BFD4B2EC35F99CD2483478FD8B0A03E99379576EDACC4167590B7D9C387857A5130B1220CB771F0233659652EEAC9747BCAD58034B25362B6AA61836E1BA50E2F37630813050D43457E62EAB0F13AE197E6CFE0244F983107555E268 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A023349EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96C17F6EC27D1E06191023615368628A7E0BD6A902331A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7C5F7213F225944BE5F7C9BA42B8BEE382F8AF9 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "sample" +Output = 306A023349EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96C17F6EC27D1E06191023615368628A7E0BD6A902331A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7C5F7213F225944BE5F7C9BA42B8BEE382F8AF9 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "sample" +Output = 306A023349EC220D6D24980693E6D33B191532EAB4C5D924E97E305E2C1CCFE6F1EAEF96C17F6EC27D1E06191023615368628A7E0BD6A902331A4AB1DD9BAAA21F77C503E1B39E770FFD44718349D54BA4CF08F688CE89D7D7C5F7213F225944BE5F7C9BA42B8BEE382F8AF8 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A0233562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44AFA910B13B9C79C87555225219E44E72245BB7C023325BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2DCD06EE6DF2A1B744C850DAF952C12B9A56774 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "sample" +Output = 306A0233562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44AFA910B13B9C79C87555225219E44E72245BB7C023325BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2DCD06EE6DF2A1B744C850DAF952C12B9A56774 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "sample" +Output = 306A0233562BB99EE027644EC04E493C5E81B41F261F6BD18FB2FAE3AFEAD91FAB8DD44AFA910B13B9C79C87555225219E44E72245BB7C023325BA5F28047DDDBDA7ED7E49DA31B62B20FD9C7E5B8988817BBF738B3F4DFDD2DCD06EE6DF2A1B744C850DAF952C12B9A56775 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A023316C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F200789E9DF7B754029DA0D7E3CE96A2DC76093260602332729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE933E6457EAFDBD13DFE160D243100378B55C290A + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "sample" +Output = 306A023316C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F200789E9DF7B754029DA0D7E3CE96A2DC76093260602332729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE933E6457EAFDBD13DFE160D243100378B55C290A + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "sample" +Output = 306A023316C7E7FB33B5577F7CF6F77762F0F2D531C6E7A3528BD2CF582498C1A48F200789E9DF7B754029DA0D7E3CE96A2DC76093260602332729617EFBF80DA5D2F201AC7910D3404A992C39921C2F65F8CF4601392DFE933E6457EAFDBD13DFE160D243100378B55C290B +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A0233565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E52BED4107AED35C27D8ECA10E876ACA48006C902337420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A04228AC08880C485E2AC8834E13E8FA44FA57BF18 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "test" +Output = 306A0233565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E52BED4107AED35C27D8ECA10E876ACA48006C902337420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A04228AC08880C485E2AC8834E13E8FA44FA57BF18 + +DigestVerify = SHA1 +Key = K-409_PUB +Input = "test" +Output = 306A0233565648A5BAD24E747A7D7531FA9DBDFCB184ECFEFDB00A319459242B68D0989E52BED4107AED35C27D8ECA10E876ACA48006C902337420BA6FF72ECC5C92B7CA0309258B5879F26393DB22753B9EC5DF905500A04228AC08880C485E2AC8834E13E8FA44FA57BF19 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A0233251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4023377854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F643A50DBB06E6EA6102FFAB7766A57C3887BD22 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "test" +Output = 306A0233251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4023377854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F643A50DBB06E6EA6102FFAB7766A57C3887BD22 + +DigestVerify = SHA224 +Key = K-409_PUB +Input = "test" +Output = 306A0233251DFE54EAEC8A781ADF8A623F7F36B4ABFC7EE0AE78C8406E93B5C3932A8120AB8DFC49D8E243C7C30CB5B1E021BADBDF9CA4023377854C2E72EAA6924CC0B5F6751379D132569843B1C7885978DBBAA6678967F643A50DBB06E6EA6102FFAB7766A57C3887BD23 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A023358075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB202330A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3078C9D049E06555CABDF37878CFB909553FF51 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "test" +Output = 306A023358075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB202330A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3078C9D049E06555CABDF37878CFB909553FF51 + +DigestVerify = SHA256 +Key = K-409_PUB +Input = "test" +Output = 306A023358075FF7E8D36844EED0FC3F78B7CFFDEEF6ADE5982D5636552A081923E24841C9E37DF2C8C4BF2F2F7A174927F3B7E6A0BEB202330A737469D013A31B91E781CE201100FDE1FA488ABF2252C025C678462D715AD3078C9D049E06555CABDF37878CFB909553FF50 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A02331C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C598250A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF29102331D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C7797686BA955C1D042FD1F8CDC482775579F11 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "test" +Output = 306A02331C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C598250A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF29102331D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C7797686BA955C1D042FD1F8CDC482775579F11 + +DigestVerify = SHA384 +Key = K-409_PUB +Input = "test" +Output = 306A02331C5C88642EA216682244E46E24B7CE9AAEF9B3F97E585577D158C3CBC3C598250A53F6D46DFB1E2DD9DC302E7DA4F0CAAFF29102331D3FD721C35872C74514359F88AD983E170E5DE5B31AFC0BE12E9F4AB2B2538C7797686BA955C1D042FD1F8CDC482775579F10 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A02331A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA414000AE1B0A69AEACBA1364DD7719968AAD123F930233582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F3DAC227E62758B11DF1562FD249941C1679F82 + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "test" +Output = 306A02331A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA414000AE1B0A69AEACBA1364DD7719968AAD123F930233582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F3DAC227E62758B11DF1562FD249941C1679F82 + +DigestVerify = SHA512 +Key = K-409_PUB +Input = "test" +Output = 306A02331A32CD7764149DF79349DBF79451F4585BB490BD63A200700D7111B45DDA414000AE1B0A69AEACBA1364DD7719968AAD123F930233582AB1076CAFAE23A76244B82341AEFC4C6D8D8060A62A352C33187720C8A37F3DAC227E62758B11DF1562FD249941C1679F83 +Result = VERIFY_ERROR + +Title = RFC 6979 K-571 deterministic ECDSA tests + +PrivateKey=K-571_PRIV +-----BEGIN PRIVATE KEY----- +MGUCAQAwEAYHKoZIzj0CAQYFK4EEACYETjBMAgEBBEfBb1hVDYJO17lVadREU3XTpJC8fgGUxBo5 +3rcywpOWzfHWbeAt0UYKgWYG877A8yICx70Yoy2HUGRmqpIDLxMU7XsZdisNIg== +-----END PRIVATE KEY----- + +PublicKey=K-571_PUB +-----BEGIN PUBLIC KEY----- +MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQGz7DfdUHN1MQe8xnqiOhJ78hgXZd3kUgILsmRxGPt +MjGVlvn99HecF8ryDv2b61fp9O1Vv8UqL6FcojvGK3vwGdtZeT3XcxgBz8kRAvd1mlYb2NW1Gqru +x/QOZZ1nhwNhmQ1t4p9rT34YrhO95epcH3eyPWdvRAUMnb/M3Xs3VjKN2gWXearoRG/FFYp1wic= +-----END PUBLIC KEY----- + +PrivPubKeyPair=K-571_PRIV:K-571_PUB + +DigestSign = SHA1 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 3081930247767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F668A5E3108FB6CEA502480109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987DBA02F9D992B9DF + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "sample" +Output = 3081930247767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F668A5E3108FB6CEA502480109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987DBA02F9D992B9DF + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "sample" +Output = 3081930247767913F96C82E38B7146A505938B79EC07E9AA3214377651BE968B52C039D3E4837B4A2DE26C481C4E1DE96F4D9DE63845D9B32E26D0D332725678E3CE57F668A5E3108FB6CEA502480109F89F55FA39FF465E40EBCF869A9B1DB425AEA53AB4ECBCE3C310572F79315F5D4891461372A0C36E63871BEDDBB3BA2042C6410B67311F1A185589FF4C987DBA02F9D992B9DE +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 308192024710774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940D46C8444348686A02476DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D32A0151C240CC5E0 + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "sample" +Output = 308192024710774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940D46C8444348686A02476DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D32A0151C240CC5E0 + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "sample" +Output = 308192024710774B9F14DE6C9525131AD61531FA30987170D43782E9FB84FF0D70F093946DF75ECB69D400FE39B12D58C67C19DCE96335CEC1D9AADE004FE5B498AB8A940D46C8444348686A02476DFE9AA5FEA6CF2CEDC06EE1F9FD9853D411F0B958F1C9C519C90A85F6D24C1C3435B3CDF4E207B4A67467C87B7543F6C0948DD382D24D1E48B3763EC27D4D32A0151C240CC5E1 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 308194024801604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40FFF46F1599651680248018249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15DA76F5A44EC1F40 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "sample" +Output = 308194024801604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40FFF46F1599651680248018249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15DA76F5A44EC1F40 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "sample" +Output = 308194024801604BE98D1A27CEC2D3FA4BD07B42799E07743071E4905D7DCE7F6992B21A27F14F55D0FE5A7810DF65CF07F2F2554658817E5A88D952282EA1B8310514C0B40FFF46F1599651680248018249377C654B8588475510F7B797081F68C2F8CCCE49F730353B2DA3364B1CD3E984813E11BB791824038EA367BA74583AB97A69AF2D77FA691AA694E348E15DA76F5A44EC1F41 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 308193024801E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185BD12E4B8372F4BF102474F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB981ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698719FCA409FBA370 + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "sample" +Output = 308193024801E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185BD12E4B8372F4BF102474F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB981ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698719FCA409FBA370 + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "sample" +Output = 308193024801E6D7FB237040EA1904CCBF0984B81B866DE10D8AA93B06364C4A46F6C9573FA288C8BDDCC0C6B984E6AA75B42E7BF82FF34D51DFFBD7C87FDBFAD971656185BD12E4B8372F4BF102474F94550072ADA7E8C82B7E83577DD39959577799CDABCEA60E267F36F1BEB981ABF24E722A7F031582D2CC5D80DAA7C0DEEBBE1AC5E729A6DBB34A5D645B698719FCA409FBA371 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 30819402480086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55FAB13AE42E4EE4F0248009FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCCA228D8A1C9D3568 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "sample" +Output = 30819402480086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55FAB13AE42E4EE4F0248009FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCCA228D8A1C9D3568 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "sample" +Output = 30819402480086C9E048EADD7D3D2908501086F3AF449A01AF6BEB2026DC381B39530BCDDBE8E854251CBD5C31E6976553813C11213E4761CB8CA2E5352240AD9FB9C635D55FAB13AE42E4EE4F0248009FEE0A68F322B380217FCF6ABFF15D78C432BD8DD82E18B6BA877C01C860E24410F5150A44F979920147826219766ECB4E2E11A151B6A15BB8E2E825AC95BCCA228D8A1C9D3569 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024801D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D0242C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5B7C9A1D8EA843BC024801621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF8194D4AB5293A8F3EA + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "test" +Output = 308194024801D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D0242C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5B7C9A1D8EA843BC024801621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF8194D4AB5293A8F3EA + +DigestVerify = SHA1 +Key = K-571_PUB +Input = "test" +Output = 308194024801D055F499A3F7E3FC73D6E7D517B470879BDCB14ABC938369F23643C7B96D0242C1FF326FDAF1CCC8593612ACE982209658E73C24C9EC493B785608669DA74A5B7C9A1D8EA843BC024801621376C53CFE3390A0520D2C657B1FF0EBB10E4B9C2510EDC39D04FEBAF12B8502B098A8B8F842EA6E8EB9D55CFEF94B7FF6D145AC3FFCE71BD978FEA3EF8194D4AB5293A8F3EB +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 3081940248018709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FDBE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63AF51B65267D718810248012D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A70FFDDC0DBB64D5F + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "test" +Output = 3081940248018709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FDBE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63AF51B65267D718810248012D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A70FFDDC0DBB64D5F + +DigestVerify = SHA224 +Key = K-571_PUB +Input = "test" +Output = 3081940248018709BDE4E9B73D046CE0D48842C97063DA54DCCA28DCB087168FA37DA2BF5FDBE4720EE48D49EDE4DD5BD31AC0149DB8297BD410F9BC02A11EB79B60C8EE63AF51B65267D718810248012D8B9E98FBF1D264D78669E236319D8FFD8426C56AFB10C76471EE88D7F0AB1B158E685B6D93C850D47FB1D02E4B24527473DB60B8D1AEF26CEEBD3467B65A70FFDDC0DBB64D5E +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024801F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BBDFA5801E44E3BEC024801B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385BE8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B229123995AF37A6089F0 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "test" +Output = 308194024801F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BBDFA5801E44E3BEC024801B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385BE8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B229123995AF37A6089F0 + +DigestVerify = SHA256 +Key = K-571_PUB +Input = "test" +Output = 308194024801F5BF6B044048E0E310309FFDAC825290A69634A0D3592DBEE7BE71F69E45412F766AC92E174CC99AABAA5C9C89FCB187DFDBCC7A26765DB6D9F1EEC8A6127BBDFA5801E44E3BEC024801B44CBFB233BFA2A98D5E8B2F0B2C27F9494BEAA77FEB59CDE3E7AE9CB2E385BE8DA7B80D7944AA71E0654E5067E9A70E88E68833054EED49F28283F02B229123995AF37A6089F1 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 3081940248011F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35E92D44E8F2E081D0248016BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2AA3E569BB54AB72B + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "test" +Output = 3081940248011F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35E92D44E8F2E081D0248016BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2AA3E569BB54AB72B + +DigestVerify = SHA384 +Key = K-571_PUB +Input = "test" +Output = 3081940248011F61A6EFAB6D83053D9C52665B3542FF3F63BD5913E527BDBA07FBAF34BC766C2EC83163C5273243AA834C75FDDD1BC8A2BEAD388CD06C4EBA1962D645EEB35E92D44E8F2E081D0248016BF6341876F051DF224770CC8BA0E4D48B3332568A2B014BC80827BAA89DE18D1AEBC73E3BE8F85A8008C682AAC7D5F0E9FB5ECBEFBB637E30E4A0F226D2C2AA3E569BB54AB72A +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = K-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024800F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A665EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB718EA90DF9E2DA0024800B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B7307AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9435F619D9C62527 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "test" +Output = 308194024800F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A665EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB718EA90DF9E2DA0024800B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B7307AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9435F619D9C62527 + +DigestVerify = SHA512 +Key = K-571_PUB +Input = "test" +Output = 308194024800F1E50353A39EA64CDF23081D6BB4B2A91DD73E99D3DD5A1AA1C49B4F6E34A665EAD24FD530B9103D522609A395AF3EF174C85206F67EF84835ED1632E0F6BAB718EA90DF9E2DA0024800B385004D7596625028E3FDE72282DE4EDC5B4CE33C1127F21CC37527C90B7307AE7D09281B840AEBCECAA711B00718103DDB32B3E9F6A9FBC6AF23E224A73B9435F619D9C62526 +Result = VERIFY_ERROR + +Title = RFC 6979 B-163 deterministic ECDSA tests + +PrivateKey=B-163_PRIV +-----BEGIN PRIVATE KEY----- +MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUDUxj8RH1I1+a8k7SGF93e3yaqZY8= +-----END PRIVATE KEY----- + +PublicKey=B-163_PUB +-----BEGIN PUBLIC KEY----- +MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEASbPVi2Vodd9OHunWj6joUB/I0JaB9fLUnPJTajKkwSa +/aGHIcJGcr1x +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-163_PRIV:B-163_PUB + +DigestSign = SHA1 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E02150153FEBD179A69B6122DEBF5BC61EB947B24C935260215037AC9C670F8CF18045049BAE7DD35553545C19E49 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "sample" +Output = 302E02150153FEBD179A69B6122DEBF5BC61EB947B24C935260215037AC9C670F8CF18045049BAE7DD35553545C19E49 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "sample" +Output = 302E02150153FEBD179A69B6122DEBF5BC61EB947B24C935260215037AC9C670F8CF18045049BAE7DD35553545C19E48 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302D021500A379E69C44F9C16EA3215EA39EB1A9B5D58CC95502144BAFF5308DA2A7FE2C1742769265AD3ED1D24E74 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "sample" +Output = 302D021500A379E69C44F9C16EA3215EA39EB1A9B5D58CC95502144BAFF5308DA2A7FE2C1742769265AD3ED1D24E74 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "sample" +Output = 302D021500A379E69C44F9C16EA3215EA39EB1A9B5D58CC95502144BAFF5308DA2A7FE2C1742769265AD3ED1D24E75 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E02150134E00F78FC1CB9501675D91C401DE20DDF228CDC02150373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B624 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = "sample" +Output = 302E02150134E00F78FC1CB9501675D91C401DE20DDF228CDC02150373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B624 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = "sample" +Output = 302E02150134E00F78FC1CB9501675D91C401DE20DDF228CDC02150373273AEC6C36CB7BAFBB1903A5F5EA6A1D50B625 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E0215029430B935AF8E77519B0CA4F6903B0B82E6A21A66021501EA1415306E9353FA5AA54BC7C2581DFBB888440D + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "sample" +Output = 302E0215029430B935AF8E77519B0CA4F6903B0B82E6A21A66021501EA1415306E9353FA5AA54BC7C2581DFBB888440D + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "sample" +Output = 302E0215029430B935AF8E77519B0CA4F6903B0B82E6A21A66021501EA1415306E9353FA5AA54BC7C2581DFBB888440C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-163_PRIV +NonceType = deterministic +Input = "sample" +Output = 302E021500B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0021500DF1FB4487E9B120C5E970EFE48F55E406306C3A1 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "sample" +Output = 302E021500B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0021500DF1FB4487E9B120C5E970EFE48F55E406306C3A1 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "sample" +Output = 302E021500B2F177A99F9DF2D51CCAF55F015F326E4B65E7A0021500DF1FB4487E9B120C5E970EFE48F55E406306C3A0 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E02150256D4079C6C7169B8BC92529D701776A269D5630802150341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E1 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "test" +Output = 302E02150256D4079C6C7169B8BC92529D701776A269D5630802150341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E1 + +DigestVerify = SHA1 +Key = B-163_PUB +Input = "test" +Output = 302E02150256D4079C6C7169B8BC92529D701776A269D5630802150341D3FFEC9F1EB6A6ACBE88E3C86A1C8FDEB8B8E0 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E0215028ECC6F1272CE80EA59DCF32F7AC2D861BA803393021500AD4AE2C06E60183C1567D2B82F19421FE3053CE2 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "test" +Output = 302E0215028ECC6F1272CE80EA59DCF32F7AC2D861BA803393021500AD4AE2C06E60183C1567D2B82F19421FE3053CE2 + +DigestVerify = SHA224 +Key = B-163_PUB +Input = "test" +Output = 302E0215028ECC6F1272CE80EA59DCF32F7AC2D861BA803393021500AD4AE2C06E60183C1567D2B82F19421FE3053CE3 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E02150227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104021501F7BEAD92583FE920D353F368C1960D0E88B46A56 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = "test" +Output = 302E02150227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104021501F7BEAD92583FE920D353F368C1960D0E88B46A56 + +DigestVerify = SHA256 +Key = B-163_PUB +Input = "test" +Output = 302E02150227DF377B3FA50F90C1CB3CDCBBDBA552C1D35104021501F7BEAD92583FE920D353F368C1960D0E88B46A57 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E0215011811DAFEEA441845B6118A0DFEE8A0061231337D0215036258301865EE48C5C6F91D63F62695002AB55B57 + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "test" +Output = 302E0215011811DAFEEA441845B6118A0DFEE8A0061231337D0215036258301865EE48C5C6F91D63F62695002AB55B57 + +DigestVerify = SHA384 +Key = B-163_PUB +Input = "test" +Output = 302E0215011811DAFEEA441845B6118A0DFEE8A0061231337D0215036258301865EE48C5C6F91D63F62695002AB55B56 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-163_PRIV +NonceType = deterministic +Input = "test" +Output = 302E021503B6BB95CA823BE2ED8E3972FF516EB8972D7655710215013DC6F420628969DF900C3FCC48220B38BE24A541 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "test" +Output = 302E021503B6BB95CA823BE2ED8E3972FF516EB8972D7655710215013DC6F420628969DF900C3FCC48220B38BE24A541 + +DigestVerify = SHA512 +Key = B-163_PUB +Input = "test" +Output = 302E021503B6BB95CA823BE2ED8E3972FF516EB8972D7655710215013DC6F420628969DF900C3FCC48220B38BE24A540 +Result = VERIFY_ERROR + +Title = RFC 6979 B-233 deterministic ECDSA tests + +PrivateKey=B-233_PRIV +-----BEGIN PRIVATE KEY----- +MDsCAQAwEAYHKoZIzj0CAQYFK4EEABsEJDAiAgEBBB163BPdW/NNHd7rULLOI7X15tGAZzBtYMX2 +/xHl0w== +-----END PRIVATE KEY----- + +PublicKey=B-233_PUB +-----BEGIN PUBLIC KEY----- +MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAPs0izJGtHOqf7sqAbeNYbYsQiHQ+atV/HLbPfR4ARYv +ofbGrPf9jRn8fXS92RBAdugziYvEwEKm5r6/ +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-233_PRIV:B-233_PUB + +DigestSign = SHA1 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303F021D15CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944021E00822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6A + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "sample" +Output = 303F021D15CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944021E00822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6A + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "sample" +Output = 303F021D15CC6FD78BB06E0878E71465515EA5A21A2C18E6FC77B4B158DBEB3944021E00822A4A6C2EB2DF213A5E90BF40377956365EE8C4B4A5A4E2EB9270CB6B +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D5D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A021D4D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13A + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "sample" +Output = 303E021D5D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A021D4D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13A + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "sample" +Output = 303E021D5D9920B53471148E10502AB49AB7A3F11084820A074FD89883CF51BC1A021D4D3938900C0A9AAA7080D1DFEB56CFB0FADABE4214536C7ED5117ED13B +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303F021E00A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D021D1F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC2 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "sample" +Output = 303F021E00A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D021D1F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC2 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "sample" +Output = 303F021E00A797F3B8AEFCE7456202DF1E46CCC291EA5A49DA3D4BDDA9A4B62D5E0D021D1F6F81DA55C22DA4152134C661588F4BD6F82FDBAF0C5877096B070DC3 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303E021D15E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85021D3F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119C + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "sample" +Output = 303E021D15E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85021D3F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119C + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "sample" +Output = 303E021D15E85A8D46225DD7E314A1C4289731FC14DECE949349FE535D11043B85021D3F189D37F50493EFD5111A129443A662AB3C6B289129AD8C0CAC85119D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-233_PRIV +NonceType = deterministic +Input = "sample" +Output = 303F021D3B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95021E00F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E30 + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "sample" +Output = 303F021D3B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95021E00F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E30 + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "sample" +Output = 303F021D3B62A4BF783919098B1E42F496E65F7621F01D1D466C46940F0F132A95021E00F4BE031C6E5239E7DAA014CBBF1ED19425E49DAEB426EC9DF4C28A2E31 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D2F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F021D5738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2951 + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "test" +Output = 303E021D2F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F021D5738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2951 + +DigestVerify = SHA1 +Key = B-233_PUB +Input = "test" +Output = 303E021D2F1FEDC57BE203E4C8C6B8C1CEB35E13C1FCD956AB41E3BD4C8A6EFB1F021D5738EC8A8EDEA8E435EE7266AD3EDE1EEFC2CEBE2BE1D614008D5D2950 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 3040021E00CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D021E008804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867E + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "test" +Output = 3040021E00CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D021E008804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867E + +DigestVerify = SHA224 +Key = B-233_PUB +Input = "test" +Output = 3040021E00CCE175124D3586BA7486F7146894C65C2A4A5A1904658E5C7F9DF5FA5D021E008804B456D847ACE5CA86D97BF79FD6335E5B17F6C0D964B5D0036C867F +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D35C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677021D600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A02 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "test" +Output = 303E021D35C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677021D600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A02 + +DigestVerify = SHA256 +Key = B-233_PUB +Input = "test" +Output = 303E021D35C3D6DFEEA1CFB29B93BE3FDB91A7B130951770C2690C16833A159677021D600F7301D12AB376B56D4459774159ADB51F97E282FF384406AFD53A03 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303E021D61602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C021D3396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8D + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "test" +Output = 303E021D61602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C021D3396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8D + +DigestVerify = SHA384 +Key = B-233_PUB +Input = "test" +Output = 303E021D61602FC8068BFD5FB86027B97455D200EC603057446CCE4D76DB8EF42C021D3396DD0D59C067BB999B422D9883736CF9311DFD6951F91033BD03CA8C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-233_PRIV +NonceType = deterministic +Input = "test" +Output = 303F021D7E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1021E00E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECC + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "test" +Output = 303F021D7E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1021E00E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECC + +DigestVerify = SHA512 +Key = B-233_PUB +Input = "test" +Output = 303F021D7E12CB60FDD614958E8E34B3C12DDFF35D85A9C5800E31EA2CC2EF63B1021E00E8970FD99D836F3CC1C807A2C58760DE6EDAA23705A82B9CB1CE93FECD +Result = VERIFY_ERROR + +Title = RFC 6979 B-283 deterministic ECDSA tests + +PrivateKey=B-283_PRIV +-----BEGIN PRIVATE KEY----- +MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQBRRDUvETy0m9FU5QsmAc8G9NVRc6rtcwT +iFPFFY0nKepAiDY= +-----END PRIVATE KEY----- + +PublicKey=B-283_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEAX40CaE8OZ8MqKGS8CjUbjRGvP/N9R/4qQXtLe14bnT5 +w+ipBH78vMMcAdhtGZL3v6wCd9vQKm0oknQJmiwPA5yPWfMYNxsO +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-283_PRIV:B-283_PUB + +DigestSign = SHA1 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C02240201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9ACB828502240151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB30322C4F + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "sample" +Output = 304C02240201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9ACB828502240151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB30322C4F + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "sample" +Output = 304C02240201E18D48C6DB3D5D097C4DCE1E25587E1501FC3CF47BDB5B4289D79E273D6A9ACB828502240151AE05712B024CE617358260774C8CA8B0E7A7E72EF8229BF2ACE7609560CB30322C4E +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C02240143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D69473246925022400CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD86A3DB79 + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "sample" +Output = 304C02240143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D69473246925022400CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD86A3DB79 + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "sample" +Output = 304C02240143E878DDFD4DF40D97B8CD638B3C4706501C2201CF7108F2FB91478C11D69473246925022400CBF1B9717FEEA3AABB09D9654110144267098E0E1E8D0289A6211BE0EEDFDD86A3DB78 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304B0224029FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83BE14565902235A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B3CE87C0 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "sample" +Output = 304B0224029FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83BE14565902235A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B3CE87C0 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "sample" +Output = 304B0224029FD82497FB3E5CEF65579272138DE59E2B666B8689466572B3B69A172CEE83BE14565902235A89D9166B40795AF0FE5958201B9C0523E500013CA12B4840EA2BC53F25F9B3CE87C1 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C022402F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B6603294E69353022401744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F665EB5D + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "sample" +Output = 304C022402F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B6603294E69353022401744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F665EB5D + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "sample" +Output = 304C022402F00689C1BFCD2A8C7A41E0DE55AE182E6463A152828EF89FE3525139B6603294E69353022401744514FE0A37447250C8A329EAAADA81572226CABA16F39270EE5DD03F27B1F665EB5C +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-283_PRIV +NonceType = deterministic +Input = "sample" +Output = 304C022400DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E0D91B47022401D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3AC44C42 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "sample" +Output = 304C022400DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E0D91B47022401D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3AC44C42 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "sample" +Output = 304C022400DA43A9ADFAA6AD767998A054C6A8F1CF77A562924628D73C62761847AD8286E0D91B47022401D118733AE2C88357827CAFC6F68ABC25C80C640532925E95CFE66D40F8792F3AC44C43 +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304A02235A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9366FBB2022312966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9CBE1692 + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "test" +Output = 304A02235A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9366FBB2022312966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9CBE1692 + +DigestVerify = SHA1 +Key = B-283_PUB +Input = "test" +Output = 304A02235A408133919F2CDCDBE5E4C14FBC706C1F71BADAFEF41F5DE4EC27272FC1CA9366FBB2022312966272872C097FEA7BCE64FAB1A81982A773E26F6E4EF7C99969846E67CA9CBE1693 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C0224008F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711EEAA10E5022400A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E99F0F1FA + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "test" +Output = 304C0224008F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711EEAA10E5022400A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E99F0F1FA + +DigestVerify = SHA224 +Key = B-283_PUB +Input = "test" +Output = 304C0224008F3824E40C16FF1DDA8DC992776D26F4A5981AB5092956C4FDBB4F1AE0A711EEAA10E5022400A64B91EFADB213E11483FB61C73E3EF63D3B44EEFC56EA401B99DCC60CC28E99F0F1FB +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022403597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951C182796022400A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE63ACD345 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "test" +Output = 304C022403597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951C182796022400A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE63ACD345 + +DigestVerify = SHA256 +Key = B-283_PUB +Input = "test" +Output = 304C022403597B406F5329D11A79E887847E5EC60861CCBB19EC61F252DB7BD549C699951C182796022400A6A100B997BC622D91701D9F5C6F6D3815517E577622DA69D3A0E8917C1CBE63ACD344 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304C022401BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422EBF59E4C0224036C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FBCC0A8BA + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "test" +Output = 304C022401BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422EBF59E4C0224036C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FBCC0A8BA + +DigestVerify = SHA384 +Key = B-283_PUB +Input = "test" +Output = 304C022401BB490926E5A1FDC7C5AA86D0835F9B994EDA315CA408002AF54A298728D422EBF59E4C0224036C682CFC9E2C89A782BFD3A191609D1F0C1910D5FD6981442070393159D65FBCC0A8BB +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-283_PRIV +NonceType = deterministic +Input = "test" +Output = 304B0224019944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A0B25BA202233F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD41F31EE6 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "test" +Output = 304B0224019944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A0B25BA202233F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD41F31EE6 + +DigestVerify = SHA512 +Key = B-283_PUB +Input = "test" +Output = 304B0224019944AA68F9778C2E3D6E240947613E6DA60EFCE9B9B2C063FF5466D72745B5A0B25BA202233F1567B3C5B02DF15C874F0EE22850824693D5ADC4663BAA19E384E550B1DD41F31EE7 +Result = VERIFY_ERROR + +Title = RFC 6979 B-409 deterministic ECDSA tests + +PrivateKey=B-409_PRIV +-----BEGIN PRIVATE KEY----- +MFECAQAwEAYHKoZIzj0CAQYFK4EEACUEOjA4AgEBBDNJSZTMMlsI57TOA4vZQ2+QteWaLBPDFAzT +rgfASgH8SJ9XLOBWmm23uAYDk952MwxiQXc= +-----END PRIVATE KEY----- + +PublicKey=B-409_PUB +-----BEGIN PUBLIC KEY----- +MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAacFWWHPHaS5oBWxixUk7wH92bk/rvwm+x8vgopyJ7cD +GSXaCsGooHXDszVUsiLqhZwX5wGBBcBC8pBzYIjzCux653MqRd5HvOCUAROrgTJRbR4Fmw9YH9WB +qaPLOgrEKhlic4rbhuY= +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-409_PRIV:B-409_PUB + +DigestSign = SHA1 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306B023400D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713EBAE37F63ECD4B61445CEF5801B62594EF3E98202333A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A3879154BEB1712560E346E7EF26517707435B55C3141 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "sample" +Output = 306B023400D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713EBAE37F63ECD4B61445CEF5801B62594EF3E98202333A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A3879154BEB1712560E346E7EF26517707435B55C3141 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "sample" +Output = 306B023400D8783188E1A540E2022D389E1D35B32F56F8C2BB5636B8ABF7718806B27A713EBAE37F63ECD4B61445CEF5801B62594EF3E98202333A6B4A80E204DB0DE12E7415C13C9EC091C52935658316B4A0C591216A3879154BEB1712560E346E7EF26517707435B55C3140 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306B023400EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA59DB061E247FE5321D6B170EE758ACE1BE4D15702330A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20E51A295A3AE78F205E5A4A6AE224C3639F1BB34 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "sample" +Output = 306B023400EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA59DB061E247FE5321D6B170EE758ACE1BE4D15702330A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20E51A295A3AE78F205E5A4A6AE224C3639F1BB34 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "sample" +Output = 306B023400EE4F39ACC2E03CE96C3D9FCBAFA5C22C89053662F8D4117752A9B10F09ADFDA59DB061E247FE5321D6B170EE758ACE1BE4D15702330A2B83265B456A430A8BF27DCC8A9488B3F126C10F0D6D64BF7B8A218FAAF20E51A295A3AE78F205E5A4A6AE224C3639F1BB35 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02332D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA307C072942238DFC07F4A4D7C7C6A9F86436D17023379F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF4842CE433FB492D6E074E604D4870024D42189A + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "sample" +Output = 306A02332D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA307C072942238DFC07F4A4D7C7C6A9F86436D17023379F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF4842CE433FB492D6E074E604D4870024D42189A + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "sample" +Output = 306A02332D8B1B31E33E74D7EB46C30FDE5AD2CA04EC8FE08FBA0E73BA5E568953AC5EA307C072942238DFC07F4A4D7C7C6A9F86436D17023379F7D471E6CB73234AF7F7C381D2CE15DE35BAF8BB68393B73235B3A26EC2DF4842CE433FB492D6E074E604D4870024D42189B +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02337BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7F0B4BBFE8065D9AD452FD77A1914BE3A2440C1802336D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E6788ACC0B9521EACB4796E057C70DD9B95FED5BFB + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "sample" +Output = 306A02337BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7F0B4BBFE8065D9AD452FD77A1914BE3A2440C1802336D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E6788ACC0B9521EACB4796E057C70DD9B95FED5BFB + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "sample" +Output = 306A02337BC638B7E7CE6FEE5E9C64A0F966D722D01BB4BC3F3A35F30D4CDDA92DFC5F7F0B4BBFE8065D9AD452FD77A1914BE3A2440C1802336D904429850521B28A32CBF55C7C0FDF35DC4E0BDA2552C7BF68A171E970E6788ACC0B9521EACB4796E057C70DD9B95FED5BFA +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-409_PRIV +NonceType = deterministic +Input = "sample" +Output = 306A02335D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5C21FD60613BCA65C063A61226E050A680B3ABD4023313B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3B46588C784BE3AA9343BEF82F7C9C80AEB63C3B + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "sample" +Output = 306A02335D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5C21FD60613BCA65C063A61226E050A680B3ABD4023313B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3B46588C784BE3AA9343BEF82F7C9C80AEB63C3B + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "sample" +Output = 306A02335D178DECAFD2D02A3DA0D8BA1C4C1D95EE083C760DF782193A9F7B4A8BE6FC5C21FD60613BCA65C063A61226E050A680B3ABD4023313B7581E98F6A63FBBCB3E49BCDA60F816DB230B888506D105DC229600497C3B46588C784BE3AA9343BEF82F7C9C80AEB63C3A +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306A023349F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291F05FA12371E9B448417B3290193F08EE93191950233499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23FEE3DF0D811134C25AFE0E05A6672F98889F28F1 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "test" +Output = 306A023349F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291F05FA12371E9B448417B3290193F08EE93191950233499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23FEE3DF0D811134C25AFE0E05A6672F98889F28F1 + +DigestVerify = SHA1 +Key = B-409_PUB +Input = "test" +Output = 306A023349F54E7C10D2732B4638473053782C6919218BBEFCEC8B51640FC193E832291F05FA12371E9B448417B3290193F08EE93191950233499E267DEC84E02F6F108B10E82172C414F15B1B7364BE8BFD66ADC0C5DE23FEE3DF0D811134C25AFE0E05A6672F98889F28F0 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306B023400B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB42FDBDAAF8671A4CA86DFD619B1E3732D7BB56F20233442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52B022DF304F47403D4069234CA9EB4C964B37C02 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "test" +Output = 306B023400B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB42FDBDAAF8671A4CA86DFD619B1E3732D7BB56F20233442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52B022DF304F47403D4069234CA9EB4C964B37C02 + +DigestVerify = SHA224 +Key = B-409_PUB +Input = "test" +Output = 306B023400B1527FFAA7DD7C7E46B628587A5BEC0539A2D04D3CF27C54841C2544E1BBDB42FDBDAAF8671A4CA86DFD619B1E3732D7BB56F20233442C68C044868DF4832C807F1EDDEBF7F5052A64B826FD03451440794063F52B022DF304F47403D4069234CA9EB4C964B37C03 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306C023400BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B023400C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555EA070864245CF69266871FEB8CD1B7EDC30EF6D5 + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "test" +Output = 306C023400BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B023400C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555EA070864245CF69266871FEB8CD1B7EDC30EF6D5 + +DigestVerify = SHA256 +Key = B-409_PUB +Input = "test" +Output = 306C023400BB27755B991D6D31757BCBF68CB01225A38E1CFA20F775E861055DD108ED7EA455E4B96B2F6F7CD6C6EC2B3C70C3EDDEB9743B023400C5BE90980E7F444B5F7A12C9E9AC7A04CA81412822DD5AD1BE7C45D5032555EA070864245CF69266871FEB8CD1B7EDC30EF6D4 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306B02334EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE044E5B52D201A410B852536527724CA5F8CE65490234009574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF991E31F5956C23AFE48FCDC557FD6F088C7C9B2B3 + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "test" +Output = 306B02334EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE044E5B52D201A410B852536527724CA5F8CE65490234009574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF991E31F5956C23AFE48FCDC557FD6F088C7C9B2B3 + +DigestVerify = SHA384 +Key = B-409_PUB +Input = "test" +Output = 306B02334EFEB7098772187907C87B33E0FBBA4584226C50C11E98CA7AAC6986F8D3BE044E5B52D201A410B852536527724CA5F8CE65490234009574102FEB3EF87E6D66B94119F5A6062950FF4F902EA1E6BD9E2037F33FF991E31F5956C23AFE48FCDC557FD6F088C7C9B2B2 +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-409_PRIV +NonceType = deterministic +Input = "test" +Output = 306B02337E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D2E9524028CF821F21C6019770474CC40B01FAF60234008125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D8 + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "test" +Output = 306B02337E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D2E9524028CF821F21C6019770474CC40B01FAF60234008125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D8 + +DigestVerify = SHA512 +Key = B-409_PUB +Input = "test" +Output = 306B02337E0249C68536AE2AEC2EC30090340DA49E6DC9E9EEC8F85E5AABFB234B6DA7D2E9524028CF821F21C6019770474CC40B01FAF60234008125B5A03FB44AE81EA46D446130C2A415ECCA265910CA69D55F2453E16CD7B2DFA4E28C50FA8137F9C0C6CEE4CD37ABCCF6D9 +Result = VERIFY_ERROR + +Title = RFC 6979 B-571 deterministic ECDSA tests + +PrivateKey=B-571_PRIV +-----BEGIN PRIVATE KEY----- +MGUCAQAwEAYHKoZIzj0CAQYFK4EEACcETjBMAgEBBEcooEhX8kwcCC3w2QnA5y9FPy4jQMywcfDj +ibyiV12hkSQZjFcXSSmtJuNIz2P3jSgCHvWpvy1cvq9rfMtsTagk3VyCz7JOEQ== +-----END PRIVATE KEY----- + +PublicKey=B-571_PUB +-----BEGIN PUBLIC KEY----- +MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQEtLPOk3dVAUC2LBBhdjqlJIFN3O83sAzVzelPd5K7 +DpZ1jlXaLp/qj/KotoMK4dV6nKenf8sINr9D6lRUzdn+rVzP5zdcaoMERTsY8mHnoOdXDNcvI16n +UEOOQ5Rvvr0lGLaWlUdnqnhJwXGeGOHFFlLCjKhTQm8VwJqktXlIczirx/M3aPrdYbWjpkQ6gYk= +-----END PUBLIC KEY----- + +PrivPubKeyPair=B-571_PRIV:B-571_PUB + +DigestSign = SHA1 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 30819402480147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B74DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA415555454321EFE5CB60248017319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF74A66B189A850819 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "sample" +Output = 30819402480147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B74DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA415555454321EFE5CB60248017319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF74A66B189A850819 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "sample" +Output = 30819402480147D3EB0EDA9F2152DFD014363D6A9CE816D7A1467D326A625FC4AB0C786E1B74DDF7CD4D0E99541391B266C704BB6B6E8DCCD27B460802E0867143727AA415555454321EFE5CB60248017319571CAF533D90D2E78A64060B9C53169AB7FC908947B3EDADC54C79CCF0A7920B4C64A4EAB6282AFE9A459677CDA37FD6DD50BEF18709590FE18B923BDF74A66B189A850818 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 3081940248010F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE20853222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1582B318E459748B024803BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF176037B2C7A7A39A3 + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "sample" +Output = 3081940248010F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE20853222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1582B318E459748B024803BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF176037B2C7A7A39A3 + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "sample" +Output = 3081940248010F4B63E79B2E54E4F4F6A2DBC786D8F4A143ECA7B2AD97810F6472AC6AE20853222854553BE1D44A7974599DB7061AE8560DF57F2675BE5F9DD94ABAF3D47F1582B318E459748B024803BBEA07C6B269C2B7FE9AE4DDB118338D0C2F0022920A7F9DCFCB7489594C03B536A9900C4EA6A10410007222D3DAE1A96F291C4C9275D75D98EB290DC0EEF176037B2C7A7A39A2 +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 30819402480213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D865714D832E03C6D054024803D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBAA0F2CCB7D303945 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "sample" +Output = 30819402480213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D865714D832E03C6D054024803D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBAA0F2CCB7D303945 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "sample" +Output = 30819402480213EF9F3B0CFC4BF996B8AF3A7E1F6CACD2B87C8C63820000800AC787F17EC99C04BCEDF29A8413CFF83142BB88A50EF8D9A086AF4EB03E97C567500C21D865714D832E03C6D054024803D32322559B094E20D8935E250B6EC139AC4AAB77920812C119AF419FB62B332C8D226C6C9362AE3C1E4AABE19359B8428EA74EC8FBE83C8618C2BCCB6B43FBAA0F2CCB7D303944 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 30819402480375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB289C100EF4D1805EC024801CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DFB734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC04B9FF9B0380021C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "sample" +Output = 30819402480375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB289C100EF4D1805EC024801CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DFB734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC04B9FF9B0380021C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "sample" +Output = 30819402480375D8F49C656A0BBD21D3F54CDA287D853C4BB1849983CD891EF6CD6BB56A62B687807C16685C2C9BCA2663C33696ACCE344C45F3910B1DF806204FF731ECB289C100EF4D1805EC024801CDEC6F46DFEEE44BCE71D41C60550DC67CF98D6C91363625AC2553E4368D2DFB734A8E8C72E118A76ACDB0E58697940A0F3DF49E72894BD799450FC9E550CC04B9FF9B0380021D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-571_PRIV +NonceType = deterministic +Input = "sample" +Output = 308194024801C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E6024FE32A47289CF0024803691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D18D6D4DE7358DF7E + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "sample" +Output = 308194024801C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E6024FE32A47289CF0024803691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D18D6D4DE7358DF7E + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "sample" +Output = 308194024801C26F40D940A7EAA0EB1E62991028057D91FEDA0366B606F6C434C361F04E545A6A51A435E26416F6838FFA260C617E798E946B57215284182BE55F29A355E6024FE32A47289CF0024803691DE4369D921FE94EDDA67CB71FBBEC9A436787478063EB1CC778B3DCDC1C4162662752D28DEEDF6F32A269C82D1DB80C87CE4D3B662E03AC347806E3F19D18D6D4DE7358DF7F +Result = VERIFY_ERROR + +DigestSign = SHA1 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 30819402480133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD016419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59C5F368A6C0997CC024803D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D574DB62EF0D0F21 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "test" +Output = 30819402480133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD016419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59C5F368A6C0997CC024803D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D574DB62EF0D0F21 + +DigestVerify = SHA1 +Key = B-571_PUB +Input = "test" +Output = 30819402480133F5414F2A9BC41466D339B79376038A64D045E5B0F792A98E5A7AA87E0AD016419E5F8D176007D5C9C10B5FD9E2E0AB8331B195797C0358BA05ECBF24ACE59C5F368A6C0997CC024803D16743AE9F00F0B1A500F738719C5582550FEB64689DA241665C4CE4F328BA0E34A7EF527ED13BFA5889FD2D1D214C11EB17D6BC338E05A56F41CAFF1AF7B8D574DB62EF0D0F20 +Result = VERIFY_ERROR + +DigestSign = SHA224 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024803048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5FB0524B48F31828024802C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C8897C22CFB4B8FA + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "test" +Output = 308194024803048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5FB0524B48F31828024802C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C8897C22CFB4B8FA + +DigestVerify = SHA224 +Key = B-571_PUB +Input = "test" +Output = 308194024803048E76506C5C43D92B2E33F62B33E3111CEEB87F6C7DF7C7C01E3CDA28FA5E8BE04B5B23AA03C0C70FEF8F723CBCEBFF0B7A52A3F5C8B84B741B4F6157E69A5FB0524B48F31828024802C99078CCFE5C82102B8D006E3703E020C46C87C75163A2CD839C885550BA5CB501AC282D29A1C26D26773B60FBE05AAB62BFA0BA32127563D42F7669C97784C8897C22CFB4B8FB +Result = VERIFY_ERROR + +DigestSign = SHA256 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 30819402480184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC3417C005AEE9634690248027280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5E03921E4DC98333 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "test" +Output = 30819402480184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC3417C005AEE9634690248027280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5E03921E4DC98333 + +DigestVerify = SHA256 +Key = B-571_PUB +Input = "test" +Output = 30819402480184BC808506E11A65D628B457FDA60952803C604CC7181B59BD25AEE1411A66D12A777F3A0DC99E1190C58D0037807A95E5080FA1B2E5CCAA37B50D401CFFC3417C005AEE9634690248027280D45F81B19334DBDB07B7E63FE8F39AC7E9AE14DE1D2A6884D2101850289D70EE400F26ACA5E7D73F534A14568478E59D00594981ABE6A1BA18554C13EB5E03921E4DC98332 +Result = VERIFY_ERROR + +DigestSign = SHA384 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 30819402480319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268AF6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F50D8324578F13EC024802CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB44BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39BBEA02513EB880C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "test" +Output = 30819402480319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268AF6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F50D8324578F13EC024802CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB44BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39BBEA02513EB880C + +DigestVerify = SHA384 +Key = B-571_PUB +Input = "test" +Output = 30819402480319EE57912E7B0FAA1FBB145B0505849A89C6DB1EC06EA20A6A7EDE072A6268AF6FD9C809C7E422A5F33C6C3326EAD7402467DF3272A1B2726C1C20975950F0F50D8324578F13EC024802CF3EA27EADD0612DD2F96F46E89AB894B01A10DF985C5FC099CFFE0EA083EB44BE682B08BFE405DAD5F37D0A2C59015BA41027E24B99F8F75A70B6B7385BF39BBEA02513EB880D +Result = VERIFY_ERROR + +DigestSign = SHA512 +Key = B-571_PRIV +NonceType = deterministic +Input = "test" +Output = 308194024802AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78FC85A48F9715544024800AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DCF41DBC461744EE9 + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "test" +Output = 308194024802AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78FC85A48F9715544024800AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DCF41DBC461744EE9 + +DigestVerify = SHA512 +Key = B-571_PUB +Input = "test" +Output = 308194024802AA1888EAB05F7B00B6A784C4F7081D2C833D50794D9FEAF6E22B8BE728A2A90BFCABDC803162020AA629718295A1489EE7ED0ECB8AAA197B9BDFC49D18DDD78FC85A48F9715544024800AA5371FE5CA671D6ED9665849C37F394FED85D51FEF72DA2B5F28EDFB2C6479CA63320C19596F5E1101988E2C619E302DD05112F47E8823040CE540CD3E90DCF41DBC461744EE8 +Result = VERIFY_ERROR From 8ef3b381bf76349e3277f758e2b1f116b21b776d Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 20 Feb 2024 23:17:34 +0100 Subject: [PATCH 152/868] Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) * Fix ASN.1 for S/MIME capabilities. The current implementation defines the SMIMECapabilities attribute so that its value is a SEQUENCE of all the algorithm OIDs that are supported. However, the S/MIME v3 spec (RFC 2633) specifies that each algorithm should be specified in its own SEQUENCE: SMIMECapabilities ::= SEQUENCE OF SMIMECapability SMIMECapability ::= SEQUENCE { capabilityID OBJECT IDENTIFIER, parameters ANY DEFINED BY capabilityID OPTIONAL } (RFC 2633, Appendix A) This commit changes the implementation so that each algorithm is inside its own SEQUENCE. This also matches the OpenSSL implementation. * Fix the RSA OID used for signing PKCS#7/SMIME The current implementation computes the algorithm identifier used in the `digest_encryption_algorithm` PKCS#7 field (or `SignatureAlgorithmIdentifier` in S/MIME) based on both the algorithm used to sign (e.g. RSA) and the digest algorithm (e.g. SHA512). This is correct for ECDSA signatures, where the OIDs used include the digest algorithm (e.g: ecdsa-with-SHA512). However, due to historical reasons, when signing with RSA the OID specified should be the one corresponding to just RSA ("1.2.840.113549.1.1.1" rsaEncryption), rather than OIDs which also include the digest algorithm (such as "1.2.840.113549.1.1.13", sha512WithRSAEncryption). This means that the logic to compute the algorithm identifier is the same except when signing with RSA, in which case the OID will always be `rsaEncryption`. This is consistent with the OpenSSL implementation, and the RFCs that define PKCS#7 and S/MIME. See RFC 3851 (section 2.2), and RFC 3370 (section 3.2) for more details. * Add tests for the changes in PKCS7 signing * PKCS7 fixes from code review * Update CHANGELOG --- CHANGELOG.rst | 3 ++ src/rust/src/pkcs7.rs | 28 ++++++++++++-- src/rust/src/x509/sign.rs | 5 ++- tests/hazmat/primitives/test_pkcs7.py | 54 ++++++++++++++++++++++++++- 4 files changed, 83 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 2a529c2d7b80..348a7770a316 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -26,6 +26,9 @@ Changelog and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` + and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the + definitions in :rfc:`2633` :rfc:`3370`. .. _v42-0-3: diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 28edd016b863..9732b6b93b9b 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -104,9 +104,9 @@ fn sign_and_serialize<'p>( // Subset of values OpenSSL provides: // https://github.com/openssl/openssl/blob/667a8501f0b6e5705fd611d5bb3ca24848b07154/crypto/pkcs7/pk7_smime.c#L150 // removing all the ones that are bad cryptography - AES_256_CBC_OID, - AES_192_CBC_OID, - AES_128_CBC_OID, + &asn1::SequenceOfWriter::new([AES_256_CBC_OID]), + &asn1::SequenceOfWriter::new([AES_192_CBC_OID]), + &asn1::SequenceOfWriter::new([AES_128_CBC_OID]), ]))?; let py_signers: Vec<( @@ -205,7 +205,7 @@ fn sign_and_serialize<'p>( }, digest_algorithm: digest_alg, authenticated_attributes: authenticated_attrs, - digest_encryption_algorithm: x509::sign::compute_signature_algorithm( + digest_encryption_algorithm: compute_pkcs7_signature_algorithm( py, py_private_key, py_hash_alg, @@ -262,6 +262,26 @@ fn sign_and_serialize<'p>( } } +fn compute_pkcs7_signature_algorithm<'p>( + py: pyo3::Python<'p>, + private_key: &'p pyo3::PyAny, + hash_algorithm: &'p pyo3::PyAny, + rsa_padding: &'p pyo3::PyAny, +) -> pyo3::PyResult> { + let key_type = x509::sign::identify_key_type(py, private_key)?; + let has_pss_padding = rsa_padding.is_instance(types::PSS.get(py)?)?; + // For RSA signatures (with no PSS padding), the OID is always the same no matter the + // digest algorithm. See RFC 3370 (section 3.2). + if key_type == x509::sign::KeyType::Rsa && !has_pss_padding { + Ok(common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: common::AlgorithmParameters::Rsa(Some(())), + }) + } else { + x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding) + } +} + fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [u8]>) { let mut new_data_with_header = vec![]; let mut new_data_without_header = vec![]; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 099032210e8b..638bbbe909af 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -48,7 +48,10 @@ enum HashType { Sha3_512, } -fn identify_key_type(py: pyo3::Python<'_>, private_key: &pyo3::PyAny) -> pyo3::PyResult { +pub(crate) fn identify_key_type( + py: pyo3::Python<'_>, + private_key: &pyo3::PyAny, +) -> pyo3::PyResult { if private_key.is_instance(types::RSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Rsa) } else if private_key.is_instance(types::DSA_PRIVATE_KEY.get(py)?)? { diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 837ad261941c..a929a9e83ae3 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -558,6 +558,50 @@ def test_sign_text(self, backend): backend, ) + def test_smime_capabilities(self, backend): + data = b"hello world" + cert, key = _load_cert_key() + builder = ( + pkcs7.PKCS7SignatureBuilder() + .set_data(data) + .add_signer(cert, key, hashes.SHA256()) + ) + + sig_binary = builder.sign(serialization.Encoding.DER, []) + + # 1.2.840.113549.1.9.15 (SMIMECapabilities) as an ASN.1 DER encoded OID + assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" in sig_binary + + # 2.16.840.1.101.3.4.1.42 (aes256-CBC-PAD) as an ASN.1 DER encoded OID + aes256_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2A" + # 2.16.840.1.101.3.4.1.22 (aes192-CBC-PAD) as an ASN.1 DER encoded OID + aes192_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x16" + # 2.16.840.1.101.3.4.1.2 (aes128-CBC-PAD) as an ASN.1 DER encoded OID + aes128_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" + + # Each algorithm in SMIMECapabilities should be inside its own + # SEQUENCE. + # This is encoded as SEQUENCE_IDENTIFIER + LENGTH + ALGORITHM_OID. + # This tests that each algorithm is indeed encoded inside its own + # sequence. See RFC 2633, Appendix A for more details. + sequence_identifier = b"\x30" + for oid in [ + aes256_cbc_pad_oid, + aes192_cbc_pad_oid, + aes128_cbc_pad_oid, + ]: + len_oid = len(oid).to_bytes(length=1, byteorder="big") + assert sequence_identifier + len_oid + oid in sig_binary + + _pkcs7_verify( + serialization.Encoding.DER, + sig_binary, + None, + [cert], + [], + backend, + ) + def test_sign_no_capabilities(self, backend): data = b"hello world" cert, key = _load_cert_key() @@ -678,9 +722,15 @@ def test_rsa_pkcs_padding_options(self, pad, backend): sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x08") == 1 ) else: - # This should be a pkcs1 sha512 signature + # This should be a pkcs1 RSA signature, which uses the + # `rsaEncryption` OID (1.2.840.113549.1.1.1) no matter which + # digest algorithm is used. + # See RFC 3370 section 3.2 for more details. + # This OID appears twice, once in the certificate itself and + # another in the SignerInfo data structure in the + # `digest_encryption_algorithm` field. assert ( - sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D") == 1 + sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") == 2 ) _pkcs7_verify( serialization.Encoding.DER, From 3d329f2320e695abbd71c5feb4e3494f1c6df59e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 00:15:38 +0000 Subject: [PATCH 153/868] Bump BoringSSL and/or OpenSSL in CI (#10443) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b7b8535445ab..ac090595b7fa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "99e8c6e2a383a25679c3d6767702732b27bc16ea"}} - # Latest commit on the OpenSSL master branch, as of Feb 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a768a796f26ecebc12ac0bd9b86c5c30bfd9370b"}} + # Latest commit on the BoringSSL master branch, as of Feb 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "48b0edfdf2dd9f38650d2ec13fa72cc0407a0d84"}} + # Latest commit on the OpenSSL master branch, as of Feb 21, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "709637c8764e153f77c1d55d00b37fb08634aca9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 5020735e87ddf6bf72c5f1ed962fc2ff3f81cd8d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 00:28:26 +0000 Subject: [PATCH 154/868] Bump x509-limbo and/or wycheproof in CI (#10444) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 326ef2cf71f7..d633399239c6 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 16, 2024. - ref: "5f2f7b0a1ac8a8ebae3e418c2569f524c80f29db" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 21, 2024. + ref: "8ad17cdde59a1e62e8df1b8b0ffa4cfa3ab53f33" # x509-limbo-ref From 2492af56a45fb4fd7bd5ea1b5a69f8a141b1adac Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 20 Feb 2024 22:20:59 -0500 Subject: [PATCH 155/868] Forward port 42.0.4 changelog (#10446) --- CHANGELOG.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 348a7770a316..78fd4b7d4d19 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -26,6 +26,15 @@ Changelog and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. + +.. _v42-0-4: + +42.0.4 - 2024-02-20 +~~~~~~~~~~~~~~~~~~~ + +* Fixed a null-pointer-dereference and segfault that could occur when creating + a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the + issue. **CVE-2024-26130** * Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities`` and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the definitions in :rfc:`2633` :rfc:`3370`. From fd933a86836c6f9ca35b53a274d1ce3729690a15 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 07:06:33 -0500 Subject: [PATCH 156/868] Bump coverage from 7.4.1 to 7.4.2 (#10448) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.1 to 7.4.2. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.1...7.4.2) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 460c621257e8..60363341b890 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.1; python_version >= "3.8" +coverage==7.4.2; python_version >= "3.8" # via # coverage # pytest-cov From 583304ee0ab3379c94e87e7c9e274007dcd5c887 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 07:06:55 -0500 Subject: [PATCH 157/868] Bump cc from 1.0.83 to 1.0.86 in /src/rust (#10449) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.83 to 1.0.86. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.83...1.0.86) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 7 ++----- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c85ea888aa3a..21930a302524 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,12 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.83" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" -dependencies = [ - "libc", -] +checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index af977b0d6a51..956728c7beba 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.100" [build-dependencies] -cc = "1.0.83" +cc = "1.0.86" From b997a63f6a4a72824ea7b5fa10efabc56855bb03 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 09:03:36 -0600 Subject: [PATCH 158/868] Bump cryptography from 42.0.3 to 42.0.4 in /.github/requirements (#10447) * Bump cryptography from 42.0.3 to 42.0.4 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.3 to 42.0.4. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.3...42.0.4) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 0f65bca76c66..9086575892ae 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.3 \ - --hash=sha256:04859aa7f12c2b5f7e22d25198ddd537391f1695df7057c8700f71f26f47a129 \ - --hash=sha256:069d2ce9be5526a44093a0991c450fe9906cdf069e0e7cd67d9dee49a62b9ebe \ - --hash=sha256:0d3ec384058b642f7fb7e7bff9664030011ed1af8f852540c76a1317a9dd0d20 \ - --hash=sha256:0fab2a5c479b360e5e0ea9f654bcebb535e3aa1e493a715b13244f4e07ea8eec \ - --hash=sha256:0fea01527d4fb22ffe38cd98951c9044400f6eff4788cf52ae116e27d30a1ba3 \ - --hash=sha256:1b797099d221df7cce5ff2a1d272761d1554ddf9a987d3e11f6459b38cd300fd \ - --hash=sha256:1e935c2900fb53d31f491c0de04f41110351377be19d83d908c1fd502ae8daa5 \ - --hash=sha256:20100c22b298c9eaebe4f0b9032ea97186ac2555f426c3e70670f2517989543b \ - --hash=sha256:20180da1b508f4aefc101cebc14c57043a02b355d1a652b6e8e537967f1e1b46 \ - --hash=sha256:25b09b73db78facdfd7dd0fa77a3f19e94896197c86e9f6dc16bce7b37a96504 \ - --hash=sha256:2619487f37da18d6826e27854a7f9d4d013c51eafb066c80d09c63cf24505306 \ - --hash=sha256:2eb6368d5327d6455f20327fb6159b97538820355ec00f8cc9464d617caecead \ - --hash=sha256:35772a6cffd1f59b85cb670f12faba05513446f80352fe811689b4e439b5d89e \ - --hash=sha256:39d5c93e95bcbc4c06313fc6a500cee414ee39b616b55320c1904760ad686938 \ - --hash=sha256:3d96ea47ce6d0055d5b97e761d37b4e84195485cb5a38401be341fabf23bc32a \ - --hash=sha256:4dcab7c25e48fc09a73c3e463d09ac902a932a0f8d0c568238b3696d06bf377b \ - --hash=sha256:5fbf0f3f0fac7c089308bd771d2c6c7b7d53ae909dce1db52d8e921f6c19bb3a \ - --hash=sha256:6c25e1e9c2ce682d01fc5e2dde6598f7313027343bd14f4049b82ad0402e52cd \ - --hash=sha256:762f3771ae40e111d78d77cbe9c1035e886ac04a234d3ee0856bf4ecb3749d54 \ - --hash=sha256:90147dad8c22d64b2ff7331f8d4cddfdc3ee93e4879796f837bdbb2a0b141e0c \ - --hash=sha256:935cca25d35dda9e7bd46a24831dfd255307c55a07ff38fd1a92119cffc34857 \ - --hash=sha256:93fbee08c48e63d5d1b39ab56fd3fdd02e6c2431c3da0f4edaf54954744c718f \ - --hash=sha256:9541c69c62d7446539f2c1c06d7046aef822940d248fa4b8962ff0302862cc1f \ - --hash=sha256:c23f03cfd7d9826cdcbad7850de67e18b4654179e01fe9bc623d37c2638eb4ef \ - --hash=sha256:c3d1f5a1d403a8e640fa0887e9f7087331abb3f33b0f2207d2cc7f213e4a864c \ - --hash=sha256:d1998e545081da0ab276bcb4b33cce85f775adb86a516e8f55b3dac87f469548 \ - --hash=sha256:d5cf11bc7f0b71fb71af26af396c83dfd3f6eed56d4b6ef95d57867bf1e4ba65 \ - --hash=sha256:db0480ffbfb1193ac4e1e88239f31314fe4c6cdcf9c0b8712b55414afbf80db4 \ - --hash=sha256:de4ae486041878dc46e571a4c70ba337ed5233a1344c14a0790c4c4be4bbb8b4 \ - --hash=sha256:de5086cd475d67113ccb6f9fae6d8fe3ac54a4f9238fd08bfdb07b03d791ff0a \ - --hash=sha256:df34312149b495d9d03492ce97471234fd9037aa5ba217c2a6ea890e9166f151 \ - --hash=sha256:ead69ba488f806fe1b1b4050febafdbf206b81fa476126f3e16110c818bac396 +cryptography==42.0.4 \ + --hash=sha256:01911714117642a3f1792c7f376db572aadadbafcd8d75bb527166009c9f1d1b \ + --hash=sha256:0e89f7b84f421c56e7ff69f11c441ebda73b8a8e6488d322ef71746224c20fce \ + --hash=sha256:12d341bd42cdb7d4937b0cabbdf2a94f949413ac4504904d0cdbdce4a22cbf88 \ + --hash=sha256:15a1fb843c48b4a604663fa30af60818cd28f895572386e5f9b8a665874c26e7 \ + --hash=sha256:1cdcdbd117681c88d717437ada72bdd5be9de117f96e3f4d50dab3f59fd9ab20 \ + --hash=sha256:1df6fcbf60560d2113b5ed90f072dc0b108d64750d4cbd46a21ec882c7aefce9 \ + --hash=sha256:3c6048f217533d89f2f8f4f0fe3044bf0b2090453b7b73d0b77db47b80af8dff \ + --hash=sha256:3e970a2119507d0b104f0a8e281521ad28fc26f2820687b3436b8c9a5fcf20d1 \ + --hash=sha256:44a64043f743485925d3bcac548d05df0f9bb445c5fcca6681889c7c3ab12764 \ + --hash=sha256:4e36685cb634af55e0677d435d425043967ac2f3790ec652b2b88ad03b85c27b \ + --hash=sha256:5f8907fcf57392cd917892ae83708761c6ff3c37a8e835d7246ff0ad251d9298 \ + --hash=sha256:69b22ab6506a3fe483d67d1ed878e1602bdd5912a134e6202c1ec672233241c1 \ + --hash=sha256:6bfadd884e7280df24d26f2186e4e07556a05d37393b0f220a840b083dc6a824 \ + --hash=sha256:6d0fbe73728c44ca3a241eff9aefe6496ab2656d6e7a4ea2459865f2e8613257 \ + --hash=sha256:6ffb03d419edcab93b4b19c22ee80c007fb2d708429cecebf1dd3258956a563a \ + --hash=sha256:810bcf151caefc03e51a3d61e53335cd5c7316c0a105cc695f0959f2c638b129 \ + --hash=sha256:831a4b37accef30cccd34fcb916a5d7b5be3cbbe27268a02832c3e450aea39cb \ + --hash=sha256:887623fe0d70f48ab3f5e4dbf234986b1329a64c066d719432d0698522749929 \ + --hash=sha256:a0298bdc6e98ca21382afe914c642620370ce0470a01e1bef6dd9b5354c36854 \ + --hash=sha256:a1327f280c824ff7885bdeef8578f74690e9079267c1c8bd7dc5cc5aa065ae52 \ + --hash=sha256:c1f25b252d2c87088abc8bbc4f1ecbf7c919e05508a7e8628e6875c40bc70923 \ + --hash=sha256:c3a5cbc620e1e17009f30dd34cb0d85c987afd21c41a74352d1719be33380885 \ + --hash=sha256:ce8613beaffc7c14f091497346ef117c1798c202b01153a8cc7b8e2ebaaf41c0 \ + --hash=sha256:d2a27aca5597c8a71abbe10209184e1a8e91c1fd470b5070a2ea60cafec35bcd \ + --hash=sha256:dad9c385ba8ee025bb0d856714f71d7840020fe176ae0229de618f14dae7a6e2 \ + --hash=sha256:db4b65b02f59035037fde0998974d84244a64c3265bdef32a827ab9b63d61b18 \ + --hash=sha256:e09469a2cec88fb7b078e16d4adec594414397e8879a4341c6ace96013463d5b \ + --hash=sha256:e53dc41cda40b248ebc40b83b31516487f7db95ab8ceac1f042626bc43a2f992 \ + --hash=sha256:f1e85a178384bf19e36779d91ff35c7617c885da487d689b05c1366f9933ad74 \ + --hash=sha256:f47be41843200f7faec0683ad751e5ef11b9a56a220d57f300376cd8aba81660 \ + --hash=sha256:fb0cef872d8193e487fc6bdb08559c3aa41b659a7d9be48b2e10747f47863925 \ + --hash=sha256:ffc73996c4fca3d2b6c1c8c12bfd3ad00def8621da24f547626bf06441400449 # via # pyopenssl # secretstorage From c86b1b273203988598bc91ecff303d12537df7f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 23:30:15 +0000 Subject: [PATCH 159/868] Bump openssl-sys from 0.9.100 to 0.9.101 in /src/rust (#10452) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.100 to 0.9.101. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.100...openssl-sys-v0.9.101) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 21930a302524..6a68aa4b54cf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -213,9 +213,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.100" +version = "0.9.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae94056a791d0e1217d18b6cbdccb02c61e3054fc69893607f4067e3bb0b1fd1" +checksum = "dda2b0f344e78efc2facf7d195d098df0dd72151b26ab98da807afc26c198dff" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 83c6605ad453..aa533bf210c3 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -19,7 +19,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.64" -openssl-sys = "0.9.100" +openssl-sys = "0.9.101" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 956728c7beba..44afed76d219 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.63.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.100" +openssl-sys = "0.9.101" [build-dependencies] cc = "1.0.86" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 2922568d15ef..fdde0053df4c 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -11,5 +11,5 @@ rust-version = "1.63.0" asn1 = { version = "0.16.0", default-features = false } cfg-if = "1" openssl = "0.10.64" -openssl-sys = "0.9.100" +openssl-sys = "0.9.101" cryptography-x509 = { path = "../cryptography-x509" } From 9db845669d36555723c4444768da31a061bc6371 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 21 Feb 2024 18:31:13 -0500 Subject: [PATCH 160/868] Bump dawidd6/action-download-artifact from 3.1.1 to 3.1.2 (#10451) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.1 to 3.1.2. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/72aaadce3bc708349fc665eee3785cbb1b6e51d0...71072fbb1229e1317f1a8de6b04206afb461bd67) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ac090595b7fa..7d9a2226aa8f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -256,7 +256,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -316,7 +316,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index bd31dbaeaaf3..f95c72b497dc 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -47,7 +47,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 3223f7982f86..4ddcff39e6df 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@72aaadce3bc708349fc665eee3785cbb1b6e51d0 # v3.1.1 + - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 with: repo: pyca/infra workflow: build-windows-openssl.yml From 69f00114101503b3b6dc253da4a857f845009ebd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 00:25:00 +0000 Subject: [PATCH 161/868] Bump BoringSSL and/or OpenSSL in CI (#10453) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d9a2226aa8f..85c58679c23e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "48b0edfdf2dd9f38650d2ec13fa72cc0407a0d84"}} - # Latest commit on the OpenSSL master branch, as of Feb 21, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "709637c8764e153f77c1d55d00b37fb08634aca9"}} + # Latest commit on the BoringSSL master branch, as of Feb 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e44712755dd9281656009d4931cf7ae12201ae21"}} + # Latest commit on the OpenSSL master branch, as of Feb 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a6f70c03182b421d326831532edca32bcdb3fb1"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 62458e7dff8674d77a20c59b0deca559cfa3e491 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 06:51:21 -0500 Subject: [PATCH 162/868] Bump target-lexicon from 0.12.13 to 0.12.14 in /src/rust (#10454) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.13 to 0.12.14. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.13...v0.12.14) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6a68aa4b54cf..6b15f585b316 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -380,9 +380,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.13" +version = "0.12.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69758bda2e78f098e4ccb393021a0963bb3442eac05f135c30f61b7370bbafae" +checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" [[package]] name = "unicode-ident" From 9ba494087045a61248f791eacd40ed152de26847 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 06:51:27 -0500 Subject: [PATCH 163/868] Bump virtualenv from 20.25.0 to 20.25.1 (#10455) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.0 to 20.25.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.0...20.25.1) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 60363341b890..4b9df4929612 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.9.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.0 +virtualenv==20.25.1 # via nox # The following packages are considered to be unsafe in a requirements file: From e02757c4486cd4c655839a734355a98846803077 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 00:13:56 +0000 Subject: [PATCH 164/868] Bump BoringSSL and/or OpenSSL in CI (#10456) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 85c58679c23e..2913312f83b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e44712755dd9281656009d4931cf7ae12201ae21"}} - # Latest commit on the OpenSSL master branch, as of Feb 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a6f70c03182b421d326831532edca32bcdb3fb1"}} + # Latest commit on the BoringSSL master branch, as of Feb 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ab4037e3d14b2b1e02c93f76d80a8dd0ce3193fc"}} + # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV: # 1.64 - maturin, workspace inheritance From 292d925c44e1687222e9b6eb6f2a537e83b34799 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 00:29:49 +0000 Subject: [PATCH 165/868] Bump x509-limbo and/or wycheproof in CI (#10457) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index d633399239c6..821d7ffc91c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 21, 2024. - ref: "8ad17cdde59a1e62e8df1b8b0ffa4cfa3ab53f33" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. + ref: "aa48664a5baddd27129bf0d6cf2b4c54112e6745" # x509-limbo-ref From 048153ab3da5fe818cc7eb507132ff105dff1b6c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 22 Feb 2024 20:01:04 -0500 Subject: [PATCH 166/868] Stop running linkcheck on every push - its pointless (#10458) --- .github/workflows/linkcheck.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 9f694c7cb661..0e5b688c051f 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -4,9 +4,9 @@ on: paths: - docs/conf.py - .github/workflows/linkcheck.yml - push: - branches: - - main + schedule: + # Run once a week on Fridays + - cron: "0 0 * * FRI" permissions: contents: read From 3ffcf539899b5abcec81f1967b31b99f1ac7cbf1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 22 Feb 2024 22:41:40 -0500 Subject: [PATCH 167/868] Simplify implementation of repr on OIDs (#10459) --- src/rust/src/oid.rs | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 4bf764eee408..7996895ca1f0 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -41,17 +41,12 @@ impl ObjectIdentifier { slf } - fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let self_clone = pyo3::PyCell::new( - py, - ObjectIdentifier { - oid: self.oid.clone(), - }, - )?; - let name = ObjectIdentifier::_name(self_clone.borrow(), py)?.extract::<&str>()?; + fn __repr__(slf: &pyo3::PyCell, py: pyo3::Python<'_>) -> pyo3::PyResult { + let name = Self::_name(slf.borrow(), py)?.extract::<&str>()?; Ok(format!( "", - self.oid, name + slf.get().oid, + name )) } From f78c6ea9190425e59a2dc5d8de05cefff3f9fc7a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 07:34:59 -0500 Subject: [PATCH 168/868] Bump setuptools from 69.1.0 to 69.1.1 in /.github/requirements (#10461) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.1.0 to 69.1.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.1.0...v69.1.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index aff425f1834b..92527ddbe91e 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.42.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.1.0 \ - --hash=sha256:850894c4195f09c4ed30dba56213bf7c3f21d86ed6bdaafb5df5972593bfc401 \ - --hash=sha256:c054629b81b946d63a9c6e732bc8b2513a7c3ea645f11d0139a2191d735c60c6 +setuptools==69.1.1 \ + --hash=sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56 \ + --hash=sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8 # via # -r build-requirements.in # setuptools-rust From 3598d2ee4b5060dbbe6938b893410ed35074567c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 13:10:48 +0000 Subject: [PATCH 169/868] Bump pyo3 from 0.20.2 to 0.20.3 in /src/rust (#10462) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.20.2 to 0.20.3. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.20.3/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.20.2...v0.20.3) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6b15f585b316..f74594106eb2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -261,6 +261,12 @@ version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" +[[package]] +name = "portable-atomic" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" + [[package]] name = "proc-macro2" version = "1.0.78" @@ -272,15 +278,16 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a89dc7a5850d0e983be1ec2a463a171d20990487c3cfcd68b5363f1ee3d6fe0" +checksum = "53bdbb96d49157e65d45cc287af5f32ffadd5f4761438b527b055fb0d4bb8233" dependencies = [ "cfg-if", "indoc", "libc", "memoffset", "parking_lot", + "portable-atomic", "pyo3-build-config", "pyo3-ffi", "pyo3-macros", @@ -289,9 +296,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07426f0d8fe5a601f26293f300afd1a7b1ed5e78b2a705870c5f30893c5163be" +checksum = "deaa5745de3f5231ce10517a1f5dd97d53e5a2fd77aa6b5842292085831d48d7" dependencies = [ "once_cell", "target-lexicon", @@ -299,9 +306,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dbb7dec17e17766b46bca4f1a4215a85006b4c2ecde122076c562dd058da6cf1" +checksum = "62b42531d03e08d4ef1f6e85a2ed422eb678b8cd62b762e53891c05faf0d4afa" dependencies = [ "libc", "pyo3-build-config", @@ -309,9 +316,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05f738b4e40d50b5711957f142878cfa0f28e054aa0ebdfc3fd137a843f74ed3" +checksum = "7305c720fa01b8055ec95e484a6eca7a83c841267f0dd5280f0c8b8551d2c158" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -321,12 +328,13 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.20.2" +version = "0.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fc910d4851847827daf9d6cdd4a823fbdaab5b8818325c5e97a86da79e8881f" +checksum = "7c7e9b68bb9c3149c5b0cade5d07f953d6d125eb4337723c4ccdb665f1f96185" dependencies = [ "heck", "proc-macro2", + "pyo3-build-config", "quote", "syn", ] From 28bb975af1f831ea2e8763b2ce6d111e7d6aca40 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 16:07:27 +0000 Subject: [PATCH 170/868] Bump x509-limbo and/or wycheproof in CI (#10464) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 821d7ffc91c8..f896ef7079aa 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -17,4 +17,4 @@ runs: repository: "C2SP/x509-limbo" path: "x509-limbo" # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. - ref: "aa48664a5baddd27129bf0d6cf2b4c54112e6745" # x509-limbo-ref + ref: "34ee9a57606e2875e698fe4320689fd9ee4c0ccd" # x509-limbo-ref From 4f260d3b6726db6ffa3c66dbba3efdea4b9f01aa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Feb 2024 19:04:47 -0500 Subject: [PATCH 171/868] Added a budget for NC checks to protect against DoS (#10467) --- .github/actions/fetch-vectors/action.yml | 2 +- .../cryptography-x509-verification/src/lib.rs | 47 +++++++++++++++++-- 2 files changed, 43 insertions(+), 6 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f896ef7079aa..3d027df32788 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -17,4 +17,4 @@ runs: repository: "C2SP/x509-limbo" path: "x509-limbo" # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. - ref: "34ee9a57606e2875e698fe4320689fd9ee4c0ccd" # x509-limbo-ref + ref: "c8f6a4f4946076db55778ed7b3cffdab082a1a12" # x509-limbo-ref diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 6265f75c5502..5ded892d5cbb 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -33,9 +33,35 @@ pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), DuplicateExtension(DuplicateExtensionsError), + FatalError(&'static str), Other(String), } +struct Budget { + name_constraint_checks: usize, +} + +impl Budget { + // Same limit as other validators + const DEFAULT_NAME_CONSTRAINT_CHECK_LIMIT: usize = 1 << 20; + + fn new() -> Budget { + Budget { + name_constraint_checks: Self::DEFAULT_NAME_CONSTRAINT_CHECK_LIMIT, + } + } + + fn name_constraint_check(&mut self) -> Result<(), ValidationError> { + self.name_constraint_checks = + self.name_constraint_checks + .checked_sub(1) + .ok_or(ValidationError::FatalError( + "Exceeded maximum name constraint check limit", + ))?; + Ok(()) + } +} + impl From for ValidationError { fn from(value: asn1::ParseError) -> Self { Self::Malformed(value) @@ -76,7 +102,10 @@ impl<'a, 'chain> NameChain<'a, 'chain> { &self, constraint: &GeneralName<'chain>, san: &GeneralName<'chain>, + budget: &mut Budget, ) -> Result { + budget.name_constraint_check()?; + match (constraint, san) { (GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => { match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) { @@ -114,9 +143,10 @@ impl<'a, 'chain> NameChain<'a, 'chain> { fn evaluate_constraints( &self, constraints: &NameConstraints<'chain>, + budget: &mut Budget, ) -> Result<(), ValidationError> { if let Some(child) = self.child { - child.evaluate_constraints(constraints)?; + child.evaluate_constraints(constraints, budget)?; } for san in self.sans.clone() { @@ -124,7 +154,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { let mut permit = true; if let Some(permitted_subtrees) = &constraints.permitted_subtrees { for p in permitted_subtrees.unwrap_read().clone() { - let status = self.evaluate_single_constraint(&p.base, &san)?; + let status = self.evaluate_single_constraint(&p.base, &san, budget)?; if status.is_applied() { permit = status.is_match(); if permit { @@ -142,7 +172,7 @@ impl<'a, 'chain> NameChain<'a, 'chain> { if let Some(excluded_subtrees) = &constraints.excluded_subtrees { for e in excluded_subtrees.unwrap_read().clone() { - let status = self.evaluate_single_constraint(&e.base, &san)?; + let status = self.evaluate_single_constraint(&e.base, &san, budget)?; if status.is_match() { return Err(ValidationError::Other( "excluded name constraint matched SAN".into(), @@ -166,7 +196,8 @@ pub fn verify<'chain, B: CryptoOps>( ) -> Result, ValidationError> { let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); - builder.build_chain(leaf) + let mut budget = Budget::new(); + builder.build_chain(leaf, &mut budget) } struct ChainBuilder<'a, 'chain, B: CryptoOps> { @@ -227,9 +258,10 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { current_depth: u8, working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, + budget: &mut Budget, ) -> Result, ValidationError> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { - name_chain.evaluate_constraints(&nc.value()?)?; + name_chain.evaluate_constraints(&nc.value()?, budget)?; } // Look in the store's root set to see if the working cert is listed. @@ -295,11 +327,14 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // candidate (which is a non-leaf by definition) isn't self-issued. cert_is_self_issued(issuing_cert_candidate.certificate()), )?, + budget, ) { Ok(mut chain) => { chain.push(working_cert.clone()); return Ok(chain); } + // Immediately return on fatal error. + Err(e @ ValidationError::FatalError(..)) => return Err(e), Err(e) => last_err = Some(e), }; } @@ -326,6 +361,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn build_chain( &self, leaf: &VerificationCertificate<'chain, B>, + budget: &mut Budget, ) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying @@ -342,6 +378,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { 0, &leaf_extensions, NameChain::new(None, &leaf_extensions, false)?, + budget, )?; // We build the chain in reverse order, fix it now. chain.reverse(); From 2981f128543ad23a931f651dfb2783528dd6fb4c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 00:21:02 +0000 Subject: [PATCH 172/868] Bump BoringSSL and/or OpenSSL in CI (#10469) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2913312f83b4..9080d862f888 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ab4037e3d14b2b1e02c93f76d80a8dd0ce3193fc"}} + # Latest commit on the BoringSSL master branch, as of Feb 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d7535f51f84a079c05b27134fcf6111649c56c9"}} # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} # Builds with various Rust versions. Includes MSRV and next From 3f6931ee13b758f8b500af4a9a8876dd4aafc2c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 23 Feb 2024 20:28:28 -0500 Subject: [PATCH 173/868] Forward port 42.0.5 changelog (#10471) --- CHANGELOG.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 78fd4b7d4d19..7fa93101a919 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -27,6 +27,16 @@ Changelog :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +.. _v42-0-5: + +42.0.5 - 2024-02-23 +~~~~~~~~~~~~~~~~~~~ + +* Limit the number of name constraint checks that will be performed in + :mod:`X.509 path validation ` to protect + against denial of service attacks. +* Upgrade ``pyo3`` version, which fixes building on PowerPC. + .. _v42-0-4: 42.0.4 - 2024-02-20 From 68538b1c94bf4f4be35694fb7bf576e7ee3946a1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 04:55:17 +0000 Subject: [PATCH 174/868] Bump cc from 1.0.86 to 1.0.87 in /src/rust (#10472) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.86 to 1.0.87. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.86...1.0.87) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f74594106eb2..0a09cd54e498 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.86" +version = "1.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" +checksum = "3286b845d0fccbdd15af433f61c5970e711987036cb468f437ff6badd70f4e24" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 44afed76d219..21e48cbf7624 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.86" +cc = "1.0.87" From 9ceecb5c7f1dc055513b100e9ccf2df15335fc5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 04:59:31 +0000 Subject: [PATCH 175/868] Bump coverage from 7.4.2 to 7.4.3 (#10473) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.2 to 7.4.3. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.2...7.4.3) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4b9df4929612..59d805e1ce12 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.2; python_version >= "3.8" +coverage==7.4.3; python_version >= "3.8" # via # coverage # pytest-cov From e3c2d8c10276298b60106fc977d1d2b4bcce13ea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 00:14:02 -0600 Subject: [PATCH 176/868] Bump cryptography from 42.0.4 to 42.0.5 in /.github/requirements (#10474) * Bump cryptography from 42.0.4 to 42.0.5 in /.github/requirements Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.4 to 42.0.5. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.4...42.0.5) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9086575892ae..fb13f66a171a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -166,39 +166,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.4 \ - --hash=sha256:01911714117642a3f1792c7f376db572aadadbafcd8d75bb527166009c9f1d1b \ - --hash=sha256:0e89f7b84f421c56e7ff69f11c441ebda73b8a8e6488d322ef71746224c20fce \ - --hash=sha256:12d341bd42cdb7d4937b0cabbdf2a94f949413ac4504904d0cdbdce4a22cbf88 \ - --hash=sha256:15a1fb843c48b4a604663fa30af60818cd28f895572386e5f9b8a665874c26e7 \ - --hash=sha256:1cdcdbd117681c88d717437ada72bdd5be9de117f96e3f4d50dab3f59fd9ab20 \ - --hash=sha256:1df6fcbf60560d2113b5ed90f072dc0b108d64750d4cbd46a21ec882c7aefce9 \ - --hash=sha256:3c6048f217533d89f2f8f4f0fe3044bf0b2090453b7b73d0b77db47b80af8dff \ - --hash=sha256:3e970a2119507d0b104f0a8e281521ad28fc26f2820687b3436b8c9a5fcf20d1 \ - --hash=sha256:44a64043f743485925d3bcac548d05df0f9bb445c5fcca6681889c7c3ab12764 \ - --hash=sha256:4e36685cb634af55e0677d435d425043967ac2f3790ec652b2b88ad03b85c27b \ - --hash=sha256:5f8907fcf57392cd917892ae83708761c6ff3c37a8e835d7246ff0ad251d9298 \ - --hash=sha256:69b22ab6506a3fe483d67d1ed878e1602bdd5912a134e6202c1ec672233241c1 \ - --hash=sha256:6bfadd884e7280df24d26f2186e4e07556a05d37393b0f220a840b083dc6a824 \ - --hash=sha256:6d0fbe73728c44ca3a241eff9aefe6496ab2656d6e7a4ea2459865f2e8613257 \ - --hash=sha256:6ffb03d419edcab93b4b19c22ee80c007fb2d708429cecebf1dd3258956a563a \ - --hash=sha256:810bcf151caefc03e51a3d61e53335cd5c7316c0a105cc695f0959f2c638b129 \ - --hash=sha256:831a4b37accef30cccd34fcb916a5d7b5be3cbbe27268a02832c3e450aea39cb \ - --hash=sha256:887623fe0d70f48ab3f5e4dbf234986b1329a64c066d719432d0698522749929 \ - --hash=sha256:a0298bdc6e98ca21382afe914c642620370ce0470a01e1bef6dd9b5354c36854 \ - --hash=sha256:a1327f280c824ff7885bdeef8578f74690e9079267c1c8bd7dc5cc5aa065ae52 \ - --hash=sha256:c1f25b252d2c87088abc8bbc4f1ecbf7c919e05508a7e8628e6875c40bc70923 \ - --hash=sha256:c3a5cbc620e1e17009f30dd34cb0d85c987afd21c41a74352d1719be33380885 \ - --hash=sha256:ce8613beaffc7c14f091497346ef117c1798c202b01153a8cc7b8e2ebaaf41c0 \ - --hash=sha256:d2a27aca5597c8a71abbe10209184e1a8e91c1fd470b5070a2ea60cafec35bcd \ - --hash=sha256:dad9c385ba8ee025bb0d856714f71d7840020fe176ae0229de618f14dae7a6e2 \ - --hash=sha256:db4b65b02f59035037fde0998974d84244a64c3265bdef32a827ab9b63d61b18 \ - --hash=sha256:e09469a2cec88fb7b078e16d4adec594414397e8879a4341c6ace96013463d5b \ - --hash=sha256:e53dc41cda40b248ebc40b83b31516487f7db95ab8ceac1f042626bc43a2f992 \ - --hash=sha256:f1e85a178384bf19e36779d91ff35c7617c885da487d689b05c1366f9933ad74 \ - --hash=sha256:f47be41843200f7faec0683ad751e5ef11b9a56a220d57f300376cd8aba81660 \ - --hash=sha256:fb0cef872d8193e487fc6bdb08559c3aa41b659a7d9be48b2e10747f47863925 \ - --hash=sha256:ffc73996c4fca3d2b6c1c8c12bfd3ad00def8621da24f547626bf06441400449 +cryptography==42.0.5 \ + --hash=sha256:0270572b8bd2c833c3981724b8ee9747b3ec96f699a9665470018594301439ee \ + --hash=sha256:111a0d8553afcf8eb02a4fea6ca4f59d48ddb34497aa8706a6cf536f1a5ec576 \ + --hash=sha256:16a48c23a62a2f4a285699dba2e4ff2d1cff3115b9df052cdd976a18856d8e3d \ + --hash=sha256:1b95b98b0d2af784078fa69f637135e3c317091b615cd0905f8b8a087e86fa30 \ + --hash=sha256:1f71c10d1e88467126f0efd484bd44bca5e14c664ec2ede64c32f20875c0d413 \ + --hash=sha256:2424ff4c4ac7f6b8177b53c17ed5d8fa74ae5955656867f5a8affaca36a27abb \ + --hash=sha256:2bce03af1ce5a5567ab89bd90d11e7bbdff56b8af3acbbec1faded8f44cb06da \ + --hash=sha256:329906dcc7b20ff3cad13c069a78124ed8247adcac44b10bea1130e36caae0b4 \ + --hash=sha256:37dd623507659e08be98eec89323469e8c7b4c1407c85112634ae3dbdb926fdd \ + --hash=sha256:3eaafe47ec0d0ffcc9349e1708be2aaea4c6dd4978d76bf6eb0cb2c13636c6fc \ + --hash=sha256:5e6275c09d2badf57aea3afa80d975444f4be8d3bc58f7f80d2a484c6f9485c8 \ + --hash=sha256:6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1 \ + --hash=sha256:7367d7b2eca6513681127ebad53b2582911d1736dc2ffc19f2c3ae49997496bc \ + --hash=sha256:7cde5f38e614f55e28d831754e8a3bacf9ace5d1566235e39d91b35502d6936e \ + --hash=sha256:9481ffe3cf013b71b2428b905c4f7a9a4f76ec03065b05ff499bb5682a8d9ad8 \ + --hash=sha256:98d8dc6d012b82287f2c3d26ce1d2dd130ec200c8679b6213b3c73c08b2b7940 \ + --hash=sha256:a011a644f6d7d03736214d38832e030d8268bcff4a41f728e6030325fea3e400 \ + --hash=sha256:a2913c5375154b6ef2e91c10b5720ea6e21007412f6437504ffea2109b5a33d7 \ + --hash=sha256:a30596bae9403a342c978fb47d9b0ee277699fa53bbafad14706af51fe543d16 \ + --hash=sha256:b03c2ae5d2f0fc05f9a2c0c997e1bc18c8229f392234e8a0194f202169ccd278 \ + --hash=sha256:b6cd2203306b63e41acdf39aa93b86fb566049aeb6dc489b70e34bcd07adca74 \ + --hash=sha256:b7ffe927ee6531c78f81aa17e684e2ff617daeba7f189f911065b2ea2d526dec \ + --hash=sha256:b8cac287fafc4ad485b8a9b67d0ee80c66bf3574f655d3b97ef2e1082360faf1 \ + --hash=sha256:ba334e6e4b1d92442b75ddacc615c5476d4ad55cc29b15d590cc6b86efa487e2 \ + --hash=sha256:ba3e4a42397c25b7ff88cdec6e2a16c2be18720f317506ee25210f6d31925f9c \ + --hash=sha256:c41fb5e6a5fe9ebcd58ca3abfeb51dffb5d83d6775405305bfa8715b76521922 \ + --hash=sha256:cd2030f6650c089aeb304cf093f3244d34745ce0cfcc39f20c6fbfe030102e2a \ + --hash=sha256:cd65d75953847815962c84a4654a84850b2bb4aed3f26fadcc1c13892e1e29f6 \ + --hash=sha256:e4985a790f921508f36f81831817cbc03b102d643b5fcb81cd33df3fa291a1a1 \ + --hash=sha256:e807b3188f9eb0eaa7bbb579b462c5ace579f1cedb28107ce8b48a9f7ad3679e \ + --hash=sha256:f12764b8fffc7a123f641d7d049d382b73f96a34117e0b637b80643169cec8ac \ + --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 # via # pyopenssl # secretstorage From be48c94bfbb76e285e0dddf3fafdd89fa62faec0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 24 Feb 2024 11:14:32 -0500 Subject: [PATCH 177/868] Bump setuptools-rust from 1.8.1 to 1.9.0 in /.github/requirements (#10475) Bumps [setuptools-rust](https://github.com/PyO3/setuptools-rust) from 1.8.1 to 1.9.0. - [Release notes](https://github.com/PyO3/setuptools-rust/releases) - [Changelog](https://github.com/PyO3/setuptools-rust/blob/v1.9.0/CHANGELOG.md) - [Commits](https://github.com/PyO3/setuptools-rust/compare/v1.8.1...v1.9.0) --- updated-dependencies: - dependency-name: setuptools-rust dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 92527ddbe91e..3dd62d074f81 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -66,9 +66,9 @@ semantic-version==2.10.0 \ --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 # via setuptools-rust -setuptools-rust==1.8.1 \ - --hash=sha256:94b1dd5d5308b3138d5b933c3a2b55e6d6927d1a22632e509fcea9ddd0f7e486 \ - --hash=sha256:b5324493949ccd6aa0c03890c5f6b5f02de4512e3ac1697d02e9a6c02b18aa8e +setuptools-rust==1.9.0 \ + --hash=sha256:409caf49dcf7ad9bd510b4bf4011fbad504e745fae98f57fe1c06f3a97719638 \ + --hash=sha256:704df0948f2e4cc60c2596ad6e840ea679f4f43e58ed4ad0c1857807240eab96 # via -r build-requirements.in tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ From 8a150de673edfb25d8aef63ce30707ffe5cf8385 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 24 Feb 2024 11:31:45 -0500 Subject: [PATCH 178/868] Update build-requirements.in to match pyproject.toml (#10476) Doesn't actually impact the generated requirements file --- .github/requirements/build-requirements.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index bdf6916690ca..564eacec8d48 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -2,7 +2,7 @@ setuptools>=61.0.0 wheel cffi>=1.12; platform_python_implementation != 'PyPy' -setuptools-rust>=0.11.4 +setuptools-rust>=1.7.0 # WARN: changing the requirements here DOES NOT update the dependencies used for building at the github workflow, as the build process used build-requirements.txt # To update build-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes build-requirements.in From 0115da7527022a4fe5065d7e9bf5e37369c17d40 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Feb 2024 18:17:32 +0000 Subject: [PATCH 179/868] Bump cc from 1.0.87 to 1.0.88 in /src/rust (#10479) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.87 to 1.0.88. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.87...1.0.88) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0a09cd54e498..ba1d6d1fcf97 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.87" +version = "1.0.88" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3286b845d0fccbdd15af433f61c5970e711987036cb468f437ff6badd70f4e24" +checksum = "02f341c093d19155a6e41631ce5971aac4e9a868262212153124c15fa22d1cdc" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 21e48cbf7624..1c498f96932b 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.87" +cc = "1.0.88" From a67a72b9e482d668baa26a883e684f2b739aa355 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Feb 2024 18:19:28 +0000 Subject: [PATCH 180/868] Bump pytest from 8.0.1 to 8.0.2 (#10480) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.0.1 to 8.0.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.0.1...8.0.2) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 59d805e1ce12..2cb0b79c951d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.0.1; python_version >= "3.8" +pytest==8.0.2; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From d9cb236c1a41ee6de3dd55ea52c4308a1dde78ec Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Feb 2024 14:49:27 -0500 Subject: [PATCH 181/868] fixed typos and confusing phrasing in comment (#10477) --- pyproject.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 82aa29db129f..886b99bd0722 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,5 +1,6 @@ [build-system] -# These requirements must be kept sync with the requirements on ./github/requirements/build-requirements files +# These requirements must be kept sync with the requirements in +# ./github/requirements/build-requirements.{in,txt} requires = [ # First version of setuptools to support pyproject.toml configuration "setuptools>=61.0.0", From e12b8ae5e0de6be116e45a540e5ea06c6a6e29db Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Feb 2024 15:22:00 -0500 Subject: [PATCH 182/868] See if we can avoid rebuilding cffi in wheel builder (#10478) --- .github/workflows/wheel-builder.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 4ddcff39e6df..15380e301d51 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -135,7 +135,7 @@ jobs: fi OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ OPENSSL_STATIC=1 \ - .venv/bin/python -m pip wheel -v $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse + .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse env: RUSTUP_HOME: /root/.rustup - run: auditwheel repair --plat ${{ matrix.MANYLINUX.NAME }} tmpwheelhouse/cryptograph*.whl -w wheelhouse/ @@ -262,7 +262,7 @@ jobs: OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ OPENSSL_STATIC=1 \ - venv/bin/python -m pip wheel -v $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse + venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse env: MACOSX_DEPLOYMENT_TARGET: ${{ matrix.PYTHON.DEPLOYMENT_TARGET }} ARCHFLAGS: ${{ matrix.PYTHON.ARCHFLAGS }} @@ -351,7 +351,7 @@ jobs: PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi - python -m pip wheel -v cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ + python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ shell: bash - run: pip install -f wheelhouse --no-index cryptography - name: Print the OpenSSL we built and linked against From 43b8b7910d7557aa41e98efeab34be23657fc15c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 25 Feb 2024 18:04:40 -0500 Subject: [PATCH 183/868] Raise MSRV to 1.65 (#10481) --- .github/workflows/ci.yml | 7 ++----- CHANGELOG.rst | 1 + docs/installation.rst | 4 ++-- pyproject.toml | 2 +- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 10 files changed, 12 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9080d862f888..cc199c75c5fe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,11 +47,8 @@ jobs: # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} # Builds with various Rust versions. Includes MSRV and next - # potential future MSRV: - # 1.64 - maturin, workspace inheritance - # 1.65 - Generic associated types (GATs), std::backtrace - - {VERSION: "3.12", NOXSESSION: "rust-noclippy,tests", RUST: "1.63.0"} - - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.64.0"} + # potential future MSRV. + - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "beta"} - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7fa93101a919..fa4812dbb2dd 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -11,6 +11,7 @@ Changelog * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1e has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. +* Updated the minimum supported Rust version (MSRV) to 1.65.0, from 1.63.0. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. diff --git a/docs/installation.rst b/docs/installation.rst index 6994aa0216f8..c97dfaeab41c 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -134,7 +134,7 @@ Fedora/RHEL/CentOS .. warning:: For RHEL and CentOS you must be on version 8.8 or newer for the command - below to install a sufficiently new Rust. If your Rust is less than 1.63.0 + below to install a sufficiently new Rust. If your Rust is less than 1.65.0 please see the :ref:`Rust installation instructions ` for information about installing a newer Rust. @@ -312,7 +312,7 @@ Rust a Rust toolchain. Building ``cryptography`` requires having a working Rust toolchain. The current -minimum supported Rust version is 1.63.0. **This is newer than the Rust some +minimum supported Rust version is 1.65.0. **This is newer than the Rust some package managers ship**, so users may need to install with the instructions below. diff --git a/pyproject.toml b/pyproject.toml index 886b99bd0722..64e33aac8aca 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -90,7 +90,7 @@ pep8test = ["ruff", "mypy", "check-sdist", "click"] target = "cryptography.hazmat.bindings._rust" path = "src/rust/Cargo.toml" py-limited-api = "auto" -rust-version = ">=1.63.0" +rust-version = ">=1.65.0" [tool.pytest.ini_options] diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index aa533bf210c3..96ea8425ec45 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] once_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 1c498f96932b..e4cd77756121 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index fdde0053df4c..138ff6cd7984 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 0da98d70dda2..cfec09f6abdf 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] cfg-if = "1" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 2ec541fb2af0..5ba846878633 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 86d6b971488d..cf6df6f3d3c4 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -5,7 +5,7 @@ authors = ["The cryptography developers "] edition = "2021" publish = false # This specifies the MSRV -rust-version = "1.63.0" +rust-version = "1.65.0" [dependencies] asn1 = { version = "0.16.0", default-features = false } From c3dcb46d3955a225e0581b51f4bde3654ea737ab Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 25 Feb 2024 18:23:18 -0600 Subject: [PATCH 184/868] Bump BoringSSL and/or OpenSSL in CI (#10482) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc199c75c5fe..2de2ca8d27d6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 24, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d7535f51f84a079c05b27134fcf6111649c56c9"}} - # Latest commit on the OpenSSL master branch, as of Feb 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "11adf9a75d6b34723d1a20a0da4e4100ea6ca593"}} + # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From bf35e069173d5127f06f7d3169be300c05b9576c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Feb 2024 09:32:26 -0500 Subject: [PATCH 185/868] fix warning from latest nightly rust (#10486) * fix warning from latest nightly rust * Update lib.rs --- src/rust/src/lib.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 582d2e139577..e8b881126f20 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,6 +3,7 @@ // for complete details. #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, non_local_definitions)] #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use crate::error::CryptographyResult; From 6257ca24064740865a9d0d948f9433b0d3763346 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:42:58 +0000 Subject: [PATCH 186/868] Bump syn from 2.0.50 to 2.0.51 in /src/rust (#10483) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.50 to 2.0.51. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.50...2.0.51) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ba1d6d1fcf97..bb54df84cecb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.50" +version = "2.0.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74f1bdc9872430ce9b75da68329d1c1746faf50ffac5f19e02b71e37ff881ffb" +checksum = "6ab617d94515e94ae53b8406c628598680aa0c9587474ecbe58188f7b345d66c" dependencies = [ "proc-macro2", "quote", From 4193caf208b8490fb7be7770e348aa445f0117df Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 14:48:23 +0000 Subject: [PATCH 187/868] Bump typing-extensions from 4.9.0 to 4.10.0 (#10485) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.9.0 to 4.10.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/commits) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 2cb0b79c951d..15fb32977180 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.9.0; python_version >= "3.8" +typing-extensions==4.10.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 4bfd3216380c7925609c46759f9c6c48d78a4697 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 09:12:56 -0600 Subject: [PATCH 188/868] Bump typing-extensions from 4.9.0 to 4.10.0 in /.github/requirements (#10484) * Bump typing-extensions from 4.9.0 to 4.10.0 in /.github/requirements Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.9.0 to 4.10.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/commits) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index fb13f66a171a..67ee1c0c2652 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -584,9 +584,9 @@ twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in -typing-extensions==4.9.0 \ - --hash=sha256:23478f88c37f27d76ac8aee6c905017a143b0b1b886c3c9f66bc2fd94f9f5783 \ - --hash=sha256:af72aea155e91adfc61c3ae9e0e342dbc0cba726d6cba4b6c72c1f34e47291cd +typing-extensions==4.10.0 \ + --hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \ + --hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb # via # pydantic # pydantic-core From 0a1098fcf09dfb7aef75ec87d29fb133deb0d70d Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Mon, 26 Feb 2024 20:13:47 +0100 Subject: [PATCH 189/868] Support for ECDSA deterministic signing (RFC 6979) (#10369) * Add support for deterministic ECDSA (RFC 6979) --- CHANGELOG.rst | 2 + docs/hazmat/primitives/asymmetric/ec.rst | 13 ++++ .../hazmat/backends/openssl/backend.py | 6 ++ .../hazmat/primitives/asymmetric/ec.py | 20 ++++++ src/rust/cryptography-openssl/Cargo.toml | 2 +- src/rust/cryptography-openssl/build.rs | 3 + src/rust/src/backend/ec.rs | 25 ++++++- tests/hazmat/primitives/test_ec.py | 67 +++++++++++++++++++ tests/utils.py | 51 ++++++++++++++ 9 files changed, 186 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index fa4812dbb2dd..fb71418f32f5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -27,6 +27,8 @@ Changelog and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and deprecated them in the ``cipher`` module. They will be removed from the ``cipher`` module in 48.0.0. +* Added support for deterministic + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` (:rfc:`6979`) .. _v42-0-5: diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 75165b6a4536..c0a0ff757eab 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -47,6 +47,19 @@ Elliptic Curve Signature Algorithms :param algorithm: An instance of :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`. + :param bool deterministic_signing: A boolean flag defaulting to ``False`` + that specifies whether the signing procedure should be deterministic + or not, as defined in :rfc:`6979`. This only impacts the signing + process, verification is not affected (the verification process + is the same for both deterministic and non-deterministic signed + messages). + + .. versionadded:: 43.0.0 + + :raises cryptography.exceptions.UnsupportedAlgorithm: If + ``deterministic_signing`` is set to ``True`` and the version of + OpenSSL does not support ECDSA with deterministic signing. + .. doctest:: >>> from cryptography.hazmat.primitives import hashes diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 406b1ea990a2..eaaaf783f1c5 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -358,6 +358,12 @@ def ed448_supported(self) -> bool: and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL ) + def ecdsa_deterministic_supported(self) -> bool: + return ( + rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER + and not self._fips_enabled + ) + def _zero_data(self, data, length: int) -> None: # We clear things this way because at the moment we're not # sure of a better way that can guarantee it overwrites the diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py index b612b40149d4..da1fbea13a6e 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ec.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py @@ -8,6 +8,7 @@ import typing from cryptography import utils +from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat._oid import ObjectIdentifier from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import _serialization, hashes @@ -319,8 +320,21 @@ class ECDSA(EllipticCurveSignatureAlgorithm): def __init__( self, algorithm: asym_utils.Prehashed | hashes.HashAlgorithm, + deterministic_signing: bool = False, ): + from cryptography.hazmat.backends.openssl.backend import backend + + if ( + deterministic_signing + and not backend.ecdsa_deterministic_supported() + ): + raise UnsupportedAlgorithm( + "ECDSA with deterministic signature (RFC 6979) is not " + "supported by this version of OpenSSL.", + _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, + ) self._algorithm = algorithm + self._deterministic_signing = deterministic_signing @property def algorithm( @@ -328,6 +342,12 @@ def algorithm( ) -> asym_utils.Prehashed | hashes.HashAlgorithm: return self._algorithm + @property + def deterministic_signing( + self, + ) -> bool: + return self._deterministic_signing + generate_private_key = rust_openssl.ec.generate_private_key diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index cfec09f6abdf..04bef373ca35 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -10,6 +10,6 @@ rust-version = "1.65.0" [dependencies] cfg-if = "1" openssl = "0.10.64" -ffi = { package = "openssl-sys", version = "0.9.99" } +ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index 5e626f7de614..87e1fa528b22 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs @@ -12,6 +12,9 @@ fn main() { if version >= 0x3_00_00_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); } + if version >= 0x3_02_00_00_0 { + println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER"); + } } if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 624b753c07cb..1c4cf95d0f61 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -273,8 +273,7 @@ impl ECPrivateKey { )), )); } - - let (data, _) = utils::calculate_digest_and_algorithm( + let (data, algo) = utils::calculate_digest_and_algorithm( py, data.as_bytes(), signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, @@ -282,6 +281,28 @@ impl ECPrivateKey { let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)]{ + let deterministic: bool = signature_algorithm + .getattr(pyo3::intern!(py, "deterministic_signing"))? + .extract()?; + if deterministic { + let hash_function_name = algo + .getattr(pyo3::intern!(py, "name"))? + .extract::<&str>()?; + let hash_function = openssl::md::Md::fetch(None, hash_function_name, None)?; + // Setting a deterministic nonce type requires to explicitly set the hash function. + // See https://github.com/openssl/openssl/issues/23205 + signer.set_signature_md(&hash_function)?; + signer.set_nonce_type(openssl::pkey_ctx::NonceType::DETERMINISTIC_K)?; + } else { + signer.set_nonce_type(openssl::pkey_ctx::NonceType::RANDOM_K)?; + } + } else { + let _ = algo; + } + } + // TODO: This does an extra allocation and copy. This can't easily use // `PyBytes::new_with` because the exact length of the signature isn't // easily known a priori (if `r` or `s` has a leading 0, the signature diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index a558af3b9b70..33b4c6d065f3 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -16,6 +16,10 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.asymmetric.ec import ( + EllipticCurvePrivateKey, + EllipticCurvePublicKey, +) from cryptography.hazmat.primitives.asymmetric.utils import ( Prehashed, encode_dss_signature, @@ -27,6 +31,7 @@ load_fips_ecdsa_signing_vectors, load_kasvs_ecdh_vectors, load_nist_vectors, + load_rfc6979_vectors, load_vectors_from_file, raises_unsupported_algorithm, ) @@ -508,6 +513,68 @@ def test_signature_failures(self, backend, subtests): signature, vector["message"], ec.ECDSA(hash_type()) ) + def test_unsupported_deterministic_nonce(self, backend): + if backend.ecdsa_deterministic_supported(): + pytest.skip( + f"ECDSA deterministic signing is supported by this" + f" backend {backend}" + ) + with pytest.raises(exceptions.UnsupportedAlgorithm): + ec.ECDSA(hashes.SHA256(), deterministic_signing=True) + + def test_deterministic_nonce(self, backend, subtests): + if not backend.ecdsa_deterministic_supported(): + pytest.skip( + f"ECDSA deterministic signing is not supported by this" + f" backend {backend}" + ) + + supported_hash_algorithms = { + "SHA1": hashes.SHA1(), + "SHA224": hashes.SHA224(), + "SHA256": hashes.SHA256(), + "SHA384": hashes.SHA384(), + "SHA512": hashes.SHA512(), + } + vectors = load_vectors_from_file( + os.path.join( + "asymmetric", "ECDSA", "RFC6979", "evppkey_ecdsa_rfc6979.txt" + ), + load_rfc6979_vectors, + ) + + for vector in vectors: + with subtests.test(): + input = bytes(vector["input"], "utf-8") + output = bytes.fromhex(vector["output"]) + key = bytes("\n".join(vector["key"]), "utf-8") + if "digest_sign" in vector: + algorithm = vector["digest_sign"] + hash_algorithm = supported_hash_algorithms[algorithm] + algorithm = ec.ECDSA( + hash_algorithm, + deterministic_signing=vector["deterministic_nonce"], + ) + private_key = serialization.load_pem_private_key( + key, password=None + ) + assert isinstance(private_key, EllipticCurvePrivateKey) + signature = private_key.sign(input, algorithm) + assert signature == output + else: + assert "digest_verify" in vector + algorithm = vector["digest_verify"] + assert algorithm in supported_hash_algorithms + hash_algorithm = supported_hash_algorithms[algorithm] + algorithm = ec.ECDSA(hash_algorithm) + public_key = serialization.load_pem_public_key(key) + assert isinstance(public_key, EllipticCurvePublicKey) + if vector["verify_error"]: + with pytest.raises(exceptions.InvalidSignature): + public_key.verify(output, input, algorithm) + else: + public_key.verify(output, input, algorithm) + def test_sign(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) message = b"one little message" diff --git a/tests/utils.py b/tests/utils.py index 595e8dc04e1c..c1aa34ef4d30 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -701,6 +701,57 @@ def load_kasvs_ecdh_vectors(vector_data): return vectors +def load_rfc6979_vectors(vector_data): + """ + Loads data out of the ECDSA and DSA RFC6979 vector files. + """ + vectors = [] + keys: typing.Dict[str, typing.List[str]] = dict() + reading_key = False + current_key_name = None + + data: typing.Dict[str, object] = dict() + for line in vector_data: + line = line.strip() + + if reading_key and current_key_name: + keys[current_key_name].append(line) + if line.startswith("-----END"): + reading_key = False + current_key_name = None + + if line.startswith("PrivateKey=") or line.startswith("PublicKey="): + reading_key = True + current_key_name = line.split("=")[1].strip() + keys[current_key_name] = [] + elif line.startswith("DigestSign = "): + data["digest_sign"] = line.split("=")[1].strip() + data["deterministic_nonce"] = False + elif line.startswith("DigestVerify = "): + data["digest_verify"] = line.split("=")[1].strip() + data["verify_error"] = False + elif line.startswith("Key = "): + key_name = line.split("=")[1].strip() + assert key_name in keys + data["key"] = keys[key_name] + elif line.startswith("NonceType = "): + nonce_type = line.split("=")[1].strip() + data["deterministic_nonce"] = nonce_type == "deterministic" + elif line.startswith("Input = "): + data["input"] = line.split("=")[1].strip(' "') + elif line.startswith("Output = "): + data["output"] = line.split("=")[1].strip() + elif line.startswith("Result = "): + data["verify_error"] = line.split("=")[1].strip() == "VERIFY_ERROR" + + elif not line: + if data: + vectors.append(data) + data = {} + + return vectors + + def load_x963_vectors(vector_data): """ Loads data out of the X9.63 vector data From bcaf37597f6033b523dec7236344ccdc67fa0b93 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 26 Feb 2024 17:42:14 -0500 Subject: [PATCH 190/868] verification: add RFC822Name (#10487) * verification: add RFC822Name Signed-off-by: William Woodruff * verification: clippy Signed-off-by: William Woodruff * verification: clippage Signed-off-by: William Woodruff * verification: feedback Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../src/types.rs | 109 +++++++++++++++++- 1 file changed, 108 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509-verification/src/types.rs b/src/rust/cryptography-x509-verification/src/types.rs index f564715219cd..529ecbe8f8e6 100644 --- a/src/rust/cryptography-x509-verification/src/types.rs +++ b/src/rust/cryptography-x509-verification/src/types.rs @@ -5,6 +5,11 @@ use std::net::IpAddr; use std::str::FromStr; +use asn1::IA5String; + +// RFC 2822 3.2.4 +static ATEXT_CHARS: &str = "!#$%&'*+-/=?^_`{|}~"; + /// A `DNSName` is an `asn1::IA5String` with additional invariant preservations /// per [RFC 5280 4.2.1.6], which in turn uses the preferred name syntax defined /// in [RFC 1034 3.5] and amended in [RFC 1123 2.1]. @@ -298,9 +303,54 @@ impl IPConstraint { } } +/// An `RFC822Name` represents an email address, as defined in [RFC 822 6.1] +/// and as amended by [RFC 2821 4.1.2]. In particular, it represents the `Mailbox` +/// rule from RFC 2821's grammar. +/// +/// This type does not currently support the quoted local-part form; email +/// addresses that use this form will be rejected. +/// +/// [RFC 822 6.1]: https://datatracker.ietf.org/doc/html/rfc822#section-6.1 +/// [RFC 2821 4.1.2]: https://datatracker.ietf.org/doc/html/rfc2821#section-4.1.2 +pub struct RFC822Name<'a> { + pub mailbox: IA5String<'a>, + pub domain: DNSName<'a>, +} + +impl<'a> RFC822Name<'a> { + pub fn new(value: &'a str) -> Option { + // Mailbox = Local-part "@" Domain + // Both must be present. + let (local_part, domain) = value.split_once('@')?; + let local_part = IA5String::new(local_part)?; + + // Local-part = Dot-string / Quoted-string + // NOTE(ww): We do not support the Quoted-string form, for now. + // + // Dot-string: Atom *("." Atom) + // Atom = 1*atext + // + // NOTE(ww): `atext`'s production is in RFC 2822 3.2.4. + for component in local_part.as_str().split('.') { + if component.is_empty() + || !component + .chars() + .all(|c| c.is_ascii_alphanumeric() || ATEXT_CHARS.contains(c)) + { + return None; + } + } + + Some(Self { + mailbox: local_part, + domain: DNSName::new(domain)?, + }) + } +} + #[cfg(test)] mod tests { - use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint}; + use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint, RFC822Name}; #[test] fn test_dnsname_debug_trait() { @@ -587,4 +637,61 @@ mod tests { assert!(!ipv6_128.matches(&IPAddress::from_str("2600::ff00:dede").unwrap())); assert!(!ipv6_128.matches(&IPAddress::from_str("2600:db8::ff00:0").unwrap())); } + + #[test] + fn test_rfc822name() { + for bad_case in &[ + "", + // Missing local-part. + "@example.com", + " @example.com", + " @example.com", + // Missing domain cases. + "foo", + "foo@", + "foo@ ", + "foo@ ", + // Invalid domains. + "foo@!!!", + "foo@white space", + "foo@🙈", + // Invalid local part (empty mailbox sections). + ".@example.com", + "foo.@example.com", + ".foo@example.com", + ".foo.@example.com", + ".f.o.o.@example.com", + // Invalid local part (@ in mailbox). + "lol@lol@example.com", + "lol\\@lol@example.com", + "example@example.com@example.com", + "@@example.com", + // Invalid local part (invalid characters). + "lol\"lol@example.com", + "lol;lol@example.com", + "🙈@example.com", + // Intentionally unsupported quoted local parts. + "\"validbutunsupported\"@example.com", + ] { + assert!(RFC822Name::new(bad_case).is_none()); + } + + // Each good case is (address, (mailbox, domain)). + for (address, (mailbox, domain)) in &[ + // Normal mailboxes. + ("foo@example.com", ("foo", "example.com")), + ("foo.bar@example.com", ("foo.bar", "example.com")), + ("foo.bar.baz@example.com", ("foo.bar.baz", "example.com")), + ("1.2.3.4.5@example.com", ("1.2.3.4.5", "example.com")), + // Mailboxes with special but valid characters. + ("{legal}@example.com", ("{legal}", "example.com")), + ("{&*.legal}@example.com", ("{&*.legal}", "example.com")), + ("``````````@example.com", ("``````````", "example.com")), + ("hello?@sub.example.com", ("hello?", "sub.example.com")), + ] { + let parsed = RFC822Name::new(&address).unwrap(); + assert_eq!(&parsed.mailbox.as_str(), mailbox); + assert_eq!(&parsed.domain.as_str(), domain); + } + } } From 899902f80ae4b4c442423435b13873419e888479 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 19:16:20 -0500 Subject: [PATCH 191/868] Bump BoringSSL and/or OpenSSL in CI (#10489) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2de2ca8d27d6..b334e78bddc1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9d7535f51f84a079c05b27134fcf6111649c56c9"}} + # Latest commit on the BoringSSL master branch, as of Feb 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5bed5b9aaab4edc8c0ee62493b6e760f9f7a3457"}} # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next From fbeef5177e350eadb90742a862aecb7aa37fd9ac Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 26 Feb 2024 19:27:00 -0500 Subject: [PATCH 192/868] Added basic PKCS#12 ASN.1 structures (#10488) --- src/rust/cryptography-x509/src/lib.rs | 1 + src/rust/cryptography-x509/src/pkcs12.rs | 20 ++++++++++++++++++++ src/rust/cryptography-x509/src/pkcs7.rs | 6 ++++++ 3 files changed, 27 insertions(+) create mode 100644 src/rust/cryptography-x509/src/pkcs12.rs diff --git a/src/rust/cryptography-x509/src/lib.rs b/src/rust/cryptography-x509/src/lib.rs index c74424acfa34..5fbedbf7ebc7 100644 --- a/src/rust/cryptography-x509/src/lib.rs +++ b/src/rust/cryptography-x509/src/lib.rs @@ -14,4 +14,5 @@ pub mod name; pub mod ocsp_req; pub mod ocsp_resp; pub mod oid; +pub mod pkcs12; pub mod pkcs7; diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs new file mode 100644 index 000000000000..e5676bfb59e6 --- /dev/null +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -0,0 +1,20 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::pkcs7; + +// #[derive(asn1::Asn1Write)] +pub struct Pfx<'a> { + pub version: u8, + pub auth_safe: pkcs7::ContentInfo<'a>, + pub mac_data: Option>, +} + +// #[derive(asn1::Asn1Write)] +pub struct MacData<'a> { + pub mac: pkcs7::DigestInfo<'a>, + pub salt: &'a [u8], + // #[default(1)] + pub iterations: u64, +} diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index 6b5c9541aaf5..e1581a0e069a 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -58,3 +58,9 @@ pub struct IssuerAndSerialNumber<'a> { pub issuer: name::Name<'a>, pub serial_number: asn1::BigInt<'a>, } + +// #[derive(asn1::Asn1Write)] +pub struct DigestInfo<'a> { + pub algorithm: common::AlgorithmIdentifier<'a>, + pub digest: &'a [u8], +} From ce7f7fb973cfb469f3b84cbeef527e114ef2da54 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 00:30:44 +0000 Subject: [PATCH 193/868] Bump x509-limbo and/or wycheproof in CI (#10490) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 3d027df32788..4434eb909f29 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 23, 2024. - ref: "c8f6a4f4946076db55778ed7b3cffdab082a1a12" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Feb 27, 2024. + ref: "2217a0e4c579edc231dd502c961caeb5a4763796" # x509-limbo-ref From 524d9459a707f91cdebe097b7dba98be2d57c24b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 07:04:50 -0500 Subject: [PATCH 194/868] Bump readme-renderer from 42.0 to 43.0 (#10491) Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 42.0 to 43.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/42.0...43.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 15fb32977180..069e8b731dd9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -101,7 +101,7 @@ pytest-randomly==3.15.0 # via cryptography (pyproject.toml) pytest-xdist==3.5.0 # via cryptography (pyproject.toml) -readme-renderer==42.0 +readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx From 3c256f0e36aa757a8ac861029ee56f3fe56af2df Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 27 Feb 2024 11:52:46 -0500 Subject: [PATCH 195/868] Remove unused typedefs (#10495) --- src/_cffi_src/openssl/ec.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 6816934ed0be..9450b1262609 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -11,8 +11,6 @@ TYPES = """ typedef ... EC_KEY; -typedef ... EC_GROUP; -typedef ... EC_POINT; typedef struct { int nid; const char *comment; From 3ddf14fb80d9168a097ece0c5a9d1ae87b559837 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 11:00:42 -0600 Subject: [PATCH 196/868] Bump readme-renderer from 42.0 to 43.0 in /.github/requirements (#10493) * Bump readme-renderer from 42.0 to 43.0 in /.github/requirements Bumps [readme-renderer](https://github.com/pypa/readme_renderer) from 42.0 to 43.0. - [Release notes](https://github.com/pypa/readme_renderer/releases) - [Changelog](https://github.com/pypa/readme_renderer/blob/main/CHANGES.rst) - [Commits](https://github.com/pypa/readme_renderer/compare/42.0...43.0) --- updated-dependencies: - dependency-name: readme-renderer dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 67ee1c0c2652..26a844cd7215 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -522,9 +522,9 @@ python-dateutil==2.8.2 \ --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 # via betterproto -readme-renderer==42.0 \ - --hash=sha256:13d039515c1f24de668e2c93f2e877b9dbe6c6c32328b90a40a49d8b2b85f36d \ - --hash=sha256:2d55489f83be4992fe4454939d1a051c33edbab778e82761d060c9fc6b308cd1 +readme-renderer==43.0 \ + --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ + --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 # via twine requests==2.31.0 \ --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \ From 8a16f598e7006342fdfd5e25073dd4ef545d7c7c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Feb 2024 11:00:57 -0600 Subject: [PATCH 197/868] Bump email-validator from 2.1.0.post1 to 2.1.1 in /.github/requirements (#10492) * Bump email-validator from 2.1.0.post1 to 2.1.1 in /.github/requirements Bumps [email-validator](https://github.com/JoshData/python-email-validator) from 2.1.0.post1 to 2.1.1. - [Release notes](https://github.com/JoshData/python-email-validator/releases) - [Changelog](https://github.com/JoshData/python-email-validator/blob/main/CHANGELOG.md) - [Commits](https://github.com/JoshData/python-email-validator/commits/v2.1.1) --- updated-dependencies: - dependency-name: email-validator dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 26a844cd7215..6d6b85f7043f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -211,9 +211,9 @@ docutils==0.20.1 \ --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b # via readme-renderer -email-validator==2.1.0.post1 \ - --hash=sha256:a4b0bd1cf55f073b924258d19321b1f3aa74b4b5a71a42c305575dba920e1a44 \ - --hash=sha256:c973053efbeddfef924dc0bd93f6e77a1ea7ee0fce935aea7103c7a3d6d2d637 +email-validator==2.1.1 \ + --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ + --hash=sha256:97d882d174e2a65732fb43bfce81a3a834cbc1bde8bf419e30ef5ea976370a05 # via pydantic grpclib==0.4.7 \ --hash=sha256:2988ef57c02b22b7a2e8e961792c41ccf97efc2ace91ae7a5b0de03c363823c3 From 9b4008b805b68b7077c52459d2bdec5f35652851 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 00:16:24 +0000 Subject: [PATCH 198/868] Bump BoringSSL and/or OpenSSL in CI (#10498) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b334e78bddc1..7ffd1d6a1920 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 27, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5bed5b9aaab4edc8c0ee62493b6e760f9f7a3457"}} + # Latest commit on the BoringSSL master branch, as of Feb 28, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a9a3ca49444bb1efac115e64d3ab469c54bec984"}} # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next From be31fd5f2e2eb9132d8a06e2d4e3fddae408eaf4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 27 Feb 2024 19:34:20 -0500 Subject: [PATCH 199/868] verification: add RFC822Constraint (#10497) * verification: add RFC822Constraint Signed-off-by: William Woodruff * verification: derive, don't be so clever Signed-off-by: William Woodruff * verification: reduce cleverness some more Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .../src/types.rs | 166 ++++++++++++++++++ 1 file changed, 166 insertions(+) diff --git a/src/rust/cryptography-x509-verification/src/types.rs b/src/rust/cryptography-x509-verification/src/types.rs index 529ecbe8f8e6..dfb05b9b52f2 100644 --- a/src/rust/cryptography-x509-verification/src/types.rs +++ b/src/rust/cryptography-x509-verification/src/types.rs @@ -80,6 +80,17 @@ impl<'a> DNSName<'a> { fn rlabels(&self) -> impl Iterator { self.as_str().rsplit('.') } + + /// Returns true if this domain is a subdomain of the other domain. + fn is_subdomain_of(&self, other: &DNSName<'_>) -> bool { + // NOTE: This is nearly identical to `DNSConstraint::matches`, + // except that the subdomain must be strictly longer than the parent domain. + self.as_str().len() > other.as_str().len() + && self + .rlabels() + .zip(other.rlabels()) + .all(|(a, o)| a.eq_ignore_ascii_case(o)) + } } impl PartialEq for DNSName<'_> { @@ -312,6 +323,7 @@ impl IPConstraint { /// /// [RFC 822 6.1]: https://datatracker.ietf.org/doc/html/rfc822#section-6.1 /// [RFC 2821 4.1.2]: https://datatracker.ietf.org/doc/html/rfc2821#section-4.1.2 +#[derive(PartialEq)] pub struct RFC822Name<'a> { pub mailbox: IA5String<'a>, pub domain: DNSName<'a>, @@ -348,10 +360,45 @@ impl<'a> RFC822Name<'a> { } } +/// An `RFC822Constraint` represents a Name Constraint on email addresses. +pub enum RFC822Constraint<'a> { + /// A constraint for an exact match on a specific email address. + Exact(RFC822Name<'a>), + /// A constraint for any mailbox on a particular domain. + OnDomain(DNSName<'a>), + /// A constraint for any mailbox *within* a particular domain. + /// For example, `InDomain("example.com")` will match `foo@bar.example.com` + /// but not `foo@example.com`, since `bar.example.com` is in `example.com` + /// but `example.com` is not within itself. + InDomain(DNSName<'a>), +} + +impl<'a> RFC822Constraint<'a> { + pub fn new(constraint: &'a str) -> Option { + if let Some(constraint) = constraint.strip_prefix('.') { + Some(Self::InDomain(DNSName::new(constraint)?)) + } else if let Some(email) = RFC822Name::new(constraint) { + Some(Self::Exact(email)) + } else { + Some(Self::OnDomain(DNSName::new(constraint)?)) + } + } + + pub fn matches(&self, email: &RFC822Name<'_>) -> bool { + match self { + Self::Exact(pat) => pat == email, + Self::OnDomain(pat) => &email.domain == pat, + Self::InDomain(pat) => email.domain.is_subdomain_of(pat), + } + } +} + #[cfg(test)] mod tests { use crate::types::{DNSConstraint, DNSName, DNSPattern, IPAddress, IPConstraint, RFC822Name}; + use super::RFC822Constraint; + #[test] fn test_dnsname_debug_trait() { // Just to get coverage on the `Debug` derive. @@ -442,6 +489,33 @@ mod tests { ); } + #[test] + fn test_dnsname_is_subdomain_of() { + for (sup, sub, check) in &[ + // good cases + ("example.com", "sub.example.com", true), + ("example.com", "a.b.example.com", true), + ("sub.example.com", "sub.sub.example.com", true), + ("sub.example.com", "sub.sub.sub.example.com", true), + ("com", "example.com", true), + ("example.com", "com.example.com", true), + ("example.com", "com.example.example.com", true), + // bad cases + ("example.com", "example.com", false), + ("example.com", "com", false), + ("sub.example.com", "example.com", false), + ("sub.sub.example.com", "sub.sub.example.com", false), + ("sub.sub.example.com", "example.com", false), + ("com.example.com", "com.example.com", false), + ("com.example.example.com", "com.example.example.com", false), + ] { + let sup = DNSName::new(sup).unwrap(); + let sub = DNSName::new(sub).unwrap(); + + assert_eq!(sub.is_subdomain_of(&sup), *check); + } + } + #[test] fn test_dnspattern_new() { assert_eq!(DNSPattern::new("*"), None); @@ -694,4 +768,96 @@ mod tests { assert_eq!(&parsed.domain.as_str(), domain); } } + + #[test] + fn test_rfc822constraint_new() { + for (case, valid) in &[ + // good cases + ("foo@example.com", true), + ("foo.bar@example.com", true), + ("foo!bar@example.com", true), + ("example.com", true), + ("sub.example.com", true), + ("foo@sub.example.com", true), + ("foo.bar@sub.example.com", true), + ("foo!bar@sub.example.com", true), + (".example.com", true), + (".sub.example.com", true), + // bad cases + ("@example.com", false), + ("@@example.com", false), + ("foo@.example.com", false), + (".foo@example.com", false), + (".foo.@example.com", false), + ("foo.@example.com", false), + ("invaliddomain!", false), + ("..example.com", false), + ("foo..example.com", false), + (".foo..example.com", false), + ("..foo..example.com", false), + ] { + assert_eq!(RFC822Constraint::new(case).is_some(), *valid); + } + } + + #[test] + fn test_rfc822constraint_matches() { + { + let exact = RFC822Constraint::new("foo@example.com").unwrap(); + + // Ordinary exact match. + assert!(exact.matches(&RFC822Name::new("foo@example.com").unwrap())); + // Case changes are okay in the domain. + assert!(exact.matches(&RFC822Name::new("foo@EXAMPLE.com").unwrap())); + + // Case changes are not okay in the mailbox. + assert!(!exact.matches(&RFC822Name::new("Foo@example.com").unwrap())); + assert!(!exact.matches(&RFC822Name::new("FOO@example.com").unwrap())); + + // Different mailboxes and domains do not match. + assert!(!exact.matches(&RFC822Name::new("foo.bar@example.com").unwrap())); + assert!(!exact.matches(&RFC822Name::new("foo@sub.example.com").unwrap())); + } + + { + let on_domain = RFC822Constraint::new("example.com").unwrap(); + + // Ordinary domain matches. + assert!(on_domain.matches(&RFC822Name::new("foo@example.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("bar@example.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("foo.bar@example.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("foo!bar@example.com").unwrap())); + // Case changes are okay in the domain and in the mailbox, + // since any mailbox on the domain is okay. + assert!(on_domain.matches(&RFC822Name::new("foo@EXAMPLE.com").unwrap())); + assert!(on_domain.matches(&RFC822Name::new("FOO@example.com").unwrap())); + + // Subdomains and other domains do not match. + assert!(!on_domain.matches(&RFC822Name::new("foo@sub.example.com").unwrap())); + assert!(!on_domain.matches(&RFC822Name::new("foo@localhost").unwrap())); + } + + { + let in_domain = RFC822Constraint::new(".example.com").unwrap(); + + // Any subdomain and mailbox matches. + assert!(in_domain.matches(&RFC822Name::new("foo@sub.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@sub.sub.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@com.example.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo.bar@com.example.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo!bar@com.example.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("bar@com.example.example.com").unwrap())); + // Case changes are okay in the subdomains and in the mailbox, since any mailbox + // in the domain is okay. + assert!(in_domain.matches(&RFC822Name::new("foo@SUB.example.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@sub.EXAMPLE.com").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("foo@sub.example.COM").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("FOO@sub.example.COM").unwrap())); + assert!(in_domain.matches(&RFC822Name::new("FOO@sub.example.com").unwrap())); + + // Superdomains and other domains do not match. + assert!(!in_domain.matches(&RFC822Name::new("foo@example.com").unwrap())); + assert!(!in_domain.matches(&RFC822Name::new("foo@com").unwrap())); + } + } } From 5f688ec2ac69927dd215306a50ecbcef34b2e289 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 07:20:08 -0500 Subject: [PATCH 200/868] Bump peter-evans/create-pull-request from 6.0.0 to 6.0.1 (#10500) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/b1ddad2c994a25fbc81a28b3ec0e368bb2021c50...a4f52f8033a6168103c2538976c07b467e8163bc) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 4cc08f5983d3..d20aea2bee15 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 + uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 9866e266065d..c8b14038a15f 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0 + uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 with: commit-message: "Bump x509-limbo and/or wycheproof in CI" title: "Bump x509-limbo and/or wycheproof in CI" From 7b814efe779f0a42df5301635394c125a8ac1ce8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 16:58:30 -0600 Subject: [PATCH 201/868] Bump keyring from 24.3.0 to 24.3.1 in /.github/requirements (#10499) * Bump keyring from 24.3.0 to 24.3.1 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 24.3.0 to 24.3.1. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.3.0...v24.3.1) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 6d6b85f7043f..090ca39d3578 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -256,9 +256,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==24.3.0 \ - --hash=sha256:4446d35d636e6a10b8bce7caa66913dd9eca5fd222ca03a3d42c38608ac30836 \ - --hash=sha256:e730ecffd309658a08ee82535a3b5ec4b4c8669a9be11efb66249d8e0aeb9a25 +keyring==24.3.1 \ + --hash=sha256:c3327b6ffafc0e8befbdb597cacdb4928ffe5c1212f7645f186e6d9957a898db \ + --hash=sha256:df38a4d7419a6a60fea5cef1e45a948a3e8430dd12ad88b0f423c5c143906218 # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From c1a90af5a68083f444dbf9e2a6b713692857cdf4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 00:14:27 +0000 Subject: [PATCH 202/868] Bump BoringSSL and/or OpenSSL in CI (#10503) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7ffd1d6a1920..f394a819a380 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 28, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a9a3ca49444bb1efac115e64d3ab469c54bec984"}} + # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} # Builds with various Rust versions. Includes MSRV and next From 9ea2b5f1965c6f2566595ae7a3f71679f62cb002 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 12:06:06 +0000 Subject: [PATCH 203/868] Bump syn from 2.0.51 to 2.0.52 in /src/rust (#10504) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.51 to 2.0.52. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.51...2.0.52) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bb54df84cecb..9066b8c06006 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.51" +version = "2.0.52" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ab617d94515e94ae53b8406c628598680aa0c9587474ecbe58188f7b345d66c" +checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07" dependencies = [ "proc-macro2", "quote", From 269f1c0b4cd116f3c850fd006c9de2370768adb8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 11:34:20 -0600 Subject: [PATCH 204/868] Bump rich from 13.7.0 to 13.7.1 in /.github/requirements (#10505) * Bump rich from 13.7.0 to 13.7.1 in /.github/requirements Bumps [rich](https://github.com/Textualize/rich) from 13.7.0 to 13.7.1. - [Release notes](https://github.com/Textualize/rich/releases) - [Changelog](https://github.com/Textualize/rich/blob/master/CHANGELOG.md) - [Commits](https://github.com/Textualize/rich/compare/v13.7.0...v13.7.1) --- updated-dependencies: - dependency-name: rich dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 090ca39d3578..62bf3cb38826 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -544,9 +544,9 @@ rfc3986==2.0.0 \ --hash=sha256:50b1502b60e289cb37883f3dfd34532b8873c7de9f49bb546641ce9cbd256ebd \ --hash=sha256:97aacf9dbd4bfd829baad6e6309fa6573aaf1be3f6fa735c8ab05e46cecb261c # via twine -rich==13.7.0 \ - --hash=sha256:5cb5123b5cf9ee70584244246816e9114227e0b98ad9176eede6ad54bf5403fa \ - --hash=sha256:6da14c108c4866ee9520bbffa71f6fe3962e193b7da68720583850cd4548e235 +rich==13.7.1 \ + --hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222 \ + --hash=sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432 # via # sigstore # twine From 992188efe4b14b6375c7d1c904b9fea04c554317 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 29 Feb 2024 17:36:19 +0000 Subject: [PATCH 205/868] Bump build from 1.0.3 to 1.1.0 (#10508) Bumps [build](https://github.com/pypa/build) from 1.0.3 to 1.1.0. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.0.3...v1.1.0) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 069e8b731dd9..6a38c5019dec 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.2.2; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx -build==1.0.3 +build==1.1.0 # via # check-sdist # cryptography (pyproject.toml) From 905983fe56bddce6c2aa18dbe52d78c51e8c5285 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 29 Feb 2024 12:54:19 -0500 Subject: [PATCH 206/868] Upgraded version of ruff (#10509) --- ci-constraints-requirements.txt | 2 +- noxfile.py | 2 +- .../hazmat/primitives/ciphers/base.py | 12 ++-- src/cryptography/hazmat/primitives/keywrap.py | 2 +- src/cryptography/x509/base.py | 6 +- src/cryptography/x509/extensions.py | 68 ++++++++----------- src/cryptography/x509/name.py | 6 +- tests/hazmat/primitives/decrepit/test_3des.py | 1 - tests/hazmat/primitives/decrepit/test_rc2.py | 1 - tests/hazmat/primitives/test_hashes.py | 2 +- tests/hazmat/primitives/test_hmac.py | 2 +- tests/hazmat/primitives/test_padding.py | 4 +- tests/hazmat/primitives/test_pkcs7.py | 6 +- tests/hazmat/primitives/test_ssh.py | 2 +- tests/test_fernet.py | 2 +- tests/x509/test_x509.py | 2 +- tests/x509/test_x509_ext.py | 10 +-- 17 files changed, 54 insertions(+), 76 deletions(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6a38c5019dec..7e40b5095cd1 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.2.2 +ruff==0.3.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx diff --git a/noxfile.py b/noxfile.py index ea4f205e1764..9d7d50c761a8 100644 --- a/noxfile.py +++ b/noxfile.py @@ -175,7 +175,7 @@ def flake(session: nox.Session) -> None: ) install(session, "-e", "vectors/") - session.run("ruff", ".") + session.run("ruff", "check", ".") session.run("ruff", "format", "--check", ".") session.run( "mypy", diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index 7c32cbec693e..a9fa2bf07b9d 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py @@ -88,14 +88,12 @@ def __init__( @typing.overload def encryptor( self: Cipher[modes.ModeWithAuthenticationTag], - ) -> AEADEncryptionContext: - ... + ) -> AEADEncryptionContext: ... @typing.overload def encryptor( self: _CIPHER_TYPE, - ) -> CipherContext: - ... + ) -> CipherContext: ... def encryptor(self): if isinstance(self.mode, modes.ModeWithAuthenticationTag): @@ -111,14 +109,12 @@ def encryptor(self): @typing.overload def decryptor( self: Cipher[modes.ModeWithAuthenticationTag], - ) -> AEADDecryptionContext: - ... + ) -> AEADDecryptionContext: ... @typing.overload def decryptor( self: _CIPHER_TYPE, - ) -> CipherContext: - ... + ) -> CipherContext: ... def decryptor(self): return rust_openssl.ciphers.create_decryption_ctx( diff --git a/src/cryptography/hazmat/primitives/keywrap.py b/src/cryptography/hazmat/primitives/keywrap.py index 3ee152b7903a..b93d87d31cff 100644 --- a/src/cryptography/hazmat/primitives/keywrap.py +++ b/src/cryptography/hazmat/primitives/keywrap.py @@ -86,7 +86,7 @@ def aes_key_wrap_with_padding( if len(wrapping_key) not in [16, 24, 32]: raise ValueError("The wrapping key must be a valid AES key length") - aiv = b"\xA6\x59\x59\xA6" + len(key_to_wrap).to_bytes( + aiv = b"\xa6\x59\x59\xa6" + len(key_to_wrap).to_bytes( length=4, byteorder="big" ) # pad the key to wrap if necessary diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 89a75a23ac36..2ab482ec817f 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -503,12 +503,10 @@ def __len__(self) -> int: """ @typing.overload - def __getitem__(self, idx: int) -> RevokedCertificate: - ... + def __getitem__(self, idx: int) -> RevokedCertificate: ... @typing.overload - def __getitem__(self, idx: slice) -> list[RevokedCertificate]: - ... + def __getitem__(self, idx: slice) -> list[RevokedCertificate]: ... @abc.abstractmethod def __getitem__( diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index db6e3bb5a621..7dd38700e537 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -1456,32 +1456,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, @@ -1534,32 +1531,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, @@ -1609,32 +1603,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, @@ -1684,32 +1675,29 @@ def get_values_for_type( type: type[DNSName] | type[UniformResourceIdentifier] | type[RFC822Name], - ) -> list[str]: - ... + ) -> list[str]: ... @typing.overload def get_values_for_type( self, type: type[DirectoryName], - ) -> list[Name]: - ... + ) -> list[Name]: ... @typing.overload def get_values_for_type( self, type: type[RegisteredID], - ) -> list[ObjectIdentifier]: - ... + ) -> list[ObjectIdentifier]: ... @typing.overload def get_values_for_type( self, type: type[IPAddress] - ) -> list[_IPAddressTypes]: - ... + ) -> list[_IPAddressTypes]: ... @typing.overload - def get_values_for_type(self, type: type[OtherName]) -> list[OtherName]: - ... + def get_values_for_type( + self, type: type[OtherName] + ) -> list[OtherName]: ... def get_values_for_type( self, diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 5e8ccfff5994..1edfc2b4f598 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -263,14 +263,12 @@ def __repr__(self) -> str: class Name: @typing.overload - def __init__(self, attributes: typing.Iterable[NameAttribute]) -> None: - ... + def __init__(self, attributes: typing.Iterable[NameAttribute]) -> None: ... @typing.overload def __init__( self, attributes: typing.Iterable[RelativeDistinguishedName] - ) -> None: - ... + ) -> None: ... def __init__( self, diff --git a/tests/hazmat/primitives/decrepit/test_3des.py b/tests/hazmat/primitives/decrepit/test_3des.py index f64cbd2d4412..2b7a10470c0f 100644 --- a/tests/hazmat/primitives/decrepit/test_3des.py +++ b/tests/hazmat/primitives/decrepit/test_3des.py @@ -6,7 +6,6 @@ Test using the NIST Test Vectors """ - import binascii import os diff --git a/tests/hazmat/primitives/decrepit/test_rc2.py b/tests/hazmat/primitives/decrepit/test_rc2.py index ecd4ce2accc2..dd2ce5d4b4b8 100644 --- a/tests/hazmat/primitives/decrepit/test_rc2.py +++ b/tests/hazmat/primitives/decrepit/test_rc2.py @@ -6,7 +6,6 @@ Test using the NIST Test Vectors """ - import binascii import os diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index 1d096772aed0..092ba9af41d4 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -19,7 +19,7 @@ class TestHashContext: def test_hash_reject_unicode(self, backend): m = hashes.Hash(hashes.SHA1(), backend=backend) with pytest.raises(TypeError): - m.update("\u00FC") # type: ignore[arg-type] + m.update("\u00fc") # type: ignore[arg-type] def test_hash_algorithm_instance(self, backend): with pytest.raises(TypeError): diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 04c3e8588f01..52d3e8ee9b07 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -33,7 +33,7 @@ class TestHMAC: def test_hmac_reject_unicode(self, backend): h = hmac.HMAC(b"mykey", hashes.SHA1(), backend=backend) with pytest.raises(TypeError): - h.update("\u00FC") # type: ignore[arg-type] + h.update("\u00fc") # type: ignore[arg-type] def test_hmac_algorithm_instance(self, backend): with pytest.raises(TypeError): diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py index 1a9a01f6cf15..2e20363f6f75 100644 --- a/tests/hazmat/primitives/test_padding.py +++ b/tests/hazmat/primitives/test_padding.py @@ -62,7 +62,7 @@ def __str__(self): b"111111111111111122222222222222\x02\x02", ), (128, b"1" * 16, b"1" * 16 + b"\x10" * 16), - (128, b"1" * 17, b"1" * 17 + b"\x0F" * 15), + (128, b"1" * 17, b"1" * 17 + b"\x0f" * 15), ], ) def test_pad(self, size, unpadded, padded): @@ -185,7 +185,7 @@ def __str__(self): b"111111111111111122222222222222\x00\x02", ), (128, b"1" * 16, b"1" * 16 + b"\x00" * 15 + b"\x10"), - (128, b"1" * 17, b"1" * 17 + b"\x00" * 14 + b"\x0F"), + (128, b"1" * 17, b"1" * 17 + b"\x00" * 14 + b"\x0f"), ], ) def test_pad(self, size, unpadded, padded): diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index a929a9e83ae3..9a9eab3da503 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -91,7 +91,7 @@ def test_load_pkcs7_unsupported_type(self, backend): ) def test_load_pkcs7_empty_certificates(self): - der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + der = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" with pytest.raises(ValueError): pkcs7.load_der_pkcs7_certificates(der) @@ -573,7 +573,7 @@ def test_smime_capabilities(self, backend): assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" in sig_binary # 2.16.840.1.101.3.4.1.42 (aes256-CBC-PAD) as an ASN.1 DER encoded OID - aes256_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2A" + aes256_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2a" # 2.16.840.1.101.3.4.1.22 (aes192-CBC-PAD) as an ASN.1 DER encoded OID aes192_cbc_pad_oid = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x16" # 2.16.840.1.101.3.4.1.2 (aes128-CBC-PAD) as an ASN.1 DER encoded OID @@ -730,7 +730,7 @@ def test_rsa_pkcs_padding_options(self, pad, backend): # another in the SignerInfo data structure in the # `digest_encryption_algorithm` field. assert ( - sig.count(b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") == 2 + sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") == 2 ) _pkcs7_verify( serialization.Encoding.DER, diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index d3372566e93f..cda2aad77b59 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -390,7 +390,7 @@ def make_file( b"\x04" * 65, ), priv_type=None, - priv_fields=(b"nistp256", b"\x04" * 65, b"\x7F" * 32), + priv_fields=(b"nistp256", b"\x04" * 65, b"\x7f" * 32), comment=b"comment", checkval1=b"1234", checkval2=b"1234", diff --git a/tests/test_fernet.py b/tests/test_fernet.py index ef4ef70e25b0..7ebab3e59915 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -138,7 +138,7 @@ def test_ttl_required_in_decrypt_at_time(self, backend): current_time=int(time.time()), ) - @pytest.mark.parametrize("message", [b"", b"Abc!", b"\x00\xFF\x00\x80"]) + @pytest.mark.parametrize("message", [b"", b"Abc!", b"\x00\xff\x00\x80"]) def test_roundtrips(self, message, backend): f = Fernet(Fernet.generate_key(), backend=backend) assert f.decrypt(f.encrypt(message)) == message diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 1a6fc7b437cc..e5e941e45e4a 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5732,7 +5732,7 @@ def test_init_bad_country_code_value(self): # unicode string of length 2, but > 2 bytes with pytest.raises(ValueError): - x509.NameAttribute(NameOID.COUNTRY_NAME, "\U0001F37A\U0001F37A") + x509.NameAttribute(NameOID.COUNTRY_NAME, "\U0001f37a\U0001f37a") def test_invalid_type(self): with pytest.raises(TypeError): diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index fc3e3e06f00e..491271ade526 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -5994,11 +5994,11 @@ def test_simple(self, backend): == x509.certificate_transparency.SignatureAlgorithm.ECDSA ) assert sct.signature == ( - b"\x30\x45\x02\x21\x00\xB8\x03\xAD\x34\xF6\xFC\x0F\x2C\xFF\x84\xA0" - b"\x86\xE5\xD7\xCF\x5A\xF0\x0A\x07\x62\x6A\x7F\xB3\xA6\x44\x64\xF1" - b"\x95\xA4\x48\x45\x11\x02\x20\x2F\x61\x8D\x53\x1B\x6F\x4A\xB8\x0A" - b"\x67\xB2\x07\xE1\x8F\x6D\xAD\xD1\x04\x4A\x5E\xB3\x89\xEF\x7C\x60" - b"\xC2\x68\x53\xF9\x3D\x1F\x6D" + b"\x30\x45\x02\x21\x00\xb8\x03\xad\x34\xf6\xfc\x0f\x2c\xff\x84\xa0" + b"\x86\xe5\xd7\xcf\x5a\xf0\x0a\x07\x62\x6a\x7f\xb3\xa6\x44\x64\xf1" + b"\x95\xa4\x48\x45\x11\x02\x20\x2f\x61\x8d\x53\x1b\x6f\x4a\xb8\x0a" + b"\x67\xb2\x07\xe1\x8f\x6d\xad\xd1\x04\x4a\x5e\xb3\x89\xef\x7c\x60" + b"\xc2\x68\x53\xf9\x3d\x1f\x6d" ) assert sct.extension_bytes == b"" From 276f7e2cd49b60604c5c224d30ad527d65c843f1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 00:31:59 +0000 Subject: [PATCH 207/868] Bump x509-limbo and/or wycheproof in CI (#10511) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4434eb909f29..55213e6beba7 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Feb 27, 2024. - ref: "2217a0e4c579edc231dd502c961caeb5a4763796" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 01, 2024. + ref: "a9c42d8d243942e95d9365e39bd45822e5af6981" # x509-limbo-ref From a08ae1c2cb025488bc3a2d7629b4c9812914529f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 07:02:01 -0500 Subject: [PATCH 208/868] Bump actions/cache from 4.0.0 to 4.0.1 (#10513) Bumps [actions/cache](https://github.com/actions/cache) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/13aacd865c20de90d75de3b17ebe84f7a17d57d2...ab5e6d0c87105b4c9c2047343972218f562e4319) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f394a819a380..ea81517da372 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -91,7 +91,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 id: ossl-cache timeout-minutes: 2 with: From 6911dd847f25ad7c2e86684623bbd4fda4a00ea3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 07:02:15 -0500 Subject: [PATCH 209/868] Bump build from 1.1.0 to 1.1.1 (#10512) Bumps [build](https://github.com/pypa/build) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/v1.1.0...1.1.1) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7e40b5095cd1..c3b1e8885ddb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.2.2; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx -build==1.1.0 +build==1.1.1 # via # check-sdist # cryptography (pyproject.toml) From 1cb4c9f5384a2b751f09177d7df2f1e022d606a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 1 Mar 2024 09:11:16 -0500 Subject: [PATCH 210/868] Update local nox session for ruff change (#10515) --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index 9d7d50c761a8..c66fe6bae578 100644 --- a/noxfile.py +++ b/noxfile.py @@ -268,7 +268,7 @@ def local(session): session.run("flit", "install", "-s", silent=True) session.run("ruff", "format", ".") - session.run("ruff", ".") + session.run("ruff", "check", ".") with session.chdir("src/rust/"): session.run("cargo", "fmt", "--all", external=True) From 5c2193f500672eefee7c42854f023b7119cb5e19 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 08:19:00 -0600 Subject: [PATCH 211/868] Bump python-dateutil from 2.8.2 to 2.9.0 in /.github/requirements (#10514) * Bump python-dateutil from 2.8.2 to 2.9.0 in /.github/requirements Bumps [python-dateutil](https://github.com/dateutil/dateutil) from 2.8.2 to 2.9.0. - [Release notes](https://github.com/dateutil/dateutil/releases) - [Changelog](https://github.com/dateutil/dateutil/blob/master/NEWS) - [Commits](https://github.com/dateutil/dateutil/compare/2.8.2...2.9.0) --- updated-dependencies: - dependency-name: python-dateutil dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 62bf3cb38826..ed7c1d3813aa 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -518,9 +518,9 @@ pyopenssl==24.0.0 \ --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 # via sigstore -python-dateutil==2.8.2 \ - --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ - --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 +python-dateutil==2.9.0 \ + --hash=sha256:78e73e19c63f5b20ffa567001531680d939dc042bf7850431877645523c66709 \ + --hash=sha256:cbf2f1da5e6083ac2fbfd4da39a25f34312230110440f424a14c7558bb85d82e # via betterproto readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ From 17710c7e61d2373b89468e547895d32ac41600d0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 1 Mar 2024 19:20:07 -0500 Subject: [PATCH 212/868] Bump BoringSSL and/or OpenSSL in CI (#10516) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ea81517da372..cbb740d630b1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} - # Latest commit on the OpenSSL master branch, as of Feb 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2d70cc9cecf8b322d795985efecee06242b203b3"}} + # Latest commit on the OpenSSL master branch, as of Mar 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbce6ebf706cdd273f2569edfea7ade106426e0b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e64f50992919c9f5e00a0fa8f3bd62e9496a608a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 2 Mar 2024 23:21:02 -0500 Subject: [PATCH 213/868] Bump BoringSSL and/or OpenSSL in CI (#10519) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cbb740d630b1..e384bfe8805e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} - # Latest commit on the OpenSSL master branch, as of Mar 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbce6ebf706cdd273f2569edfea7ade106426e0b"}} + # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 6e6b17d8ba9d9ea36f1d457b803713df64ff71ff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 00:33:45 -0500 Subject: [PATCH 214/868] Conert PKCS12Certificate to Rust (#10521) --- .../hazmat/bindings/_rust/pkcs12.pyi | 9 ++ .../hazmat/primitives/serialization/pkcs12.py | 38 +-------- src/rust/src/pkcs12.rs | 84 ++++++++++++++++--- src/rust/src/types.rs | 4 - tests/hazmat/primitives/test_pkcs12.py | 2 +- 5 files changed, 85 insertions(+), 52 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index c82892f6debc..109ae4fce5d8 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -10,6 +10,15 @@ from cryptography.hazmat.primitives.serialization.pkcs12 import ( PKCS12KeyAndCertificates, ) +class PKCS12Certificate: + def __init__( + self, cert: x509.Certificate, friendly_name: bytes | None + ) -> None: ... + @property + def friendly_name(self) -> bytes | None: ... + @property + def certificate(self) -> x509.Certificate: ... + def load_key_and_certificates( data: bytes, password: bytes | None, diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index b6d6a198a4f6..8ed5f1e0872b 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -38,43 +38,7 @@ ] -class PKCS12Certificate: - def __init__( - self, - cert: x509.Certificate, - friendly_name: bytes | None, - ): - if not isinstance(cert, x509.Certificate): - raise TypeError("Expecting x509.Certificate object") - if friendly_name is not None and not isinstance(friendly_name, bytes): - raise TypeError("friendly_name must be bytes or None") - self._cert = cert - self._friendly_name = friendly_name - - @property - def friendly_name(self) -> bytes | None: - return self._friendly_name - - @property - def certificate(self) -> x509.Certificate: - return self._cert - - def __eq__(self, other: object) -> bool: - if not isinstance(other, PKCS12Certificate): - return NotImplemented - - return ( - self.certificate == other.certificate - and self.friendly_name == other.friendly_name - ) - - def __hash__(self) -> int: - return hash((self.certificate, self.friendly_name)) - - def __repr__(self) -> str: - return "".format( - self.certificate, self.friendly_name - ) +PKCS12Certificate = rust_pkcs12.PKCS12Certificate class PKCS12KeyAndCertificates: diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 34b2c8f04c5e..58178fe3918d 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -5,8 +5,72 @@ use crate::backend::keys; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use crate::x509::certificate::Certificate; use crate::{types, x509}; use pyo3::IntoPy; +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; + +#[pyo3::prelude::pyclass] +struct PKCS12Certificate { + #[pyo3(get)] + certificate: pyo3::Py, + #[pyo3(get)] + friendly_name: Option>, +} + +#[pyo3::prelude::pymethods] +impl PKCS12Certificate { + #[new] + fn new( + cert: pyo3::Py, + friendly_name: Option>, + ) -> PKCS12Certificate { + PKCS12Certificate { + certificate: cert, + friendly_name, + } + } + + fn __eq__( + &self, + py: pyo3::Python<'_>, + other: pyo3::PyRef<'_, Self>, + ) -> CryptographyResult { + let friendly_name_eq = match (&self.friendly_name, &other.friendly_name) { + (Some(a), Some(b)) => a.as_ref(py).eq(b.as_ref(py))?, + (None, None) => true, + _ => false, + }; + Ok(friendly_name_eq + && self + .certificate + .as_ref(py) + .eq(other.certificate.as_ref(py))?) + } + + fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let mut hasher = DefaultHasher::new(); + self.certificate.as_ref(py).hash()?.hash(&mut hasher); + match &self.friendly_name { + Some(v) => v.as_ref(py).hash()?.hash(&mut hasher), + None => None::.hash(&mut hasher), + }; + Ok(hasher.finish()) + } + + fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let friendly_name_repr = match &self.friendly_name { + Some(v) => v.as_ref(py).repr()?.extract()?, + None => "None", + }; + Ok(format!( + "", + self.certificate.as_ref(py).str()?, + friendly_name_repr + )) + } +} fn decode_p12( data: CffiBuf<'_>, @@ -101,12 +165,11 @@ fn load_pkcs12<'p>( let cert = if let Some(ossl_cert) = p12.cert { let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; - let alias = ossl_cert.alias(); + let alias = ossl_cert + .alias() + .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); - types::PKCS12CERTIFICATE - .get(py)? - .call1((cert, alias))? - .into_py(py) + PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py) } else { py.None() }; @@ -125,12 +188,11 @@ fn load_pkcs12<'p>( for ossl_cert in it { let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; - let alias = ossl_cert.alias(); + let alias = ossl_cert + .alias() + .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); - let p12_cert = types::PKCS12CERTIFICATE - .get(py)? - .call1((cert, alias))? - .into_py(py); + let p12_cert = PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py); additional_certs.append(p12_cert)?; } } @@ -146,5 +208,7 @@ pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::pr submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, submod)?)?; submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, submod)?)?; + submod.add_class::()?; + Ok(submod) } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 3afdbb980914..55250a0b0b58 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -327,10 +327,6 @@ pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( &["_smime_encode"], ); -pub static PKCS12CERTIFICATE: LazyPyImport = LazyPyImport::new( - "cryptography.hazmat.primitives.serialization.pkcs12", - &["PKCS12Certificate"], -); pub static PKCS12KEYANDCERTIFICATES: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.pkcs12", &["PKCS12KeyAndCertificates"], diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index e096894956e8..2f702aaf9626 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -781,7 +781,7 @@ def test_certificate_equality(self, backend): assert c2a != c2b assert c2a != c3a - assert c2n != "test" + assert c2n != "test" # type: ignore[comparison-overlap] def test_certificate_hash(self, backend): cert2 = _load_cert( From 47013043cfd16d634e8eb17fe2cc01a4d2e8701e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:17:04 +0000 Subject: [PATCH 215/868] Bump cc from 1.0.88 to 1.0.89 in /src/rust (#10527) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.88 to 1.0.89. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.88...1.0.89) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9066b8c06006..eb46a5b38c00 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.88" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02f341c093d19155a6e41631ce5971aac4e9a868262212153124c15fa22d1cdc" +checksum = "a0ba8f7aaa012f30d5b2861462f6708eccd49c3c39863fe083a308035f63d723" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e4cd77756121..138f7a38070f 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.88" +cc = "1.0.89" From 2d9d8ee43fd87d24a14dc617504cf3624987b479 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 15:17:27 +0000 Subject: [PATCH 216/868] Bump nox from 2023.4.22 to 2024.3.2 (#10522) Bumps [nox](https://github.com/wntrblm/nox) from 2023.4.22 to 2024.3.2. - [Release notes](https://github.com/wntrblm/nox/releases) - [Changelog](https://github.com/wntrblm/nox/blob/main/CHANGELOG.md) - [Commits](https://github.com/wntrblm/nox/compare/2023.04.22...2024.03.02) --- updated-dependencies: - dependency-name: nox dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c3b1e8885ddb..f0336b49ccd5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -58,7 +58,7 @@ mypy-extensions==1.0.0 # via mypy nh3==0.2.15 # via readme-renderer -nox==2023.4.22 +nox==2024.3.2 # via cryptography (pyproject.toml) packaging==23.2 # via From ec028756101c34be2e7285af724ee80647dd6aaa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 10:05:34 -0600 Subject: [PATCH 217/868] Bump pkginfo from 1.9.6 to 1.10.0 in /.github/requirements (#10525) * Bump pkginfo from 1.9.6 to 1.10.0 in /.github/requirements Bumps [pkginfo](https://code.launchpad.net/~tseaver/pkginfo/trunk) from 1.9.6 to 1.10.0. --- updated-dependencies: - dependency-name: pkginfo dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ed7c1d3813aa..2e1905e09069 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -382,9 +382,9 @@ nh3==0.2.15 \ --hash=sha256:d1e30ff2d8d58fb2a14961f7aac1bbb1c51f9bdd7da727be35c63826060b0bf3 \ --hash=sha256:f3b53ba93bb7725acab1e030bc2ecd012a817040fd7851b332f86e2f9bb98dc6 # via readme-renderer -pkginfo==1.9.6 \ - --hash=sha256:4b7a555a6d5a22169fcc9cf7bfd78d296b0361adad412a346c1226849af5e546 \ - --hash=sha256:8fd5896e8718a4372f0ea9cc9d96f6417c9b986e23a4d116dda26b62cc29d046 +pkginfo==1.10.0 \ + --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ + --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 # via twine pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ From d50249fe19806c5a44dd86afa2126ee9110a3577 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 10:05:48 -0600 Subject: [PATCH 218/868] Bump python-dateutil from 2.9.0 to 2.9.0.post0 in /.github/requirements (#10526) * Bump python-dateutil from 2.9.0 to 2.9.0.post0 in /.github/requirements Bumps [python-dateutil](https://github.com/dateutil/dateutil) from 2.9.0 to 2.9.0.post0. - [Release notes](https://github.com/dateutil/dateutil/releases) - [Changelog](https://github.com/dateutil/dateutil/blob/master/NEWS) - [Commits](https://github.com/dateutil/dateutil/compare/2.9.0...2.9.0.post0) --- updated-dependencies: - dependency-name: python-dateutil dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2e1905e09069..a4cc7ce4314f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -518,9 +518,9 @@ pyopenssl==24.0.0 \ --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 # via sigstore -python-dateutil==2.9.0 \ - --hash=sha256:78e73e19c63f5b20ffa567001531680d939dc042bf7850431877645523c66709 \ - --hash=sha256:cbf2f1da5e6083ac2fbfd4da39a25f34312230110440f424a14c7558bb85d82e +python-dateutil==2.9.0.post0 \ + --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ + --hash=sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427 # via betterproto readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ From 0106842b28393dc4f8a5d999dce0ef2311c0eba4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 15:56:34 -0500 Subject: [PATCH 219/868] Added more data structures from the PKCS#12 RFC (#10518) --- src/rust/cryptography-x509/src/pkcs12.rs | 46 +++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index e5676bfb59e6..49f2ddc629f3 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -4,6 +4,10 @@ use crate::pkcs7; +pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); +pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); +pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); + // #[derive(asn1::Asn1Write)] pub struct Pfx<'a> { pub version: u8, @@ -15,6 +19,46 @@ pub struct Pfx<'a> { pub struct MacData<'a> { pub mac: pkcs7::DigestInfo<'a>, pub salt: &'a [u8], - // #[default(1)] + // #[default(1u64)] pub iterations: u64, } + +// #[derive(asn1::Asn1Write)] +pub struct SafeBag<'a> { + pub _bag_id: asn1::DefinedByMarker, + // #[defined_by(_bag_id)] + pub bag_value: asn1::Explicit, 0>, + // pub attributes: Option>>, +} + +// #[derive(asn1::Asn1Write)] +pub struct Attribute<'a> { + pub _attr_id: asn1::DefinedByMarker, + // #[defined_by(_attr_id)] + pub attr_values: AttributeSet<'a>, +} + +// #[derive(asn1::Asn1DefinedByWrite)] +pub enum AttributeSet<'a> { + // #[defined_by(FRIENDLY_NAME_OID)] + FriendlyName(asn1::SetOfWriter<'a, asn1::BMPString<'a>>), +} + +// #[derive(asn1::Asn1DefinedByWrite)] +pub enum BagValue<'a> { + // #[defined_by(CERT_BAG_OID)] + CertBag(CertBag<'a>), +} + +// #[derive(asn1::Asn1Write)] +pub struct CertBag<'a> { + pub _cert_id: asn1::DefinedByMarker, + // #[defined_by(_cert_id)] + pub cert_value: asn1::Explicit, 0>, +} + +// #[derive(asn1::Asn1DefinedByWrite)] +pub enum CertType<'a> { + // #[defined_by(X509_CERTIFICATE_OID)] + X509(asn1::OctetStringEncoded>), +} From 6238f91634dfc9009ef15bbdf782d9c4f2a73613 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 16:21:13 -0500 Subject: [PATCH 220/868] Allow clippy::result_large_err (#10532) This is triggered by the latest rust-asn1 (see #10530) --- src/rust/cryptography-key-parsing/src/lib.rs | 4 ++++ src/rust/cryptography-key-parsing/src/rsa.rs | 2 +- src/rust/cryptography-key-parsing/src/spki.rs | 2 +- src/rust/cryptography-x509-verification/src/lib.rs | 1 + src/rust/cryptography-x509/src/lib.rs | 1 + src/rust/src/lib.rs | 2 +- 6 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/rust/cryptography-key-parsing/src/lib.rs b/src/rust/cryptography-key-parsing/src/lib.rs index 93c49181c1fe..c97bc3f754c6 100644 --- a/src/rust/cryptography-key-parsing/src/lib.rs +++ b/src/rust/cryptography-key-parsing/src/lib.rs @@ -2,6 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#![forbid(unsafe_code)] +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, clippy::result_large_err)] + pub mod rsa; pub mod spki; diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs index 5a2f57d58a6b..05bbc41dae2e 100644 --- a/src/rust/cryptography-key-parsing/src/rsa.rs +++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -13,7 +13,7 @@ pub struct Pksc1RsaPublicKey<'a> { pub fn parse_pkcs1_public_key( data: &[u8], ) -> KeyParsingResult> { - let k = asn1::parse_single::(data)?; + let k = asn1::parse_single::>(data)?; let n = openssl::bn::BigNum::from_slice(k.n.as_bytes())?; let e = openssl::bn::BigNum::from_slice(k.e.as_bytes())?; diff --git a/src/rust/cryptography-key-parsing/src/spki.rs b/src/rust/cryptography-key-parsing/src/spki.rs index e6e1133c490a..68f2f33e06e3 100644 --- a/src/rust/cryptography-key-parsing/src/spki.rs +++ b/src/rust/cryptography-key-parsing/src/spki.rs @@ -9,7 +9,7 @@ use crate::{KeyParsingError, KeyParsingResult}; pub fn parse_public_key( data: &[u8], ) -> KeyParsingResult> { - let k = asn1::parse_single::(data)?; + let k = asn1::parse_single::>(data)?; match k.algorithm.params { AlgorithmParameters::Ec(ec_params) => match ec_params { diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 5ded892d5cbb..1c18f498cd88 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -4,6 +4,7 @@ #![forbid(unsafe_code)] #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, clippy::result_large_err)] pub mod certificate; pub mod ops; diff --git a/src/rust/cryptography-x509/src/lib.rs b/src/rust/cryptography-x509/src/lib.rs index 5fbedbf7ebc7..54c3b12aa942 100644 --- a/src/rust/cryptography-x509/src/lib.rs +++ b/src/rust/cryptography-x509/src/lib.rs @@ -4,6 +4,7 @@ #![forbid(unsafe_code)] #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, clippy::result_large_err)] pub mod certificate; pub mod common; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index e8b881126f20..47102dfde1dd 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,7 +3,7 @@ // for complete details. #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] -#![allow(unknown_lints, non_local_definitions)] +#![allow(unknown_lints, non_local_definitions, clippy::result_large_err)] #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use crate::error::CryptographyResult; From f40cf4a743ae380bcb910f96f943ae759cf086d0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 4 Mar 2024 15:29:07 -0600 Subject: [PATCH 221/868] fix rsa key name typo (#10533) --- src/rust/cryptography-key-parsing/src/rsa.rs | 4 ++-- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/cryptography-key-parsing/src/rsa.rs b/src/rust/cryptography-key-parsing/src/rsa.rs index 05bbc41dae2e..bf33a492352e 100644 --- a/src/rust/cryptography-key-parsing/src/rsa.rs +++ b/src/rust/cryptography-key-parsing/src/rsa.rs @@ -5,7 +5,7 @@ use crate::KeyParsingResult; #[derive(asn1::Asn1Read)] -pub struct Pksc1RsaPublicKey<'a> { +pub struct Pkcs1RsaPublicKey<'a> { pub n: asn1::BigUint<'a>, e: asn1::BigUint<'a>, } @@ -13,7 +13,7 @@ pub struct Pksc1RsaPublicKey<'a> { pub fn parse_pkcs1_public_key( data: &[u8], ) -> KeyParsingResult> { - let k = asn1::parse_single::>(data)?; + let k = asn1::parse_single::>(data)?; let n = openssl::bn::BigNum::from_slice(k.n.as_bytes())?; let e = openssl::bn::BigNum::from_slice(k.e.as_bytes())?; diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index f0a2ba5a7e63..8f704a39c0e2 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -9,7 +9,7 @@ use std::ops::Range; use std::sync::Arc; use asn1::ObjectIdentifier; -use cryptography_key_parsing::rsa::Pksc1RsaPublicKey; +use cryptography_key_parsing::rsa::Pkcs1RsaPublicKey; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{ AlgorithmIdentifier, AlgorithmParameters, EcParameters, RsaPssParameters, Time, @@ -512,7 +512,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { issuer_spki.algorithm.params, AlgorithmParameters::Rsa(_) | AlgorithmParameters::RsaPss(_) ) { - let rsa_key: Pksc1RsaPublicKey<'_> = + let rsa_key: Pkcs1RsaPublicKey<'_> = asn1::parse_single(issuer_spki.subject_public_key.as_bytes())?; if rsa_key.n.as_bytes().len() * 8 < self.minimum_rsa_modulus { From 9ddf6c08ca189ad5289a65020904814e1d8a8cc0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 21:37:46 +0000 Subject: [PATCH 222/868] Bump asn1 from 0.16.0 to 0.16.1 in /src/rust (#10530) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.16.0 to 0.16.1. - [Commits](https://github.com/alex/rust-asn1/compare/0.16.0...0.16.1) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index eb46a5b38c00..3eaa4b11a19a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.16.0" +version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a227d599843d72985b747c71958d16d670a6e6bc06fadf064570cae70c11fd0a" +checksum = "889adc8fd6c1344619926529e605cccad1f832b3a2a5a3fe6d7c8557c8f05368" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.16.0" +version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87132221a3cb3794c8def2208c723276686e0cd771541deb7768905ce13dc603" +checksum = "e2271cec9b830009b9c3b9e21767083c553f51f996b690c476c27f541199aa99" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 96ea8425ec45..e3145ca05262 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -11,7 +11,7 @@ rust-version = "1.65.0" once_cell = "1" cfg-if = "1" pyo3 = { version = "0.20", features = ["abi3"] } -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-key-parsing = { path = "cryptography-key-parsing" } cryptography-x509 = { path = "cryptography-x509" } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 138ff6cd7984..d5071e5ef8a4 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } cfg-if = "1" openssl = "0.10.64" openssl-sys = "0.9.101" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 5ba846878633..2ffa8e3d273e 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index cf6df6f3d3c4..2332756b2275 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.0", default-features = false } +asn1 = { version = "0.16.1", default-features = false } From af56f15f6cde23db25a9bc919f411847772e7d14 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 16:57:53 -0500 Subject: [PATCH 223/868] added KeyBag to pkcs12 structs (#10534) --- src/rust/cryptography-x509/src/pkcs12.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index 49f2ddc629f3..328961fce053 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -5,6 +5,7 @@ use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); +pub const KEY_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 1); pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); @@ -48,6 +49,9 @@ pub enum AttributeSet<'a> { pub enum BagValue<'a> { // #[defined_by(CERT_BAG_OID)] CertBag(CertBag<'a>), + + // #[defined_by(KEY_BAG_OID)] + KeyBag(asn1::Tlv<'a>), } // #[derive(asn1::Asn1Write)] From c3ddb58c58acf74cb06604b1bac0a5aa060df857 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 4 Mar 2024 18:18:36 -0500 Subject: [PATCH 224/868] Mark PKCS12Certificate as frozen (#10535) --- src/rust/src/pkcs12.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 58178fe3918d..0743e5e7778f 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -11,7 +11,7 @@ use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[pyo3::prelude::pyclass] +#[pyo3::prelude::pyclass(frozen)] struct PKCS12Certificate { #[pyo3(get)] certificate: pyo3::Py, From e1d313af94b75e38dfb9f4f5123e5dd5243d89bc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 19:15:42 -0500 Subject: [PATCH 225/868] Bump BoringSSL and/or OpenSSL in CI (#10536) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e384bfe8805e..351c479bea23 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Feb 29, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "df3b58ea74c50ff785ab902be3b007ff008d3e3c"}} + # Latest commit on the BoringSSL master branch, as of Mar 05, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e3af7710ed006e228382c8041782cba81ff4040a"}} # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} # Builds with various Rust versions. Includes MSRV and next From 8221e18abdb361c3e249809de0f6228c3d12c55d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 4 Mar 2024 19:44:20 -0500 Subject: [PATCH 226/868] test_limbo: skip non-SERVER cases for now (#10538) * test_limbo: skip non-SERVER cases for now Signed-off-by: William Woodruff * Bump x509-limbo and/or wycheproof in CI --------- Signed-off-by: William Woodruff Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- tests/x509/verification/test_limbo.py | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 55213e6beba7..55cae6733457 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 01, 2024. - ref: "a9c42d8d243942e95d9365e39bd45822e5af6981" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 05, 2024. + ref: "b13ff3276809afc754434808033bd1a48f0157f6" # x509-limbo-ref diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index edcb0fc9bda5..133482476c6b 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -73,6 +73,9 @@ # with what webpki and rustls do, but inconsistent with Go and OpenSSL. "rfc5280::ca-as-leaf", "pathlen::validation-ignores-pathlen-in-leaf", + # Client testcases are not supported yet. + "rfc5280::nc::nc-permits-email-exact", + "rfc5280::nc::nc-permits-email-domain", } From b507701ab4c14c345fd036c20ec7b95dae78c1a4 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 4 Mar 2024 20:09:19 -0500 Subject: [PATCH 227/868] test_limbo: skip things more idiomatically (#10539) --- tests/x509/verification/test_limbo.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 133482476c6b..c745bdbe5729 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -73,9 +73,6 @@ # with what webpki and rustls do, but inconsistent with Go and OpenSSL. "rfc5280::ca-as-leaf", "pathlen::validation-ignores-pathlen-in-leaf", - # Client testcases are not supported yet. - "rfc5280::nc::nc-permits-email-exact", - "rfc5280::nc::nc-permits-email-domain", } @@ -91,12 +88,16 @@ def _get_limbo_peer(expected_peer): def _limbo_testcase(id_, testcase): if id_ in LIMBO_SKIP_TESTCASES: - return + pytest.skip(f"explicitly skipped testcase: {id_}") features = testcase["features"] - if LIMBO_UNSUPPORTED_FEATURES.intersection(features): - return - assert testcase["validation_kind"] == "SERVER" + unsupported = LIMBO_UNSUPPORTED_FEATURES.intersection(features) + if unsupported: + pytest.skip(f"explicitly skipped features: {unsupported}") + + if testcase["validation_kind"] != "SERVER": + pytest.skip("non-SERVER testcase") + assert testcase["signature_algorithms"] == [] assert testcase["extended_key_usage"] == [] or testcase[ "extended_key_usage" From 45739ef264c3032b816b3240297dcae9a019dea6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 00:15:09 +0000 Subject: [PATCH 228/868] Bump BoringSSL and/or OpenSSL in CI (#10542) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 351c479bea23..a6fe6771ec54 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e3af7710ed006e228382c8041782cba81ff4040a"}} + # Latest commit on the BoringSSL master branch, as of Mar 06, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5cdb6c44506442fce110c2d3903a880888dfb"}} # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} # Builds with various Rust versions. Includes MSRV and next From 7c72b458720b6619e340de40ab0a6d11f53e658c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 6 Mar 2024 00:28:14 +0000 Subject: [PATCH 229/868] Bump x509-limbo and/or wycheproof in CI (#10543) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 55cae6733457..a16a6da481bb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 05, 2024. - ref: "b13ff3276809afc754434808033bd1a48f0157f6" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 06, 2024. + ref: "ad25d168bd7bdaa13e42d91fb6a5845ae9ddf96e" # x509-limbo-ref From c48eabb6f46da8181b17ce29d4fc45f365c41f46 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 5 Mar 2024 19:41:36 -0500 Subject: [PATCH 230/868] Use uv with the local nox session (#10540) --- noxfile.py | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/noxfile.py b/noxfile.py index c66fe6bae578..71f878572c44 100644 --- a/noxfile.py +++ b/noxfile.py @@ -22,14 +22,18 @@ nox.options.reuse_existing_virtualenvs = True -def install(session: nox.Session, *args: str, silent: bool = False) -> None: - if not silent: +def install( + session: nox.Session, + *args: str, + verbose: bool = True, +) -> None: + if verbose: args += ("-v",) session.install( "-c", "ci-constraints-requirements.txt", *args, - silent=silent, + silent=False, ) @@ -247,7 +251,7 @@ def rust(session: nox.Session) -> None: process_rust_coverage(session, rust_tests, prof_location) -@nox.session +@nox.session(venv_backend="uv") def local(session): pyproject_data = load_pyproject_toml() test_dependencies = pyproject_data["project"]["optional-dependencies"][ @@ -261,11 +265,9 @@ def local(session): *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], - "flit", - silent=True, + "cryptography_vectors @ ./vectors/", + verbose=False, ) - with session.cd("vectors/"): - session.run("flit", "install", "-s", silent=True) session.run("ruff", "format", ".") session.run("ruff", "check", ".") @@ -292,7 +294,15 @@ def local(session): "noxfile.py", ) - install(session, ".") + install( + session, + # Needed until https://github.com/astral-sh/uv/issues/2152 is fixed + "--reinstall-package", + "cryptography", + "--refresh-package", + "cryptography", + "cryptography @ .", + ) if session.posargs: tests = session.posargs From b5a51ae323de9855b66a345a898305967ef30388 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 00:12:53 +0000 Subject: [PATCH 231/868] Bump BoringSSL and/or OpenSSL in CI (#10545) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a6fe6771ec54..0e2aa229f188 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 06, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5cdb6c44506442fce110c2d3903a880888dfb"}} - # Latest commit on the OpenSSL master branch, as of Mar 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5677992679b38950c6a0c3775fd57378e1879ba5"}} + # Latest commit on the BoringSSL master branch, as of Mar 07, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "860db9e98f23c6e2692afb143a04987cc232e1f5"}} + # Latest commit on the OpenSSL master branch, as of Mar 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8d8866aff39399dbee2d49c59aca466794c53ba7"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d4364b5931ab275c1ef7b7f4be68de6fdced8e68 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 12:07:02 +0000 Subject: [PATCH 232/868] Bump cc from 1.0.89 to 1.0.90 in /src/rust (#10547) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.89 to 1.0.90. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.89...1.0.90) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3eaa4b11a19a..600408d4e880 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.89" +version = "1.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0ba8f7aaa012f30d5b2861462f6708eccd49c3c39863fe083a308035f63d723" +checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 138f7a38070f..00b214f6f7e3 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.20", features = ["abi3"] } openssl-sys = "0.9.101" [build-dependencies] -cc = "1.0.89" +cc = "1.0.90" From dcf6ac240de1d9c465868964c972a632ebbf0170 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 7 Mar 2024 13:57:37 -0500 Subject: [PATCH 233/868] Updates for ruff 0.3.1 (#10548) --- .../custom-vectors/arc4/generate_arc4.py | 5 ++--- .../rsa-oaep-sha2/generate_rsa_oaep_sha2.py | 5 ++--- .../hazmat/backends/openssl/backend.py | 8 +++---- .../hazmat/bindings/openssl/binding.py | 5 ++--- .../hazmat/primitives/ciphers/modes.py | 19 ++++++---------- .../hazmat/primitives/kdf/pbkdf2.py | 4 +--- src/cryptography/x509/extensions.py | 21 +++++++++--------- tests/hazmat/primitives/test_dsa.py | 5 ++--- tests/hazmat/primitives/test_ec.py | 5 ++--- tests/hazmat/primitives/test_pkcs12.py | 22 ++++++++----------- tests/wycheproof/test_rsa.py | 5 ++--- 11 files changed, 44 insertions(+), 60 deletions(-) diff --git a/docs/development/custom-vectors/arc4/generate_arc4.py b/docs/development/custom-vectors/arc4/generate_arc4.py index 208d18585ac6..3f81691e817a 100644 --- a/docs/development/custom-vectors/arc4/generate_arc4.py +++ b/docs/development/custom-vectors/arc4/generate_arc4.py @@ -80,9 +80,8 @@ def _build_vectors(): output.append(f"OFFSET = {offset}") output.append(f"PLAINTEXT = {binascii.hexlify(plaintext)}") output.append( - "CIPHERTEXT = {}".format( - binascii.hexlify(encryptor.update(plaintext)) - ) + f"CIPHERTEXT = " + f"{binascii.hexlify(encryptor.update(plaintext))}" ) current_offset += len(plaintext) assert not encryptor.finalize() diff --git a/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py b/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py index f9e79122686e..42975ff1a07a 100644 --- a/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py +++ b/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py @@ -82,9 +82,8 @@ def build_vectors(mgf1alg, hashalg, filename): ), ) output.append( - "# OAEP Example {} alg={} mgf1={}".format( - count, hashalg.name, mgf1alg.name - ) + f"# OAEP Example {count} alg={hashalg.name} " + f"mgf1={mgf1alg.name}" ) count += 1 output.append("# Message:") diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index eaaaf783f1c5..99442cf8aa03 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -87,10 +87,10 @@ def __init__(self) -> None: self._fips_enabled = rust_openssl.is_fips_enabled() def __repr__(self) -> str: - return "".format( - self.openssl_version_text(), - self._fips_enabled, - rust_openssl._legacy_provider_loaded, + return ( + f"" ) def openssl_assert(self, ok: bool) -> None: diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index f5d8cb0b7d9f..d4dfeef485d1 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -95,9 +95,8 @@ def _verify_package_version(version: str) -> None: "shared object. This can happen if you have multiple copies of " "cryptography installed in your Python path. Please try creating " "a new virtual environment to resolve this issue. " - "Loaded python version: {}, shared object version: {}".format( - version, so_package_version - ) + f"Loaded python version: {version}, " + f"shared object version: {so_package_version}" ) _openssl_assert( diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py index 712ccd3f7945..1dd2cc1e80c3 100644 --- a/src/cryptography/hazmat/primitives/ciphers/modes.py +++ b/src/cryptography/hazmat/primitives/ciphers/modes.py @@ -77,12 +77,9 @@ def _check_aes_key_length(self: Mode, algorithm: CipherAlgorithm) -> None: def _check_iv_length( self: ModeWithInitializationVector, algorithm: BlockCipherAlgorithm ) -> None: - if len(self.initialization_vector) * 8 != algorithm.block_size: - raise ValueError( - "Invalid IV size ({}) for {}.".format( - len(self.initialization_vector), self.name - ) - ) + iv_len = len(self.initialization_vector) + if iv_len * 8 != algorithm.block_size: + raise ValueError(f"Invalid IV size ({iv_len}) for {self.name}.") def _check_nonce_length( @@ -242,9 +239,8 @@ def __init__( raise ValueError("min_tag_length must be >= 4") if len(tag) < min_tag_length: raise ValueError( - "Authentication tag must be {} bytes or longer.".format( - min_tag_length - ) + f"Authentication tag must be {min_tag_length} bytes or " + "longer." ) self._tag = tag self._min_tag_length = min_tag_length @@ -267,7 +263,6 @@ def validate_for_algorithm(self, algorithm: CipherAlgorithm) -> None: block_size_bytes = algorithm.block_size // 8 if self._tag is not None and len(self._tag) > block_size_bytes: raise ValueError( - "Authentication tag cannot be more than {} bytes.".format( - block_size_bytes - ) + f"Authentication tag cannot be more than {block_size_bytes} " + "bytes." ) diff --git a/src/cryptography/hazmat/primitives/kdf/pbkdf2.py b/src/cryptography/hazmat/primitives/kdf/pbkdf2.py index 623e1ca7f9eb..82689ebca4ae 100644 --- a/src/cryptography/hazmat/primitives/kdf/pbkdf2.py +++ b/src/cryptography/hazmat/primitives/kdf/pbkdf2.py @@ -33,9 +33,7 @@ def __init__( if not ossl.pbkdf2_hmac_supported(algorithm): raise UnsupportedAlgorithm( - "{} is not supported for PBKDF2 by this backend.".format( - algorithm.name - ), + f"{algorithm.name} is not supported for PBKDF2.", _Reasons.UNSUPPORTED_HASH, ) self._used = False diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 7dd38700e537..1842a9e2b0c6 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -401,8 +401,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: @@ -456,8 +456,9 @@ def path_length(self) -> int | None: def __repr__(self) -> str: return ( - "" - ).format(self) + f"" + ) def __eq__(self, other: object) -> bool: if not isinstance(other, BasicConstraints): @@ -876,8 +877,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: @@ -928,8 +929,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: @@ -968,8 +969,8 @@ def __init__( def __repr__(self) -> str: return ( - "".format(self) + f"" ) def __eq__(self, other: object) -> bool: diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 2928a1eb9d8c..35b7f56f69e0 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -46,9 +46,8 @@ def _skip_if_dsa_not_supported( ) -> None: if not backend.dsa_hash_supported(algorithm): pytest.skip( - "{} does not support the provided args. p: {}, hash: {}".format( - backend, p.bit_length(), algorithm.name - ) + f"{backend} does not support the provided args. " + f"p: {p.bit_length()}, hash: {algorithm.name}" ) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 33b4c6d065f3..b0e29b3803e6 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -52,9 +52,8 @@ def _skip_ecdsa_vector(backend, curve: ec.EllipticCurve, hash_type): ec.ECDSA(hash_type()), curve ): pytest.skip( - "ECDSA not supported with this hash {} and curve {}.".format( - hash_type().name, curve.name - ) + f"ECDSA not supported with this hash {hash_type().name} and " + f"curve {curve.name}." ) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 2f702aaf9626..9ee3cc3fc769 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -954,19 +954,15 @@ def test_key_and_certificates_repr(self, backend): cert2 = _load_cert( backend, os.path.join("x509", "cryptography.io.pem") ) - assert ( - repr( - PKCS12KeyAndCertificates( - key, - PKCS12Certificate(cert, None), - [PKCS12Certificate(cert2, b"name2")], - ) - ) - == ", additional_certs=[])>".format( + assert repr( + PKCS12KeyAndCertificates( key, - cert, - cert2, + PKCS12Certificate(cert, None), + [PKCS12Certificate(cert2, b"name2")], ) + ) == ( + f", " + f"additional_certs=[" + f"])>" ) diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py index c85eb6e7a669..d3b26a2ab3ba 100644 --- a/tests/wycheproof/test_rsa.py +++ b/tests/wycheproof/test_rsa.py @@ -113,9 +113,8 @@ def test_rsa_pkcs1v15_signature_generation(backend, wycheproof): digest, hashes.SHA1 ): pytest.skip( - "Invalid params for FIPS. key: {} bits, digest: {}".format( - key.key_size, digest.name - ) + f"Invalid params for FIPS. key: {key.key_size} bits, " + f"digest: {digest.name}" ) sig = key.sign( From 0c0e9f9012ba6f70f7fc29746dd2a74e03349894 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 19:04:50 +0000 Subject: [PATCH 234/868] Bump ruff from 0.3.0 to 0.3.1 (#10546) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.0 to 0.3.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.0...v0.3.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f0336b49ccd5..e8339a581eb5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.0 +ruff==0.3.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From bec370e8a1a5c4840105432aacb3020ed54b040f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 00:14:35 +0000 Subject: [PATCH 235/868] Bump BoringSSL and/or OpenSSL in CI (#10549) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0e2aa229f188..267d507f5164 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 07, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "860db9e98f23c6e2692afb143a04987cc232e1f5"}} - # Latest commit on the OpenSSL master branch, as of Mar 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8d8866aff39399dbee2d49c59aca466794c53ba7"}} + # Latest commit on the BoringSSL master branch, as of Mar 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a3faaa2d50b2540c6973531841723f633f388cd"}} + # Latest commit on the OpenSSL master branch, as of Mar 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d42be3af76aa16586b3f32a176837ee4a4bb65b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 6d7326c1c931afff18440d3a6659efb2d87d173e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 16:29:20 -0800 Subject: [PATCH 236/868] Bump x509-limbo and/or wycheproof in CI (#10550) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index a16a6da481bb..863b978f0909 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 06, 2024. - ref: "ad25d168bd7bdaa13e42d91fb6a5845ae9ddf96e" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 08, 2024. + ref: "1b1c161b8b4cb03b90c236450bfb2f6567dd7a03" # x509-limbo-ref From 5fe526d00f9f540451b41bedd916b798dedb4d3c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 07:04:02 -0500 Subject: [PATCH 237/868] Bump argcomplete from 3.2.2 to 3.2.3 (#10552) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.2.2 to 3.2.3. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.2.2...v3.2.3) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e8339a581eb5..1cd9aa61cd31 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.2.2; python_version >= "3.8" +argcomplete==3.2.3; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx From e0d022c3a33b3dcf312d0b21a888667287c66eae Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 07:19:00 -0800 Subject: [PATCH 238/868] Bump importlib-metadata from 7.0.1 to 7.0.2 in /.github/requirements (#10551) * Bump importlib-metadata from 7.0.1 to 7.0.2 in /.github/requirements Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.0.1 to 7.0.2. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.0.1...v7.0.2) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a4cc7ce4314f..635c06617e4f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -240,9 +240,9 @@ idna==3.6 \ # via # email-validator # requests -importlib-metadata==7.0.1 \ - --hash=sha256:4805911c3a4ec7c3966410053e9ec6a1fecd629117df5adee56dfc9432a1081e \ - --hash=sha256:f238736bb06590ae52ac1fab06a3a9ef1d8dce2b7a35b5ab329371d6c8f5d2cc +importlib-metadata==7.0.2 \ + --hash=sha256:198f568f3230878cb1b44fbd7975f87906c22336dba2e4a7f05278c281fbd792 \ + --hash=sha256:f4bc4c0c070c490abf4ce96d715f68e95923320370efb66143df00199bb6c100 # via # keyring # twine From 549738cc679d747ecf784e533d98a40427d9022b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 00:13:39 +0000 Subject: [PATCH 239/868] Bump BoringSSL and/or OpenSSL in CI (#10554) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 267d507f5164..36b0a6162ab8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "5a3faaa2d50b2540c6973531841723f633f388cd"}} - # Latest commit on the OpenSSL master branch, as of Mar 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6d42be3af76aa16586b3f32a176837ee4a4bb65b"}} + # Latest commit on the BoringSSL master branch, as of Mar 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "cf4f615d706d54fca9323fb1595d88f7ee2d7517"}} + # Latest commit on the OpenSSL master branch, as of Mar 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a24f29bbb4e7c2c73b0b3b2193b81c9b444b0864"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8d7c60d7b2a95f0e039ff45b469b960a0d439af2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 19:54:24 -0500 Subject: [PATCH 240/868] Bump x509-limbo and/or wycheproof in CI (#10555) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 863b978f0909..3338913bee86 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 08, 2024. - ref: "1b1c161b8b4cb03b90c236450bfb2f6567dd7a03" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 09, 2024. + ref: "d12e21223160fb03db412c3060e897ffd3e836d5" # x509-limbo-ref From 7c0b5b562dd85e93a7780010424e5c501d8dbefa Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Mar 2024 01:10:28 -0500 Subject: [PATCH 241/868] Remove weird self-import (#10556) --- src/rust/src/x509/ocsp.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index b86753110606..3565588bc0f1 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -10,7 +10,6 @@ use once_cell::sync::Lazy; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; -use crate::x509; use crate::x509::certificate::Certificate; pub(crate) static ALGORITHM_PARAMETERS_TO_HASH: Lazy< @@ -93,7 +92,7 @@ pub(crate) fn certid_new<'p>( )?; Ok(CertID { - hash_algorithm: x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm .getattr(pyo3::intern!(py, "name"))? .extract::<&str>()?] .clone(), @@ -111,7 +110,7 @@ pub(crate) fn certid_new_from_hash<'p>( hash_algorithm: &'p pyo3::PyAny, ) -> CryptographyResult> { Ok(CertID { - hash_algorithm: x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm .getattr(pyo3::intern!(py, "name"))? .extract::<&str>()?] .clone(), From 9c3cec67406ac74ab05638b5170e1fc086683091 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Mar 2024 18:23:48 -0500 Subject: [PATCH 242/868] Set mac_iter to OpenSSL's default (#10561) On OpenSSL 3, it uses 2048 iterations for mac_iter by default. We've been doing this with NoEncryption for two years, so I guess it's fine now and the comment is out of date. --- src/cryptography/hazmat/backends/openssl/backend.py | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 99442cf8aa03..42ec1a2c9519 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -410,6 +410,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_cert = -1 nid_key = -1 pkcs12_iter = 0 + # mac_iter of 0 uses OpenSSL's default value mac_iter = 0 mac_alg = self._ffi.NULL elif isinstance( @@ -426,10 +427,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC # At least we can set this higher than OpenSSL's default pkcs12_iter = 20000 - # mac_iter chosen for compatibility reasons, see: - # https://www.openssl.org/docs/man1.1.1/man3/PKCS12_create.html - # Did we mention how lousy PKCS12 encryption is? - mac_iter = 1 + mac_iter = 0 # MAC algorithm can only be set on OpenSSL 3.0.0+ mac_alg = self._ffi.NULL password = encryption_algorithm.password @@ -446,8 +444,7 @@ def serialize_key_and_certificates_to_pkcs12( nid_key = 0 # Use the default iters we use in best available pkcs12_iter = 20000 - # See the Best Available comment for why this is 1 - mac_iter = 1 + mac_iter = 0 password = encryption_algorithm.password keycertalg = encryption_algorithm._key_cert_algorithm if keycertalg is PBES.PBESv1SHA1And3KeyTripleDESCBC: From dd1d6059b385e0b7d47ee71ce89eebb7f6de1099 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Mar 2024 18:24:00 -0500 Subject: [PATCH 243/868] Additional type asserts for latest mypy (#10560) --- tests/hazmat/primitives/test_pkcs7.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 9a9eab3da503..36abfae9c052 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -316,11 +316,15 @@ def test_smime_sign_detached(self, backend): # Parse the message to get the signed data, which is the # first payload in the message message = email.parser.BytesParser().parsebytes(sig) - signed_data = message.get_payload()[0].get_payload().encode() + payload = message.get_payload() + assert isinstance(payload, list) + assert isinstance(payload[0], email.message.Message) + signed_data = payload[0].get_payload() + assert isinstance(signed_data, str) _pkcs7_verify( serialization.Encoding.SMIME, sig, - signed_data, + signed_data.encode(), [cert], options, backend, @@ -546,7 +550,10 @@ def test_sign_text(self, backend): # Parse the message to get the signed data, which is the # first payload in the message message = email.parser.BytesParser().parsebytes(sig_pem) - signed_data = message.get_payload()[0].as_bytes( + payload = message.get_payload() + assert isinstance(payload, list) + assert isinstance(payload[0], email.message.Message) + signed_data = payload[0].as_bytes( policy=message.policy.clone(linesep="\r\n") ) _pkcs7_verify( From 94535feda6fdcd2666f62766011f3c17dd1e234f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 23:32:33 +0000 Subject: [PATCH 244/868] Bump pytest from 8.0.2 to 8.1.1 (#10559) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.0.2 to 8.1.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.0.2...8.1.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 1cd9aa61cd31..de3e2511e62e 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.0.2; python_version >= "3.8" +pytest==8.1.1; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 1fe050e0e7a986f89c3dc7bc30eabf888cf1f641 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 23:34:22 +0000 Subject: [PATCH 245/868] Bump ruff from 0.3.1 to 0.3.2 (#10558) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.1 to 0.3.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.1...v0.3.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index de3e2511e62e..12c13d048553 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.1 +ruff==0.3.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From f05298e08b1d9c5095a4639377a829ef417015a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Mar 2024 23:36:22 +0000 Subject: [PATCH 246/868] Bump mypy from 1.8.0 to 1.9.0 (#10557) Bumps [mypy](https://github.com/python/mypy) from 1.8.0 to 1.9.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.8.0...1.9.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 12c13d048553..887d0b006555 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.3 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.8.0 +mypy==1.9.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From 8da2444fc85138e5b02f720e9eb3e3273b31156c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 10 Mar 2024 00:17:14 +0000 Subject: [PATCH 247/868] Bump BoringSSL and/or OpenSSL in CI (#10562) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 36b0a6162ab8..ec0855c8a7b2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "cf4f615d706d54fca9323fb1595d88f7ee2d7517"}} - # Latest commit on the OpenSSL master branch, as of Mar 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a24f29bbb4e7c2c73b0b3b2193b81c9b444b0864"}} + # Latest commit on the BoringSSL master branch, as of Mar 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29bb1a7ebe55102c90611c021a142fdb6e97f8d5"}} + # Latest commit on the OpenSSL master branch, as of Mar 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bf7ae259a405a642dee93b18ffe5b875a056045a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c8991dafe72679071a28114fa9b5a5c49b758844 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 9 Mar 2024 21:04:42 -0500 Subject: [PATCH 248/868] Small refactors to HMAC to make it usable from Rust code (#10563) --- src/rust/src/backend/hmac.rs | 44 +++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index d035a6156c3d..f8572f9103c9 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -11,13 +11,37 @@ use crate::exceptions; module = "cryptography.hazmat.bindings._rust.openssl.hmac", name = "HMAC" )] -struct Hmac { +pub(crate) struct Hmac { #[pyo3(get)] algorithm: pyo3::Py, ctx: Option, } impl Hmac { + pub(crate) fn new_bytes( + py: pyo3::Python<'_>, + key: &[u8], + algorithm: &pyo3::PyAny, + ) -> CryptographyResult { + let md = message_digest_from_algorithm(py, algorithm)?; + let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { + exceptions::UnsupportedAlgorithm::new_err(( + "Digest is not supported for HMAC", + exceptions::Reasons::UNSUPPORTED_HASH, + )) + })?; + + Ok(Hmac { + ctx: Some(ctx), + algorithm: algorithm.into(), + }) + } + + pub(crate) fn update_bytes(&mut self, data: &[u8]) -> CryptographyResult<()> { + self.get_mut_ctx()?.update(data)?; + Ok(()) + } + fn get_ctx(&self) -> CryptographyResult<&cryptography_openssl::hmac::Hmac> { if let Some(ctx) = self.ctx.as_ref() { return Ok(ctx); @@ -45,26 +69,14 @@ impl Hmac { ) -> CryptographyResult { let _ = backend; - let md = message_digest_from_algorithm(py, algorithm)?; - let ctx = cryptography_openssl::hmac::Hmac::new(key.as_bytes(), md).map_err(|_| { - exceptions::UnsupportedAlgorithm::new_err(( - "Digest is not supported for HMAC", - exceptions::Reasons::UNSUPPORTED_HASH, - )) - })?; - - Ok(Hmac { - ctx: Some(ctx), - algorithm: algorithm.into(), - }) + Hmac::new_bytes(py, key.as_bytes(), algorithm) } fn update(&mut self, data: CffiBuf<'_>) -> CryptographyResult<()> { - self.get_mut_ctx()?.update(data.as_bytes())?; - Ok(()) + self.update_bytes(data.as_bytes()) } - fn finalize<'p>( + pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { From d27f912473485c3f04697ee478214ca2ee4a61c7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Mar 2024 20:44:17 +0000 Subject: [PATCH 249/868] Bump packaging from 23.2 to 24.0 (#10566) Bumps [packaging](https://github.com/pypa/packaging) from 23.2 to 24.0. - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/23.2...24.0) --- updated-dependencies: - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 887d0b006555..bde74a2c536a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -60,7 +60,7 @@ nh3==0.2.15 # via readme-renderer nox==2024.3.2 # via cryptography (pyproject.toml) -packaging==23.2 +packaging==24.0 # via # build # nox From bcf76c6926313ac645021c9bb9614951e3e36130 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 11 Mar 2024 00:15:15 +0000 Subject: [PATCH 250/868] Bump BoringSSL and/or OpenSSL in CI (#10568) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ec0855c8a7b2..8b633649397a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 10, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29bb1a7ebe55102c90611c021a142fdb6e97f8d5"}} - # Latest commit on the OpenSSL master branch, as of Mar 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bf7ae259a405a642dee93b18ffe5b875a056045a"}} + # Latest commit on the OpenSSL master branch, as of Mar 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "53a8728686663f4fe044cd1a5757f6fcfd777317"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d66d571b7655492c7e449a96a4fff2e019070d3e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Mar 2024 07:33:14 -0500 Subject: [PATCH 251/868] Bump pyopenssl from 24.0.0 to 24.1.0 in /.github/requirements (#10567) * Bump pyopenssl from 24.0.0 to 24.1.0 in /.github/requirements Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 24.0.0 to 24.1.0. - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/24.0.0...24.1.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 635c06617e4f..7f2d889e758c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -514,9 +514,9 @@ pyjwt==2.8.0 \ --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 # via sigstore -pyopenssl==24.0.0 \ - --hash=sha256:6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a334530bf \ - --hash=sha256:ba07553fb6fd6a7a2259adb9b84e12302a9a8a75c44046e8bb5d3e5ee887e3c3 +pyopenssl==24.1.0 \ + --hash=sha256:17ed5be5936449c5418d1cd269a1a9e9081bc54c17aed272b45856a3d3dc86ad \ + --hash=sha256:cabed4bfaa5df9f1a16c0ef64a0cb65318b5cd077a7eda7d6970131ca2f41a6f # via sigstore python-dateutil==2.9.0.post0 \ --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ From fe82ffa1971ac0299eeba46178a863f4c61926d6 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 11 Mar 2024 23:40:05 -0400 Subject: [PATCH 252/868] verification: forbid unsupported NCs (#10570) * verification: forbid unsupported NCs ...rather than silently ignoring them. Signed-off-by: William Woodruff * fetch-vectors: bump Signed-off-by: William Woodruff * fetch-vectors: bump limbo Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- .github/actions/fetch-vectors/action.yml | 4 ++-- src/rust/cryptography-x509-verification/src/lib.rs | 12 ++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 3338913bee86..ed335bad876f 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 09, 2024. - ref: "d12e21223160fb03db412c3060e897ffd3e836d5" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 11, 2024. + ref: "b64509b2ce6d788667220b2509be559ee1a72dfe" # x509-limbo-ref diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 1c18f498cd88..01bc76affc59 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -137,6 +137,18 @@ impl<'a, 'chain> NameChain<'a, 'chain> { ))), } } + // All other matching pairs of (constraint, name) are currently unsupported. + (GeneralName::OtherName(_), GeneralName::OtherName(_)) + | (GeneralName::X400Address(_), GeneralName::X400Address(_)) + | (GeneralName::DirectoryName(_), GeneralName::DirectoryName(_)) + | (GeneralName::EDIPartyName(_), GeneralName::EDIPartyName(_)) + | ( + GeneralName::UniformResourceIdentifier(_), + GeneralName::UniformResourceIdentifier(_), + ) + | (GeneralName::RegisteredID(_), GeneralName::RegisteredID(_)) => Err( + ValidationError::Other("unsupported name constraint".to_string()), + ), _ => Ok(Skipped), } } From 4674f29d5866c78813b1e03cfd1e4a46922cf74f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Mar 2024 07:28:02 -0400 Subject: [PATCH 253/868] Bump proc-macro2 from 1.0.78 to 1.0.79 in /src/rust (#10572) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.78 to 1.0.79. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.78...1.0.79) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 600408d4e880..6f9b5dbf258c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -269,9 +269,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.78" +version = "1.0.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" +checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e" dependencies = [ "unicode-ident", ] From 3f84c7df9e48810c50794402e4b971626ea69bdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Mar 2024 07:29:18 -0400 Subject: [PATCH 254/868] Bump wheel from 0.42.0 to 0.43.0 in /.github/requirements (#10573) Bumps [wheel](https://github.com/pypa/wheel) from 0.42.0 to 0.43.0. - [Release notes](https://github.com/pypa/wheel/releases) - [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst) - [Commits](https://github.com/pypa/wheel/compare/0.42.0...0.43.0) --- updated-dependencies: - dependency-name: wheel dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 3dd62d074f81..102059b986dd 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -74,9 +74,9 @@ tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -wheel==0.42.0 \ - --hash=sha256:177f9c9b0d45c47873b619f5b650346d632cdc35fb5e4d25058e09c9e581433d \ - --hash=sha256:c45be39f7882c9d34243236f2d63cbd58039e360f85d0913425fbd7ceea617a8 +wheel==0.43.0 \ + --hash=sha256:465ef92c69fa5c5da2d1cf8ac40559a8c940886afcef87dcf14b9470862f1d85 \ + --hash=sha256:55c570405f142630c6b9f72fe09d9b67cf1477fcf543ae5b8dcb1f5b7377da81 # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: From de40739bc7f80a6c7e682eeb0842d0431b8c2ada Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 12 Mar 2024 12:42:11 +0000 Subject: [PATCH 255/868] Bump BoringSSL and/or OpenSSL in CI (#10574) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b633649397a..a7f5a3072168 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29bb1a7ebe55102c90611c021a142fdb6e97f8d5"}} - # Latest commit on the OpenSSL master branch, as of Mar 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "53a8728686663f4fe044cd1a5757f6fcfd777317"}} + # Latest commit on the BoringSSL master branch, as of Mar 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dbad745811195c00b729efd0ee0a09b7d9fce1d2"}} + # Latest commit on the OpenSSL master branch, as of Mar 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "52a75f4088f2b2c59721152d9ec6ecf4d17c7e43"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1db62a1f91a44963521316dd9b18e380a5e12cee Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 12 Mar 2024 16:23:39 -0400 Subject: [PATCH 256/868] verification: abbreviate two errors slightly (#10575) Signed-off-by: William Woodruff --- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 8f704a39c0e2..47bc387d54af 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -484,7 +484,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { { return Err(ValidationError::Other(format!( "Forbidden public key algorithm: {:?}", - &child.tbs_cert.spki.algorithm + &child.tbs_cert.spki.algorithm.oid() ))); } @@ -500,7 +500,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { { return Err(ValidationError::Other(format!( "Forbidden signature algorithm: {:?}", - &child.signature_alg + &child.signature_alg.oid() ))); } From ef9e652c18d689f97d4b260a289ea687c92fc949 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 12 Mar 2024 17:08:45 -0400 Subject: [PATCH 257/868] Revert "verification: abbreviate two errors slightly (#10575)" (#10576) This reverts commit 1db62a1f91a44963521316dd9b18e380a5e12cee. --- src/rust/cryptography-x509-verification/src/policy/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 47bc387d54af..8f704a39c0e2 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -484,7 +484,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { { return Err(ValidationError::Other(format!( "Forbidden public key algorithm: {:?}", - &child.tbs_cert.spki.algorithm.oid() + &child.tbs_cert.spki.algorithm ))); } @@ -500,7 +500,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { { return Err(ValidationError::Other(format!( "Forbidden signature algorithm: {:?}", - &child.signature_alg.oid() + &child.signature_alg ))); } From 0b2194af0afc8e90f60f74c13d2ebea207abd1b8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 00:20:01 +0000 Subject: [PATCH 258/868] Bump BoringSSL and/or OpenSSL in CI (#10577) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a7f5a3072168..c5a8f109c29b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dbad745811195c00b729efd0ee0a09b7d9fce1d2"}} - # Latest commit on the OpenSSL master branch, as of Mar 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "52a75f4088f2b2c59721152d9ec6ecf4d17c7e43"}} + # Latest commit on the BoringSSL master branch, as of Mar 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "356d37861f5772e2d87ef443f61f33c020e52b04"}} + # Latest commit on the OpenSSL master branch, as of Mar 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7649b5548e5c0352b91d9d3ed695e42a2ac1e99c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From da744c3587494cd009cc593e0467e0551cb8802c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 00:28:56 +0000 Subject: [PATCH 259/868] Bump x509-limbo and/or wycheproof in CI (#10578) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index ed335bad876f..e69a221ad41b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -10,11 +10,11 @@ runs: repository: "google/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Oct 28, 2023. - ref: "d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d" # wycheproof-ref + ref: "3ea6fe11370fd0dd6ba5a68129ce82045b0e81ec" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 11, 2024. - ref: "b64509b2ce6d788667220b2509be559ee1a72dfe" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 13, 2024. + ref: "b112d32703c254124b4611c6d6dda0c61ee00ffe" # x509-limbo-ref From 5f410fd366be3376be3f1f897c7e5ad159a0f7bb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 12 Mar 2024 23:00:59 -0400 Subject: [PATCH 260/868] fix updating commit date for wycheproof (#10579) * fix updating commit date for wycheproof * Update .github/workflows/x509-limbo-version-bump.yml Co-authored-by: Paul Kehrer --------- Co-authored-by: Paul Kehrer --- .github/workflows/x509-limbo-version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index c8b14038a15f..effab7a2b08d 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -46,7 +46,7 @@ jobs: run: | set -xe CURRENT_DATE=$(date "+%b %d, %Y") - sed -E -i "s/Latest commit on the wycheproof main branch.*/Latest commit on the wycheproof main branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml + sed -E -i "s/Latest commit on the wycheproof master branch.*/Latest commit on the wycheproof master branch, as of ${CURRENT_DATE}./" .github/actions/fetch-vectors/action.yml sed -E -i "s/ref: \"[0-9a-f]{40}\" # wycheproof-ref/ref: \"${{ steps.check-sha-wycheproof.outputs.COMMIT_SHA }}\" # wycheproof-ref/" .github/actions/fetch-vectors/action.yml git status if: steps.check-sha-wycheproof.outputs.COMMIT_SHA From f3a0366f27c48760ced381af1b9b653cf31d7ff2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 07:03:32 -0400 Subject: [PATCH 261/868] Bump peter-evans/create-pull-request from 6.0.1 to 6.0.2 (#10581) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/a4f52f8033a6168103c2538976c07b467e8163bc...70a41aba780001da0a30141984ae2a0c95d8704e) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index d20aea2bee15..42535a26b6d2 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 + uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 with: commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index effab7a2b08d..951a663e56ea 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1 + uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 with: commit-message: "Bump x509-limbo and/or wycheproof in CI" title: "Bump x509-limbo and/or wycheproof in CI" From 4287f0284fc8ddff6d24cb5f21efcf9b80333442 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 07:42:14 -0400 Subject: [PATCH 262/868] Bump setuptools from 69.1.1 to 69.2.0 in /.github/requirements (#10584) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.1.1 to 69.2.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.1.1...v69.2.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 102059b986dd..cbec6164e9df 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.1.1 \ - --hash=sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56 \ - --hash=sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8 +setuptools==69.2.0 \ + --hash=sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e \ + --hash=sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c # via # -r build-requirements.in # setuptools-rust From e42ba6895a1761a29ee2a66f0576b695104f3fa9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Mar 2024 16:49:51 -0500 Subject: [PATCH 263/868] Bump zipp from 3.17.0 to 3.18.0 in /.github/requirements (#10583) * Bump zipp from 3.17.0 to 3.18.0 in /.github/requirements Bumps [zipp](https://github.com/jaraco/zipp) from 3.17.0 to 3.18.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.17.0...v3.18.0) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7f2d889e758c..e00c2c242d76 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -596,7 +596,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.17.0 \ - --hash=sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31 \ - --hash=sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0 +zipp==3.18.0 \ + --hash=sha256:c1bb803ed69d2cce2373152797064f7e79bc43f0a3748eb494096a867e0ebf79 \ + --hash=sha256:df8d042b02765029a09b157efd8e820451045890acc30f8e37dd2f94a060221f # via importlib-metadata From 5e96f922aa8c480da19c5213f4a1440708192233 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 00:20:51 +0000 Subject: [PATCH 264/868] Bump BoringSSL and/or OpenSSL in CI (#10585) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c5a8f109c29b..c84bb9a320e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,10 +42,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 13, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "356d37861f5772e2d87ef443f61f33c020e52b04"}} - # Latest commit on the OpenSSL master branch, as of Mar 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7649b5548e5c0352b91d9d3ed695e42a2ac1e99c"}} + # Latest commit on the BoringSSL master branch, as of Mar 14, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}} + # Latest commit on the OpenSSL master branch, as of Mar 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3cb0755323281267211fbe951b94a2552e99d32a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 608ed22e27fbc4c0d9d6145faa064993bb862a5a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 14 Mar 2024 00:42:46 +0000 Subject: [PATCH 265/868] Bump x509-limbo and/or wycheproof in CI (#10586) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index e69a221ad41b..19a1633b19c4 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -9,12 +9,12 @@ runs: with: repository: "google/wycheproof" path: "wycheproof" - # Latest commit on the wycheproof master branch, as of Oct 28, 2023. - ref: "3ea6fe11370fd0dd6ba5a68129ce82045b0e81ec" # wycheproof-ref + # Latest commit on the wycheproof master branch, as of Mar 14, 2024. + ref: "dbe819bb94a5dc6081f440eeb4a6809c7ff66511" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 13, 2024. - ref: "b112d32703c254124b4611c6d6dda0c61ee00ffe" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 14, 2024. + ref: "a04fb05cf132e1405f71c12616cf0aead829909a" # x509-limbo-ref From 24a0c022acf88fef28bc27f472fecaee984a4eca Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 00:14:46 +0000 Subject: [PATCH 266/868] Bump BoringSSL and/or OpenSSL in CI (#10587) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c84bb9a320e8..cc8422d9140c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 14, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}} - # Latest commit on the OpenSSL master branch, as of Mar 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3cb0755323281267211fbe951b94a2552e99d32a"}} + # Latest commit on the OpenSSL master branch, as of Mar 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f08be096517f9bdae8a9d1d837748237db4d13a9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c5830e5d7986de0b9f2b361cdc2db4d873351854 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 07:05:03 -0400 Subject: [PATCH 267/868] Bump coverage from 7.4.3 to 7.4.4 (#10589) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.3 to 7.4.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.3...7.4.4) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bde74a2c536a..74a6b882d209 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.3; python_version >= "3.8" +coverage==7.4.4; python_version >= "3.8" # via # coverage # pytest-cov From 8aee481d191e8b99237572783a43d79e5e0f7c70 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 07:39:37 -0500 Subject: [PATCH 268/868] Bump zipp from 3.18.0 to 3.18.1 in /.github/requirements (#10588) * Bump zipp from 3.18.0 to 3.18.1 in /.github/requirements Bumps [zipp](https://github.com/jaraco/zipp) from 3.18.0 to 3.18.1. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.18.0...v3.18.1) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e00c2c242d76..8e185c6e2645 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -596,7 +596,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.18.0 \ - --hash=sha256:c1bb803ed69d2cce2373152797064f7e79bc43f0a3748eb494096a867e0ebf79 \ - --hash=sha256:df8d042b02765029a09b157efd8e820451045890acc30f8e37dd2f94a060221f +zipp==3.18.1 \ + --hash=sha256:206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b \ + --hash=sha256:2884ed22e7d8961de1c9a05142eb69a247f120291bc0206a00a7642f09b5b715 # via importlib-metadata From 3ce6f735fa8a0c0a431ecddac6695009a5190350 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Mar 2024 18:18:48 -0400 Subject: [PATCH 269/868] Bump pydantic version (#10590) dependabot chokes on this one for whatever reason --- .github/requirements/publish-requirements.txt | 192 ++++++++---------- 1 file changed, 83 insertions(+), 109 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 8e185c6e2645..533df0772235 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -390,119 +390,93 @@ pycparser==2.21 \ --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 # via cffi -pydantic[email]==2.5.3 \ - --hash=sha256:b3ef57c62535b0941697cce638c08900d87fcb67e29cfa99e8a68f747f393f7a \ - --hash=sha256:d0caf5954bee831b6bfe7e338c32b9e30c85dfe080c843680783ac2b631673b4 +pydantic[email]==2.6.4 \ + --hash=sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6 \ + --hash=sha256:cc46fce86607580867bdc3361ad462bab9c222ef042d3da86f2fb333e1d916c5 # via # id # sigstore # sigstore-rekor-types -pydantic-core==2.14.6 \ - --hash=sha256:00646784f6cd993b1e1c0e7b0fdcbccc375d539db95555477771c27555e3c556 \ - --hash=sha256:00b1087dabcee0b0ffd104f9f53d7d3eaddfaa314cdd6726143af6bc713aa27e \ - --hash=sha256:0348b1dc6b76041516e8a854ff95b21c55f5a411c3297d2ca52f5528e49d8411 \ - --hash=sha256:036137b5ad0cb0004c75b579445a1efccd072387a36c7f217bb8efd1afbe5245 \ - --hash=sha256:095b707bb287bfd534044166ab767bec70a9bba3175dcdc3371782175c14e43c \ - --hash=sha256:0c08de15d50fa190d577e8591f0329a643eeaed696d7771760295998aca6bc66 \ - --hash=sha256:1302a54f87b5cd8528e4d6d1bf2133b6aa7c6122ff8e9dc5220fbc1e07bffebd \ - --hash=sha256:172de779e2a153d36ee690dbc49c6db568d7b33b18dc56b69a7514aecbcf380d \ - --hash=sha256:1b027c86c66b8627eb90e57aee1f526df77dc6d8b354ec498be9a757d513b92b \ - --hash=sha256:1ce830e480f6774608dedfd4a90c42aac4a7af0a711f1b52f807130c2e434c06 \ - --hash=sha256:1fd0c1d395372843fba13a51c28e3bb9d59bd7aebfeb17358ffaaa1e4dbbe948 \ - --hash=sha256:23598acb8ccaa3d1d875ef3b35cb6376535095e9405d91a3d57a8c7db5d29341 \ - --hash=sha256:24368e31be2c88bd69340fbfe741b405302993242ccb476c5c3ff48aeee1afe0 \ - --hash=sha256:26a92ae76f75d1915806b77cf459811e772d8f71fd1e4339c99750f0e7f6324f \ - --hash=sha256:27e524624eace5c59af499cd97dc18bb201dc6a7a2da24bfc66ef151c69a5f2a \ - --hash=sha256:2b8719037e570639e6b665a4050add43134d80b687288ba3ade18b22bbb29dd2 \ - --hash=sha256:2c5bcf3414367e29f83fd66f7de64509a8fd2368b1edf4351e862910727d3e51 \ - --hash=sha256:2dbe357bc4ddda078f79d2a36fc1dd0494a7f2fad83a0a684465b6f24b46fe80 \ - --hash=sha256:2f5fa187bde8524b1e37ba894db13aadd64faa884657473b03a019f625cee9a8 \ - --hash=sha256:2f6ffc6701a0eb28648c845f4945a194dc7ab3c651f535b81793251e1185ac3d \ - --hash=sha256:314ccc4264ce7d854941231cf71b592e30d8d368a71e50197c905874feacc8a8 \ - --hash=sha256:36026d8f99c58d7044413e1b819a67ca0e0b8ebe0f25e775e6c3d1fabb3c38fb \ - --hash=sha256:36099c69f6b14fc2c49d7996cbf4f87ec4f0e66d1c74aa05228583225a07b590 \ - --hash=sha256:36fa402dcdc8ea7f1b0ddcf0df4254cc6b2e08f8cd80e7010d4c4ae6e86b2a87 \ - --hash=sha256:370ffecb5316ed23b667d99ce4debe53ea664b99cc37bfa2af47bc769056d534 \ - --hash=sha256:3860c62057acd95cc84044e758e47b18dcd8871a328ebc8ccdefd18b0d26a21b \ - --hash=sha256:399ac0891c284fa8eb998bcfa323f2234858f5d2efca3950ae58c8f88830f145 \ - --hash=sha256:3a0b5db001b98e1c649dd55afa928e75aa4087e587b9524a4992316fa23c9fba \ - --hash=sha256:3dcf1978be02153c6a31692d4fbcc2a3f1db9da36039ead23173bc256ee3b91b \ - --hash=sha256:4241204e4b36ab5ae466ecec5c4c16527a054c69f99bba20f6f75232a6a534e2 \ - --hash=sha256:438027a975cc213a47c5d70672e0d29776082155cfae540c4e225716586be75e \ - --hash=sha256:43e166ad47ba900f2542a80d83f9fc65fe99eb63ceec4debec160ae729824052 \ - --hash=sha256:478e9e7b360dfec451daafe286998d4a1eeaecf6d69c427b834ae771cad4b622 \ - --hash=sha256:4ce8299b481bcb68e5c82002b96e411796b844d72b3e92a3fbedfe8e19813eab \ - --hash=sha256:4f86f1f318e56f5cbb282fe61eb84767aee743ebe32c7c0834690ebea50c0a6b \ - --hash=sha256:55a23dcd98c858c0db44fc5c04fc7ed81c4b4d33c653a7c45ddaebf6563a2f66 \ - --hash=sha256:599c87d79cab2a6a2a9df4aefe0455e61e7d2aeede2f8577c1b7c0aec643ee8e \ - --hash=sha256:5aa90562bc079c6c290f0512b21768967f9968e4cfea84ea4ff5af5d917016e4 \ - --hash=sha256:64634ccf9d671c6be242a664a33c4acf12882670b09b3f163cd00a24cffbd74e \ - --hash=sha256:667aa2eac9cd0700af1ddb38b7b1ef246d8cf94c85637cbb03d7757ca4c3fdec \ - --hash=sha256:6a31d98c0d69776c2576dda4b77b8e0c69ad08e8b539c25c7d0ca0dc19a50d6c \ - --hash=sha256:6af4b3f52cc65f8a0bc8b1cd9676f8c21ef3e9132f21fed250f6958bd7223bed \ - --hash=sha256:6c8edaea3089bf908dd27da8f5d9e395c5b4dc092dbcce9b65e7156099b4b937 \ - --hash=sha256:71d72ca5eaaa8d38c8df16b7deb1a2da4f650c41b58bb142f3fb75d5ad4a611f \ - --hash=sha256:72f9a942d739f09cd42fffe5dc759928217649f070056f03c70df14f5770acf9 \ - --hash=sha256:747265448cb57a9f37572a488a57d873fd96bf51e5bb7edb52cfb37124516da4 \ - --hash=sha256:75ec284328b60a4e91010c1acade0c30584f28a1f345bc8f72fe8b9e46ec6a96 \ - --hash=sha256:78d0768ee59baa3de0f4adac9e3748b4b1fffc52143caebddfd5ea2961595277 \ - --hash=sha256:78ee52ecc088c61cce32b2d30a826f929e1708f7b9247dc3b921aec367dc1b23 \ - --hash=sha256:7be719e4d2ae6c314f72844ba9d69e38dff342bc360379f7c8537c48e23034b7 \ - --hash=sha256:7e1f4744eea1501404b20b0ac059ff7e3f96a97d3e3f48ce27a139e053bb370b \ - --hash=sha256:7e90d6cc4aad2cc1f5e16ed56e46cebf4877c62403a311af20459c15da76fd91 \ - --hash=sha256:7ebe3416785f65c28f4f9441e916bfc8a54179c8dea73c23023f7086fa601c5d \ - --hash=sha256:7f41533d7e3cf9520065f610b41ac1c76bc2161415955fbcead4981b22c7611e \ - --hash=sha256:7f5025db12fc6de7bc1104d826d5aee1d172f9ba6ca936bf6474c2148ac336c1 \ - --hash=sha256:86c963186ca5e50d5c8287b1d1c9d3f8f024cbe343d048c5bd282aec2d8641f2 \ - --hash=sha256:86ce5fcfc3accf3a07a729779d0b86c5d0309a4764c897d86c11089be61da160 \ - --hash=sha256:8a14c192c1d724c3acbfb3f10a958c55a2638391319ce8078cb36c02283959b9 \ - --hash=sha256:8b93785eadaef932e4fe9c6e12ba67beb1b3f1e5495631419c784ab87e975670 \ - --hash=sha256:8ed1af8692bd8d2a29d702f1a2e6065416d76897d726e45a1775b1444f5928a7 \ - --hash=sha256:92879bce89f91f4b2416eba4429c7b5ca22c45ef4a499c39f0c5c69257522c7c \ - --hash=sha256:94fc0e6621e07d1e91c44e016cc0b189b48db053061cc22d6298a611de8071bb \ - --hash=sha256:982487f8931067a32e72d40ab6b47b1628a9c5d344be7f1a4e668fb462d2da42 \ - --hash=sha256:9862bf828112e19685b76ca499b379338fd4c5c269d897e218b2ae8fcb80139d \ - --hash=sha256:99b14dbea2fdb563d8b5a57c9badfcd72083f6006caf8e126b491519c7d64ca8 \ - --hash=sha256:9c6a5c79b28003543db3ba67d1df336f253a87d3112dac3a51b94f7d48e4c0e1 \ - --hash=sha256:a19b794f8fe6569472ff77602437ec4430f9b2b9ec7a1105cfd2232f9ba355e6 \ - --hash=sha256:a306cdd2ad3a7d795d8e617a58c3a2ed0f76c8496fb7621b6cd514eb1532cae8 \ - --hash=sha256:a3dde6cac75e0b0902778978d3b1646ca9f438654395a362cb21d9ad34b24acf \ - --hash=sha256:a874f21f87c485310944b2b2734cd6d318765bcbb7515eead33af9641816506e \ - --hash=sha256:a983cca5ed1dd9a35e9e42ebf9f278d344603bfcb174ff99a5815f953925140a \ - --hash=sha256:aca48506a9c20f68ee61c87f2008f81f8ee99f8d7f0104bff3c47e2d148f89d9 \ - --hash=sha256:b2602177668f89b38b9f84b7b3435d0a72511ddef45dc14446811759b82235a1 \ - --hash=sha256:b3e5fe4538001bb82e2295b8d2a39356a84694c97cb73a566dc36328b9f83b40 \ - --hash=sha256:b6ca36c12a5120bad343eef193cc0122928c5c7466121da7c20f41160ba00ba2 \ - --hash=sha256:b89f4477d915ea43b4ceea6756f63f0288941b6443a2b28c69004fe07fde0d0d \ - --hash=sha256:b9a9d92f10772d2a181b5ca339dee066ab7d1c9a34ae2421b2a52556e719756f \ - --hash=sha256:c99462ffc538717b3e60151dfaf91125f637e801f5ab008f81c402f1dff0cd0f \ - --hash=sha256:cb92f9061657287eded380d7dc455bbf115430b3aa4741bdc662d02977e7d0af \ - --hash=sha256:cdee837710ef6b56ebd20245b83799fce40b265b3b406e51e8ccc5b85b9099b7 \ - --hash=sha256:cf10b7d58ae4a1f07fccbf4a0a956d705356fea05fb4c70608bb6fa81d103cda \ - --hash=sha256:d15687d7d7f40333bd8266f3814c591c2e2cd263fa2116e314f60d82086e353a \ - --hash=sha256:d5c28525c19f5bb1e09511669bb57353d22b94cf8b65f3a8d141c389a55dec95 \ - --hash=sha256:d5f916acf8afbcab6bacbb376ba7dc61f845367901ecd5e328fc4d4aef2fcab0 \ - --hash=sha256:dab03ed811ed1c71d700ed08bde8431cf429bbe59e423394f0f4055f1ca0ea60 \ - --hash=sha256:db453f2da3f59a348f514cfbfeb042393b68720787bbef2b4c6068ea362c8149 \ - --hash=sha256:de2a0645a923ba57c5527497daf8ec5df69c6eadf869e9cd46e86349146e5975 \ - --hash=sha256:dea7fcd62915fb150cdc373212141a30037e11b761fbced340e9db3379b892d4 \ - --hash=sha256:dfcbebdb3c4b6f739a91769aea5ed615023f3c88cb70df812849aef634c25fbe \ - --hash=sha256:dfcebb950aa7e667ec226a442722134539e77c575f6cfaa423f24371bb8d2e94 \ - --hash=sha256:e0641b506486f0b4cd1500a2a65740243e8670a2549bb02bc4556a83af84ae03 \ - --hash=sha256:e33b0834f1cf779aa839975f9d8755a7c2420510c0fa1e9fa0497de77cd35d2c \ - --hash=sha256:e4ace1e220b078c8e48e82c081e35002038657e4b37d403ce940fa679e57113b \ - --hash=sha256:e4cf2d5829f6963a5483ec01578ee76d329eb5caf330ecd05b3edd697e7d768a \ - --hash=sha256:e574de99d735b3fc8364cba9912c2bec2da78775eba95cbb225ef7dda6acea24 \ - --hash=sha256:e646c0e282e960345314f42f2cea5e0b5f56938c093541ea6dbf11aec2862391 \ - --hash=sha256:e8a5ac97ea521d7bde7621d86c30e86b798cdecd985723c4ed737a2aa9e77d0c \ - --hash=sha256:eedf97be7bc3dbc8addcef4142f4b4164066df0c6f36397ae4aaed3eb187d8ab \ - --hash=sha256:ef633add81832f4b56d3b4c9408b43d530dfca29e68fb1b797dcb861a2c734cd \ - --hash=sha256:f27207e8ca3e5e021e2402ba942e5b4c629718e665c81b8b306f3c8b1ddbb786 \ - --hash=sha256:f85f3843bdb1fe80e8c206fe6eed7a1caeae897e496542cee499c374a85c6e08 \ - --hash=sha256:f8e81e4b55930e5ffab4a68db1af431629cf2e4066dbdbfef65348b8ab804ea8 \ - --hash=sha256:f96ae96a060a8072ceff4cfde89d261837b4294a4f28b84a28765470d502ccc6 \ - --hash=sha256:fd9e98b408384989ea4ab60206b8e100d8687da18b5c813c11e92fd8212a98e0 \ - --hash=sha256:ffff855100bc066ff2cd3aa4a60bc9534661816b110f0243e59503ec2df38421 +pydantic-core==2.16.3 \ + --hash=sha256:00ee1c97b5364b84cb0bd82e9bbf645d5e2871fb8c58059d158412fee2d33d8a \ + --hash=sha256:0d32576b1de5a30d9a97f300cc6a3f4694c428d956adbc7e6e2f9cad279e45ed \ + --hash=sha256:0df446663464884297c793874573549229f9eca73b59360878f382a0fc085979 \ + --hash=sha256:0f56ae86b60ea987ae8bcd6654a887238fd53d1384f9b222ac457070b7ac4cff \ + --hash=sha256:13dcc4802961b5f843a9385fc821a0b0135e8c07fc3d9949fd49627c1a5e6ae5 \ + --hash=sha256:162e498303d2b1c036b957a1278fa0899d02b2842f1ff901b6395104c5554a45 \ + --hash=sha256:1b662180108c55dfbf1280d865b2d116633d436cfc0bba82323554873967b340 \ + --hash=sha256:1cac689f80a3abab2d3c0048b29eea5751114054f032a941a32de4c852c59cad \ + --hash=sha256:21b888c973e4f26b7a96491c0965a8a312e13be108022ee510248fe379a5fa23 \ + --hash=sha256:287073c66748f624be4cef893ef9174e3eb88fe0b8a78dc22e88eca4bc357ca6 \ + --hash=sha256:2a1ef6a36fdbf71538142ed604ad19b82f67b05749512e47f247a6ddd06afdc7 \ + --hash=sha256:2a72fb9963cba4cd5793854fd12f4cfee731e86df140f59ff52a49b3552db241 \ + --hash=sha256:2acca2be4bb2f2147ada8cac612f8a98fc09f41c89f87add7256ad27332c2fda \ + --hash=sha256:2f583bd01bbfbff4eaee0868e6fc607efdfcc2b03c1c766b06a707abbc856187 \ + --hash=sha256:33809aebac276089b78db106ee692bdc9044710e26f24a9a2eaa35a0f9fa70ba \ + --hash=sha256:36fa178aacbc277bc6b62a2c3da95226520da4f4e9e206fdf076484363895d2c \ + --hash=sha256:4204e773b4b408062960e65468d5346bdfe139247ee5f1ca2a378983e11388a2 \ + --hash=sha256:4384a8f68ddb31a0b0c3deae88765f5868a1b9148939c3f4121233314ad5532c \ + --hash=sha256:456855f57b413f077dff513a5a28ed838dbbb15082ba00f80750377eed23d132 \ + --hash=sha256:49d5d58abd4b83fb8ce763be7794d09b2f50f10aa65c0f0c1696c677edeb7cbf \ + --hash=sha256:4ac6b4ce1e7283d715c4b729d8f9dab9627586dafce81d9eaa009dd7f25dd972 \ + --hash=sha256:4df8a199d9f6afc5ae9a65f8f95ee52cae389a8c6b20163762bde0426275b7db \ + --hash=sha256:500960cb3a0543a724a81ba859da816e8cf01b0e6aaeedf2c3775d12ee49cade \ + --hash=sha256:519ae0312616026bf4cedc0fe459e982734f3ca82ee8c7246c19b650b60a5ee4 \ + --hash=sha256:578114bc803a4c1ff9946d977c221e4376620a46cf78da267d946397dc9514a8 \ + --hash=sha256:5c5cbc703168d1b7a838668998308018a2718c2130595e8e190220238addc96f \ + --hash=sha256:6162f8d2dc27ba21027f261e4fa26f8bcb3cf9784b7f9499466a311ac284b5b9 \ + --hash=sha256:704d35ecc7e9c31d48926150afada60401c55efa3b46cd1ded5a01bdffaf1d48 \ + --hash=sha256:716b542728d4c742353448765aa7cdaa519a7b82f9564130e2b3f6766018c9ec \ + --hash=sha256:72282ad4892a9fb2da25defeac8c2e84352c108705c972db82ab121d15f14e6d \ + --hash=sha256:7233d65d9d651242a68801159763d09e9ec96e8a158dbf118dc090cd77a104c9 \ + --hash=sha256:732da3243e1b8d3eab8c6ae23ae6a58548849d2e4a4e03a1924c8ddf71a387cb \ + --hash=sha256:75b81e678d1c1ede0785c7f46690621e4c6e63ccd9192af1f0bd9d504bbb6bf4 \ + --hash=sha256:75f76ee558751746d6a38f89d60b6228fa174e5172d143886af0f85aa306fd89 \ + --hash=sha256:7ee8d5f878dccb6d499ba4d30d757111847b6849ae07acdd1205fffa1fc1253c \ + --hash=sha256:7f752826b5b8361193df55afcdf8ca6a57d0232653494ba473630a83ba50d8c9 \ + --hash=sha256:86b3d0033580bd6bbe07590152007275bd7af95f98eaa5bd36f3da219dcd93da \ + --hash=sha256:8d62da299c6ecb04df729e4b5c52dc0d53f4f8430b4492b93aa8de1f541c4aac \ + --hash=sha256:8e47755d8152c1ab5b55928ab422a76e2e7b22b5ed8e90a7d584268dd49e9c6b \ + --hash=sha256:9091632a25b8b87b9a605ec0e61f241c456e9248bfdcf7abdf344fdb169c81cf \ + --hash=sha256:936e5db01dd49476fa8f4383c259b8b1303d5dd5fb34c97de194560698cc2c5e \ + --hash=sha256:99b6add4c0b39a513d323d3b93bc173dac663c27b99860dd5bf491b240d26137 \ + --hash=sha256:9c865a7ee6f93783bd5d781af5a4c43dadc37053a5b42f7d18dc019f8c9d2bd1 \ + --hash=sha256:a425479ee40ff021f8216c9d07a6a3b54b31c8267c6e17aa88b70d7ebd0e5e5b \ + --hash=sha256:a4b2bf78342c40b3dc830880106f54328928ff03e357935ad26c7128bbd66ce8 \ + --hash=sha256:a6b1bb0827f56654b4437955555dc3aeeebeddc47c2d7ed575477f082622c49e \ + --hash=sha256:aaf09e615a0bf98d406657e0008e4a8701b11481840be7d31755dc9f97c44053 \ + --hash=sha256:b1f6f5938d63c6139860f044e2538baeee6f0b251a1816e7adb6cbce106a1f01 \ + --hash=sha256:b29eeb887aa931c2fcef5aa515d9d176d25006794610c264ddc114c053bf96fe \ + --hash=sha256:b3992a322a5617ded0a9f23fd06dbc1e4bd7cf39bc4ccf344b10f80af58beacd \ + --hash=sha256:b5b6079cc452a7c53dd378c6f881ac528246b3ac9aae0f8eef98498a75657805 \ + --hash=sha256:b60cc1a081f80a2105a59385b92d82278b15d80ebb3adb200542ae165cd7d183 \ + --hash=sha256:b926dd38db1519ed3043a4de50214e0d600d404099c3392f098a7f9d75029ff8 \ + --hash=sha256:bd87f48924f360e5d1c5f770d6155ce0e7d83f7b4e10c2f9ec001c73cf475c99 \ + --hash=sha256:bda1ee3e08252b8d41fa5537413ffdddd58fa73107171a126d3b9ff001b9b820 \ + --hash=sha256:be0ec334369316fa73448cc8c982c01e5d2a81c95969d58b8f6e272884df0074 \ + --hash=sha256:c6119dc90483a5cb50a1306adb8d52c66e447da88ea44f323e0ae1a5fcb14256 \ + --hash=sha256:c9803edf8e29bd825f43481f19c37f50d2b01899448273b3a7758441b512acf8 \ + --hash=sha256:c9bd22a2a639e26171068f8ebb5400ce2c1bc7d17959f60a3b753ae13c632975 \ + --hash=sha256:cbcc558401de90a746d02ef330c528f2e668c83350f045833543cd57ecead1ad \ + --hash=sha256:cf6204fe865da605285c34cf1172879d0314ff267b1c35ff59de7154f35fdc2e \ + --hash=sha256:d33dd21f572545649f90c38c227cc8631268ba25c460b5569abebdd0ec5974ca \ + --hash=sha256:d89ca19cdd0dd5f31606a9329e309d4fcbb3df860960acec32630297d61820df \ + --hash=sha256:d8f99b147ff3fcf6b3cc60cb0c39ea443884d5559a30b1481e92495f2310ff2b \ + --hash=sha256:d937653a696465677ed583124b94a4b2d79f5e30b2c46115a68e482c6a591c8a \ + --hash=sha256:dcca5d2bf65c6fb591fff92da03f94cd4f315972f97c21975398bd4bd046854a \ + --hash=sha256:ded1c35f15c9dea16ead9bffcde9bb5c7c031bff076355dc58dcb1cb436c4721 \ + --hash=sha256:e3e70c94a0c3841e6aa831edab1619ad5c511199be94d0c11ba75fe06efe107a \ + --hash=sha256:e56f8186d6210ac7ece503193ec84104da7ceb98f68ce18c07282fcc2452e76f \ + --hash=sha256:e7774b570e61cb998490c5235740d475413a1f6de823169b4cf94e2fe9e9f6b2 \ + --hash=sha256:e7c6ed0dc9d8e65f24f5824291550139fe6f37fac03788d4580da0d33bc00c97 \ + --hash=sha256:ec08be75bb268473677edb83ba71e7e74b43c008e4a7b1907c6d57e940bf34b6 \ + --hash=sha256:ecdf6bf5f578615f2e985a5e1f6572e23aa632c4bd1dc67f8f406d445ac115ed \ + --hash=sha256:ed25e1835c00a332cb10c683cd39da96a719ab1dfc08427d476bce41b92531fc \ + --hash=sha256:f4cb85f693044e0f71f394ff76c98ddc1bc0953e48c061725e540396d5c8a2e1 \ + --hash=sha256:f53aace168a2a10582e570b7736cc5bef12cae9cf21775e3eafac597e8551fbe \ + --hash=sha256:f651dd19363c632f4abe3480a7c87a9773be27cfe1341aef06e8759599454120 \ + --hash=sha256:fc4ad7f7ee1a13d9cb49d8198cd7d7e3aa93e425f371a68235f784e99741561f \ + --hash=sha256:fee427241c2d9fb7192b658190f9f5fd6dfe41e02f3c1489d2ec1e6a5ab1e04a # via pydantic pygments==2.17.2 \ --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ From 1af96015f8673644d6d3efb7c00e580d9bdacb45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 22:19:19 +0000 Subject: [PATCH 270/868] Bump ruff from 0.3.2 to 0.3.3 (#10591) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.2 to 0.3.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.2...v0.3.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 74a6b882d209..60342287e07a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.2 +ruff==0.3.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 87d224f613ca4d84cf58ba45eaa43a298a9dd68a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 15 Mar 2024 21:12:50 -0400 Subject: [PATCH 271/868] Bump x509-limbo and/or wycheproof in CI (#10592) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 19a1633b19c4..d3e8f3ad9d0b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -9,12 +9,12 @@ runs: with: repository: "google/wycheproof" path: "wycheproof" - # Latest commit on the wycheproof master branch, as of Mar 14, 2024. - ref: "dbe819bb94a5dc6081f440eeb4a6809c7ff66511" # wycheproof-ref + # Latest commit on the wycheproof master branch, as of Mar 16, 2024. + ref: "1621269c9f8e4a11f7de5dd2cb353400f054ce6f" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 14, 2024. - ref: "a04fb05cf132e1405f71c12616cf0aead829909a" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 16, 2024. + ref: "1381655977188ad42f49cc5cd0eabff9b3c77670" # x509-limbo-ref From 1dccbcd2df5d017926bb0d7eeef0f58f458a7e30 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 16 Mar 2024 01:23:30 +0000 Subject: [PATCH 272/868] Bump BoringSSL and/or OpenSSL in CI (#10594) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc8422d9140c..7f269947a5f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,8 +44,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 14, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}} - # Latest commit on the OpenSSL master branch, as of Mar 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f08be096517f9bdae8a9d1d837748237db4d13a9"}} + # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 37e3e2916544c8d557c2a452a2fd4f4628265411 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Mar 2024 22:20:55 -0400 Subject: [PATCH 273/868] Use distinct branch names for different bump jobs (#10593) --- .github/workflows/boring-open-version-bump.yml | 1 + .github/workflows/x509-limbo-version-bump.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 42535a26b6d2..cfe495d2652a 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -60,6 +60,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 with: + branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" title: "Bump BoringSSL and/or OpenSSL in CI" author: "pyca-boringbot[bot] " diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 951a663e56ea..dfd4f9b46c59 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -59,6 +59,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 with: + branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" title: "Bump x509-limbo and/or wycheproof in CI" author: "pyca-boringbot[bot] " From c4046a4bdd9d7a06aee9360bfbc2ac6bfc2e39d4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 00:17:17 +0000 Subject: [PATCH 274/868] Bump BoringSSL and/or OpenSSL in CI (#10595) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7f269947a5f5..ff04e0493efa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 14, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fae0964b3d44e94ca2a2d21f86e61dabe683d130"}} + # Latest commit on the BoringSSL master branch, as of Mar 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f57a11ae566ac17c1b028d79950227a33ae32fad"}} # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} # Builds with various Rust versions. Includes MSRV and next From 152f06b35bac094fb4e93f0651452345f2449e7c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 00:19:48 +0000 Subject: [PATCH 275/868] Bump syn from 2.0.52 to 2.0.53 in /src/rust (#10597) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.52 to 2.0.53. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.52...2.0.53) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6f9b5dbf258c..1f28cb2d9c02 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "syn" -version = "2.0.52" +version = "2.0.53" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07" +checksum = "7383cd0e49fff4b6b90ca5670bfd3e9d6a733b3f90c686605aa7eec8c4996032" dependencies = [ "proc-macro2", "quote", From 0314ebfcebcacbf29163d8a53186877e42d350f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 00:20:02 +0000 Subject: [PATCH 276/868] Bump dawidd6/action-download-artifact from 3.1.2 to 3.1.3 (#10596) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/71072fbb1229e1317f1a8de6b04206afb461bd67...a430ac5786b39ad5869da25a98130624d2ce340c) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ff04e0493efa..283e53c27a8a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -253,7 +253,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 + - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -313,7 +313,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 + - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index f95c72b497dc..7f9ea2c9563a 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -47,7 +47,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 + - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 15380e301d51..27cf1e8c8176 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 + - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@71072fbb1229e1317f1a8de6b04206afb461bd67 # v3.1.2 + - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 with: repo: pyca/infra workflow: build-windows-openssl.yml From 725f8c2c1d9cac4e21fc3f0fc7692d1271dad0c9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 22:32:49 -0400 Subject: [PATCH 277/868] Bump BoringSSL and/or OpenSSL in CI (#10599) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 283e53c27a8a..600a9ea1cefc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f57a11ae566ac17c1b028d79950227a33ae32fad"}} + # Latest commit on the BoringSSL master branch, as of Mar 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b85a0d1ebe76d80986708ce3a8faa120d49ef8fe"}} # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} # Builds with various Rust versions. Includes MSRV and next From 3401dc2681063b3de501a3395bafb2b1abce9f5f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 07:47:43 -0500 Subject: [PATCH 278/868] Bump dawidd6/action-download-artifact from 3.1.3 to 3.1.4 (#10601) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/a430ac5786b39ad5869da25a98130624d2ce340c...09f2f74827fd3a8607589e5ad7f9398816f540fe) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 600a9ea1cefc..00789cd0003e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -253,7 +253,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 + - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -313,7 +313,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 + - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7f9ea2c9563a..433b1a1b1ac4 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -47,7 +47,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 + - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 27cf1e8c8176..9367b2d16ccf 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -232,7 +232,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 + - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -329,7 +329,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@a430ac5786b39ad5869da25a98130624d2ce340c # v3.1.3 + - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 with: repo: pyca/infra workflow: build-windows-openssl.yml From c694fa2913416c78428bf959162f54d24b9a6ffd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 19 Mar 2024 00:16:05 +0000 Subject: [PATCH 279/868] Bump BoringSSL and/or OpenSSL in CI (#10602) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 00789cd0003e..70ec07f92311 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b85a0d1ebe76d80986708ce3a8faa120d49ef8fe"}} + # Latest commit on the BoringSSL master branch, as of Mar 19, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "044fbc86ef5505d5fdab2befd476992ad1074665"}} # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} # Builds with various Rust versions. Includes MSRV and next From fa43111758a6bfd65cef2901484f8686c4200448 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 20:16:18 -0500 Subject: [PATCH 280/868] Bump x509-limbo and/or wycheproof in CI (#10603) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index d3e8f3ad9d0b..1a481b11756a 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 16, 2024. - ref: "1381655977188ad42f49cc5cd0eabff9b3c77670" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 19, 2024. + ref: "bd3c2cf87448dc5770b8b372b22bffbfc928d7a0" # x509-limbo-ref From 78ad21339ec158c7bdf21228ea171585698d204e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 01:15:53 +0000 Subject: [PATCH 281/868] Bump BoringSSL and/or OpenSSL in CI (#10605) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 70ec07f92311..118ce5155416 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 19, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "044fbc86ef5505d5fdab2befd476992ad1074665"}} + # Latest commit on the BoringSSL master branch, as of Mar 20, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c5e9b4be0f2fabaac68961c0edce381703731d03"}} # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} # Builds with various Rust versions. Includes MSRV and next From 9f065e9a477f15d4be0b4544b10d69a98d46c68f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 01:16:27 +0000 Subject: [PATCH 282/868] Bump x509-limbo and/or wycheproof in CI (#10606) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 1a481b11756a..804ef8de51c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 19, 2024. - ref: "bd3c2cf87448dc5770b8b372b22bffbfc928d7a0" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 20, 2024. + ref: "511fe1c0565f7931db6f4f9eb986778effb68a44" # x509-limbo-ref From 94ed69d83540d49eab1e20289854136caddabe54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 07:09:15 -0400 Subject: [PATCH 283/868] Bump actions/cache from 4.0.1 to 4.0.2 (#10610) Bumps [actions/cache](https://github.com/actions/cache) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/ab5e6d0c87105b4c9c2047343972218f562e4319...0c45773b623bea8c8e75f6c82b208c3cf94ea4f9) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 118ce5155416..cb16e53b5af1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -91,7 +91,7 @@ jobs: CONFIG_FLAGS: ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }} if: matrix.PYTHON.OPENSSL - name: Load OpenSSL cache - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: ossl-cache timeout-minutes: 2 with: From c5659517c65ca97b98efdf02d814caa375d1d510 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 07:53:05 -0500 Subject: [PATCH 284/868] Bump sigstore from 2.1.2 to 2.1.3 in /.github/requirements (#10611) * Bump sigstore from 2.1.2 to 2.1.3 in /.github/requirements Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/v2.1.3/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.1.2...v2.1.3) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 533df0772235..bb925eb0f5b7 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -534,9 +534,9 @@ securesystemslib==0.31.0 \ # via # sigstore # tuf -sigstore==2.1.2 \ - --hash=sha256:94139c1efa0784135516d11b79c8b06d4ea61245624e69cda44494e87560b07c \ - --hash=sha256:fd9069b50b5789c6e229641e948a9b47c07525e8924f5e4d20d7dc1a8db6d6e2 +sigstore==2.1.3 \ + --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ + --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 # via -r publish-requirements.in sigstore-protobuf-specs==0.2.2 \ --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ From 1cdfd410f6044b616088c642aa7aa9b9d39acdf2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 20 Mar 2024 13:14:55 -0500 Subject: [PATCH 285/868] add openssl 3.3.0-alpha1 to testing (#10612) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cb16e53b5af1..3a2bc38e5174 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,6 +36,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-alpha1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} From 95764126ca1649281744ddff254776b8338b773b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 00:16:01 +0000 Subject: [PATCH 286/868] Bump BoringSSL and/or OpenSSL in CI (#10613) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3a2bc38e5174..b660cdbaf860 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 20, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c5e9b4be0f2fabaac68961c0edce381703731d03"}} + # Latest commit on the BoringSSL master branch, as of Mar 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a200650ac344338f9af86822266984804eb86370"}} # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} # Builds with various Rust versions. Includes MSRV and next From ee8e8c4910d501fc8ad8a67e96d8d0684b3959b9 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 20:46:43 -0400 Subject: [PATCH 287/868] Bump x509-limbo and/or wycheproof in CI (#10614) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 804ef8de51c8..4e3a214ce086 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 20, 2024. - ref: "511fe1c0565f7931db6f4f9eb986778effb68a44" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 21, 2024. + ref: "2d797b4f9d21e8c0ac3c070d2ff8198b4640acf9" # x509-limbo-ref From 4a3e7dcc977cc3f9091154c15e6ecdcee3b1d00d Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Mar 2024 21:00:00 -0400 Subject: [PATCH 288/868] verification: client verification APIs (#10345) * verification: WIP client verification skeleton Signed-off-by: William Woodruff * verify: fill in build_client_verifier Signed-off-by: William Woodruff * implement ClientVerifier.verify Signed-off-by: William Woodruff * verification: make Python 3.8 happy Signed-off-by: William Woodruff * switch to a full VerifiedClient type Signed-off-by: William Woodruff * remove the SubjectOwner::None hack Signed-off-by: William Woodruff * docs: fix ClientVerifier Signed-off-by: William Woodruff * verification: replace match with if Signed-off-by: William Woodruff * return GNs directly, not whole extension Signed-off-by: William Woodruff * docs/verification: document UnsupportedGeneralNameType raise Signed-off-by: William Woodruff * lib: RFC822 checks on NCs * test_limbo: enable client tests * tests: flake * test_verification: more Python API coverage * verification: filter GNs by NC support * verification: forbid unsupported NC GNs This is what we should have been doing originally, per RFC 5280 4.2.1.10: > If a name constraints extension that is marked as critical > imposes constraints on a particular name form, and an instance of > that name form appears in the subject field or subjectAltName > extension of a subsequent certificate, then the application MUST > either process the constraint or reject the certificate. * docs/verification: remove old sentence Signed-off-by: William Woodruff * verification: ensure the right EKU for client/server paths Signed-off-by: William Woodruff * test_limbo: fixup EKU assertion * verification: feedback --------- Signed-off-by: William Woodruff --- docs/x509/verification.rst | 84 +++++++++++- .../hazmat/bindings/_rust/x509.pyi | 20 +++ src/cryptography/x509/verification.py | 4 + .../cryptography-x509-verification/src/lib.rs | 14 ++ .../src/policy/extension.rs | 20 +-- .../src/policy/mod.rs | 50 ++++++- src/rust/src/x509/verify.rs | 122 +++++++++++++++++- tests/x509/verification/test_limbo.py | 45 +++++-- tests/x509/verification/test_verification.py | 34 +++++ 9 files changed, 361 insertions(+), 32 deletions(-) diff --git a/docs/x509/verification.rst b/docs/x509/verification.rst index 6afc75f289e5..ab360417b482 100644 --- a/docs/x509/verification.rst +++ b/docs/x509/verification.rst @@ -104,6 +104,73 @@ the root of trust: :class:`cryptography.x509.general_name.DNSName`, :class:`cryptography.x509.general_name.IPAddress`. +.. class:: VerifiedClient + + .. versionadded:: 43.0.0 + + .. attribute:: subjects + + :type: list of :class:`~cryptography.x509.GeneralName` + + The subjects presented in the verified client's Subject Alternative Name + extension. + + .. attribute:: chain + + :type: A list of :class:`~cryptography.x509.Certificate`, in leaf-first order + + The chain of certificates that forms the valid chain to the client + certificate. + + +.. class:: ClientVerifier + + .. versionadded:: 43.0.0 + + A ClientVerifier verifies client certificates. + + It contains and describes various pieces of configurable path + validation logic, such as how deep prospective validation chains may go, + which signature algorithms are allowed, and so forth. + + ClientVerifier instances cannot be constructed directly; + :class:`PolicyBuilder` must be used. + + .. attribute:: validation_time + + :type: :class:`datetime.datetime` + + The verifier's validation time. + + .. attribute:: max_chain_depth + + :type: :class:`int` + + The verifier's maximum intermediate CA chain depth. + + .. attribute:: store + + :type: :class:`Store` + + The verifier's trust store. + + .. method:: verify(leaf, intermediates) + + Performs path validation on ``leaf``, returning a valid path + if one exists. The path is returned in leaf-first order: + the first member is ``leaf``, followed by the intermediates used + (if any), followed by a member of the ``store``. + + :param leaf: The leaf :class:`~cryptography.x509.Certificate` to validate + :param intermediates: A :class:`list` of intermediate :class:`~cryptography.x509.Certificate` to attempt to use + + :returns: + A new instance of :class:`VerifiedClient` + + :raises VerificationError: If a valid chain cannot be constructed + + :raises UnsupportedGeneralNameType: If a valid chain exists, but contains an unsupported general name type + .. class:: ServerVerifier .. versionadded:: 42.0.0 @@ -174,7 +241,8 @@ the root of trust: Sets the verifier's verification time. If not called explicitly, this is set to :meth:`datetime.datetime.now` - when :meth:`build_server_verifier` is called. + when :meth:`build_server_verifier` or :meth:`build_client_verifier` + is called. :param new_time: The :class:`datetime.datetime` to use in the verifier @@ -209,3 +277,17 @@ the root of trust: :param subject: A :class:`Subject` to use in the verifier :returns: An instance of :class:`ServerVerifier` + + .. method:: build_client_verifier() + + .. versionadded:: 43.0.0 + + Builds a verifier for verifying client certificates. + + .. warning:: + + This API is not suitable for website (i.e. server) certificate + verification. You **must** use :meth:`build_server_verifier` + for server verification. + + :returns: An instance of :class:`ClientVerifier` diff --git a/src/cryptography/hazmat/bindings/_rust/x509.pyi b/src/cryptography/hazmat/bindings/_rust/x509.pyi index 418184f8a6fd..aa85657fcfd8 100644 --- a/src/cryptography/hazmat/bindings/_rust/x509.pyi +++ b/src/cryptography/hazmat/bindings/_rust/x509.pyi @@ -62,10 +62,30 @@ class PolicyBuilder: def time(self, new_time: datetime.datetime) -> PolicyBuilder: ... def store(self, new_store: Store) -> PolicyBuilder: ... def max_chain_depth(self, new_max_chain_depth: int) -> PolicyBuilder: ... + def build_client_verifier(self) -> ClientVerifier: ... def build_server_verifier( self, subject: x509.verification.Subject ) -> ServerVerifier: ... +class VerifiedClient: + @property + def subjects(self) -> list[x509.GeneralName]: ... + @property + def chain(self) -> list[x509.Certificate]: ... + +class ClientVerifier: + @property + def validation_time(self) -> datetime.datetime: ... + @property + def store(self) -> Store: ... + @property + def max_chain_depth(self) -> int: ... + def verify( + self, + leaf: x509.Certificate, + intermediates: list[x509.Certificate], + ) -> VerifiedClient: ... + class ServerVerifier: @property def subject(self) -> x509.verification.Subject: ... diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index ab1a37ae6b01..191705e8352b 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -12,6 +12,8 @@ __all__ = [ "Store", "Subject", + "VerifiedClient", + "ClientVerifier", "ServerVerifier", "PolicyBuilder", "VerificationError", @@ -19,6 +21,8 @@ Store = rust_x509.Store Subject = typing.Union[DNSName, IPAddress] +VerifiedClient = rust_x509.VerifiedClient +ClientVerifier = rust_x509.ClientVerifier ServerVerifier = rust_x509.ServerVerifier PolicyBuilder = rust_x509.PolicyBuilder VerificationError = rust_x509.VerificationError diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 01bc76affc59..036e9dcd1b0f 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -20,6 +20,7 @@ use cryptography_x509::{ name::GeneralName, oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID}, }; +use types::{RFC822Constraint, RFC822Name}; use crate::certificate::cert_is_self_issued; use crate::ops::{CryptoOps, VerificationCertificate}; @@ -137,6 +138,19 @@ impl<'a, 'chain> NameChain<'a, 'chain> { ))), } } + (GeneralName::RFC822Name(pattern), GeneralName::RFC822Name(name)) => { + match (RFC822Constraint::new(pattern.0), RFC822Name::new(name.0)) { + (Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))), + (_, None) => Err(ValidationError::Other(format!( + "unsatisfiable RFC822 name constraint: malformed SAN {:?}", + name.0, + ))), + (None, _) => Err(ValidationError::Other(format!( + "malformed RFC822 name constraints: {:?}", + pattern.0 + ))), + } + } // All other matching pairs of (constraint, name) are currently unsupported. (GeneralName::OtherName(_), GeneralName::OtherName(_)) | (GeneralName::X400Address(_), GeneralName::X400Address(_)) diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index 9ab88ab5189d..a707b0d8d65f 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -303,15 +303,17 @@ pub(crate) mod ee { _ => (), }; - let san: SubjectAlternativeName<'_> = extn.value()?; - if !policy - .subject - .as_ref() - .map_or_else(|| false, |sub| sub.matches(&san)) - { - return Err(ValidationError::Other( - "leaf certificate has no matching subjectAltName".into(), - )); + // NOTE: We only verify the SAN against the policy's subject if the + // policy actually contains one. This enables both client and server + // profiles to use this validator, **with the expectation** that + // server profile construction requires a subject to be present. + if let Some(sub) = policy.subject.as_ref() { + let san: SubjectAlternativeName<'_> = extn.value()?; + if !sub.matches(&san) { + return Err(ValidationError::Other( + "leaf certificate has no matching subjectAltName".into(), + )); + } } Ok(()) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 8f704a39c0e2..22f5a13dc0aa 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -19,7 +19,8 @@ use cryptography_x509::common::{ use cryptography_x509::extensions::{BasicConstraints, Extensions, SubjectAlternativeName}; use cryptography_x509::name::GeneralName; use cryptography_x509::oid::{ - BASIC_CONSTRAINTS_OID, EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_SERVER_AUTH_OID, + BASIC_CONSTRAINTS_OID, EC_SECP256R1, EC_SECP384R1, EC_SECP521R1, EKU_CLIENT_AUTH_OID, + EKU_SERVER_AUTH_OID, }; use once_cell::sync::Lazy; @@ -234,20 +235,19 @@ pub struct Policy<'a, B: CryptoOps> { } impl<'a, B: CryptoOps> Policy<'a, B> { - /// Create a new policy with defaults for the server certificate profile - /// defined in the CA/B Forum's Basic Requirements. - pub fn server( + fn new( ops: B, - subject: Subject<'a>, + subject: Option>, time: asn1::DateTime, max_chain_depth: Option, + extended_key_usage: ObjectIdentifier, ) -> Self { Self { ops, max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH), - subject: Some(subject), + subject, validation_time: time, - extended_key_usage: EKU_SERVER_AUTH_OID.clone(), + extended_key_usage, minimum_rsa_modulus: WEBPKI_MINIMUM_RSA_MODULUS, permitted_public_key_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SPKI_ALGORITHMS), permitted_signature_algorithms: Arc::clone(&*WEBPKI_PERMITTED_SIGNATURE_ALGORITHMS), @@ -316,6 +316,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> { Some(ee::key_usage), ), // CA/B 7.1.2.7.12 Subscriber Certificate Subject Alternative Name + // This validator handles both client and server cases by only matching against + // the SAN if the profile contains a subject, which it won't in the client + // validation case. subject_alternative_name: ExtensionValidator::present( Criticality::Agnostic, Some(ee::subject_alternative_name), @@ -337,6 +340,39 @@ impl<'a, B: CryptoOps> Policy<'a, B> { } } + /// Create a new policy with suitable defaults for client certification + /// validation. + /// + /// **IMPORTANT**: This is **not** the appropriate API for verifying + /// website (i.e. server) certificates. For that, you **must** use + /// [`Policy::server`]. + pub fn client(ops: B, time: asn1::DateTime, max_chain_depth: Option) -> Self { + Self::new( + ops, + None, + time, + max_chain_depth, + EKU_CLIENT_AUTH_OID.clone(), + ) + } + + /// Create a new policy with defaults for the server certificate profile + /// defined in the CA/B Forum's Basic Requirements. + pub fn server( + ops: B, + subject: Subject<'a>, + time: asn1::DateTime, + max_chain_depth: Option, + ) -> Self { + Self::new( + ops, + Some(subject), + time, + max_chain_depth, + EKU_SERVER_AUTH_OID.clone(), + ) + } + fn permits_basic(&self, cert: &Certificate<'_>) -> Result<(), ValidationError> { // CA/B 7.1.1: // Certificates MUST be of type X.509 v3. diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index d35c3a61ceaa..2c65f6327103 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -2,13 +2,16 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use cryptography_x509::certificate::Certificate; +use cryptography_x509::{ + certificate::Certificate, extensions::SubjectAlternativeName, oid::SUBJECT_ALTERNATIVE_NAME_OID, +}; use cryptography_x509_verification::{ ops::{CryptoOps, VerificationCertificate}, policy::{Policy, Subject}, trust_store::Store, types::{DNSName, IPAddress}, }; +use pyo3::IntoPy; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; @@ -17,6 +20,8 @@ use crate::x509::certificate::Certificate as PyCertificate; use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime}; use crate::x509::sign; +use super::parse_general_names; + pub(crate) struct PyCryptoOps {} impl CryptoOps for PyCryptoOps { @@ -118,6 +123,28 @@ impl PolicyBuilder { }) } + fn build_client_verifier(&self, py: pyo3::Python<'_>) -> CryptographyResult { + let store = match self.store.as_ref() { + Some(s) => s.clone_ref(py), + None => { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "A client verifier must have a trust store.", + ), + )); + } + }; + + let time = match self.time.as_ref() { + Some(t) => t.clone(), + None => datetime_now(py)?, + }; + + let policy = PyCryptoPolicy(Policy::client(PyCryptoOps {}, time, self.max_chain_depth)); + + Ok(PyClientVerifier { policy, store }) + } + fn build_server_verifier( &self, py: pyo3::Python<'_>, @@ -180,6 +207,97 @@ self_cell::self_cell!( } ); +#[pyo3::pyclass( + frozen, + name = "VerifiedClient", + module = "cryptography.hazmat.bindings._rust.x509" +)] +struct PyVerifiedClient { + #[pyo3(get)] + subjects: pyo3::Py, + #[pyo3(get)] + chain: pyo3::Py, +} + +#[pyo3::pyclass( + frozen, + name = "ClientVerifier", + module = "cryptography.hazmat.bindings._rust.x509" +)] +struct PyClientVerifier { + policy: PyCryptoPolicy<'static>, + #[pyo3(get)] + store: pyo3::Py, +} + +impl PyClientVerifier { + fn as_policy(&self) -> &Policy<'_, PyCryptoOps> { + &self.policy.0 + } +} + +#[pyo3::pymethods] +impl PyClientVerifier { + #[getter] + fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + datetime_to_py(py, &self.as_policy().validation_time) + } + + #[getter] + fn max_chain_depth(&self) -> u8 { + self.as_policy().max_chain_depth + } + + fn verify( + &self, + py: pyo3::Python<'_>, + leaf: pyo3::Py, + intermediates: Vec>, + ) -> CryptographyResult { + let policy = self.as_policy(); + let store = self.store.get(); + + let chain = cryptography_x509_verification::verify( + &VerificationCertificate::new( + leaf.get().raw.borrow_dependent().clone(), + leaf.clone_ref(py), + ), + intermediates.iter().map(|i| { + VerificationCertificate::new( + i.get().raw.borrow_dependent().clone(), + i.clone_ref(py), + ) + }), + policy, + store.raw.borrow_dependent(), + ) + .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; + + let py_chain = pyo3::types::PyList::empty(py); + for c in &chain { + py_chain.append(c.extra())?; + } + + // NOTE: These `unwrap()`s cannot fail, since the underlying policy + // enforces the presence of a SAN and the well-formedness of the + // extension set. + let leaf_san = &chain[0] + .certificate() + .extensions() + .unwrap() + .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) + .unwrap(); + + let leaf_gns = leaf_san.value::>()?; + let py_gns = parse_general_names(py, &leaf_gns)?; + + Ok(PyVerifiedClient { + subjects: py_gns, + chain: py_chain.into_py(py), + }) + } +} + #[pyo3::pyclass( frozen, name = "ServerVerifier", @@ -333,6 +451,8 @@ impl PyStore { } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { + module.add_class::()?; + module.add_class::()?; module.add_class::()?; module.add_class::()?; module.add_class::()?; diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index c745bdbe5729..2675ca735475 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -12,7 +12,9 @@ from cryptography import x509 from cryptography.x509 import load_pem_x509_certificate from cryptography.x509.verification import ( + ClientVerifier, PolicyBuilder, + ServerVerifier, Store, VerificationError, ) @@ -78,12 +80,14 @@ def _get_limbo_peer(expected_peer): kind = expected_peer["kind"] - assert kind in ("DNS", "IP") + assert kind in ("DNS", "IP", "RFC822") value = expected_peer["value"] if kind == "DNS": return x509.DNSName(value) - else: + elif kind == "IP": return x509.IPAddress(ipaddress.ip_address(value)) + else: + return x509.RFC822Name(value) def _limbo_testcase(id_, testcase): @@ -95,14 +99,7 @@ def _limbo_testcase(id_, testcase): if unsupported: pytest.skip(f"explicitly skipped features: {unsupported}") - if testcase["validation_kind"] != "SERVER": - pytest.skip("non-SERVER testcase") - assert testcase["signature_algorithms"] == [] - assert testcase["extended_key_usage"] == [] or testcase[ - "extended_key_usage" - ] == ["serverAuth"] - assert testcase["expected_peer_names"] == [] trusted_certs = [ load_pem_x509_certificate(cert.encode()) @@ -115,7 +112,6 @@ def _limbo_testcase(id_, testcase): peer_certificate = load_pem_x509_certificate( testcase["peer_certificate"].encode() ) - peer_name = _get_limbo_peer(testcase["expected_peer_name"]) validation_time = testcase["validation_time"] validation_time = ( datetime.datetime.fromisoformat(validation_time) @@ -131,12 +127,33 @@ def _limbo_testcase(id_, testcase): if max_chain_depth is not None: builder = builder.max_chain_depth(max_chain_depth) - verifier = builder.build_server_verifier(peer_name) + verifier: ServerVerifier | ClientVerifier + if testcase["validation_kind"] == "SERVER": + assert testcase["extended_key_usage"] == [] or testcase[ + "extended_key_usage" + ] == ["serverAuth"] + peer_name = _get_limbo_peer(testcase["expected_peer_name"]) + verifier = builder.build_server_verifier(peer_name) + else: + assert testcase["extended_key_usage"] == ["clientAuth"] + verifier = builder.build_client_verifier() if should_pass: - built_chain = verifier.verify( - peer_certificate, untrusted_intermediates - ) + if isinstance(verifier, ServerVerifier): + built_chain = verifier.verify( + peer_certificate, untrusted_intermediates + ) + else: + verified_client = verifier.verify( + peer_certificate, untrusted_intermediates + ) + + expected_subjects = [ + _get_limbo_peer(p) for p in testcase["expected_peer_names"] + ] + assert expected_subjects == verified_client.subjects + + built_chain = verified_client.chain # Assert that the verifier returns chains in [EE, ..., TA] order. assert built_chain[0] == peer_certificate diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index 8c2be7054227..e8c280fce0e6 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -105,6 +105,40 @@ def test_store_rejects_non_certificates(self): Store(["not a cert"]) # type: ignore[list-item] +class TestClientVerifier: + def test_build_client_verifier_missing_store(self): + with pytest.raises( + ValueError, match="A client verifier must have a trust store" + ): + PolicyBuilder().build_client_verifier() + + def test_verify(self): + # expires 2018-11-16 01:15:03 UTC + leaf = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + ) + + store = Store([leaf]) + + validation_time = datetime.datetime.fromisoformat( + "2018-11-16T00:00:00+00:00" + ) + builder = PolicyBuilder().store(store) + builder = builder.time(validation_time).max_chain_depth(16) + verifier = builder.build_client_verifier() + + assert verifier.validation_time == validation_time.replace(tzinfo=None) + assert verifier.max_chain_depth == 16 + + verified_client = verifier.verify(leaf, []) + assert verified_client.chain == [leaf] + + assert x509.DNSName("www.cryptography.io") in verified_client.subjects + assert x509.DNSName("cryptography.io") in verified_client.subjects + assert len(verified_client.subjects) == 2 + + class TestServerVerifier: @pytest.mark.parametrize( ("validation_time", "valid"), From 71e4ae3434aea8b434aea97ac156cc31804e81cd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 20 Mar 2024 21:14:08 -0400 Subject: [PATCH 289/868] Added the PKCS#12 KDF (#10564) --- src/rust/src/pkcs12.rs | 155 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 0743e5e7778f..1df4d51ae2e8 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -72,6 +72,113 @@ impl PKCS12Certificate { } } +#[allow(dead_code)] +const KDF_ENCRYPTION_KEY_ID: u8 = 1; +#[allow(dead_code)] +const KDF_IV_ID: u8 = 2; +#[allow(dead_code)] +const KDF_MAC_KEY_ID: u8 = 3; +#[allow(dead_code)] +fn pkcs12_kdf( + pass: &[u8], + salt: &[u8], + id: u8, + rounds: u64, + key_len: usize, + hash_alg: openssl::hash::MessageDigest, +) -> CryptographyResult> { + // Encode the password as big-endian UTF-16 with NUL trailer + let pass = std::str::from_utf8(pass) + .map_err(|_| pyo3::exceptions::PyValueError::new_err("key must be valid UTF-8"))? + .encode_utf16() + .chain([0]) + .flat_map(|v| v.to_be_bytes()) + .collect::>(); + + // Comments are borrowed from BoringSSL. + // In the spec, |block_size| is called "v", but measured in bits. + let block_size = hash_alg.block_size(); + + // 1. Construct a string, D (the "diversifier"), by concatenating v/8 copies + // of ID. + let d = vec![id; block_size]; + + // 2. Concatenate copies of the salt together to create a string S of length + // v(ceiling(s/v)) bits (the final copy of the salt may be truncated to + // create S). Note that if the salt is the empty string, then so is S. + // + // 3. Concatenate copies of the password together to create a string P of + // length v(ceiling(p/v)) bits (the final copy of the password may be + // truncated to create P). Note that if the password is the empty string, + // then so is P. + // + // 4. Set I=S||P to be the concatenation of S and P. + let s_len = block_size * ((salt.len() + block_size - 1) / block_size); + let p_len = block_size * ((pass.len() + block_size - 1) / block_size); + + let mut init_key = vec![0; s_len + p_len]; + for i in 0..s_len { + init_key[i] = salt[i % salt.len()]; + } + for i in 0..p_len { + init_key[i + s_len] = pass[i % pass.len()]; + } + + let mut result = vec![0; key_len]; + let mut pos = 0; + loop { + // A. Set A_i=H^r(D||I). (i.e., the r-th hash of D||I, + // H(H(H(... H(D||I)))) + + let mut h = openssl::hash::Hasher::new(hash_alg)?; + h.update(&d)?; + h.update(&init_key)?; + let mut a = h.finish()?; + + for _ in 1..rounds { + let mut h = openssl::hash::Hasher::new(hash_alg)?; + h.update(&a)?; + a = h.finish()?; + } + + let to_add = a.len().min(result.len() - pos); + result[pos..pos + to_add].copy_from_slice(&a[..to_add]); + pos += to_add; + if pos == result.len() { + break; + } + + // B. Concatenate copies of A_i to create a string B of length v bits (the + // final copy of A_i may be truncated to create B). + let mut b = vec![0; block_size]; + for i in 0..block_size { + b[i] = a[i % a.len()]; + } + + // C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit blocks, + // where k=ceiling(s/v)+ceiling(p/v), modify I by setting I_j=(I_j+B+1) mod + // 2^v for each j. + assert!(init_key.len() % block_size == 0); + let mut j = 0; + while j < init_key.len() { + let mut carry = 1u16; + let mut k = block_size - 1; + loop { + carry += init_key[k + j] as u16 + b[k] as u16; + init_key[j + k] = carry as u8; + carry >>= 8; + if k == 0 { + break; + } + k -= 1; + } + j += block_size; + } + } + + Ok(result) +} + fn decode_p12( data: CffiBuf<'_>, password: Option>, @@ -212,3 +319,51 @@ pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::pr Ok(submod) } + +#[cfg(test)] +mod tests { + use super::{pkcs12_kdf, KDF_ENCRYPTION_KEY_ID, KDF_IV_ID, KDF_MAC_KEY_ID}; + + #[test] + fn test_pkcs12_kdf() { + for (password, salt, id, rounds, key_len, hash, expected_key) in [ + // From https://github.com/RustCrypto/formats/blob/master/pkcs12/tests/kdf.rs + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 32, openssl::hash::MessageDigest::sha256(), b"\xfa\xe4\xd4\x95z<\xc7\x81\xe1\x18\x0b\x9dO\xb7\x9c\x1e\x0c\x85y\xb7F\xa3\x17~[\x07h\xa3\x11\x8b\xf8c" as &[u8]), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 100, 32, openssl::hash::MessageDigest::sha256(), b"\xe5\xff\x81;\xc6T}\xe5\x15[\x14\xd2\xfa\xda\x85\xb3 \x1a\x97sI\xdbn&\xcc\xc9\x98\xd9\xe8\xf8=l"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 100, 32, openssl::hash::MessageDigest::sha256(), b"\x13cU\xed\x944Qf\x82SOF\xd69V\xdb_\xf0k\x84G\x02\xc2\xc1\xf3\xb4c!\xe2RJM"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 20, openssl::hash::MessageDigest::sha256(), b"\xfa\xe4\xd4\x95z<\xc7\x81\xe1\x18\x0b\x9dO\xb7\x9c\x1e\x0c\x85y\xb7"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 100, 20, openssl::hash::MessageDigest::sha256(), b"\xe5\xff\x81;\xc6T}\xe5\x15[\x14\xd2\xfa\xda\x85\xb3 \x1a\x97s"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 100, 20, openssl::hash::MessageDigest::sha256(), b"\x13cU\xed\x944Qf\x82SOF\xd69V\xdb_\xf0k\x84"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 12, openssl::hash::MessageDigest::sha256(), b"\xfa\xe4\xd4\x95z<\xc7\x81\xe1\x18\x0b\x9d"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 100, 12, openssl::hash::MessageDigest::sha256(), b"\xe5\xff\x81;\xc6T}\xe5\x15[\x14\xd2"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 100, 12, openssl::hash::MessageDigest::sha256(), b"\x13cU\xed\x944Qf\x82SOF"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 1000, 32, openssl::hash::MessageDigest::sha256(), b"+\x95\xa0V\x9bc\xf6A\xfa\xe1\xef\xca2\xe8M\xb3i\x9a\xb7E@b\x8b\xa6b\x83\xb5\x8c\xf5@\x05'"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_IV_ID, 1000, 32, openssl::hash::MessageDigest::sha256(), b"dr\xc0\xeb\xad?\xabA#\xe8\xb5\xedx4\xde!\xee\xb2\x01\x87\xb3\xef\xf7\x8a}\x1c\xdf\xfa@4\x85\x1d"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_MAC_KEY_ID, 1000, 32, openssl::hash::MessageDigest::sha256(), b"?\x91\x13\xf0\\0\xa9\x96\xc4\xa5\x16@\x9b\xda\xc9\xd0e\xf4B\x96\xcc\xd5+\xb7]\xe3\xfc\xfd\xbe+\xf10"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 1000, 100, openssl::hash::MessageDigest::sha256(), b"+\x95\xa0V\x9bc\xf6A\xfa\xe1\xef\xca2\xe8M\xb3i\x9a\xb7E@b\x8b\xa6b\x83\xb5\x8c\xf5@\x05\'\xd8\xd0\xeb\xe2\xcc\xbfv\x8cQ\xc4\xd8\xfb\xd1\xbb\x15k\xe0l\x1cY\xcb\xb6\x9eD\x05/\xfc77o\xdbG\xb2\xde\x7f\x9eT=\xe9\xd0\x96\xd8\xe5GK\"\x04\x10\xff\x1c]\x8b\xb7\xe5\xbc\x0fa\xba\xea\xa1/\xd0\xda\x1dz\x97\x01r"), + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 1000, 200, openssl::hash::MessageDigest::sha256(), b"+\x95\xa0V\x9bc\xf6A\xfa\xe1\xef\xca2\xe8M\xb3i\x9a\xb7E@b\x8b\xa6b\x83\xb5\x8c\xf5@\x05\'\xd8\xd0\xeb\xe2\xcc\xbfv\x8cQ\xc4\xd8\xfb\xd1\xbb\x15k\xe0l\x1cY\xcb\xb6\x9eD\x05/\xfc77o\xdbG\xb2\xde\x7f\x9eT=\xe9\xd0\x96\xd8\xe5GK\"\x04\x10\xff\x1c]\x8b\xb7\xe5\xbc\x0fa\xba\xea\xa1/\xd0\xda\x1dz\x97\x01r\x9c\xea`\x14\xd7\xfeb\xa2\xed\x92m\xc3ka0\x7f\x11\x9dd\xed\xbc\xebZ\x9cX\x13;\xbfu\xba\x0b\xef\x00\n\x1aQ\x80\xe4\xb1\xde}\x89\xc8\x95(\xbc\xb7\x89\x9a\x1eF\xfdM\xa0\xd9\xde\x8f\x8ee\xe8\xd0\xd7u\xe3=\x12G\xe7mYj401a\xb2\x19\xf3\x9a\xfd\xa4H\xbfQ\x8a(5\xfc^(\xf0\xb5Z\x1ba7\xa2\xc7\x0c\xf7"), + + ("ge@äheim".as_bytes(), b"\x01\x02\x03\x04\x05\x06\x07\x08", KDF_ENCRYPTION_KEY_ID, 100, 32, openssl::hash::MessageDigest::sha512(), b"\xb1J\x9f\x01\xbf\xd9\xdc\xe4\xc9\xd6m/\xe9\x93~_\xd9\xf1\xaf\xa5\x9e7\no\xa4\xfc\x81\xc1\xcc\x8e\xc8\xee"), + + // From https://cs.opensource.google/go/x/crypto/+/master:pkcs12/pbkdf_test.go + (b"sesame", b"\xff\xff\xff\xff\xff\xff\xff\xff", KDF_ENCRYPTION_KEY_ID, 2048, 24, openssl::hash::MessageDigest::sha1(), b"\x7c\xd9\xfd\x3e\x2b\x3b\xe7\x69\x1a\x44\xe3\xbe\xf0\xf9\xea\x0f\xb9\xb8\x97\xd4\xe3\x25\xd9\xd1"), + ] { + let result = pkcs12_kdf(password, salt, id, rounds, key_len, hash).map_err(|_| ()).unwrap(); + assert_eq!(result, expected_key); + } + } + + #[test] + fn test_pkcs12_kdf_error() { + // Key is not valid UTF-8 + let result = pkcs12_kdf( + b"\x91\x82%\xa1", + b"\x01\x02\x03\x04", + KDF_ENCRYPTION_KEY_ID, + 100, + 8, + openssl::hash::MessageDigest::sha256(), + ); + assert!(matches!(result, Err(_))); + } +} From 9482fdef7b40a2d43913b48a53a36e8c5b055bc0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 20 Mar 2024 21:15:24 -0400 Subject: [PATCH 290/868] CHANGELOG: record new X.509 client verification APIs (#10615) --- .gitignore | 4 +++- CHANGELOG.rst | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 035b15ccd025..1d4ebfbc597a 100644 --- a/.gitignore +++ b/.gitignore @@ -13,4 +13,6 @@ htmlcov/ *.py[cdo] .hypothesis/ target/ -.rust-cov/ \ No newline at end of file +.rust-cov/ +*.lcov +*.profdata diff --git a/CHANGELOG.rst b/CHANGELOG.rst index fb71418f32f5..a1ce4d63793c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -29,6 +29,12 @@ Changelog They will be removed from the ``cipher`` module in 48.0.0. * Added support for deterministic :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` (:rfc:`6979`) +* Added support for client certificate verification to the + :mod:`X.509 path validation ` APIs in the + form of :class:`~cryptography.x509.verification.ClientVerifier`, + :class:`~cryptography.x509.verification.VerifiedClient`, and + ``PolicyBuilder`` + :meth:`~cryptography.x509.verification.PolicyBuilder.build_client_verifier`. .. _v42-0-5: From deb2bae5117266781cc65fe56eae87075ac0cb37 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 11:09:58 +0000 Subject: [PATCH 291/868] Bump smallvec from 1.13.1 to 1.13.2 in /src/rust (#10617) Bumps [smallvec](https://github.com/servo/rust-smallvec) from 1.13.1 to 1.13.2. - [Release notes](https://github.com/servo/rust-smallvec/releases) - [Commits](https://github.com/servo/rust-smallvec/compare/v1.13.1...v1.13.2) --- updated-dependencies: - dependency-name: smallvec dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1f28cb2d9c02..a8102b1b9a96 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -371,9 +371,9 @@ checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" [[package]] name = "smallvec" -version = "1.13.1" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" From de7d0b0bd0d99f5a3ba58090372bf67f0342f6c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 08:02:41 -0400 Subject: [PATCH 292/868] Bump sigstore-protobuf-specs from 0.2.2 to 0.3.0 in /.github/requirements (#10619) * Bump sigstore-protobuf-specs in /.github/requirements Bumps [sigstore-protobuf-specs](https://github.com/sigstore/protobuf-specs) from 0.2.2 to 0.3.0. - [Release notes](https://github.com/sigstore/protobuf-specs/releases) - [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/protobuf-specs/compare/release/python/v0.2.2...v0.3.0) --- updated-dependencies: - dependency-name: sigstore-protobuf-specs dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bb925eb0f5b7..b894aff8d091 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -538,9 +538,9 @@ sigstore==2.1.3 \ --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 # via -r publish-requirements.in -sigstore-protobuf-specs==0.2.2 \ - --hash=sha256:62c7beabc6910fb570dc4c600e33e81f2d2d683f785202ee109ca394bd829e94 \ - --hash=sha256:c05c1e7478a80af0c7dea9cc2d11f047826e4c029573d564137f788e11377391 +sigstore-protobuf-specs==0.3.0 \ + --hash=sha256:3322adb73992bca0f3dc6d4c2c38bac29086a11d2631a983adb2798e58e32a54 \ + --hash=sha256:e06321d28e58cb1505ae682b63756b4fb858da6b11bd7b49a2b6beabe412ebfd # via sigstore sigstore-rekor-types==0.0.11 \ --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ From 6e9b22af436c9da1b1752c811b9e63e326cb05f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 08:02:54 -0400 Subject: [PATCH 293/868] Bump importlib-metadata from 7.0.2 to 7.1.0 in /.github/requirements (#10618) * Bump importlib-metadata from 7.0.2 to 7.1.0 in /.github/requirements Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.0.2 to 7.1.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.0.2...v7.1.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b894aff8d091..2dfde9d77409 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -240,9 +240,9 @@ idna==3.6 \ # via # email-validator # requests -importlib-metadata==7.0.2 \ - --hash=sha256:198f568f3230878cb1b44fbd7975f87906c22336dba2e4a7f05278c281fbd792 \ - --hash=sha256:f4bc4c0c070c490abf4ce96d715f68e95923320370efb66143df00199bb6c100 +importlib-metadata==7.1.0 \ + --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ + --hash=sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2 # via # keyring # twine From f9b78cf489528ca90ebb51ca67b35983537fdbcf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 21:54:58 -0400 Subject: [PATCH 294/868] Bump BoringSSL and/or OpenSSL in CI (#10624) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b660cdbaf860..55823ac088a5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a200650ac344338f9af86822266984804eb86370"}} - # Latest commit on the OpenSSL master branch, as of Mar 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "dc9bc6c8e1bd329ead703417a2235ab3e97557ec"}} + # Latest commit on the BoringSSL master branch, as of Mar 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "06fb6e1b129d426b0f543e0e77890295175f012a"}} + # Latest commit on the OpenSSL master branch, as of Mar 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9abcf116962e9a117717c751de93846f11da16cd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8bd15a1d28c78b48791e68aa6800271fd11abf8b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Mar 2024 22:08:56 -0400 Subject: [PATCH 295/868] Added additional PKCS#12 tests (#10622) --- tests/hazmat/primitives/test_pkcs12.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 9ee3cc3fc769..f5284b788cc3 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -414,7 +414,33 @@ def test_generate_cas_friendly_names(self, backend): p12_cert = load_pkcs12(p12, None, backend) cas = p12_cert.additional_certs + assert cas[0].certificate == cert2 assert cas[0].friendly_name == b"cert2" + assert cas[1].certificate == cert3 + assert cas[1].friendly_name is None + + def test_generate_cas_friendly_names_no_key(self, backend): + cert2 = _load_cert( + backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem") + ) + cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem")) + encryption = serialization.NoEncryption() + p12 = serialize_key_and_certificates( + None, + None, + None, + [ + PKCS12Certificate(cert2, b"cert2"), + PKCS12Certificate(cert3, None), + ], + encryption, + ) + + p12_cert = load_pkcs12(p12, None, backend) + cas = p12_cert.additional_certs + assert cas[0].certificate == cert2 + assert cas[0].friendly_name == b"cert2" + assert cas[1].certificate == cert3 assert cas[1].friendly_name is None def test_generate_wrong_types(self, backend): From 089039d0f6bb34d6a8b4dcdb04265547abc74c1d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 21 Mar 2024 22:44:41 -0400 Subject: [PATCH 296/868] Added additional PKCS#12 tests (#10625) --- tests/hazmat/primitives/test_pkcs12.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index f5284b788cc3..9217e4eca5f2 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -529,6 +529,30 @@ def test_generate_cert_only(self, encryption_algorithm, password, backend): assert parsed_key is None assert parsed_more_certs == [cert] + def test_generate_cert_only_none_cas(self, backend): + # Same as test_generate_cert_only, but passing None instead of an + # empty list for cas. + cert, _ = _load_ca(backend) + p12 = serialize_key_and_certificates( + None, None, cert, None, serialization.NoEncryption() + ) + parsed_key, parsed_cert, parsed_more_certs = load_key_and_certificates( + p12, None + ) + assert parsed_cert is None + assert parsed_key is None + assert parsed_more_certs == [cert] + + def test_invalid_utf8_friendly_name(self, backend): + if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: + pytest.skip("Temporarily doesn't work on LibreSSL") + + cert, _ = _load_ca(backend) + with pytest.raises(ValueError): + serialize_key_and_certificates( + b"\xc9", None, cert, None, serialization.NoEncryption() + ) + def test_must_supply_something(self): with pytest.raises(ValueError) as exc: serialize_key_and_certificates( From 51a6dd28ccbb7587fff9e951299b17aac39ee5cc Mon Sep 17 00:00:00 2001 From: commonism Date: Fri, 22 Mar 2024 04:24:22 +0100 Subject: [PATCH 297/868] Adding support for OpenSSH ecdsa-sk & ed25519-sk public keys (#10608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Adding support for OpenSSH ecdsa-sk & ed25519-sk public keys fixes #10604 * Revert changing the keygen * Add application string to sk key generation * Typing - fix load_application return value annotation * fix sk keys skipping loading in the tests * fix ruff E509 * Fix ruff … * comment wording Co-authored-by: Alex Gaynor * requested changes * no subclassing * fix SyntaxError: annotated name '_KEY_FORMATS' can't be global in python 3.7 c.f. https://github.com/python/cpython/issues/79120 * typo * Update src/cryptography/hazmat/primitives/serialization/ssh.py Co-authored-by: Alex Gaynor * Update src/cryptography/hazmat/primitives/serialization/ssh.py Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- .../hazmat/primitives/serialization/ssh.py | 56 +++++++++++++++++++ tests/hazmat/primitives/test_ssh.py | 33 +++++++++-- .../asymmetric/OpenSSH/gen.sh | 6 +- .../asymmetric/OpenSSH/sk-ecdsa-nopsw.key | 11 ++++ .../asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub | 1 + .../asymmetric/OpenSSH/sk-ecdsa-psw.key | 12 ++++ .../asymmetric/OpenSSH/sk-ecdsa-psw.key.pub | 1 + .../asymmetric/OpenSSH/sk-ed25519-nopsw.key | 10 ++++ .../OpenSSH/sk-ed25519-nopsw.key.pub | 1 + .../asymmetric/OpenSSH/sk-ed25519-psw.key | 11 ++++ .../asymmetric/OpenSSH/sk-ed25519-psw.key.pub | 1 + 11 files changed, 138 insertions(+), 5 deletions(-) create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index f33edd55e0ea..fc9fbf42584f 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -64,6 +64,10 @@ def _bcrypt_kdf( _ECDSA_NISTP521 = b"ecdsa-sha2-nistp521" _CERT_SUFFIX = b"-cert-v01@openssh.com" +# U2F application string suffixed pubkey +_SK_SSH_ED25519 = b"sk-ssh-ed25519@openssh.com" +_SK_SSH_ECDSA_NISTP256 = b"sk-ecdsa-sha2-nistp256@openssh.com" + # These are not key types, only algorithms, so they cannot appear # as a public key type _SSH_RSA_SHA256 = b"rsa-sha2-256" @@ -572,6 +576,56 @@ def encode_private( f_priv.put_sshstr(f_keypair) +def load_application(data) -> tuple[memoryview, memoryview]: + """ + U2F application strings + """ + application, data = _get_sshstr(data) + if not application.tobytes().startswith(b"ssh:"): + raise ValueError( + "U2F application string does not start with b'ssh:' " + f"({application})" + ) + return application, data + + +class _SSHFormatSKEd25519: + """ + The format of a sk-ssh-ed25519@openssh.com public key is: + + string "sk-ssh-ed25519@openssh.com" + string public key + string application (user-specified, but typically "ssh:") + """ + + def load_public( + self, data: memoryview + ) -> tuple[ed25519.Ed25519PublicKey, memoryview]: + """Make Ed25519 public key from data.""" + public_key, data = _lookup_kformat(_SSH_ED25519).load_public(data) + application, data = load_application(data) + return public_key, data + + +class _SSHFormatSKECDSA: + """ + The format of a sk-ecdsa-sha2-nistp256@openssh.com public key is: + + string "sk-ecdsa-sha2-nistp256@openssh.com" + string curve name + ec_point Q + string application (user-specified, but typically "ssh:") + """ + + def load_public( + self, data: memoryview + ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: + """Make Ed25519 public key from data.""" + public_key, data = _lookup_kformat(_ECDSA_NISTP256).load_public(data) + application, data = load_application(data) + return public_key, data + + _KEY_FORMATS = { _SSH_RSA: _SSHFormatRSA(), _SSH_DSA: _SSHFormatDSA(), @@ -579,6 +633,8 @@ def encode_private( _ECDSA_NISTP256: _SSHFormatECDSA(b"nistp256", ec.SECP256R1()), _ECDSA_NISTP384: _SSHFormatECDSA(b"nistp384", ec.SECP384R1()), _ECDSA_NISTP521: _SSHFormatECDSA(b"nistp521", ec.SECP521R1()), + _SK_SSH_ED25519: _SSHFormatSKEd25519(), + _SK_SSH_ECDSA_NISTP256: _SSHFormatSKECDSA(), } diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index cda2aad77b59..82f398305e21 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -55,6 +55,10 @@ class TestOpenSSHSerialization: ("ecdsa-nopsw.key.pub", "ecdsa-nopsw.key-cert.pub"), ("ed25519-psw.key.pub", None), ("ed25519-nopsw.key.pub", "ed25519-nopsw.key-cert.pub"), + ("sk-ecdsa-psw.key.pub", None), + ("sk-ecdsa-nopsw.key.pub", None), + ("sk-ed25519-psw.key.pub", None), + ("sk-ed25519-nopsw.key.pub", None), ], ) def test_load_ssh_public_key(self, key_file, cert_file, backend): @@ -80,10 +84,14 @@ def test_load_ssh_public_key(self, key_file, cert_file, backend): ) else: public_key = load_ssh_public_key(pub_data, backend) - assert ( - public_key.public_bytes(Encoding.OpenSSH, PublicFormat.OpenSSH) - == nocomment_data - ) + if not key_file.startswith("sk-"): + # SK keys do not round-trip + assert ( + public_key.public_bytes( + Encoding.OpenSSH, PublicFormat.OpenSSH + ) + == nocomment_data + ) self.run_partial_pubkey(pub_data, backend) @@ -1800,3 +1808,20 @@ def test_sign_and_byte_compare_ed25519(self, monkeypatch, backend): b"t8yRa8IRbxvOyA9TZYDGG1dRE3DiR0fuudU20v6vqfTd1gx0S5QyEdECXLl9ZI3" b"AwZgc=" ) + + +class TestSSHSK: + @staticmethod + def ssh_str(application): + data = ( + len(application).to_bytes(length=4, byteorder="big") + + application.encode() + ) + return memoryview(data) + + def test_load_application(self): + ssh.load_application(self.ssh_str("ssh:test")) + + def test_load_application_valueerror(self): + with pytest.raises(ValueError): + ssh.load_application(self.ssh_str("hss:test")) diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh b/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh index b18c338b3803..4a494bda1153 100755 --- a/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/gen.sh @@ -19,10 +19,13 @@ getecbits() { genkey() { fn="$1" args="-f $fn -C $fn" + sk="-O application=ssh:the-application-string" case "$fn" in + sk-ecdsa-*) args="$args -t ecdsa-sk -b $(getecbits) $sk" ;; ecdsa-*) args="$args -t ecdsa -b $(getecbits)" ;; rsa-*) args="$args -t rsa" ;; dsa-*) args="$args -t dsa" ;; + sk-ed25519-*) args="$args -t ed25519-sk $sk" ;; ed25519-*) args="$args -t ed25519" ;; esac password='' @@ -33,12 +36,13 @@ genkey() { } # generate private key files -for ktype in rsa dsa ecdsa ed25519; do +for ktype in rsa dsa ecdsa sk-ecdsa ed25519 sk-ed25519; do for psw in nopsw psw; do genkey "${ktype}-${psw}.key" done done + # generate public key files for fn in *.key; do ssh-keygen -q -y -f "$fn" > /dev/null diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key new file mode 100644 index 000000000000..23fd193a92fa --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key @@ -0,0 +1,11 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlQAAACJzay1lY2 +RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQQ7XunI8QRf +myT0PKWJXtaE0lA6+Hy5HTfIDfHexsZV68AGAj0nYyf2+mAK/vPp6IyVBALJqdzdJYiyeX +p/3neLAAAAGnNzaDp0aGUtYXBwbGljYXRpb24tc3RyaW5nAAABAOGdI7jhnSO4AAAAInNr +LWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDte6c +jxBF+bJPQ8pYle1oTSUDr4fLkdN8gN8d7GxlXrwAYCPSdjJ/b6YAr+8+nojJUEAsmp3N0l +iLJ5en/ed4sAAAAac3NoOnRoZS1hcHBsaWNhdGlvbi1zdHJpbmcBAAAAQDkL+WvhalaEJi +Lf/MaFsFeYzwvC06GZVqUXgCnzyutZzMB9a1deF9uFke1ib56tgZR9iVsskIJeWuwiAIg0 +es4AAAAAAAAAEnNrLWVjZHNhLW5vcHN3LmtleQECAwQ= +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub new file mode 100644 index 000000000000..7c4193df3826 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-nopsw.key.pub @@ -0,0 +1 @@ +sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDte6cjxBF+bJPQ8pYle1oTSUDr4fLkdN8gN8d7GxlXrwAYCPSdjJ/b6YAr+8+nojJUEAsmp3N0liLJ5en/ed4sAAAAac3NoOnRoZS1hcHBsaWNhdGlvbi1zdHJpbmc= sk-ecdsa-nopsw.key diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key new file mode 100644 index 000000000000..b406fa06800d --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key @@ -0,0 +1,12 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDIj2qUG3 +LdljUMp0/4zuFuAAAAEAAAAAEAAACVAAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3Bl +bnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACdJuKxgDLk+a1NeeCtRqCropd0hXume/cTdO +vV/B4lmupr9viNQsUT09wbKRflnOc9jxPAiQOzZbXTkmnV8kkAAAAac3NoOnRoZS1hcHBs +aWNhdGlvbi1zdHJpbmcAAAEAO6Vsfb59XIe524NKbXMjA0xleAi3lcZ5EF0dF48yRO2LfA +12B948LzsKOrgo+Cdq7BMLkCCA1z2811yvKtvy/7cR3D/p31cW7VEun4OAn+QoPCHmv25r +WVfUAv5PC5Ofdm7dtExTcMmyNUMcziovirTyhnlpc/wHD+wgp2oQGpcm+rjQlqX96cLJ7H +PM3wls38biP3wh2QWkoKWPyq7tMR4PiJOw9h6YNeZY3M1JnC9b2b0iHD6Ra/5LBBqV/Uyu +irkHWLB7ASchamexxRqu4fLFK4tjijhLV8hc/XLsQGeDNBHf4QSvZJP0usSSP37F1Ai+XM +stjM1iCsk1UEV9aA== +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub new file mode 100644 index 000000000000..b9a6fa34156c --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ecdsa-psw.key.pub @@ -0,0 +1 @@ +sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBACdJuKxgDLk+a1NeeCtRqCropd0hXume/cTdOvV/B4lmupr9viNQsUT09wbKRflnOc9jxPAiQOzZbXTkmnV8kkAAAAac3NoOnRoZS1hcHBsaWNhdGlvbi1zdHJpbmc= sk-ecdsa-psw.key diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key new file mode 100644 index 000000000000..db48fcd3e9a5 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key @@ -0,0 +1,10 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAYAAAABpzay1zc2 +gtZWQyNTUxOUBvcGVuc3NoLmNvbQAAACB6auRr7BwVOqTawgDOxUpaUFcN8SZ7SWzoR2Vs +ubbk3wAAABpzc2g6dGhlLWFwcGxpY2F0aW9uLXN0cmluZwAAARCWIPLyliDy8gAAABpzay +1zc2gtZWQyNTUxOUBvcGVuc3NoLmNvbQAAACB6auRr7BwVOqTawgDOxUpaUFcN8SZ7SWzo +R2Vsubbk3wAAABpzc2g6dGhlLWFwcGxpY2F0aW9uLXN0cmluZwEAAACAQPv/aY2F3YN1kD +1FHPa1HpEHOGAbsYj/2b6h8Rn+N4pU6hdTD5v19Efdz5jlt8Y84c61+8HKDPCI/g5Cbcvd +3uuGHuFUdgiarOZqKyuwBj3Kll9Whb/yV4wGo/NVXtCHa2SnWr2wjYtRTGPNNCgGPsLU05 +/KTNCStsNhEcsNDjEAAAAAAAAAFHNrLWVkMjU1MTktbm9wc3cua2V5AQIDBAUGBw== +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub new file mode 100644 index 000000000000..dc900ed9dd6f --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-nopsw.key.pub @@ -0,0 +1 @@ +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHpq5GvsHBU6pNrCAM7FSlpQVw3xJntJbOhHZWy5tuTfAAAAGnNzaDp0aGUtYXBwbGljYXRpb24tc3RyaW5n sk-ed25519-nopsw.key diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key new file mode 100644 index 000000000000..92328aa1ecdd --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key @@ -0,0 +1,11 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBZQIE5S+ +fq0J5esB3Jo4smAAAAEAAAAAEAAABgAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t +AAAAIHf0iiNQTiR7NNAbeAwY+READVx9G0mP6idSAZ7bPTrMAAAAGnNzaDp0aGUtYXBwbG +ljYXRpb24tc3RyaW5nAAABEEeyENyjnVry24AKkT0cC6nRakzHeBY7nSmDiy3MX7sQNRze +illy4uWLZyv022QlMR4GqnXwnQ9bPqcPD0S/SAhuYnFRWI6PPUXkNqiqiS/ZsMkaSKDvBS +UKv5EXjBBk3Sh9IjNXXK8tt0+WIIR973hVEtolcgxvFZpc1IJuRl9gkpKlQFNzwcANTuwB +kr6t0qad/fp0bZldBL/zRtqfgMHTSFzNoITTaxA8ZQZ1Zm585u0NIX4ZDrTaoZVaO8t7Z5 +3r1784oCk6h/lomf9Qsg2eBf6CHMGlTHVFPop5VtGDKFVlgIxQCdwt0V1e6dWK6j5zOzBh +mNA7qT0q3quRLBqUADN698q5fLRFR1PzQ5bx +-----END OPENSSH PRIVATE KEY----- diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub new file mode 100644 index 000000000000..65fc4c31591b --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/sk-ed25519-psw.key.pub @@ -0,0 +1 @@ +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHf0iiNQTiR7NNAbeAwY+READVx9G0mP6idSAZ7bPTrMAAAAGnNzaDp0aGUtYXBwbGljYXRpb24tc3RyaW5n sk-ed25519-psw.key From 775bb2ffb8a6a0502def7ab707857a04b0449a92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Mar 2024 11:11:00 +0000 Subject: [PATCH 298/868] Bump ruff from 0.3.3 to 0.3.4 (#10626) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.3 to 0.3.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.3...v0.3.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 60342287e07a..656b365fdbed 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.3 +ruff==0.3.4 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 857d6b1d2fb1b93251a89ca3534e2a28b32c4950 Mon Sep 17 00:00:00 2001 From: Axel Gembe Date: Fri, 22 Mar 2024 23:00:54 +0900 Subject: [PATCH 299/868] Pass -fmacro-prefix-map to cc to not leak paths into the binary (#10627) Without this compiling the CFFI generated `_openssl.c` file embeds the build path into the binary. When installed using PyPi this path is random, which makes the resulting binary not reproducible. --- src/rust/cryptography-cffi/build.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 5f73714f3415..13eae0f49df4 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -69,6 +69,13 @@ fn main() { .flag_if_supported("-Wno-error=sign-conversion") .flag_if_supported("-Wno-unused-parameter"); + // We use the `-fmacro-prefix-map` option to replace the output directory in macros with a dot. + // This is because we don't want a potentially random build path to end up in the binary because + // CFFI generated code uses the __FILE__ macro in its debug messages. + if let Some(out_dir_str) = Path::new(&out_dir).to_str() { + build.flag_if_supported(format!("-fmacro-prefix-map={}=.", out_dir_str).as_str()); + } + for python_include in env::split_paths(&python_includes) { build.include(python_include); } From 8436316862642fb515e51d5284a718df3b501bee Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 22 Mar 2024 19:34:41 -0400 Subject: [PATCH 300/868] Wycheproof lives under C2SP now (#10628) --- .github/actions/fetch-vectors/action.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 4 ++-- docs/development/test-vectors.rst | 5 +---- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4e3a214ce086..4dc167660dad 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -7,7 +7,7 @@ runs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - repository: "google/wycheproof" + repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Mar 16, 2024. ref: "1621269c9f8e4a11f7de5dd2cb353400f054ce6f" # wycheproof-ref diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index dfd4f9b46c59..225a8d37538c 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -34,12 +34,12 @@ jobs: if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA - id: check-sha-wycheproof run: | - SHA=$(git ls-remote https://github.com/google/wycheproof refs/heads/master | cut -f1) + SHA=$(git ls-remote https://github.com/C2SP/wycheproof refs/heads/master | cut -f1) LAST_COMMIT=$(grep wycheproof-ref .github/actions/fetch-vectors/action.yml | grep -oE '[a-f0-9]{40}') if ! grep -q "$SHA" .github/actions/fetch-vectors/action.yml; then echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT echo "COMMIT_MSG<> $GITHUB_OUTPUT - echo -e "## wycheproof\n[Commit: ${SHA}](https://github.com/google/wycheproof/commit/${SHA})\n\n[Diff](https://github.com/google/wycheproof/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT + echo -e "## wycheproof\n[Commit: ${SHA}](https://github.com/C2SP/wycheproof/commit/${SHA})\n\n[Diff](https://github.com/C2SP/wycheproof/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT fi - name: Update wycheproof diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index aeff528faf78..0f608e840c03 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -21,9 +21,6 @@ for various cryptographic algorithms. These are not included in the repository (or ``cryptography_vectors`` package), but rather cloned from Git in our continuous integration environments. -We have ensured all test vectors are used as of commit -``d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d``. - Asymmetric ciphers ~~~~~~~~~~~~~~~~~~ @@ -1049,7 +1046,7 @@ header format (substituting the correct information): .. _`NIST`: https://www.nist.gov/ .. _`IETF`: https://www.ietf.org/ -.. _`Project Wycheproof`: https://github.com/google/wycheproof +.. _`Project Wycheproof`: https://github.com/C2SP/wycheproof .. _`NIST CAVP`: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program .. _`Bruce Schneier's vectors`: https://www.schneier.com/wp-content/uploads/2015/12/vectors-2.txt .. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/ From ee097cb2b7e140a98d2dfd37f0330f6c6e460688 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 23 Mar 2024 00:15:11 +0000 Subject: [PATCH 301/868] Bump BoringSSL and/or OpenSSL in CI (#10629) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 55823ac088a5..531eea195442 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "06fb6e1b129d426b0f543e0e77890295175f012a"}} - # Latest commit on the OpenSSL master branch, as of Mar 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9abcf116962e9a117717c751de93846f11da16cd"}} + # Latest commit on the BoringSSL master branch, as of Mar 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "231510cf506711eae6f7f06be9626bc7e44982b4"}} + # Latest commit on the OpenSSL master branch, as of Mar 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "24109dca5a793d58c68a346db5b21746079ec317"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 78fdf553a1913f86fe2bad08c33b1a2bee4cda5e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Mar 2024 08:42:00 -0400 Subject: [PATCH 302/868] Remove uv-ism that's no longer required in local nox (#10630) --- noxfile.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/noxfile.py b/noxfile.py index 71f878572c44..c254b5e3685e 100644 --- a/noxfile.py +++ b/noxfile.py @@ -265,7 +265,7 @@ def local(session): *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], - "cryptography_vectors @ ./vectors/", + "./vectors/", verbose=False, ) @@ -301,7 +301,7 @@ def local(session): "cryptography", "--refresh-package", "cryptography", - "cryptography @ .", + ".", ) if session.posargs: From e9954a0a31db22201b96d62535f51a5f0316e218 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 23 Mar 2024 08:53:01 -0400 Subject: [PATCH 303/868] fixes #10631 -- remove documentation for method that was removed (#10632) * fixes #10631 -- remove documentation for method that was removed * Update CHANGELOG.rst --- CHANGELOG.rst | 4 ++-- docs/hazmat/primitives/asymmetric/ec.rst | 25 ------------------------ 2 files changed, 2 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a1ce4d63793c..4fc48964b21b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1168,7 +1168,7 @@ Changelog :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`, which immediately checks if the point is on the curve and supports compressed points. Deprecated the previous method - :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. + ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point``. * Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm` to ``OCSPResponse``. * Updated :doc:`/hazmat/primitives/asymmetric/x25519` support to allow @@ -1878,7 +1878,7 @@ Changelog form using ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`` and - :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. + ``cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point``. * Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`. * :class:`~cryptography.x509.CertificatePolicies` are now supported in the :class:`~cryptography.x509.CertificateBuilder`. diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index c0a0ff757eab..a22a64be5c41 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -200,31 +200,6 @@ Elliptic Curve Signature Algorithms :raises ValueError: Raised if the point is invalid for the curve. :returns: A new instance of :class:`EllipticCurvePublicKey`. - .. classmethod:: from_encoded_point(curve, data) - - .. versionadded:: 1.1 - - .. note:: - - This has been deprecated in favor of - :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point` - - Decodes a byte string as described in `SEC 1 v2.0`_ section 2.3.3 and - returns an :class:`EllipticCurvePublicNumbers`. This method only - supports uncompressed points. - - :param curve: An - :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve` - instance. - - :param bytes data: The serialized point byte string. - - :returns: An :class:`EllipticCurvePublicNumbers` instance. - - :raises ValueError: Raised on invalid point type or data length. - - :raises TypeError: Raised when curve is not an - :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`. Elliptic Curve Key Exchange algorithm ------------------------------------- From 2f82c251c863fb81948f9ff7d99473f4963c5db2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 24 Mar 2024 00:16:35 +0000 Subject: [PATCH 304/868] Bump BoringSSL and/or OpenSSL in CI (#10634) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 531eea195442..229eb24028dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "231510cf506711eae6f7f06be9626bc7e44982b4"}} - # Latest commit on the OpenSSL master branch, as of Mar 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "24109dca5a793d58c68a346db5b21746079ec317"}} + # Latest commit on the BoringSSL master branch, as of Mar 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "70b33d39048abaa1c810ad63ace4b05af7b94d15"}} + # Latest commit on the OpenSSL master branch, as of Mar 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a9e48f727ce7ad924c53a55b301e426d7e43863"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e257fc6277b71532ddc1ae133296a34f58703e98 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 24 Mar 2024 01:03:39 +0000 Subject: [PATCH 305/868] Bump indoc from 2.0.4 to 2.0.5 in /src/rust (#10635) Bumps [indoc](https://github.com/dtolnay/indoc) from 2.0.4 to 2.0.5. - [Release notes](https://github.com/dtolnay/indoc/releases) - [Commits](https://github.com/dtolnay/indoc/compare/2.0.4...2.0.5) --- updated-dependencies: - dependency-name: indoc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a8102b1b9a96..15593ef1d12a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -150,9 +150,9 @@ checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "indoc" -version = "2.0.4" +version = "2.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8" +checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" From b7b6c30ec61e2e8bbecee3997f89070046bc67e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 23 Mar 2024 23:19:17 -0400 Subject: [PATCH 306/868] Bump keyring from 24.3.1 to 25.0.0 in /.github/requirements (#10636) * Bump keyring from 24.3.1 to 25.0.0 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 24.3.1 to 25.0.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v24.3.1...v25.0.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2dfde9d77409..12755fbf8fba 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -250,15 +250,23 @@ jaraco-classes==3.3.1 \ --hash=sha256:86b534de565381f6b3c1c830d13f931d7be1a75f0081c57dff615578676e2206 \ --hash=sha256:cb28a5ebda8bc47d8c8015307d93163464f9f2b91ab4006e09ff0ce07e8bfb30 # via keyring +jaraco-context==4.3.0 \ + --hash=sha256:4dad2404540b936a20acedec53355bdaea223acb88fd329fa6de9261c941566e \ + --hash=sha256:5d9e95ca0faa78943ed66f6bc658dd637430f16125d86988e77844c741ff2f11 + # via keyring +jaraco-functools==4.0.0 \ + --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ + --hash=sha256:daf276ddf234bea897ef14f43c4e1bf9eefeac7b7a82a4dd69228ac20acff68d + # via keyring jeepney==0.8.0 \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ --hash=sha256:c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755 # via # keyring # secretstorage -keyring==24.3.1 \ - --hash=sha256:c3327b6ffafc0e8befbdb597cacdb4928ffe5c1212f7645f186e6d9957a898db \ - --hash=sha256:df38a4d7419a6a60fea5cef1e45a948a3e8430dd12ad88b0f423c5c143906218 +keyring==25.0.0 \ + --hash=sha256:9a15cd280338920388e8c1787cb8792b9755dabb3e7c61af5ac1f8cd437cefde \ + --hash=sha256:fc024ed53c7ea090e30723e6bd82f58a39dc25d9a6797d866203ecd0ee6306cb # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ @@ -271,7 +279,9 @@ mdurl==0.1.2 \ more-itertools==10.2.0 \ --hash=sha256:686b06abe565edfab151cb8fd385a05651e1fdf8f0a14191e4439283421f8684 \ --hash=sha256:8fccb480c43d3e99a00087634c06dd02b0d50fbf088b380de5a41a015ec239e1 - # via jaraco-classes + # via + # jaraco-classes + # jaraco-functools multidict==6.0.5 \ --hash=sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556 \ --hash=sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c \ From 4486017868fba383d1075e0e350bf0bc4830a021 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 24 Mar 2024 20:17:44 +0000 Subject: [PATCH 307/868] Bump syn from 2.0.53 to 2.0.55 in /src/rust (#10638) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.53 to 2.0.55. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.53...2.0.55) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 15593ef1d12a..11ee8b08475d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.53" +version = "2.0.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7383cd0e49fff4b6b90ca5670bfd3e9d6a733b3f90c686605aa7eec8c4996032" +checksum = "002a1b3dbf967edfafc32655d0f377ab0bb7b994aa1d32c8cc7e9b8bf3ebb8f0" dependencies = [ "proc-macro2", "quote", From ca606189dc6bb377bba48d2e38013547b1857059 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 08:01:20 -0400 Subject: [PATCH 308/868] Bump pytest-cov from 4.1.0 to 5.0.0 (#10639) * Bump pytest-cov from 4.1.0 to 5.0.0 Bumps [pytest-cov](https://github.com/pytest-dev/pytest-cov) from 4.1.0 to 5.0.0. - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-cov/compare/v4.1.0...v5.0.0) --- updated-dependencies: - dependency-name: pytest-cov dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 656b365fdbed..87b0a646c3db 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -95,7 +95,7 @@ pytest==8.1.1; python_version >= "3.8" # pytest-xdist pytest-benchmark==4.0.0 # via cryptography (pyproject.toml) -pytest-cov==4.1.0 +pytest-cov==5.0.0; python_version >= "3.8" # via cryptography (pyproject.toml) pytest-randomly==3.15.0 # via cryptography (pyproject.toml) From 558875fd8333006f5e29008815fc0aac44542b07 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 00:14:50 +0000 Subject: [PATCH 309/868] Bump BoringSSL and/or OpenSSL in CI (#10640) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 229eb24028dc..f48557aedfd5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "70b33d39048abaa1c810ad63ace4b05af7b94d15"}} - # Latest commit on the OpenSSL master branch, as of Mar 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a9e48f727ce7ad924c53a55b301e426d7e43863"}} + # Latest commit on the BoringSSL master branch, as of Mar 26, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee4c2a38a05873b8812fed97efae0ffc5ff51d46"}} + # Latest commit on the OpenSSL master branch, as of Mar 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a4cbffcd8998180b98bb9f7ce6065ed37d079d8b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 19ef6dd741bd2cb0127a2320557ba37b29b6c76f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 25 Mar 2024 20:26:59 -0400 Subject: [PATCH 310/868] run cron lock jobs at a diff time (#10641) --- .github/workflows/lock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 88379415f801..f037c6555c4f 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -2,7 +2,7 @@ name: Lock Issues on: workflow_dispatch: schedule: - - cron: '0 0 * * *' + - cron: '0 3 * * *' permissions: issues: "write" From 72da5a87ea05a1ec65cd6b6b933ad13c82f1064b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 00:28:07 +0000 Subject: [PATCH 311/868] Bump x509-limbo and/or wycheproof in CI (#10642) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4dc167660dad..c872ad5e74d3 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 21, 2024. - ref: "2d797b4f9d21e8c0ac3c070d2ff8198b4640acf9" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 26, 2024. + ref: "dd62010dad89bd0102c448fbf85303ea70bfcbe2" # x509-limbo-ref From 21788cc353dd512e361afa06736cfdd96fdc1a3e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 07:08:02 -0400 Subject: [PATCH 312/868] Bump filelock from 3.13.1 to 3.13.3 (#10644) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.13.1 to 3.13.3. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.13.1...3.13.3) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 87b0a646c3db..ba89573b4e69 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.0 # via pytest execnet==2.0.2 # via pytest-xdist -filelock==3.13.1; python_version >= "3.8" +filelock==3.13.3; python_version >= "3.8" # via virtualenv idna==3.6 # via requests From a32da2e10f5974e9338cb191cc471a6f1b77e300 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 11:12:53 +0000 Subject: [PATCH 313/868] Bump autocfg from 1.1.0 to 1.2.0 in /src/rust (#10645) Bumps [autocfg](https://github.com/cuviper/autocfg) from 1.1.0 to 1.2.0. - [Commits](https://github.com/cuviper/autocfg/compare/1.1.0...1.2.0) --- updated-dependencies: - dependency-name: autocfg dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 11ee8b08475d..6aa04afe6fc1 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -24,9 +24,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" +checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" [[package]] name = "base64" From 1fe44c21cac785f1887b91ee5c57b03551c40671 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:16:32 -0400 Subject: [PATCH 314/868] Bump BoringSSL and/or OpenSSL in CI (#10648) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f48557aedfd5..3f353321e48d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 26, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee4c2a38a05873b8812fed97efae0ffc5ff51d46"}} - # Latest commit on the OpenSSL master branch, as of Mar 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a4cbffcd8998180b98bb9f7ce6065ed37d079d8b"}} + # Latest commit on the OpenSSL master branch, as of Mar 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1967539e212c17139dc810096da987c8100b1ba2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 9fdcea4f35b05670dc98e601a9d42b137cc4aba6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 00:29:00 +0000 Subject: [PATCH 315/868] Bump x509-limbo and/or wycheproof in CI (#10649) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c872ad5e74d3..f633964e3d21 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -9,12 +9,12 @@ runs: with: repository: "C2SP/wycheproof" path: "wycheproof" - # Latest commit on the wycheproof master branch, as of Mar 16, 2024. - ref: "1621269c9f8e4a11f7de5dd2cb353400f054ce6f" # wycheproof-ref + # Latest commit on the wycheproof master branch, as of Mar 27, 2024. + ref: "507bb993e90a87d0a62591a5284bc34a3f1c5c22" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 26, 2024. - ref: "dd62010dad89bd0102c448fbf85303ea70bfcbe2" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 27, 2024. + ref: "5550a13c69181f17f716eac5be382a0edb59be4b" # x509-limbo-ref From dc906c5d54035c84613f2567466ff6b07cb01fb2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 07:05:44 -0400 Subject: [PATCH 316/868] Bump actions/setup-python from 5.0.0 to 5.1.0 (#10650) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/0a5c61591373683505ea898e09a3ea4f39ef2b9c...82c7e631bb3cdc910f68e0081d67478d79c6982d) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index deeebb0f69ba..91de604df56f 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -38,7 +38,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f353321e48d..51d959646291 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,7 +60,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -240,7 +240,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -299,7 +299,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -375,7 +375,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -421,7 +421,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.12' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index 0e5b688c051f..b06da096537f 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 433b1a1b1ac4..90e3ad79608f 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -34,7 +34,7 @@ jobs: - run: echo "$EVENT_CONTEXT" env: EVENT_CONTEXT: ${{ toJson(github.event) }} - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.11" - name: Get publish-requirements.txt from repository diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 9367b2d16ccf..18579f6c60fc 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -228,7 +228,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -320,7 +320,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 44857ea7502b4ebea4104cd44e443d4d5d928d36 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 07:06:49 -0400 Subject: [PATCH 317/868] Bump nh3 from 0.2.15 to 0.2.17 (#10652) Bumps [nh3](https://github.com/messense/nh3) from 0.2.15 to 0.2.17. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.15...v0.2.17) --- updated-dependencies: - dependency-name: nh3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ba89573b4e69..9027617cee4d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -56,7 +56,7 @@ mypy==1.9.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy -nh3==0.2.15 +nh3==0.2.17 # via readme-renderer nox==2024.3.2 # via cryptography (pyproject.toml) From c13be115e859f077e8661f1e68bc7c6984a7f9e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 07:07:05 -0400 Subject: [PATCH 318/868] Bump memoffset from 0.9.0 to 0.9.1 in /src/rust (#10653) Bumps [memoffset](https://github.com/Gilnaa/memoffset) from 0.9.0 to 0.9.1. - [Changelog](https://github.com/Gilnaa/memoffset/blob/master/CHANGELOG.md) - [Commits](https://github.com/Gilnaa/memoffset/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: memoffset dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6aa04afe6fc1..10d7821b416b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -172,9 +172,9 @@ dependencies = [ [[package]] name = "memoffset" -version = "0.9.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a634b1c61a95585bd15607c6ab0c4e5b226e695ff2800ba0cdccddf208c406c" +checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a" dependencies = [ "autocfg", ] From 5593992417c9b75bab4d4725966fed7c17d49d40 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 08:22:35 -0400 Subject: [PATCH 319/868] Bump nh3 from 0.2.15 to 0.2.17 in /.github/requirements (#10651) * Bump nh3 from 0.2.15 to 0.2.17 in /.github/requirements Bumps [nh3](https://github.com/messense/nh3) from 0.2.15 to 0.2.17. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.15...v0.2.17) --- updated-dependencies: - dependency-name: nh3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 12755fbf8fba..010f500a8064 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -374,23 +374,23 @@ multidict==6.0.5 \ --hash=sha256:fce28b3c8a81b6b36dfac9feb1de115bab619b3c13905b419ec71d03a3fc1423 \ --hash=sha256:fe5d7785250541f7f5019ab9cba2c71169dc7d74d0f45253f8313f436458a4ef # via grpclib -nh3==0.2.15 \ - --hash=sha256:0d02d0ff79dfd8208ed25a39c12cbda092388fff7f1662466e27d97ad011b770 \ - --hash=sha256:3277481293b868b2715907310c7be0f1b9d10491d5adf9fce11756a97e97eddf \ - --hash=sha256:3b803a5875e7234907f7d64777dfde2b93db992376f3d6d7af7f3bc347deb305 \ - --hash=sha256:427fecbb1031db085eaac9931362adf4a796428ef0163070c484b5a768e71601 \ - --hash=sha256:5f0d77272ce6d34db6c87b4f894f037d55183d9518f948bba236fe81e2bb4e28 \ - --hash=sha256:60684857cfa8fdbb74daa867e5cad3f0c9789415aba660614fe16cd66cbb9ec7 \ - --hash=sha256:6f42f99f0cf6312e470b6c09e04da31f9abaadcd3eb591d7d1a88ea931dca7f3 \ - --hash=sha256:86e447a63ca0b16318deb62498db4f76fc60699ce0a1231262880b38b6cff911 \ - --hash=sha256:8d595df02413aa38586c24811237e95937ef18304e108b7e92c890a06793e3bf \ - --hash=sha256:9c0d415f6b7f2338f93035bba5c0d8c1b464e538bfbb1d598acd47d7969284f0 \ - --hash=sha256:a5167a6403d19c515217b6bcaaa9be420974a6ac30e0da9e84d4fc67a5d474c5 \ - --hash=sha256:ac19c0d68cd42ecd7ead91a3a032fdfff23d29302dbb1311e641a130dfefba97 \ - --hash=sha256:b1e97221cedaf15a54f5243f2c5894bb12ca951ae4ddfd02a9d4ea9df9e1a29d \ - --hash=sha256:bc2d086fb540d0fa52ce35afaded4ea526b8fc4d3339f783db55c95de40ef02e \ - --hash=sha256:d1e30ff2d8d58fb2a14961f7aac1bbb1c51f9bdd7da727be35c63826060b0bf3 \ - --hash=sha256:f3b53ba93bb7725acab1e030bc2ecd012a817040fd7851b332f86e2f9bb98dc6 +nh3==0.2.17 \ + --hash=sha256:0316c25b76289cf23be6b66c77d3608a4fdf537b35426280032f432f14291b9a \ + --hash=sha256:1a814dd7bba1cb0aba5bcb9bebcc88fd801b63e21e2450ae6c52d3b3336bc911 \ + --hash=sha256:1aa52a7def528297f256de0844e8dd680ee279e79583c76d6fa73a978186ddfb \ + --hash=sha256:22c26e20acbb253a5bdd33d432a326d18508a910e4dcf9a3316179860d53345a \ + --hash=sha256:40015514022af31975c0b3bca4014634fa13cb5dc4dbcbc00570acc781316dcc \ + --hash=sha256:40d0741a19c3d645e54efba71cb0d8c475b59135c1e3c580f879ad5514cbf028 \ + --hash=sha256:551672fd71d06cd828e282abdb810d1be24e1abb7ae2543a8fa36a71c1006fe9 \ + --hash=sha256:66f17d78826096291bd264f260213d2b3905e3c7fae6dfc5337d49429f1dc9f3 \ + --hash=sha256:85cdbcca8ef10733bd31f931956f7fbb85145a4d11ab9e6742bbf44d88b7e351 \ + --hash=sha256:a3f55fabe29164ba6026b5ad5c3151c314d136fd67415a17660b4aaddacf1b10 \ + --hash=sha256:b4427ef0d2dfdec10b641ed0bdaf17957eb625b2ec0ea9329b3d28806c153d71 \ + --hash=sha256:ba73a2f8d3a1b966e9cdba7b211779ad8a2561d2dba9674b8a19ed817923f65f \ + --hash=sha256:c21bac1a7245cbd88c0b0e4a420221b7bfa838a2814ee5bb924e9c2f10a1120b \ + --hash=sha256:c551eb2a3876e8ff2ac63dff1585236ed5dfec5ffd82216a7a174f7c5082a78a \ + --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ + --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer pkginfo==1.10.0 \ --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ From 031d407e4df3225fddfcf52ff18fe221c5a8bf34 Mon Sep 17 00:00:00 2001 From: Julien Castiaux Date: Wed, 27 Mar 2024 19:32:35 +0100 Subject: [PATCH 320/868] Add public_key_algorithm_oid to certificate and CSR (#10517) --- CHANGELOG.rst | 6 ++ docs/development/test-vectors.rst | 2 + docs/spelling_wordlist.txt | 1 + docs/x509/reference.rst | 89 ++++++++++++++++++ src/cryptography/hazmat/_oid.py | 17 ++++ src/cryptography/x509/__init__.py | 2 + src/cryptography/x509/base.py | 7 ++ src/cryptography/x509/oid.py | 2 + src/rust/src/x509/certificate.rs | 11 +++ src/rust/src/x509/csr.rs | 11 +++ tests/x509/test_x509.py | 91 ++++++++++++++++++- .../x509/custom/ca/rsae_ca.pem | 32 +++++++ 12 files changed, 268 insertions(+), 3 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4fc48964b21b..8a97f7d7da1a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -35,6 +35,12 @@ Changelog :class:`~cryptography.x509.verification.VerifiedClient`, and ``PolicyBuilder`` :meth:`~cryptography.x509.verification.PolicyBuilder.build_client_verifier`. +* Added Certificate + :attr:`~cryptography.x509.Certificate.public_key_algorithm_oid` + and Certificate Signing Request + :attr:`~cryptography.x509.CertificateSigningRequest.public_key_algorithm_oid` + to determine the :class:`~cryptography.hazmat._oid.PublicKeyAlgorithmOID` + Object Identifier of the public key found inside the certificate. .. _v42-0-5: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 0f608e840c03..e0746ab792b2 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -496,6 +496,8 @@ Custom X.509 Vectors using ``ed448-pkcs8.pem`` as key. * ``ca/rsa_ca.pem`` - A self-signed RSA certificate with ``basicConstraints`` set to true. Its private key is ``ca/rsa_key.pem``. +* ``ca/rsae_ca.pem`` - A self-signed RSA certificate using a (non-PSS) RSA + public key and a RSA PSS signature. Its private key is ``ca/rsa_key.pem``. * ``invalid-sct-version.der`` - A certificate with an SCT with an unknown version. * ``invalid-sct-length.der`` - A certificate with an SCT with an internal diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 933e781308ed..9be4a107a70d 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -106,6 +106,7 @@ preprocessor preprocessors presentational pseudorandom +PSS pyOpenSSL pytest relicensed diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 166c01f9a58a..0d0db19fdee4 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -364,6 +364,21 @@ X.509 Certificate Object >>> isinstance(public_key, rsa.RSAPublicKey) True + .. attribute:: public_key_algorithm_oid + + .. versionadded:: 43.0.0 + + :type: :class:`ObjectIdentifier` + + Returns the :class:`ObjectIdentifier` of the public key algorithm found + inside the certificate. This will be one of the OIDs from + :class:`~cryptography.x509.oid.PublicKeyAlgorithmOID`. + + .. doctest:: + + >>> cert.public_key_algorithm_oid + + .. attribute:: not_valid_before :type: :class:`datetime.datetime` @@ -1033,6 +1048,21 @@ X.509 CSR (Certificate Signing Request) Object >>> isinstance(public_key, rsa.RSAPublicKey) True + .. attribute:: public_key_algorithm_oid + + .. versionadded:: 43.0.0 + + :type: :class:`ObjectIdentifier` + + Returns the :class:`ObjectIdentifier` of the public key algorithm found + inside the certificate. This will be one of the OIDs from + :class:`~cryptography.x509.oid.PublicKeyAlgorithmOID`. + + .. doctest:: + + >>> csr.public_key_algorithm_oid + + .. attribute:: subject :type: :class:`Name` @@ -3840,6 +3870,65 @@ instances. The following common OIDs are available as constants. Corresponds to the dotted string ``"1.2.840.113549.1.9.2"``. + +.. class:: PublicKeyAlgorithmOID + :canonical: cryptography.hazmat._oid.PublicKeyAlgorithmOID + + .. versionadded:: 43.0.0 + + .. attribute:: DSA + + Corresponds to the dotted string ``"1.2.840.10040.4.1"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` + public key. + + .. attribute:: EC_PUBLIC_KEY + + Corresponds to the dotted string ``"1.2.840.10045.2.1"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` + public key. + + .. attribute:: RSAES_PKCS1_v1_5 + + Corresponds to the dotted string ``"1.2.840.113549.1.1.1"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` + public key with + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` + padding. + + .. attribute:: RSASSA_PSS + + Corresponds to the dotted string ``"1.2.840.113549.1.1.10"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` + public key with + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` + padding. + + .. attribute:: X25519 + + Corresponds to the dotted string ``"1.3.101.110"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey` + public key. + + .. attribute:: X448 + + Corresponds to the dotted string ``"1.3.101.111"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey` + public key. + + .. attribute:: ED25519 + + Corresponds to the dotted string ``"1.3.101.112"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey` + public key. + + .. attribute:: ED448 + + Corresponds to the dotted string ``"1.3.101.113"``. This is a + :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey` + public key. + + Helper Functions ~~~~~~~~~~~~~~~~ .. currentmodule:: cryptography.x509 diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py index c5d062c1374a..fd5e37d9e2ff 100644 --- a/src/cryptography/hazmat/_oid.py +++ b/src/cryptography/hazmat/_oid.py @@ -154,6 +154,17 @@ class SignatureAlgorithmOID: } +class PublicKeyAlgorithmOID: + DSA = ObjectIdentifier("1.2.840.10040.4.1") + EC_PUBLIC_KEY = ObjectIdentifier("1.2.840.10045.2.1") + RSAES_PKCS1_v1_5 = ObjectIdentifier("1.2.840.113549.1.1.1") + RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10") + X25519 = ObjectIdentifier("1.3.101.110") + X448 = ObjectIdentifier("1.3.101.111") + ED25519 = ObjectIdentifier("1.3.101.112") + ED448 = ObjectIdentifier("1.3.101.113") + + class ExtendedKeyUsageOID: SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1") CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2") @@ -245,6 +256,12 @@ class AttributeOID: SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_512: ( "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)" ), + PublicKeyAlgorithmOID.DSA: "dsaEncryption", + PublicKeyAlgorithmOID.EC_PUBLIC_KEY: "id-ecPublicKey", + PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5: "rsaEncryption", + PublicKeyAlgorithmOID.RSASSA_PSS: "rsassaPss", + PublicKeyAlgorithmOID.X25519: "X25519", + PublicKeyAlgorithmOID.X448: "X448", ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth", ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth", ExtendedKeyUsageOID.CODE_SIGNING: "codeSigning", diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 931618aa49d1..e73e527fc4a0 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -97,6 +97,7 @@ ExtensionOID, NameOID, ObjectIdentifier, + PublicKeyAlgorithmOID, SignatureAlgorithmOID, ) @@ -250,6 +251,7 @@ "PrecertificateSignedCertificateTimestamps", "PrecertPoison", "OCSPNonce", + "PublicKeyAlgorithmOID", "SignedCertificateTimestamps", "SignatureAlgorithmOID", "NameOID", diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 2ab482ec817f..c035cbb70b4b 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -187,6 +187,13 @@ def public_key(self) -> CertificatePublicKeyTypes: Returns the public key """ + @property + @abc.abstractmethod + def public_key_algorithm_oid(self) -> ObjectIdentifier: + """ + Returns the ObjectIdentifier of the public key. + """ + @property @abc.abstractmethod def not_valid_before(self) -> datetime.datetime: diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py index cda50cced5c4..d4e409e0a2a0 100644 --- a/src/cryptography/x509/oid.py +++ b/src/cryptography/x509/oid.py @@ -14,6 +14,7 @@ NameOID, ObjectIdentifier, OCSPExtensionOID, + PublicKeyAlgorithmOID, SignatureAlgorithmOID, SubjectInformationAccessOID, ) @@ -28,6 +29,7 @@ "NameOID", "OCSPExtensionOID", "ObjectIdentifier", + "PublicKeyAlgorithmOID", "SignatureAlgorithmOID", "SubjectInformationAccessOID", ] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 552f4eda7d81..d4873256fe22 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -72,6 +72,17 @@ impl Certificate { ) } + #[getter] + fn public_key_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult<&'p pyo3::PyAny> { + oid_to_py_oid( + py, + self.raw.borrow_dependent().tbs_cert.spki.algorithm.oid(), + ) + } + fn fingerprint<'p>( &self, py: pyo3::Python<'p>, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index c49f6e04421a..27eff5e12e95 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -54,6 +54,17 @@ impl CertificateSigningRequest { ) } + #[getter] + fn public_key_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult<&'p pyo3::PyAny> { + oid_to_py_oid( + py, + self.raw.borrow_dependent().csr_info.spki.algorithm.oid(), + ) + } + #[getter] fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { Ok(x509::parse_name( diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index e5e941e45e4a..40686e4eb7c2 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -37,6 +37,7 @@ ExtendedKeyUsageOID, ExtensionOID, NameOID, + PublicKeyAlgorithmOID, SignatureAlgorithmOID, SubjectInformationAccessOID, ) @@ -792,6 +793,42 @@ def test_get_revoked_certificate_doesnt_reorder( assert crl[2].serial_number == 3 +class TestRSAECertificate: + def test_load_cert_pub_key(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "ca", "rsae_ca.pem"), + x509.load_pem_x509_certificate, + ) + assert isinstance(cert, x509.Certificate) + expected_pub_key = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), None, unsafe_skip_rsa_key_validation=True + ), + mode="rb", + ).public_key() + assert isinstance(expected_pub_key, rsa.RSAPublicKey) + pub_key = cert.public_key() + assert isinstance(pub_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) + assert pub_key == expected_pub_key + pss = cert.signature_algorithm_parameters + assert isinstance(pss, padding.PSS) + assert isinstance(pss._mgf, padding.MGF1) + assert isinstance(pss._mgf._algorithm, hashes.SHA256) + assert pss._salt_length == 0x14 + assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) + pub_key.verify( + cert.signature, + cert.tbs_certificate_bytes, + pss, + cert.signature_hash_algorithm, + ) + + class TestRSAPSSCertificate: def test_load_cert_pub_key(self, backend): cert = _load_cert( @@ -806,6 +843,9 @@ def test_load_cert_pub_key(self, backend): assert isinstance(expected_pub_key, rsa.RSAPublicKey) pub_key = cert.public_key() assert isinstance(pub_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.RSASSA_PSS + ) assert pub_key == expected_pub_key pss = cert.signature_algorithm_parameters assert isinstance(pss, padding.PSS) @@ -898,6 +938,11 @@ def test_load_pem_cert(self, backend): assert isinstance( cert.signature_algorithm_parameters, padding.PKCS1v15 ) + assert isinstance(cert.public_key(), rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) def test_check_pkcs1_signature_algorithm_parameters(self, backend): cert = _load_cert( @@ -995,6 +1040,11 @@ def test_alternate_rsa_with_sha1_oid(self, backend): cert.signature_algorithm_oid == SignatureAlgorithmOID._RSA_WITH_SHA1 ) + assert isinstance(cert.public_key(), rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) def test_load_bmpstring_explicittext(self, backend): cert = _load_cert( @@ -1834,6 +1884,10 @@ def test_load_rsa_certificate_request(self, path, loader_func, backend): ) public_key = request.public_key() assert isinstance(public_key, rsa.RSAPublicKey) + assert ( + request.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ @@ -2250,6 +2304,12 @@ def test_build_cert( cert = builder.sign(issuer_private_key, hashalg(), backend) assert cert.version is x509.Version.v3 + public_key = cert.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.RSAES_PKCS1_v1_5 + ) assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg _check_cert_times( @@ -3308,6 +3368,9 @@ def test_build_cert_with_dsa_private_key( assert cert.version is x509.Version.v3 assert cert.signature_algorithm_oid == hashalg_oid + public_key = cert.public_key() + assert isinstance(public_key, dsa.DSAPublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.DSA _check_cert_times( cert, not_valid_before=not_valid_before, @@ -3380,6 +3443,12 @@ def test_build_cert_with_ec_private_key( cert = builder.sign(issuer_private_key, hashalg(), backend) assert cert.version is x509.Version.v3 + public_key = cert.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) + assert ( + cert.public_key_algorithm_oid + == PublicKeyAlgorithmOID.EC_PUBLIC_KEY + ) assert cert.signature_algorithm_oid == hashalg_oid assert type(cert.signature_hash_algorithm) is hashalg _check_cert_times( @@ -3480,6 +3549,7 @@ def test_build_cert_with_ed25519(self, backend): assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519 assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 assert cert.version is x509.Version.v3 _check_cert_times( cert, @@ -3542,6 +3612,7 @@ def test_build_cert_with_public_ed25519_rsa_sig( ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 @pytest.mark.supported( only_if=lambda backend: backend.ed448_supported(), @@ -3583,6 +3654,7 @@ def test_build_cert_with_ed448(self, backend): assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448 assert cert.signature_hash_algorithm is None assert isinstance(cert.public_key(), ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 assert cert.version is x509.Version.v3 _check_cert_times( cert, @@ -3645,6 +3717,7 @@ def test_build_cert_with_public_ed448_rsa_sig( ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 @pytest.mark.supported( only_if=lambda backend: ( @@ -3653,10 +3726,18 @@ def test_build_cert_with_public_ed448_rsa_sig( skip_message="Requires OpenSSL with x25519 & x448 support", ) @pytest.mark.parametrize( - ("priv_key_cls", "pub_key_cls"), + ("priv_key_cls", "pub_key_cls", "pub_key_oid"), [ - (x25519.X25519PrivateKey, x25519.X25519PublicKey), - (x448.X448PrivateKey, x448.X448PublicKey), + ( + x25519.X25519PrivateKey, + x25519.X25519PublicKey, + PublicKeyAlgorithmOID.X25519, + ), + ( + x448.X448PrivateKey, + x448.X448PublicKey, + PublicKeyAlgorithmOID.X448, + ), ], ) def test_build_cert_with_public_x25519_x448_rsa_sig( @@ -3664,6 +3745,7 @@ def test_build_cert_with_public_x25519_x448_rsa_sig( rsa_key_2048: rsa.RSAPrivateKey, priv_key_cls, pub_key_cls, + pub_key_oid, backend, ): issuer_private_key = rsa_key_2048 @@ -3699,6 +3781,7 @@ def test_build_cert_with_public_x25519_x448_rsa_sig( ) assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) assert isinstance(cert.public_key(), pub_key_cls) + assert cert.public_key_algorithm_oid == pub_key_oid def test_build_cert_with_rsa_key_too_small( self, rsa_key_512: rsa.RSAPrivateKey, backend @@ -6169,6 +6252,7 @@ def test_load_pem_cert(self, backend): # self-signed, so this will work public_key = cert.public_key() assert isinstance(public_key, ed25519.Ed25519PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED25519 public_key.verify(cert.signature, cert.tbs_certificate_bytes) assert isinstance(cert, x509.Certificate) assert cert.serial_number == 9579446940964433301 @@ -6215,6 +6299,7 @@ def test_load_pem_cert(self, backend): # self-signed, so this will work public_key = cert.public_key() assert isinstance(public_key, ed448.Ed448PublicKey) + assert cert.public_key_algorithm_oid == PublicKeyAlgorithmOID.ED448 public_key.verify(cert.signature, cert.tbs_certificate_bytes) assert isinstance(cert, x509.Certificate) assert cert.serial_number == 448 diff --git a/vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem b/vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem new file mode 100644 index 000000000000..1b357a1007d6 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/ca/rsae_ca.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFczCCAyygAwIBAgIUXd3jDutyo6oiszLWxbtjcQQQh9kwPAYJKoZIhvcNAQEK +MC+gDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF +ADAaMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wHhcNMjQwMzIzMjMwNzU1WhcN +NDMwNTIzMjMwNzU1WjAaMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQSIXkXNR0+DM1eRr1Gw5PQhVOg06J +kQKTakZos64kapujmOB7d3e9QV6IOvyAZKgJ2eP1yUONBuLFQ2+dpNdaD73yfxea +XPulKjwS/kBs2BpCaLmwKlxaSOqMNKmshTUC79E/aOModEEDqBr4Apr/daporS62 +TV7uFPUu+hvg4hkk/kMjJDMY/lbBkbEUQbn1dbq3J7xVo1OkNvnK9nKdJjABvejU +8iLJGIifLy9N1s+A1+JJTuF+O3z5g51PzjJ+Em7zGfPeo9S9CdOEvrlU4U5MUFnB +XKl4V+ajPJM3IyVJsmxZW39edI91ornFuPCv4+3ydMfat4lKOBr2tHKEnIJSVnIK +PwQQsBQ8PDVW2u56cUkTImkt6k79HRBXEZ7wcnPu4chscZVnUxPbR4rFCNXmVZPT +/c4qjTmSrHGPGV9fvwuDPV+vWOwPCO+BeXTtuyEcnBIDq0qNs9TYX0sG6ia/Wtkw +bUbBYp5/K4ygSMzZ9BOafYztVo8bZHIx3116SzfBRTL6GCPZfyvmVg5vbG6GhfI6 +4KM0nNNOABXpgB+/ZpghlUSl59bwwKOAywuqdzYgRWEHGG1vVfm3hg+rK7BesSbb +mP1MLT0Ti1ks7ggq2f+AZZqTbEdHoSBRb8xCo1+q0dsqd2CpYLg2zATCjKX0hsQB +cHGezomsUdtFBwIDAQABo1MwUTAdBgNVHQ4EFgQU1qwA85hiqD2SFTX+kL5zmDDr +TIQwHwYDVR0jBBgwFoAU1qwA85hiqD2SFTX+kL5zmDDrTIQwDwYDVR0TAQH/BAUw +AwEB/zA8BgkqhkiG9w0BAQowL6APMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcN +AQEIMA0GCWCGSAFlAwQCAQUAA4ICAQCyy7dZwQGOiS7id+sSFIm7EPR8GGFEE49D +2CfKl6eRqfwwRBeGE8NO+Ndh3ZD88cVKDlyHLZdNefnY0fXK5dakZDAP6cCSvJYP +lo0q2ugZy80SmQstDtMTfOic6sfQTmdtCf5PqFgSt+zeDnU7RpmAVY8QO2WVS1HK +5X4/WW1YG/fEU1r/5KN80GsLaxyWip9xBlQ5M0FvFML7kKawbQn2e2juckvJMMhL +bQnS/viPqFjqk6e9NwXO7uTr3eXKJ2gLasFrP2WDXLvpnfjFIPyE7cg+oZFSNa96 +i0bzDGgQPa13cT5Bz5BzHrCmvnFOV5xX54MdkKNROxmyLBC8rTLqtUqaoW27q05S +novxXRVfxDbHVgNcealaAX40xLPXAF+Os8wWbZ58Gnhi4g/UvxOV5oqT7oql3n4M +f67B5ko45fetLAbyezT6znAd7sapaukEDWyiSOftHdxhnDKi16F96EMdh1h0ZrRE +u/CfUUntm6ET6sGAM+exrH7Rd3NTYfTof00I9H0hVxEIHSmszWTQjrF8EScJkgcL +PgkuKOQ32TzKjq+QQVIvk5tXf02VlBSUA9THctPxGewGzk9YJBCSYiBkSjqXqyiS +5MflShh/ktK07jGGMlC+k8+IhPjMUnEzQxwseHiIVlwMz6h7tmsL1ciVN1oLrAld +zvv7WyNrLA== +-----END CERTIFICATE----- From 143fff00145dbb7c1b0d32a65e1c53f35e8e017f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 00:22:10 +0000 Subject: [PATCH 321/868] Bump BoringSSL and/or OpenSSL in CI (#10657) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51d959646291..a3739e2c6669 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ee4c2a38a05873b8812fed97efae0ffc5ff51d46"}} + # Latest commit on the BoringSSL master branch, as of Mar 28, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}} # Latest commit on the OpenSSL master branch, as of Mar 27, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1967539e212c17139dc810096da987c8100b1ba2"}} # Builds with various Rust versions. Includes MSRV and next From 2b7715460782711def3d0c5669f75a6c589e1f2a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 28 Mar 2024 08:00:44 -0400 Subject: [PATCH 322/868] libressl 3.8.4 (#10658) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3739e2c6669..263e4ff604dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,7 +41,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 28, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}} From e4ae5e9faf9cc0c7df6a2567f8733b9074176509 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:25:13 +0000 Subject: [PATCH 323/868] Bump build from 1.1.1 to 1.2.1 (#10660) Bumps [build](https://github.com/pypa/build) from 1.1.1 to 1.2.1. - [Release notes](https://github.com/pypa/build/releases) - [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/build/compare/1.1.1...1.2.1) --- updated-dependencies: - dependency-name: build dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9027617cee4d..18b2d07fdfcc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -11,7 +11,7 @@ argcomplete==3.2.3; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx -build==1.1.1 +build==1.2.1 # via # check-sdist # cryptography (pyproject.toml) From 29f2eb350a635589594f4bbef58808289fd78fdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:26:57 +0000 Subject: [PATCH 324/868] Bump openssl-sys from 0.9.101 to 0.9.102 in /src/rust (#10659) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.101 to 0.9.102. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.101...openssl-sys-v0.9.102) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 10d7821b416b..207bbdd96232 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -213,9 +213,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.101" +version = "0.9.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dda2b0f344e78efc2facf7d195d098df0dd72151b26ab98da807afc26c198dff" +checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e3145ca05262..ffb3205cb8f8 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -19,7 +19,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.64" -openssl-sys = "0.9.101" +openssl-sys = "0.9.102" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 00b214f6f7e3..d944fb7e977e 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -9,7 +9,7 @@ rust-version = "1.65.0" [dependencies] pyo3 = { version = "0.20", features = ["abi3"] } -openssl-sys = "0.9.101" +openssl-sys = "0.9.102" [build-dependencies] cc = "1.0.90" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index d5071e5ef8a4..2b2313453269 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -11,5 +11,5 @@ rust-version = "1.65.0" asn1 = { version = "0.16.1", default-features = false } cfg-if = "1" openssl = "0.10.64" -openssl-sys = "0.9.101" +openssl-sys = "0.9.102" cryptography-x509 = { path = "../cryptography-x509" } From 6d9a52cd50bab4e956798bf5677168a131b5acb6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 28 Mar 2024 17:36:56 -0400 Subject: [PATCH 325/868] Update CI for new libressl releases (#10565) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 263e4ff604dc..5c5ce9156417 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,6 +42,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 28, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}} From 83b2933c4a8c8e807e1f463ad4f13b519b55d497 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 28 Mar 2024 21:53:48 -0400 Subject: [PATCH 326/868] Bump x509-limbo and/or wycheproof in CI (#10661) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f633964e3d21..0756a07dc1d2 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 27, 2024. - ref: "5550a13c69181f17f716eac5be382a0edb59be4b" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Mar 29, 2024. + ref: "4c4634d102feab973d06625cd974530d6f9dc98d" # x509-limbo-ref From 01561ded0ed75d123357035d9e2bec25060ffd74 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 29 Mar 2024 08:27:29 -0400 Subject: [PATCH 327/868] Added test for ClientVerifier.store (#10665) --- tests/x509/verification/test_verification.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index e8c280fce0e6..409f6f9b6408 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -130,6 +130,7 @@ def test_verify(self): assert verifier.validation_time == validation_time.replace(tzinfo=None) assert verifier.max_chain_depth == 16 + assert verifier.store is store verified_client = verifier.verify(leaf, []) assert verified_client.chain == [leaf] From 78c0be4b029036fbbe504b6a20db094316e3f8ea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 29 Mar 2024 11:13:39 -0400 Subject: [PATCH 328/868] Test with 3.3.0-beta1 (#10666) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5c5ce9156417..f4460278409b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-alpha1"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-beta1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} From 99f44085a889d7b9e4be994166ccc1bda014f7c5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 29 Mar 2024 20:50:11 -0400 Subject: [PATCH 329/868] Bump BoringSSL and/or OpenSSL in CI (#10668) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f4460278409b..4065d7ac666f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 28, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54c956b2e668e11c75f1ee0367f1b3a0ad28eff9"}} - # Latest commit on the OpenSSL master branch, as of Mar 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1967539e212c17139dc810096da987c8100b1ba2"}} + # Latest commit on the BoringSSL master branch, as of Mar 30, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ec6cb3e3a016a8e7ffee42d589d423e6057f21bf"}} + # Latest commit on the OpenSSL master branch, as of Mar 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4169d58c855718d90424fd5da632cf2f2b46e691"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f82c09691ebd3932f6ef539446b6789371926b54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 30 Mar 2024 12:44:22 +0000 Subject: [PATCH 330/868] Bump syn from 2.0.55 to 2.0.57 in /src/rust (#10670) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.55 to 2.0.57. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.55...2.0.57) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 207bbdd96232..3d2d33f780ba 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.55" +version = "2.0.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "002a1b3dbf967edfafc32655d0f377ab0bb7b994aa1d32c8cc7e9b8bf3ebb8f0" +checksum = "11a6ae1e52eb25aab8f3fb9fca13be982a373b8f1157ca14b897a825ba4a2d35" dependencies = [ "proc-macro2", "quote", From 74ed3a4b734369b195efa6d45509874e59e886bb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 30 Mar 2024 08:55:09 -0400 Subject: [PATCH 331/868] Remove a pair of derives that are unused (#10669) --- src/rust/cryptography-x509-verification/src/lib.rs | 2 +- src/rust/cryptography-x509/src/extensions.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 036e9dcd1b0f..169226c908ea 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -30,7 +30,7 @@ use crate::types::DNSName; use crate::types::{DNSConstraint, IPAddress, IPConstraint}; use crate::ApplyNameConstraintStatus::{Applied, Skipped}; -#[derive(Debug, PartialEq, Eq)] +#[derive(Debug)] pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index bbd0f2377896..1a1e13484272 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -8,7 +8,7 @@ use crate::common; use crate::crl; use crate::name; -#[derive(Debug, PartialEq, Eq)] +#[derive(Debug)] pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< From d6f2a7bed1ac300f4ad2d9494e7c649a283e80d8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 30 Mar 2024 13:26:42 -0500 Subject: [PATCH 332/868] Bump pycparser from 2.21 to 2.22 in /.github/requirements (#10672) * Bump pycparser from 2.21 to 2.22 in /.github/requirements Bumps [pycparser](https://github.com/eliben/pycparser) from 2.21 to 2.22. - [Release notes](https://github.com/eliben/pycparser/releases) - [Changelog](https://github.com/eliben/pycparser/blob/main/CHANGES) - [Commits](https://github.com/eliben/pycparser/compare/release_v2.21...release_v2.22) --- updated-dependencies: - dependency-name: pycparser dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/build-requirements.txt | 6 +++--- .github/requirements/publish-requirements.txt | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index cbec6164e9df..70fe56dc3ca1 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -58,9 +58,9 @@ cffi==1.16.0 ; platform_python_implementation != "PyPy" \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via -r build-requirements.in -pycparser==2.21 \ - --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ - --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 +pycparser==2.22 \ + --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ + --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi semantic-version==2.10.0 \ --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 010f500a8064..647f3d7cc6b7 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -396,9 +396,9 @@ pkginfo==1.10.0 \ --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 # via twine -pycparser==2.21 \ - --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \ - --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206 +pycparser==2.22 \ + --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ + --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi pydantic[email]==2.6.4 \ --hash=sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6 \ From 7b52f3796c6b9da9137a87fc4d1706f857acb4ae Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 31 Mar 2024 00:16:51 +0000 Subject: [PATCH 333/868] Bump BoringSSL and/or OpenSSL in CI (#10673) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4065d7ac666f..67403a8b936b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Mar 30, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ec6cb3e3a016a8e7ffee42d589d423e6057f21bf"}} - # Latest commit on the OpenSSL master branch, as of Mar 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4169d58c855718d90424fd5da632cf2f2b46e691"}} + # Latest commit on the OpenSSL master branch, as of Mar 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15e06b12ee9df6347433398cb3f732c4458d4218"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 60a54ea81213a0f421d899e34f64254609daea78 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 31 Mar 2024 22:00:44 -0400 Subject: [PATCH 334/868] Build LibreSSL with cmake instead of vanilla make (#10674) --- .github/workflows/build_openssl.sh | 8 +++----- .github/workflows/ci.yml | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index b646a325a98a..abdd09cf3e55 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -60,9 +60,8 @@ elif [[ "${TYPE}" == "libressl" ]]; then curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" tar zxf "libressl-${VERSION}.tar.gz" pushd "libressl-${VERSION}" - ./configure --disable-shared --prefix="${OSSL_PATH}" - shlib_sed - make -j"$(nproc)" install CFLAGS="-fPIC" + cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" + make -C build -j"$(nproc)" install # delete binaries, libtls, and docs we don't need. can't skip install/compile sadly rm -rf "${OSSL_PATH}/bin" rm -rf "${OSSL_PATH}/share" @@ -73,8 +72,7 @@ elif [[ "${TYPE}" == "boringssl" ]]; then pushd boringssl git checkout "${VERSION}" cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" - make -C build -j"$(nproc)" - make -C build install + make -C build -j"$(nproc)" install # delete binaries we don't need rm -rf "${OSSL_PATH}/bin" popd diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67403a8b936b..47bb66365129 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,7 +101,7 @@ jobs: # When altering the openssl build process you may need to increment # the value on the end of this cache key so that you can prevent it # from fetching the cache and skipping the build step. - key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-11 + key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.OPENSSL_HASH }}-12 if: matrix.PYTHON.OPENSSL - name: Build custom OpenSSL/LibreSSL run: .github/workflows/build_openssl.sh From ad0ef5e556444ad057106660a90cd9c7f350fa74 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 07:27:07 -0500 Subject: [PATCH 335/868] Bump jaraco-classes from 3.3.1 to 3.4.0 in /.github/requirements (#10675) * Bump jaraco-classes from 3.3.1 to 3.4.0 in /.github/requirements Bumps [jaraco-classes](https://github.com/jaraco/jaraco.classes) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/jaraco/jaraco.classes/releases) - [Changelog](https://github.com/jaraco/jaraco.classes/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.classes/compare/v3.3.1...v3.4.0) --- updated-dependencies: - dependency-name: jaraco-classes dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 647f3d7cc6b7..c61ee4e7ce20 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -246,9 +246,9 @@ importlib-metadata==7.1.0 \ # via # keyring # twine -jaraco-classes==3.3.1 \ - --hash=sha256:86b534de565381f6b3c1c830d13f931d7be1a75f0081c57dff615578676e2206 \ - --hash=sha256:cb28a5ebda8bc47d8c8015307d93163464f9f2b91ab4006e09ff0ce07e8bfb30 +jaraco-classes==3.4.0 \ + --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ + --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 # via keyring jaraco-context==4.3.0 \ --hash=sha256:4dad2404540b936a20acedec53355bdaea223acb88fd329fa6de9261c941566e \ From 6c83965454704e0dec0c63cb95c301cd1c9c1e4d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 1 Apr 2024 16:12:54 -0400 Subject: [PATCH 336/868] Attempt to port to pyo3 0.21 more minimally (#10671) --- src/rust/Cargo.lock | 20 ++++++------ src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-cffi/src/lib.rs | 11 +++---- src/rust/src/backend/cipher_registry.rs | 2 +- src/rust/src/backend/ciphers.rs | 2 +- src/rust/src/lib.rs | 2 +- src/rust/src/x509/extensions.rs | 42 +++++++++++++++---------- 8 files changed, 46 insertions(+), 37 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3d2d33f780ba..580672e2bebc 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -278,9 +278,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53bdbb96d49157e65d45cc287af5f32ffadd5f4761438b527b055fb0d4bb8233" +checksum = "a7a8b1990bd018761768d5e608a13df8bd1ac5f678456e0f301bb93e5f3ea16b" dependencies = [ "cfg-if", "indoc", @@ -296,9 +296,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "deaa5745de3f5231ce10517a1f5dd97d53e5a2fd77aa6b5842292085831d48d7" +checksum = "650dca34d463b6cdbdb02b1d71bfd6eb6b6816afc708faebb3bac1380ff4aef7" dependencies = [ "once_cell", "target-lexicon", @@ -306,9 +306,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62b42531d03e08d4ef1f6e85a2ed422eb678b8cd62b762e53891c05faf0d4afa" +checksum = "09a7da8fc04a8a2084909b59f29e1b8474decac98b951d77b80b26dc45f046ad" dependencies = [ "libc", "pyo3-build-config", @@ -316,9 +316,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7305c720fa01b8055ec95e484a6eca7a83c841267f0dd5280f0c8b8551d2c158" +checksum = "4b8a199fce11ebb28e3569387228836ea98110e43a804a530a9fd83ade36d513" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -328,9 +328,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.20.3" +version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c7e9b68bb9c3149c5b0cade5d07f953d6d125eb4337723c4ccdb665f1f96185" +checksum = "93fbbfd7eb553d10036513cb122b888dcd362a945a00b06c165f2ab480d4cc3b" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index ffb3205cb8f8..e8a26cfd53ae 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.65.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.20", features = ["abi3"] } +pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-key-parsing = { path = "cryptography-key-parsing" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index d944fb7e977e..5ef7438651e6 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.20", features = ["abi3"] } +pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-cffi/src/lib.rs b/src/rust/cryptography-cffi/src/lib.rs index 110341a1901e..17d63c44c43f 100644 --- a/src/rust/cryptography-cffi/src/lib.rs +++ b/src/rust/cryptography-cffi/src/lib.rs @@ -4,9 +4,6 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] -#[cfg(not(python_implementation = "PyPy"))] -use pyo3::FromPyPointer; - #[cfg(python_implementation = "PyPy")] extern "C" { fn Cryptography_make_openssl_module() -> std::os::raw::c_int; @@ -16,18 +13,20 @@ extern "C" { fn PyInit__openssl() -> *mut pyo3::ffi::PyObject; } -pub fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyModule> { +pub fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { #[cfg(python_implementation = "PyPy")] let openssl_mod = unsafe { let res = Cryptography_make_openssl_module(); assert_eq!(res, 0); - pyo3::types::PyModule::import(py, "_openssl")? + pyo3::types::PyModule::import_bound(py, "_openssl")?.clone() }; #[cfg(not(python_implementation = "PyPy"))] // SAFETY: `PyInit__openssl` returns an owned reference. let openssl_mod = unsafe { let ptr = PyInit__openssl(); - pyo3::types::PyModule::from_owned_ptr(py, ptr) + pyo3::Py::from_owned_ptr(py, ptr).bind(py).clone() }; Ok(openssl_mod) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 46f6e09b5aac..ef54b7460e82 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -259,7 +259,7 @@ fn get_cipher_registry( // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) - || types::LEGACY_PROVIDER_LOADED.get(py)?.is_true()? + || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 3695ca1d89df..8becdc597f22 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -29,7 +29,7 @@ impl CipherContext { format!( "cipher {} in {} mode is not supported ", algorithm.getattr(pyo3::intern!(py, "name"))?, - if mode.is_true()? { + if mode.is_truthy()? { mode.getattr(pyo3::intern!(py, "name"))? } else { mode diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 47102dfde1dd..9c445fa1776f 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -115,7 +115,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; m.add_submodule(ocsp_mod)?; - m.add_submodule(cryptography_cffi::create_module(py)?)?; + m.add_submodule(cryptography_cffi::create_module(py)?.into_gil_ref())?; let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; openssl_mod.add( diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 03fd1da9ff07..76bdf3c388d5 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -139,51 +139,58 @@ fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResu &mut bs, 0, ext.getattr(pyo3::intern!(py, "digital_signature"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 1, ext.getattr(pyo3::intern!(py, "content_commitment"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 2, ext.getattr(pyo3::intern!(py, "key_encipherment"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 3, ext.getattr(pyo3::intern!(py, "data_encipherment"))? - .is_true()?, + .is_truthy()?, ); certificate::set_bit( &mut bs, 4, - ext.getattr(pyo3::intern!(py, "key_agreement"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "key_agreement"))? + .is_truthy()?, ); certificate::set_bit( &mut bs, 5, - ext.getattr(pyo3::intern!(py, "key_cert_sign"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "key_cert_sign"))? + .is_truthy()?, ); certificate::set_bit( &mut bs, 6, - ext.getattr(pyo3::intern!(py, "crl_sign"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "crl_sign"))?.is_truthy()?, ); - if ext.getattr(pyo3::intern!(py, "key_agreement"))?.is_true()? { + if ext + .getattr(pyo3::intern!(py, "key_agreement"))? + .is_truthy()? + { certificate::set_bit( &mut bs, 7, - ext.getattr(pyo3::intern!(py, "encipher_only"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "encipher_only"))? + .is_truthy()?, ); certificate::set_bit( &mut bs, 8, - ext.getattr(pyo3::intern!(py, "decipher_only"))?.is_true()?, + ext.getattr(pyo3::intern!(py, "decipher_only"))? + .is_truthy()?, ); } let (bits, unused_bits) = if bs[1] == 0 { @@ -208,7 +215,7 @@ fn encode_certificate_policies( let py_policy_info = py_policy_info?; let py_policy_qualifiers = py_policy_info.getattr(pyo3::intern!(py, "policy_qualifiers"))?; - let qualifiers = if py_policy_qualifiers.is_true()? { + let qualifiers = if py_policy_qualifiers.is_truthy()? { let mut qualifiers = vec![]; for py_qualifier in py_policy_qualifiers.iter()? { let py_qualifier = py_qualifier?; @@ -228,7 +235,7 @@ fn encode_certificate_policies( } } else { let py_notice = py_qualifier.getattr(pyo3::intern!(py, "notice_reference"))?; - let notice_ref = if py_notice.is_true()? { + let notice_ref = if py_notice.is_truthy()? { let mut notice_numbers = vec![]; for py_num in py_notice .getattr(pyo3::intern!(py, "notice_numbers"))? @@ -255,7 +262,7 @@ fn encode_certificate_policies( }; let py_explicit_text = py_qualifier.getattr(pyo3::intern!(py, "explicit_text"))?; - let explicit_text = if py_explicit_text.is_true()? { + let explicit_text = if py_explicit_text.is_truthy()? { Some(extensions::DisplayText::Utf8String(asn1::Utf8String::new( py_explicit_text.extract()?, ))) @@ -296,7 +303,7 @@ fn encode_issuing_distribution_point( ) -> CryptographyResult> { let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? - .is_true()? + .is_truthy()? { let py_reasons = ext.getattr(pyo3::intern!(py, "only_some_reasons"))?; let reasons = certificate::encode_distribution_point_reasons(ext.py(), py_reasons)?; @@ -304,13 +311,16 @@ fn encode_issuing_distribution_point( } else { None }; - let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_true()? { + let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; let gns = x509::common::encode_general_names(ext.py(), py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) - } else if ext.getattr(pyo3::intern!(py, "relative_name"))?.is_true()? { + } else if ext + .getattr(pyo3::intern!(py, "relative_name"))? + .is_truthy()? + { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { name_entries.push(x509::common::encode_name_entry(ext.py(), py_name_entry?)?); From c30cc6fd6592c8ed177ff7b406f2c6f0c392ee33 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 1 Apr 2024 17:57:58 -0400 Subject: [PATCH 337/868] Convert `py_uint_to_big_endian_bytes` to the new pyo3 APIs (#10677) --- src/rust/src/asn1.rs | 7 ++++--- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/extensions.rs | 9 +++++---- src/rust/src/x509/ocsp_req.rs | 2 +- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 641417545fce..9677064b536c 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -6,6 +6,7 @@ use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; +use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; @@ -65,7 +66,7 @@ fn decode_dss_signature( pub(crate) fn py_uint_to_big_endian_bytes<'p>( py: pyo3::Python<'p>, - v: &'p pyo3::types::PyLong, + v: pyo3::Bound<'p, pyo3::types::PyLong>, ) -> pyo3::PyResult<&'p [u8]> { let zero = (0).to_object(py); if v.lt(zero)? { @@ -114,8 +115,8 @@ pub(crate) fn encode_der_data<'p>( #[pyo3::prelude::pyfunction] fn encode_dss_signature( py: pyo3::Python<'_>, - r: &pyo3::types::PyLong, - s: &pyo3::types::PyLong, + r: pyo3::Bound<'_, pyo3::types::PyLong>, + s: pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult { let sig = DssSignature { r: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, r)?).unwrap(), diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 8e43832986c2..c040abfffe85 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -375,7 +375,7 @@ impl CertificateRevocationList { fn get_revoked_certificate_by_serial_number( &self, py: pyo3::Python<'_>, - serial: &pyo3::types::PyLong, + serial: pyo3::Bound<'_, pyo3::types::PyLong>, ) -> pyo3::PyResult> { let serial_bytes = py_uint_to_big_endian_bytes(py, serial)?; let owned = OwnedRevokedCertificate::try_new(Arc::clone(&self.owned), |v| { diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 76bdf3c388d5..54cf0d555e3a 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -8,6 +8,7 @@ use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; +use pyo3::PyNativeType; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, @@ -39,7 +40,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( struct PyAuthorityKeyIdentifier<'a> { key_identifier: Option<&'a [u8]>, authority_cert_issuer: Option<&'a pyo3::PyAny>, - authority_cert_serial_number: Option<&'a pyo3::types::PyLong>, + authority_cert_serial_number: Option>, } let aki = py_aki.extract::>()?; let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { @@ -241,7 +242,7 @@ fn encode_certificate_policies( .getattr(pyo3::intern!(py, "notice_numbers"))? .iter()? { - let bytes = py_uint_to_big_endian_bytes(ext.py(), py_num?.downcast()?)?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?; notice_numbers.push(asn1::BigUint::new(bytes).unwrap()); } @@ -444,7 +445,7 @@ pub(crate) fn encode_extension( let intval = ext .getattr(pyo3::intern!(py, "skip_certs"))? .downcast::()?; - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) @@ -491,7 +492,7 @@ pub(crate) fn encode_extension( let intval = ext .getattr(pyo3::intern!(py, "crl_number"))? .downcast::()?; - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index baa2dd00dfb4..931036c4b0a7 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -192,7 +192,7 @@ fn create_ocsp_request( let (issuer_name_hash, issuer_key_hash, py_serial, py_hash): ( &[u8], &[u8], - &pyo3::types::PyLong, + pyo3::Bound<'_, pyo3::types::PyLong>, &pyo3::PyAny, ) = builder .getattr(pyo3::intern!(py, "_request_hash"))? From c69e7cb79a49f1147ba5649e1f440a9ec6b40bd5 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 20:35:55 -0400 Subject: [PATCH 338/868] Bump x509-limbo and/or wycheproof in CI (#10681) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 0756a07dc1d2..b152b7af5c1c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Mar 29, 2024. - ref: "4c4634d102feab973d06625cd974530d6f9dc98d" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 02, 2024. + ref: "daf8dd36c0f7457d2b9ea006a514b30a4d49b6c1" # x509-limbo-ref From e26f437af4c3e3493c2735364440b8925d9ce641 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 1 Apr 2024 20:37:43 -0400 Subject: [PATCH 339/868] sign: bound-ify sig_alg APIs (#10679) * sign: bound-ify sig_alg APIs This unfortunately taints a few certificate, CRL, etc. APIs in the process. However, each is a singular top-level API, so the diff isn't too bad. * types: implement get via get_bound --- src/rust/src/types.rs | 25 ++++++++++++++++--------- src/rust/src/x509/certificate.rs | 4 ++-- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/csr.rs | 4 ++-- src/rust/src/x509/sign.rs | 25 ++++++++++++++++--------- 5 files changed, 37 insertions(+), 23 deletions(-) diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 55250a0b0b58..c3590948bf90 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -18,15 +18,22 @@ impl LazyPyImport { } pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - self.value - .get_or_try_init(py, || { - let mut obj = py.import(self.module)?.as_ref(); - for name in self.names { - obj = obj.getattr(*name)?; - } - obj.extract() - }) - .map(|p| p.as_ref(py)) + Ok(self.get_bound(py)?.into_gil_ref()) + } + + pub fn get_bound<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let p = self.value.get_or_try_init(py, || { + let mut obj = py.import(self.module)?.as_ref(); + for name in self.names { + obj = obj.getattr(*name)?; + } + obj.extract() + })?; + + Ok(p.clone().into_bound(py)) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d4873256fe22..27f30f329b6f 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -257,7 +257,7 @@ impl Certificate { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { sign::identify_signature_hash_algorithm(py, &self.raw.borrow_dependent().signature_alg) } @@ -270,7 +270,7 @@ impl Certificate { fn signature_algorithm_parameters<'p>( &'p self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { sign::identify_signature_algorithm_parameters( py, &self.raw.borrow_dependent().signature_alg, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c040abfffe85..67c8b1d0093d 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -207,7 +207,7 @@ impl CertificateRevocationList { fn signature_algorithm_parameters<'p>( &'p self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { sign::identify_signature_algorithm_parameters( py, &self.owned.borrow_dependent().signature_algorithm, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 27eff5e12e95..704dd2c93655 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -91,7 +91,7 @@ impl CertificateSigningRequest { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { sign::identify_signature_hash_algorithm(py, &self.raw.borrow_dependent().signature_alg) } @@ -104,7 +104,7 @@ impl CertificateSigningRequest { fn signature_algorithm_parameters<'p>( &'p self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { sign::identify_signature_algorithm_parameters( py, &self.raw.borrow_dependent().signature_alg, diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 638bbbe909af..e1d2b877938c 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -6,6 +6,8 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; +use pyo3::prelude::PyAnyMethods; +use pyo3::PyNativeType; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; @@ -427,9 +429,12 @@ fn identify_alg_params_for_hash_type( fn hash_oid_py_hash( py: pyo3::Python<'_>, oid: asn1::ObjectIdentifier, -) -> CryptographyResult<&pyo3::PyAny> { +) -> CryptographyResult> { match HASH_OIDS_TO_HASH.get(&oid) { - Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE + .get_bound(py)? + .getattr(*alg_name)? + .call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -442,7 +447,7 @@ fn hash_oid_py_hash( pub(crate) fn identify_signature_hash_algorithm<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get(py)?; match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { @@ -455,7 +460,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( let py_sig_alg_oid = oid_to_py_oid(py, signature_algorithm.oid())?; let hash_alg = sig_oids_to_hash.get_item(py_sig_alg_oid); match hash_alg { - Ok(data) => Ok(data), + Ok(data) => Ok(data.as_borrowed().to_owned()), Err(_) => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -470,7 +475,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( pub(crate) fn identify_signature_algorithm_parameters<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { let pss = opt_pss.as_ref().ok_or_else(|| { @@ -487,7 +492,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( let py_mask_gen_hash_alg = hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; let py_mgf = types::MGF1.get(py)?.call1((py_mask_gen_hash_alg,))?; - Ok(types::PSS.get(py)?.call1((py_mgf, pss.salt_length))?) + Ok(types::PSS.get_bound(py)?.call1((py_mgf, pss.salt_length))?) } common::AlgorithmParameters::RsaWithSha1(_) | common::AlgorithmParameters::RsaWithSha1Alt(_) @@ -499,7 +504,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( | common::AlgorithmParameters::RsaWithSha3_256(_) | common::AlgorithmParameters::RsaWithSha3_384(_) | common::AlgorithmParameters::RsaWithSha3_512(_) => { - Ok(types::PKCS1V15.get(py)?.call0()?) + Ok(types::PKCS1V15.get_bound(py)?.call0()?) } common::AlgorithmParameters::EcDsaWithSha224(_) | common::AlgorithmParameters::EcDsaWithSha256(_) @@ -512,9 +517,11 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( let signature_hash_algorithm = identify_signature_hash_algorithm(py, signature_algorithm)?; - Ok(types::ECDSA.get(py)?.call1((signature_hash_algorithm,))?) + Ok(types::ECDSA + .get_bound(py)? + .call1((signature_hash_algorithm,))?) } - _ => Ok(py.None().into_ref(py)), + _ => Ok(py.None().into_bound(py)), } } From d2ee468c0da38a97af70827a3e4735421b68f3d7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 00:40:07 +0000 Subject: [PATCH 340/868] Bump BoringSSL and/or OpenSSL in CI (#10680) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 47bb66365129..a98f02e3f531 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Mar 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ec6cb3e3a016a8e7ffee42d589d423e6057f21bf"}} - # Latest commit on the OpenSSL master branch, as of Mar 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15e06b12ee9df6347433398cb3f732c4458d4218"}} + # Latest commit on the BoringSSL master branch, as of Apr 02, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "077d4d2b1a768028603ae1b26287224d7f985d1f"}} + # Latest commit on the OpenSSL master branch, as of Apr 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "81f2b0420abab47a7fd9fc9ef69309578115d342"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e8180e2349a20ae4fc91baf890cc654e94061b90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 07:01:39 -0400 Subject: [PATCH 341/868] Bump ruff from 0.3.4 to 0.3.5 (#10683) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.4 to 0.3.5. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.4...v0.3.5) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 18b2d07fdfcc..702299344a67 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.4 +ruff==0.3.5 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 598870229f466ddf082dd5e9dabe0ae140799133 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 00:16:23 +0000 Subject: [PATCH 342/868] Bump BoringSSL and/or OpenSSL in CI (#10689) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a98f02e3f531..640f2a574632 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 02, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "077d4d2b1a768028603ae1b26287224d7f985d1f"}} - # Latest commit on the OpenSSL master branch, as of Apr 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "81f2b0420abab47a7fd9fc9ef69309578115d342"}} + # Latest commit on the BoringSSL master branch, as of Apr 03, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "68c6fd8943ffba4e5054ff3a9befa8882b6b226a"}} + # Latest commit on the OpenSSL master branch, as of Apr 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c45ca0656f8d1fe43b8cf444c88d295a063341ca"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 46b5be8c8ca647774e272f7e543a3dabdeb2f33e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 07:06:13 -0400 Subject: [PATCH 343/868] Bump syn from 2.0.57 to 2.0.58 in /src/rust (#10690) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.57 to 2.0.58. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.57...2.0.58) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 580672e2bebc..91ac810df5c2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -377,9 +377,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.57" +version = "2.0.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11a6ae1e52eb25aab8f3fb9fca13be982a373b8f1157ca14b897a825ba4a2d35" +checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687" dependencies = [ "proc-macro2", "quote", From f9c422f074931bd8edcc4da836a2776abf8780be Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 00:15:23 +0000 Subject: [PATCH 344/868] Bump BoringSSL and/or OpenSSL in CI (#10695) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 640f2a574632..6ef592535110 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 03, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "68c6fd8943ffba4e5054ff3a9befa8882b6b226a"}} - # Latest commit on the OpenSSL master branch, as of Apr 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c45ca0656f8d1fe43b8cf444c88d295a063341ca"}} + # Latest commit on the BoringSSL master branch, as of Apr 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e97787e7f33fe8f0aeb2fc3ee7fbb86e1a074ba5"}} + # Latest commit on the OpenSSL master branch, as of Apr 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "882a387d0dc12afe8612c4d3f6b9cae5c04611d7"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a54ca106c43e25e8313eec994d6f7c6b9e2d7c7e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 07:16:10 +0200 Subject: [PATCH 345/868] Bump sigstore-protobuf-specs from 0.3.0 to 0.3.1 in /.github/requirements (#10691) * Bump sigstore-protobuf-specs in /.github/requirements Bumps [sigstore-protobuf-specs](https://github.com/sigstore/protobuf-specs) from 0.3.0 to 0.3.1. - [Release notes](https://github.com/sigstore/protobuf-specs/releases) - [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/protobuf-specs/compare/v0.3.0...v0.3.1) --- updated-dependencies: - dependency-name: sigstore-protobuf-specs dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index c61ee4e7ce20..1abe043ba1a5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -548,9 +548,9 @@ sigstore==2.1.3 \ --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 # via -r publish-requirements.in -sigstore-protobuf-specs==0.3.0 \ - --hash=sha256:3322adb73992bca0f3dc6d4c2c38bac29086a11d2631a983adb2798e58e32a54 \ - --hash=sha256:e06321d28e58cb1505ae682b63756b4fb858da6b11bd7b49a2b6beabe412ebfd +sigstore-protobuf-specs==0.3.1 \ + --hash=sha256:c40b61975b957ae906eb29a5bc7040ec015b68b6b46005cc5805e629493e8dec \ + --hash=sha256:ea6d7325af70019b6639e0fd16ef6f78511645d46dd3f9876fb008641d80a125 # via sigstore sigstore-rekor-types==0.0.11 \ --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ From e5b847a193092c4eb66fa2c4473216187a92ddb9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 07:16:27 +0200 Subject: [PATCH 346/868] Bump keyring from 25.0.0 to 25.1.0 in /.github/requirements (#10692) * Bump keyring from 25.0.0 to 25.1.0 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 25.0.0 to 25.1.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v25.0.0...v25.1.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 1abe043ba1a5..160ac650d276 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -264,9 +264,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==25.0.0 \ - --hash=sha256:9a15cd280338920388e8c1787cb8792b9755dabb3e7c61af5ac1f8cd437cefde \ - --hash=sha256:fc024ed53c7ea090e30723e6bd82f58a39dc25d9a6797d866203ecd0ee6306cb +keyring==25.1.0 \ + --hash=sha256:26fc12e6a329d61d24aa47b22a7c5c3f35753df7d8f2860973cf94f4e1fb3427 \ + --hash=sha256:7230ea690525133f6ad536a9b5def74a4bd52642abe594761028fc044d7c7893 # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From 14e8a3296acde6622f0b713f2f194f133f77cc35 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:17:18 -0400 Subject: [PATCH 347/868] Convert `src/backend/utils.rs` to new pyo3 APIs (#10678) --- src/rust/src/backend/dh.rs | 5 +++-- src/rust/src/backend/dsa.rs | 5 +++-- src/rust/src/backend/ec.rs | 5 +++-- src/rust/src/backend/ed25519.rs | 4 ++-- src/rust/src/backend/ed448.rs | 4 ++-- src/rust/src/backend/rsa.rs | 5 +++-- src/rust/src/backend/utils.rs | 39 +++++++++++++++++---------------- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- 9 files changed, 40 insertions(+), 35 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index eb6cbdcdc9e4..1145b32327c3 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -8,6 +8,7 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; +use pyo3::prelude::PyAnyMethods; const MIN_MODULUS_SIZE: u32 = 512; @@ -226,7 +227,7 @@ impl DHPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if !format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -260,7 +261,7 @@ impl DHPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if !format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index bf341ac71314..2d567db5e086 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -6,6 +6,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::PyAnyMethods; #[pyo3::prelude::pyclass( frozen, @@ -133,7 +134,7 @@ impl DsaPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -205,7 +206,7 @@ impl DsaPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 1c4cf95d0f61..0291c96b7f70 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,6 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; +use pyo3::prelude::PyAnyMethods; use pyo3::ToPyObject; use crate::backend::utils; @@ -357,7 +358,7 @@ impl ECPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -438,7 +439,7 @@ impl ECPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 81ca3230088e..4fc199969aec 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -102,7 +102,7 @@ impl Ed25519PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -145,7 +145,7 @@ impl Ed25519PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 15b679d5f993..79d650a1cb46 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -100,7 +100,7 @@ impl Ed448PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -142,7 +142,7 @@ impl Ed448PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 662f30aff084..1d47b8c6c326 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,6 +9,7 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +use pyo3::prelude::PyAnyMethods; #[pyo3::prelude::pyclass( frozen, @@ -402,7 +403,7 @@ impl RsaPrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -514,7 +515,7 @@ impl RsaPublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 5c15cba57741..ecd83edfe467 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -5,6 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; +use pyo3::prelude::PyAnyMethods; use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( @@ -26,10 +27,10 @@ pub(crate) fn py_int_to_bn( pub(crate) fn bn_to_py_int<'p>( py: pyo3::Python<'p>, b: &openssl::bn::BigNumRef, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { assert!(!b.is_negative()); - let int_type = py.get_type::(); + let int_type = py.get_type_bound::(); Ok(int_type.call_method1( pyo3::intern!(py, "from_bytes"), (b.to_vec(), pyo3::intern!(py, "big")), @@ -50,7 +51,7 @@ pub(crate) fn pkey_private_bytes<'p>( encryption_algorithm: &pyo3::PyAny, openssh_allowed: bool, raw_allowed: bool, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { if !encoding.is_instance(types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( @@ -86,7 +87,7 @@ pub(crate) fn pkey_private_bytes<'p>( ))); } let raw_bytes = pkey.raw_private_key()?; - return Ok(pyo3::types::PyBytes::new(py, &raw_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } let password = if encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? { @@ -124,7 +125,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? @@ -134,7 +135,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Unsupported encoding for PKCS8"), @@ -152,7 +153,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -163,7 +164,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = rsa.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { if encoding.is(types::ENCODING_PEM.get(py)?) { @@ -175,7 +176,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -186,7 +187,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = dsa.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { if encoding.is(types::ENCODING_PEM.get(py)?) { @@ -198,7 +199,7 @@ pub(crate) fn pkey_private_bytes<'p>( password, )? }; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( @@ -209,7 +210,7 @@ pub(crate) fn pkey_private_bytes<'p>( } let der_bytes = ec.private_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } } @@ -243,7 +244,7 @@ pub(crate) fn pkey_public_bytes<'p>( format: &pyo3::PyAny, openssh_allowed: bool, raw_allowed: bool, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { if !encoding.is_instance(types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( @@ -273,17 +274,17 @@ pub(crate) fn pkey_public_bytes<'p>( )); } let raw_bytes = pkey.raw_public_key()?; - return Ok(pyo3::types::PyBytes::new(py, &raw_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } // SubjectPublicKeyInfo + PEM/DER if format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = pkey.public_key_to_pem()?; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = pkey.public_key_to_der()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -309,7 +310,7 @@ pub(crate) fn pkey_public_bytes<'p>( let data = ec .public_key() .to_bytes(ec.group(), point_form, &mut bn_ctx)?; - return Ok(pyo3::types::PyBytes::new(py, &data)); + return Ok(pyo3::types::PyBytes::new_bound(py, &data)); } } @@ -317,10 +318,10 @@ pub(crate) fn pkey_public_bytes<'p>( if format.is(types::PUBLIC_FORMAT_PKCS1.get(py)?) { if encoding.is(types::ENCODING_PEM.get(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; - return Ok(pyo3::types::PyBytes::new(py, &pem_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); } else if encoding.is(types::ENCODING_DER.get(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; - return Ok(pyo3::types::PyBytes::new(py, &der_bytes)); + return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index b193e18b0483..1789c9f20a03 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -103,7 +103,7 @@ impl X25519PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -132,7 +132,7 @@ impl X25519PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 7a64002d943d..ae61ac4eafe9 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -102,7 +102,7 @@ impl X448PrivateKey { encoding: &pyo3::PyAny, format: &pyo3::PyAny, encryption_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_private_bytes( py, slf, @@ -131,7 +131,7 @@ impl X448PublicKey { py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } From bbb1a75dc180ea4ee3da9d75fe5bbc19be796269 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:18:31 -0400 Subject: [PATCH 348/868] Convert cipher registry to new pyo3 API (#10682) Refs https://github.com/pyca/cryptography/issues/10676 --- src/rust/src/backend/cipher_registry.rs | 5 +- src/rust/src/backend/ciphers.rs | 119 ++++++++++++------------ src/rust/src/backend/cmac.rs | 9 +- 3 files changed, 69 insertions(+), 64 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index ef54b7460e82..1ceccbe0a1cd 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -5,6 +5,7 @@ use std::collections::HashMap; use openssl::cipher::Cipher; +use pyo3::prelude::PyAnyMethods; use crate::error::CryptographyResult; use crate::types; @@ -305,8 +306,8 @@ fn get_cipher_registry( pub(crate) fn get_cipher<'py>( py: pyo3::Python<'py>, - algorithm: &pyo3::PyAny, - mode_cls: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode_cls: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let registry = get_cipher_registry(py)?; diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 8becdc597f22..2cf97d7b8800 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,6 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; +use pyo3::prelude::PyAnyMethods; use pyo3::IntoPy; struct CipherContext { @@ -17,54 +18,56 @@ struct CipherContext { impl CipherContext { fn new( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, side: openssl::symm::Mode, ) -> CryptographyResult { - let cipher = match cipher_registry::get_cipher(py, algorithm, mode.get_type())? { - Some(c) => c, - None => { - return Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(( - format!( - "cipher {} in {} mode is not supported ", - algorithm.getattr(pyo3::intern!(py, "name"))?, - if mode.is_truthy()? { - mode.getattr(pyo3::intern!(py, "name"))? - } else { - mode - } - ), - exceptions::Reasons::UNSUPPORTED_CIPHER, - )), - )) - } - }; - - let iv_nonce = if mode.is_instance(types::MODE_WITH_INITIALIZATION_VECTOR.get(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "initialization_vector"))? - .extract::>()?, - ) - } else if mode.is_instance(types::MODE_WITH_TWEAK.get(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "tweak"))? - .extract::>()?, - ) - } else if mode.is_instance(types::MODE_WITH_NONCE.get(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else if algorithm.is_instance(types::CHACHA20.get(py)?)? { - Some( - algorithm - .getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else { - None - }; + let cipher = + match cipher_registry::get_cipher(py, algorithm.clone(), mode.get_type().into_any())? { + Some(c) => c, + None => { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + format!( + "cipher {} in {} mode is not supported ", + algorithm.getattr(pyo3::intern!(py, "name"))?, + if mode.is_truthy()? { + mode.getattr(pyo3::intern!(py, "name"))? + } else { + mode + } + ), + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )) + } + }; + + let iv_nonce = + if mode.is_instance(&types::MODE_WITH_INITIALIZATION_VECTOR.get_bound(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "initialization_vector"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_TWEAK.get_bound(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "tweak"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_NONCE.get_bound(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else if algorithm.is_instance(&types::CHACHA20.get_bound(py)?)? { + Some( + algorithm + .getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else { + None + }; let key = algorithm .getattr(pyo3::intern!(py, "key"))? @@ -85,7 +88,7 @@ impl CipherContext { } } - if mode.is_instance(types::XTS.get(py)?)? { + if mode.is_instance(&types::XTS.get_bound(py)?)? { init_op( &mut ctx, None, @@ -471,12 +474,12 @@ impl PyAEADDecryptionContext { #[pyo3::prelude::pyfunction] fn create_encryption_ctx( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Encrypt)?; + let ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Encrypt)?; - if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { Ok(PyAEADEncryptionContext { ctx: Some(ctx), tag: None, @@ -497,12 +500,12 @@ fn create_encryption_ctx( #[pyo3::prelude::pyfunction] fn create_decryption_ctx( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let mut ctx = CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Decrypt)?; + let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?; - if mode.is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { if let Some(tag) = mode.getattr(pyo3::intern!(py, "tag"))?.extract()? { ctx.ctx.set_tag(tag)?; } @@ -526,10 +529,10 @@ fn create_decryption_ctx( #[pyo3::prelude::pyfunction] fn cipher_supported( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type())?.is_some()) + Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type().into_any())?.is_some()) } #[pyo3::prelude::pyfunction] diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index acacbf02f6ad..f23ccca37271 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -7,6 +7,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +use pyo3::prelude::PyAnyMethods; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", @@ -37,12 +38,12 @@ impl Cmac { #[new] fn new( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, backend: Option<&pyo3::PyAny>, ) -> CryptographyResult { let _ = backend; - if !algorithm.is_instance(types::BLOCK_CIPHER_ALGORITHM.get(py)?)? { + if !algorithm.is_instance(&types::BLOCK_CIPHER_ALGORITHM.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of BlockCipherAlgorithm.", @@ -50,8 +51,8 @@ impl Cmac { )); } - let cipher = - cipher_registry::get_cipher(py, algorithm, types::CBC.get(py)?)?.ok_or_else(|| { + let cipher = cipher_registry::get_cipher(py, algorithm.clone(), types::CBC.get_bound(py)?)? + .ok_or_else(|| { exceptions::UnsupportedAlgorithm::new_err(( "CMAC is not supported with this algorithm", exceptions::Reasons::UNSUPPORTED_CIPHER, From ec025527487d129e6c305c37ffb0694a229c2741 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:19:05 -0400 Subject: [PATCH 349/868] Convert `src/buf.rs` to new pyo3 APIs (#10684) --- src/rust/src/buf.rs | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index 028322dfe0da..c480216147ff 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -3,31 +3,32 @@ // for complete details. use crate::types; +use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; use std::slice; pub(crate) struct CffiBuf<'p> { - _pyobj: &'p pyo3::PyAny, - _bufobj: &'p pyo3::PyAny, + _pyobj: pyo3::Bound<'p, pyo3::PyAny>, + _bufobj: pyo3::Bound<'p, pyo3::PyAny>, buf: &'p [u8], } -fn _extract_buffer_length( - pyobj: &pyo3::PyAny, +fn _extract_buffer_length<'p>( + pyobj: &pyo3::Bound<'p, pyo3::PyAny>, mutable: bool, -) -> pyo3::PyResult<(&pyo3::PyAny, usize)> { +) -> pyo3::PyResult<(pyo3::Bound<'p, pyo3::PyAny>, usize)> { let py = pyobj.py(); let bufobj = if mutable { - let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict(py); + let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict_bound(py); types::FFI_FROM_BUFFER - .get(py)? - .call((pyobj,), Some(kwargs))? + .get_bound(py)? + .call((pyobj,), Some(&kwargs))? } else { - types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))? + types::FFI_FROM_BUFFER.get_bound(py)?.call1((pyobj,))? }; let ptrval = types::FFI_CAST .get(py)? - .call1((pyo3::intern!(py, "uintptr_t"), bufobj))? + .call1((pyo3::intern!(py, "uintptr_t"), bufobj.clone()))? .call_method0(pyo3::intern!(py, "__int__"))? .extract::()?; Ok((bufobj, ptrval)) @@ -40,7 +41,7 @@ impl CffiBuf<'_> { } impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { - fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { + fn extract_bound(pyobj: &pyo3::Bound<'a, pyo3::PyAny>) -> pyo3::PyResult { let (bufobj, ptrval) = _extract_buffer_length(pyobj, false)?; let len = bufobj.len()?; let buf = if len == 0 { @@ -58,7 +59,7 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { }; Ok(CffiBuf { - _pyobj: pyobj, + _pyobj: pyobj.clone(), _bufobj: bufobj, buf, }) @@ -66,8 +67,8 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { } pub(crate) struct CffiMutBuf<'p> { - _pyobj: &'p pyo3::PyAny, - _bufobj: &'p pyo3::PyAny, + _pyobj: pyo3::Bound<'p, pyo3::PyAny>, + _bufobj: pyo3::Bound<'p, pyo3::PyAny>, buf: &'p mut [u8], } @@ -78,7 +79,7 @@ impl CffiMutBuf<'_> { } impl<'a> pyo3::conversion::FromPyObject<'a> for CffiMutBuf<'a> { - fn extract(pyobj: &'a pyo3::PyAny) -> pyo3::PyResult { + fn extract_bound(pyobj: &pyo3::Bound<'a, pyo3::PyAny>) -> pyo3::PyResult { let (bufobj, ptrval) = _extract_buffer_length(pyobj, true)?; let len = bufobj.len()?; @@ -97,7 +98,7 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiMutBuf<'a> { }; Ok(CffiMutBuf { - _pyobj: pyobj, + _pyobj: pyobj.clone(), _bufobj: bufobj, buf, }) From 80c7ad811a05ec291ee7c9dde67a345d62003123 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:20:38 -0400 Subject: [PATCH 350/868] Convert `src/error.rs` to new pyo3 APIs (#10686) --- src/rust/src/error.rs | 22 ++++++++++++---------- src/rust/src/x509/extensions.rs | 19 ++++++++++++------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 62b1ff4a6daa..380531c65509 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyListMethods; use pyo3::ToPyObject; use crate::exceptions; @@ -32,8 +33,8 @@ impl From for CryptographyError { } } -impl From> for CryptographyError { - fn from(e: pyo3::PyDowncastError<'_>) -> CryptographyError { +impl From> for CryptographyError { + fn from(e: pyo3::DowncastError<'_, '_>) -> CryptographyError { CryptographyError::Py(e.into()) } } @@ -83,12 +84,12 @@ impl From for CryptographyError { pub(crate) fn list_from_openssl_error( py: pyo3::Python<'_>, error_stack: openssl::error::ErrorStack, -) -> &pyo3::types::PyList { - let errors = pyo3::types::PyList::empty(py); +) -> pyo3::Bound<'_, pyo3::types::PyList> { + let errors = pyo3::types::PyList::empty_bound(py); for e in error_stack.errors() { errors .append( - pyo3::PyCell::new(py, OpenSSLError { e: e.clone() }) + pyo3::Bound::new(py, OpenSSLError { e: e.clone() }) .expect("Failed to create OpenSSLError"), ) .expect("Failed to append to list"); @@ -186,10 +187,12 @@ impl OpenSSLError { } #[pyo3::prelude::pyfunction] -pub(crate) fn capture_error_stack(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyList> { - let errs = pyo3::types::PyList::empty(py); +pub(crate) fn capture_error_stack( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let errs = pyo3::types::PyList::empty_bound(py); for e in openssl::error::ErrorStack::get().errors() { - errs.append(pyo3::PyCell::new(py, OpenSSLError { e: e.clone() })?)?; + errs.append(pyo3::Bound::new(py, OpenSSLError { e: e.clone() })?)?; } Ok(errs) } @@ -210,8 +213,7 @@ mod tests { let py_e: pyo3::PyErr = e.into(); assert!(py_e.is_instance_of::(py)); - let e: CryptographyError = - pyo3::PyDowncastError::new(py.None().as_ref(py), "abc").into(); + let e: CryptographyError = pyo3::DowncastError::new(py.None().bind(py), "abc").into(); assert!(matches!(e, CryptographyError::Py(_))); let e = cryptography_key_parsing::KeyParsingError::OpenSSL( diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 54cf0d555e3a..eede1e5c0ab9 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -8,6 +8,7 @@ use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; +use pyo3::prelude::PyAnyMethods; use pyo3::PyNativeType; fn encode_general_subtrees<'a>( @@ -375,16 +376,16 @@ fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyR fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { let mut length = 0; for sct in ext.iter()? { - let sct = sct?.downcast::>()?; - length += sct.borrow().sct_data.len() + 2; + let sct = sct?.as_borrowed().downcast::()?.clone(); + length += sct.get().sct_data.len() + 2; } let mut result = vec![]; result.extend_from_slice(&(length as u16).to_be_bytes()); for sct in ext.iter()? { - let sct = sct?.downcast::>()?; - result.extend_from_slice(&(sct.borrow().sct_data.len() as u16).to_be_bytes()); - result.extend_from_slice(&sct.borrow().sct_data); + let sct = sct?.as_borrowed().downcast::()?.clone(); + result.extend_from_slice(&(sct.get().sct_data.len() as u16).to_be_bytes()); + result.extend_from_slice(&sct.get().sct_data); } Ok(asn1::write_single(&result.as_slice())?) } @@ -444,7 +445,9 @@ pub(crate) fn encode_extension( &oid::INHIBIT_ANY_POLICY_OID => { let intval = ext .getattr(pyo3::intern!(py, "skip_certs"))? - .downcast::()?; + .as_borrowed() + .downcast::()? + .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), @@ -491,7 +494,9 @@ pub(crate) fn encode_extension( &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { let intval = ext .getattr(pyo3::intern!(py, "crl_number"))? - .downcast::()?; + .as_borrowed() + .downcast::()? + .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), From a693a9767908ca1366cd8600b439202b6b9cf4b7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:22:30 -0400 Subject: [PATCH 351/868] Convert `src/pkcs12.rs` to new pyo3 APIs (#10687) --- src/rust/src/lib.rs | 2 +- src/rust/src/pkcs12.rs | 59 +++++++++++++++++++++--------------------- 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 9c445fa1776f..8ea8709c6e11 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -98,7 +98,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(asn1::create_submodule(py)?)?; m.add_submodule(pkcs7::create_submodule(py)?)?; - m.add_submodule(pkcs12::create_submodule(py)?)?; + m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?)?; let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 1df4d51ae2e8..084cee6660bc 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -7,6 +7,7 @@ use crate::buf::CffiBuf; use crate::error::CryptographyResult; use crate::x509::certificate::Certificate; use crate::{types, x509}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -38,22 +39,18 @@ impl PKCS12Certificate { other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { let friendly_name_eq = match (&self.friendly_name, &other.friendly_name) { - (Some(a), Some(b)) => a.as_ref(py).eq(b.as_ref(py))?, + (Some(a), Some(b)) => a.bind(py).eq(b.bind(py))?, (None, None) => true, _ => false, }; - Ok(friendly_name_eq - && self - .certificate - .as_ref(py) - .eq(other.certificate.as_ref(py))?) + Ok(friendly_name_eq && self.certificate.bind(py).eq(other.certificate.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.certificate.as_ref(py).hash()?.hash(&mut hasher); + self.certificate.bind(py).hash()?.hash(&mut hasher); match &self.friendly_name { - Some(v) => v.as_ref(py).hash()?.hash(&mut hasher), + Some(v) => v.bind(py).hash()?.hash(&mut hasher), None => None::.hash(&mut hasher), }; Ok(hasher.finish()) @@ -61,12 +58,12 @@ impl PKCS12Certificate { fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let friendly_name_repr = match &self.friendly_name { - Some(v) => v.as_ref(py).repr()?.extract()?, + Some(v) => v.bind(py).repr()?.extract()?, None => "None", }; Ok(format!( "", - self.certificate.as_ref(py).str()?, + self.certificate.bind(py).str()?, friendly_name_repr )) } @@ -208,11 +205,11 @@ fn load_key_and_certificates<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult<( pyo3::PyObject, Option, - &'p pyo3::types::PyList, + pyo3::Bound<'p, pyo3::types::PyList>, )> { let _ = backend; @@ -224,14 +221,14 @@ fn load_key_and_certificates<'p>( py.None() }; let cert = if let Some(ossl_cert) = p12.cert { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); Some(x509::certificate::load_der_x509_certificate( py, cert_der, None, )?) } else { None }; - let additional_certs = pyo3::types::PyList::empty(py); + let additional_certs = pyo3::types::PyList::empty_bound(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { if #[cfg(any( @@ -244,7 +241,7 @@ fn load_key_and_certificates<'p>( }; for ossl_cert in it { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; additional_certs.append(cert.into_py(py))?; } @@ -258,8 +255,8 @@ fn load_pkcs12<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, -) -> CryptographyResult<&'p pyo3::PyAny> { + backend: Option>, +) -> CryptographyResult> { let _ = backend; let p12 = decode_p12(data, password)?; @@ -270,17 +267,17 @@ fn load_pkcs12<'p>( py.None() }; let cert = if let Some(ossl_cert) = p12.cert { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; let alias = ossl_cert .alias() - .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); + .map(|a| pyo3::types::PyBytes::new_bound(py, a).unbind()); PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py) } else { py.None() }; - let additional_certs = pyo3::types::PyList::empty(py); + let additional_certs = pyo3::types::PyList::empty_bound(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { if #[cfg(any( @@ -293,27 +290,31 @@ fn load_pkcs12<'p>( }; for ossl_cert in it { - let cert_der = pyo3::types::PyBytes::new(py, &ossl_cert.to_der()?).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, &ossl_cert.to_der()?).unbind(); let cert = x509::certificate::load_der_x509_certificate(py, cert_der, None)?; let alias = ossl_cert .alias() - .map(|a| pyo3::types::PyBytes::new(py, a).into_py(py)); + .map(|a| pyo3::types::PyBytes::new_bound(py, a).unbind()); let p12_cert = PKCS12Certificate::new(pyo3::Py::new(py, cert)?, alias).into_py(py); additional_certs.append(p12_cert)?; } } - Ok(types::PKCS12KEYANDCERTIFICATES - .get(py)? - .call1((private_key, cert, additional_certs))?) + Ok(types::PKCS12KEYANDCERTIFICATES.get_bound(py)?.call1(( + private_key, + cert, + additional_certs, + ))?) } -pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "pkcs12")?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs12")?; - submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, &submod)?)?; submod.add_class::()?; From e4929125067e19029ac17513c00e36e026efc78b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:23:22 -0400 Subject: [PATCH 352/868] Convert `src/oid.rs` to new pyo3 APIs (#10688) --- src/rust/src/oid.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 7996895ca1f0..18f3be654f1e 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -23,8 +23,8 @@ impl ObjectIdentifier { } #[getter] - fn dotted_string<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyString { - pyo3::types::PyString::new(py, &self.oid.to_string()) + fn dotted_string(&self) -> String { + self.oid.to_string() } #[getter] @@ -41,7 +41,7 @@ impl ObjectIdentifier { slf } - fn __repr__(slf: &pyo3::PyCell, py: pyo3::Python<'_>) -> pyo3::PyResult { + fn __repr__(slf: &pyo3::Bound<'_, Self>, py: pyo3::Python<'_>) -> pyo3::PyResult { let name = Self::_name(slf.borrow(), py)?.extract::<&str>()?; Ok(format!( "", From f44cf82977800f05ba6d57024c936a1c6763878c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:25:38 -0400 Subject: [PATCH 353/868] Convert py_oid_to_oid to new pyo3 APIs (#10694) --- src/rust/src/asn1.rs | 8 +++++--- src/rust/src/x509/common.rs | 33 +++++++++++++++++++++++++-------- src/rust/src/x509/csr.rs | 7 ++++--- src/rust/src/x509/extensions.rs | 6 +++--- 4 files changed, 37 insertions(+), 17 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 9677064b536c..2257b3bf9663 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -13,10 +13,12 @@ use pyo3::ToPyObject; use crate::error::{CryptographyError, CryptographyResult}; use crate::types; -pub(crate) fn py_oid_to_oid(py_oid: &pyo3::PyAny) -> pyo3::PyResult { +pub(crate) fn py_oid_to_oid( + py_oid: pyo3::Bound<'_, pyo3::PyAny>, +) -> pyo3::PyResult { Ok(py_oid - .downcast::>()? - .borrow() + .downcast::()? + .get() .oid .clone()) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index d838c2f8dfe1..7a7bd50ce1f9 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -7,8 +7,9 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; +use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; -use pyo3::{IntoPy, ToPyObject}; +use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -75,7 +76,11 @@ pub(crate) fn encode_name_entry<'p>( .getattr(pyo3::intern!(py, "value"))? .extract()? }; - let oid = py_oid_to_oid(py_name_entry.getattr(pyo3::intern!(py, "oid"))?)?; + let py_oid = py_name_entry + .getattr(pyo3::intern!(py, "oid"))? + .as_borrowed() + .to_owned(); + let oid = py_oid_to_oid(py_oid)?; Ok(AttributeTypeValue { type_id: oid, @@ -124,8 +129,12 @@ pub(crate) fn encode_general_name<'a>( let name = encode_name(py, gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(types::OTHER_NAME.get(py)?) { + let py_oid = gn + .getattr(pyo3::intern!(py, "type_id"))? + .as_borrowed() + .to_owned(); Ok(GeneralName::OtherName(OtherName { - type_id: py_oid_to_oid(gn.getattr(pyo3::intern!(py, "type_id"))?)?, + type_id: py_oid_to_oid(py_oid)?, value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!( "OtherName value must be valid DER: {e:?}" @@ -142,7 +151,7 @@ pub(crate) fn encode_general_name<'a>( .extract::<&[u8]>()?, )) } else if gn_type.is(types::REGISTERED_ID.get(py)?) { - let oid = py_oid_to_oid(gn_value)?; + let oid = py_oid_to_oid(gn_value.as_borrowed().to_owned())?; Ok(GeneralName::RegisteredID(oid)) } else { Err(CryptographyError::from( @@ -158,7 +167,11 @@ pub(crate) fn encode_access_descriptions<'a>( let mut ads = vec![]; for py_ad in py_ads.iter()? { let py_ad = py_ad?; - let access_method = py_oid_to_oid(py_ad.getattr(pyo3::intern!(py, "access_method"))?)?; + let py_oid = py_ad + .getattr(pyo3::intern!(py, "access_method"))? + .as_borrowed() + .to_owned(); + let access_method = py_oid_to_oid(py_oid)?; let access_location = encode_general_name(py, py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; ads.push(AccessDescription { @@ -412,7 +425,11 @@ pub(crate) fn encode_extensions< let mut exts = vec![]; for py_ext in py_exts.iter()? { let py_ext = py_ext?; - let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; + let py_oid = py_ext + .getattr(pyo3::intern!(py, "oid"))? + .as_borrowed() + .to_owned(); + let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; if ext_val.is_instance(types::UNRECOGNIZED_EXTENSION.get(py)?)? { @@ -453,11 +470,11 @@ pub(crate) fn encode_extensions< #[pyo3::prelude::pyfunction] fn encode_extension_value<'p>( py: pyo3::Python<'p>, - py_ext: &'p pyo3::PyAny, + py_ext: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult<&'p pyo3::types::PyBytes> { let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; - if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext)? { + if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext.into_gil_ref())? { // TODO: extra copy let py_data = pyo3::types::PyBytes::new(py, &data); return Ok(py_data); diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 704dd2c93655..ce527d054d29 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -124,13 +124,13 @@ impl CertificateSigningRequest { fn get_attribute_for_oid<'p>( &self, py: pyo3::Python<'p>, - oid: &pyo3::PyAny, + oid: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult<&'p pyo3::PyAny> { let warning_cls = types::DEPRECATED_IN_36.get(py)?; let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; - let rust_oid = py_oid_to_oid(oid)?; + let rust_oid = py_oid_to_oid(oid.clone())?; for attribute in self .raw .borrow_dependent() @@ -314,7 +314,8 @@ fn create_x509_csr( } for py_attr in builder.getattr(pyo3::intern!(py, "_attributes"))?.iter()? { - let (py_oid, value, tag): (&pyo3::PyAny, &[u8], Option) = py_attr?.extract()?; + let (py_oid, value, tag): (pyo3::Bound<'_, pyo3::PyAny>, &[u8], Option) = + py_attr?.extract()?; let oid = py_oid_to_oid(py_oid)?; let tag = if let Some(tag) = tag { asn1::Tag::from_bytes(&[tag])?.0 diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index eede1e5c0ab9..c44d1c888c47 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -290,7 +290,7 @@ fn encode_certificate_policies( }; let py_policy_id = py_policy_info.getattr(pyo3::intern!(py, "policy_identifier"))?; policy_informations.push(extensions::PolicyInformation { - policy_identifier: py_oid_to_oid(py_policy_id)?, + policy_identifier: py_oid_to_oid(py_policy_id.as_borrowed().to_owned())?, policy_qualifiers: qualifiers, }); } @@ -354,7 +354,7 @@ fn encode_issuing_distribution_point( fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { let mut oids = vec![]; for el in ext.iter()? { - let oid = py_oid_to_oid(el?)?; + let oid = py_oid_to_oid(el?.as_borrowed().to_owned())?; oids.push(oid); } Ok(asn1::write_single(&asn1::SequenceOfWriter::new(oids))?) @@ -515,7 +515,7 @@ pub(crate) fn encode_extension( &oid::MS_CERTIFICATE_TEMPLATE => { let py_template_id = ext.getattr(pyo3::intern!(py, "template_id"))?; let mstpl = extensions::MSCertificateTemplate { - template_id: py_oid_to_oid(py_template_id)?, + template_id: py_oid_to_oid(py_template_id.as_borrowed().to_owned())?, major_version: ext.getattr(pyo3::intern!(py, "major_version"))?.extract()?, minor_version: ext.getattr(pyo3::intern!(py, "minor_version"))?.extract()?, }; From 71f1e092eb44b987cd8b02e0a308fbdd3622f4a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 01:27:06 -0400 Subject: [PATCH 354/868] Convert `src/backend/aead.rs` to new pyo3 APIs (#10696) --- src/rust/src/backend/aead.rs | 65 +++++++++++++++++++----------------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 35 insertions(+), 32 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 2438ae644cb6..55ac8b842dca 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -5,6 +5,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; fn check_length(data: &[u8]) -> CryptographyResult<()> { if data.len() > (i32::MAX as usize) { @@ -21,7 +22,7 @@ fn check_length(data: &[u8]) -> CryptographyResult<()> { enum Aad<'a> { Single(CffiBuf<'a>), - List(&'a pyo3::types::PyList), + List(pyo3::Bound<'a, pyo3::types::PyList>), } struct EvpCipherAead { @@ -131,7 +132,7 @@ impl EvpCipherAead { plaintext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_encryption_ctx)?; Self::encrypt_with_context( @@ -156,7 +157,7 @@ impl EvpCipherAead { tag_len: usize, tag_first: bool, is_ccm: bool, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { check_length(plaintext)?; if !is_ccm { @@ -171,7 +172,7 @@ impl EvpCipherAead { Self::process_aad(&mut ctx, aad)?; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, plaintext.len() + tag_len, |b| { @@ -198,7 +199,7 @@ impl EvpCipherAead { ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut ctx = openssl::cipher_ctx::CipherCtx::new()?; ctx.copy(&self.base_decryption_ctx)?; Self::decrypt_with_context( @@ -223,7 +224,7 @@ impl EvpCipherAead { tag_len: usize, tag_first: bool, is_ccm: bool, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if ciphertext.len() < tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -253,7 +254,7 @@ impl EvpCipherAead { Self::process_aad(&mut ctx, aad)?; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, ciphertext_data.len(), |b| { @@ -299,8 +300,8 @@ impl LazyEvpCipherAead { plaintext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let key_buf = self.key.as_ref(py).extract::>()?; + ) -> CryptographyResult> { + let key_buf = self.key.bind(py).extract::>()?; let mut encryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; if self.is_ccm { @@ -330,8 +331,8 @@ impl LazyEvpCipherAead { ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let key_buf = self.key.as_ref(py).extract::>()?; + ) -> CryptographyResult> { + let key_buf = self.key.bind(py).extract::>()?; let mut decryption_ctx = openssl::cipher_ctx::CipherCtx::new()?; if self.is_ccm { @@ -388,7 +389,7 @@ impl EvpAead { plaintext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { check_length(plaintext)?; let ad = if let Some(Aad::Single(ad)) = &aad { @@ -398,7 +399,7 @@ impl EvpAead { assert!(aad.is_none()); b"" }; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, plaintext.len() + self.tag_len, |b| { @@ -416,7 +417,7 @@ impl EvpAead { ciphertext: &[u8], aad: Option>, nonce: Option<&[u8]>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if ciphertext.len() < self.tag_len { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -429,7 +430,7 @@ impl EvpAead { b"" }; - Ok(pyo3::types::PyBytes::new_with( + Ok(pyo3::types::PyBytes::new_bound_with( py, ciphertext.len() - self.tag_len, |b| { @@ -541,7 +542,7 @@ impl ChaCha20Poly1305 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -561,7 +562,7 @@ impl ChaCha20Poly1305 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -653,7 +654,7 @@ impl AesGcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -673,7 +674,7 @@ impl AesGcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -761,7 +762,7 @@ impl AesCcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -794,7 +795,7 @@ impl AesCcm { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -890,8 +891,8 @@ impl AesSiv { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - associated_data: Option<&pyo3::types::PyList>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + associated_data: Option>, + ) -> CryptographyResult> { let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::List); @@ -908,8 +909,8 @@ impl AesSiv { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - associated_data: Option<&pyo3::types::PyList>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + associated_data: Option>, + ) -> CryptographyResult> { let aad = associated_data.map(Aad::List); self.ctx.decrypt(py, data.as_bytes(), aad, None) } @@ -986,7 +987,7 @@ impl AesOcb3 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -1007,7 +1008,7 @@ impl AesOcb3 { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -1092,7 +1093,7 @@ impl AesGcmSiv { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let data_bytes = data.as_bytes(); let aad = associated_data.map(Aad::Single); @@ -1117,7 +1118,7 @@ impl AesGcmSiv { nonce: CffiBuf<'_>, data: CffiBuf<'_>, associated_data: Option>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let nonce_bytes = nonce.as_bytes(); let aad = associated_data.map(Aad::Single); if nonce_bytes.len() != 12 { @@ -1130,8 +1131,10 @@ impl AesGcmSiv { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "aead")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "aead")?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index be7b2d0ac280..ceedacb8614b 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -24,7 +24,7 @@ pub(crate) mod x25519; pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_submodule(aead::create_module(module.py())?)?; + module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ciphers::create_module(module.py())?)?; module.add_submodule(cmac::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; From bb45dc6a0d29db4f679bbc1f577dc3ef5e9a1b3f Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 11:22:05 +0200 Subject: [PATCH 355/868] Start converting `src/backend/rsa.rs` to the new pyo3 APIs (#10693) --- src/rust/src/backend/dh.rs | 16 ++-- src/rust/src/backend/dsa.rs | 28 +++---- src/rust/src/backend/ec.rs | 12 +-- src/rust/src/backend/ed25519.rs | 4 +- src/rust/src/backend/ed448.rs | 4 +- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/rsa.rs | 133 ++++++++++++++++---------------- src/rust/src/backend/utils.rs | 6 +- src/rust/src/backend/x25519.rs | 4 +- src/rust/src/backend/x448.rs | 4 +- 10 files changed, 106 insertions(+), 107 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 1145b32327c3..2eb9189bb1ce 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -125,13 +125,13 @@ fn dh_parameters_from_numbers( py: pyo3::Python<'_>, numbers: &DHParameterNumbers, ) -> CryptographyResult> { - let p = utils::py_int_to_bn(py, numbers.p.as_ref(py))?; + let p = utils::py_int_to_bn(py, numbers.p.bind(py))?; let q = numbers .q .as_ref() - .map(|v| utils::py_int_to_bn(py, v.as_ref(py))) + .map(|v| utils::py_int_to_bn(py, v.bind(py))) .transpose()?; - let g = utils::py_int_to_bn(py, numbers.g.as_ref(py))?; + let g = utils::py_int_to_bn(py, numbers.g.bind(py))?; Ok(openssl::dh::Dh::from_pqg(p, q, g)?) } @@ -222,7 +222,7 @@ impl DHPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -257,7 +257,7 @@ impl DHPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -418,8 +418,8 @@ impl DHPrivateNumbers { let dh = dh_parameters_from_numbers(py, self.public_numbers.get().parameter_numbers.get())?; - let pub_key = utils::py_int_to_bn(py, self.public_numbers.get().y.as_ref(py))?; - let priv_key = utils::py_int_to_bn(py, self.x.as_ref(py))?; + let pub_key = utils::py_int_to_bn(py, self.public_numbers.get().y.bind(py))?; + let priv_key = utils::py_int_to_bn(py, self.x.bind(py))?; let dh = dh.set_key(pub_key, priv_key)?; if !dh.check_key()? { @@ -470,7 +470,7 @@ impl DHPublicNumbers { let dh = dh_parameters_from_numbers(py, self.parameter_numbers.get())?; - let pub_key = utils::py_int_to_bn(py, self.y.as_ref(py))?; + let pub_key = utils::py_int_to_bn(py, self.y.bind(py))?; let pkey = pkey_from_dh(dh.set_public_key(pub_key)?)?; diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 2d567db5e086..5023a2eace40 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -129,7 +129,7 @@ impl DsaPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -202,7 +202,7 @@ impl DsaPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -371,11 +371,11 @@ impl DsaPrivateNumbers { check_dsa_private_numbers(py, self)?; let dsa = openssl::dsa::Dsa::from_private_components( - utils::py_int_to_bn(py, parameter_numbers.p.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.q.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.g.as_ref(py))?, - utils::py_int_to_bn(py, self.x.as_ref(py))?, - utils::py_int_to_bn(py, public_numbers.y.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.p.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.q.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.g.bind(py))?, + utils::py_int_to_bn(py, self.x.bind(py))?, + utils::py_int_to_bn(py, public_numbers.y.bind(py))?, ) .unwrap(); let pkey = openssl::pkey::PKey::from_dsa(dsa)?; @@ -420,10 +420,10 @@ impl DsaPublicNumbers { check_dsa_parameters(py, parameter_numbers)?; let dsa = openssl::dsa::Dsa::from_public_components( - utils::py_int_to_bn(py, parameter_numbers.p.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.q.as_ref(py))?, - utils::py_int_to_bn(py, parameter_numbers.g.as_ref(py))?, - utils::py_int_to_bn(py, self.y.as_ref(py))?, + utils::py_int_to_bn(py, parameter_numbers.p.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.q.bind(py))?, + utils::py_int_to_bn(py, parameter_numbers.g.bind(py))?, + utils::py_int_to_bn(py, self.y.bind(py))?, ) .unwrap(); let pkey = openssl::pkey::PKey::from_dsa(dsa)?; @@ -472,9 +472,9 @@ impl DsaParameterNumbers { check_dsa_parameters(py, self)?; let dsa = openssl::dsa::Dsa::from_pqg( - utils::py_int_to_bn(py, self.p.as_ref(py))?, - utils::py_int_to_bn(py, self.q.as_ref(py))?, - utils::py_int_to_bn(py, self.g.as_ref(py))?, + utils::py_int_to_bn(py, self.p.bind(py))?, + utils::py_int_to_bn(py, self.q.bind(py))?, + utils::py_int_to_bn(py, self.g.bind(py))?, ) .unwrap(); Ok(DsaParameters { dsa }) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 0291c96b7f70..68c53a7e9f40 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -175,7 +175,7 @@ fn generate_private_key( #[pyo3::prelude::pyfunction] fn derive_private_key( py: pyo3::Python<'_>, - py_private_value: &pyo3::types::PyLong, + py_private_value: &pyo3::Bound<'_, pyo3::types::PyLong>, py_curve: &pyo3::PyAny, ) -> CryptographyResult { let curve = curve_from_py_curve(py, py_curve, false)?; @@ -353,7 +353,7 @@ impl ECPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -435,7 +435,7 @@ impl ECPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -484,8 +484,8 @@ fn public_key_from_numbers( )); } - let x = utils::py_int_to_bn(py, numbers.x.as_ref(py))?; - let y = utils::py_int_to_bn(py, numbers.y.as_ref(py))?; + let x = utils::py_int_to_bn(py, numbers.x.bind(py))?; + let y = utils::py_int_to_bn(py, numbers.y.bind(py))?; let mut point = openssl::ec::EcPoint::new(curve)?; let mut bn_ctx = openssl::bn::BigNumContext::new()?; @@ -522,7 +522,7 @@ impl EllipticCurvePrivateNumbers { let curve = curve_from_py_curve(py, self.public_numbers.get().curve.as_ref(py), false)?; let public_key = public_key_from_numbers(py, self.public_numbers.get(), &curve)?; - let private_value = utils::py_int_to_bn(py, self.private_value.as_ref(py))?; + let private_value = utils::py_int_to_bn(py, self.private_value.bind(py))?; let mut bn_ctx = openssl::bn::BigNumContext::new()?; let mut expected_pub = openssl::ec::EcPoint::new(&curve)?; diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 4fc199969aec..4ddb8d14abe7 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -97,7 +97,7 @@ impl Ed25519PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -141,7 +141,7 @@ impl Ed25519PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 79d650a1cb46..0e6698af0f1e 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -95,7 +95,7 @@ impl Ed448PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -138,7 +138,7 @@ impl Ed448PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index ceedacb8614b..2b1592906a1f 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -45,7 +45,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(hashes::create_module(module.py())?)?; module.add_submodule(hmac::create_module(module.py())?)?; module.add_submodule(kdf::create_module(module.py())?)?; - module.add_submodule(rsa::create_module(module.py())?)?; + module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; Ok(()) } diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 1d47b8c6c326..07fea2b49187 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,7 +9,7 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; #[pyo3::prelude::pyclass( frozen, @@ -286,7 +286,7 @@ impl RsaPrivateKey { data: CffiBuf<'_>, padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::PyAny> { + ) -> CryptographyResult> { let (data, algorithm) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; @@ -297,7 +297,7 @@ impl RsaPrivateKey { setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), true)?; let length = ctx.sign(data, None)?; - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { let length = ctx.sign(data, Some(b)).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "Digest or salt length too long for key size. Use a larger key or shorter salt length if you are specifying a PSS salt", @@ -305,7 +305,7 @@ impl RsaPrivateKey { })?; assert_eq!(length, b.len()); Ok(()) - })?) + })?.into_any()) } fn decrypt<'p>( @@ -313,7 +313,7 @@ impl RsaPrivateKey { py: pyo3::Python<'p>, ciphertext: &[u8], padding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let key_size_bytes = usize::try_from((self.pkey.rsa().unwrap().n().num_bits() + 7) / 8).unwrap(); if key_size_bytes != ciphertext.len() { @@ -345,7 +345,7 @@ impl RsaPrivateKey { let result = ctx.decrypt(ciphertext, Some(&mut plaintext)); let py_result = - pyo3::types::PyBytes::new(py, &plaintext[..*result.as_ref().unwrap_or(&length)]); + pyo3::types::PyBytes::new_bound(py, &plaintext[..*result.as_ref().unwrap_or(&length)]); if result.is_err() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Decryption failed"), @@ -398,7 +398,7 @@ impl RsaPrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -449,14 +449,14 @@ impl RsaPublicKey { py: pyo3::Python<'p>, plaintext: &[u8], padding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.encrypt_init()?; setup_encryption_ctx(py, &mut ctx, padding)?; let length = ctx.encrypt(plaintext, None)?; - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { let length = ctx .encrypt(plaintext, Some(b)) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Encryption failed"))?; @@ -471,7 +471,7 @@ impl RsaPublicKey { signature: &[u8], padding: &pyo3::PyAny, algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if algorithm.is_instance(types::PREHASHED.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( @@ -490,7 +490,7 @@ impl RsaPublicKey { .verify_recover(signature, Some(&mut buf)) .map_err(|_| exceptions::InvalidSignature::new_err(()))?; - Ok(pyo3::types::PyBytes::new(py, &buf[..length])) + Ok(pyo3::types::PyBytes::new_bound(py, &buf[..length])) } #[getter] @@ -511,7 +511,7 @@ impl RsaPublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -564,14 +564,14 @@ struct RsaPublicNumbers { #[allow(clippy::too_many_arguments)] fn check_private_key_components( - p: &pyo3::types::PyLong, - q: &pyo3::types::PyLong, - private_exponent: &pyo3::types::PyLong, - dmp1: &pyo3::types::PyLong, - dmq1: &pyo3::types::PyLong, - iqmp: &pyo3::types::PyLong, - public_exponent: &pyo3::types::PyLong, - modulus: &pyo3::types::PyLong, + p: &pyo3::Bound<'_, pyo3::types::PyLong>, + q: &pyo3::Bound<'_, pyo3::types::PyLong>, + private_exponent: &pyo3::Bound<'_, pyo3::types::PyLong>, + dmp1: &pyo3::Bound<'_, pyo3::types::PyLong>, + dmq1: &pyo3::Bound<'_, pyo3::types::PyLong>, + iqmp: &pyo3::Bound<'_, pyo3::types::PyLong>, + public_exponent: &pyo3::Bound<'_, pyo3::types::PyLong>, + modulus: &pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult<()> { if modulus.lt(3)? { return Err(CryptographyError::from( @@ -682,25 +682,25 @@ impl RsaPrivateNumbers { let _ = backend; check_private_key_components( - self.p.as_ref(py), - self.q.as_ref(py), - self.d.as_ref(py), - self.dmp1.as_ref(py), - self.dmq1.as_ref(py), - self.iqmp.as_ref(py), - self.public_numbers.get().e.as_ref(py), - self.public_numbers.get().n.as_ref(py), + self.p.bind(py), + self.q.bind(py), + self.d.bind(py), + self.dmp1.bind(py), + self.dmq1.bind(py), + self.iqmp.bind(py), + self.public_numbers.get().e.bind(py), + self.public_numbers.get().n.bind(py), )?; let public_numbers = self.public_numbers.get(); let rsa = openssl::rsa::Rsa::from_private_components( - utils::py_int_to_bn(py, public_numbers.n.as_ref(py))?, - utils::py_int_to_bn(py, public_numbers.e.as_ref(py))?, - utils::py_int_to_bn(py, self.d.as_ref(py))?, - utils::py_int_to_bn(py, self.p.as_ref(py))?, - utils::py_int_to_bn(py, self.q.as_ref(py))?, - utils::py_int_to_bn(py, self.dmp1.as_ref(py))?, - utils::py_int_to_bn(py, self.dmq1.as_ref(py))?, - utils::py_int_to_bn(py, self.iqmp.as_ref(py))?, + utils::py_int_to_bn(py, public_numbers.n.bind(py))?, + utils::py_int_to_bn(py, public_numbers.e.bind(py))?, + utils::py_int_to_bn(py, self.d.bind(py))?, + utils::py_int_to_bn(py, self.p.bind(py))?, + utils::py_int_to_bn(py, self.q.bind(py))?, + utils::py_int_to_bn(py, self.dmp1.bind(py))?, + utils::py_int_to_bn(py, self.dmq1.bind(py))?, + utils::py_int_to_bn(py, self.iqmp.bind(py))?, ) .unwrap(); if !unsafe_skip_rsa_key_validation { @@ -715,34 +715,34 @@ impl RsaPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? - && self.q.as_ref(py).eq(other.q.as_ref(py))? - && self.d.as_ref(py).eq(other.d.as_ref(py))? - && self.dmp1.as_ref(py).eq(other.dmp1.as_ref(py))? - && self.dmq1.as_ref(py).eq(other.dmq1.as_ref(py))? - && self.iqmp.as_ref(py).eq(other.iqmp.as_ref(py))? + Ok(self.p.bind(py).eq(other.p.bind(py))? + && self.q.bind(py).eq(other.q.bind(py))? + && self.d.bind(py).eq(other.d.bind(py))? + && self.dmp1.bind(py).eq(other.dmp1.bind(py))? + && self.dmq1.bind(py).eq(other.dmq1.bind(py))? + && self.iqmp.bind(py).eq(other.iqmp.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.p.as_ref(py).hash()?.hash(&mut hasher); - self.q.as_ref(py).hash()?.hash(&mut hasher); - self.d.as_ref(py).hash()?.hash(&mut hasher); - self.dmp1.as_ref(py).hash()?.hash(&mut hasher); - self.dmq1.as_ref(py).hash()?.hash(&mut hasher); - self.iqmp.as_ref(py).hash()?.hash(&mut hasher); - self.public_numbers.as_ref(py).hash()?.hash(&mut hasher); + self.p.bind(py).hash()?.hash(&mut hasher); + self.q.bind(py).hash()?.hash(&mut hasher); + self.d.bind(py).hash()?.hash(&mut hasher); + self.dmp1.bind(py).hash()?.hash(&mut hasher); + self.dmq1.bind(py).hash()?.hash(&mut hasher); + self.iqmp.bind(py).hash()?.hash(&mut hasher); + self.public_numbers.bind(py).hash()?.hash(&mut hasher); Ok(hasher.finish()) } } fn check_public_key_components( - e: &pyo3::types::PyLong, - n: &pyo3::types::PyLong, + e: &pyo3::Bound<'_, pyo3::types::PyLong>, + n: &pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult<()> { if n.lt(3)? { return Err(CryptographyError::from( @@ -780,11 +780,11 @@ impl RsaPublicNumbers { ) -> CryptographyResult { let _ = backend; - check_public_key_components(self.e.as_ref(py), self.n.as_ref(py))?; + check_public_key_components(self.e.bind(py), self.n.bind(py))?; let rsa = openssl::rsa::Rsa::from_public_components( - utils::py_int_to_bn(py, self.n.as_ref(py))?, - utils::py_int_to_bn(py, self.e.as_ref(py))?, + utils::py_int_to_bn(py, self.n.bind(py))?, + utils::py_int_to_bn(py, self.e.bind(py))?, ) .unwrap(); let pkey = openssl::pkey::PKey::from_rsa(rsa)?; @@ -796,29 +796,28 @@ impl RsaPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok( - self.e.as_ref(py).eq(other.e.as_ref(py))? - && self.n.as_ref(py).eq(other.n.as_ref(py))?, - ) + Ok(self.e.bind(py).eq(other.e.bind(py))? && self.n.bind(py).eq(other.n.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.e.as_ref(py).hash()?.hash(&mut hasher); - self.n.as_ref(py).hash()?.hash(&mut hasher); + self.e.bind(py).hash()?.hash(&mut hasher); + self.n.bind(py).hash()?.hash(&mut hasher); Ok(hasher.finish()) } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let e = self.e.as_ref(py); - let n = self.n.as_ref(py); + let e = self.e.bind(py); + let n = self.n.bind(py); Ok(format!("")) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "rsa")?; - m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "rsa")?; + m.add_function(pyo3::wrap_pyfunction!(generate_private_key, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index ecd83edfe467..f44db97101ed 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -10,7 +10,7 @@ use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, - v: &pyo3::PyAny, + v: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let n = v .call_method0(pyo3::intern!(py, "bit_length"))? @@ -44,7 +44,7 @@ pub(crate) fn bn_to_big_endian_bytes(b: &openssl::bn::BigNumRef) -> Cryptography #[allow(clippy::too_many_arguments)] pub(crate) fn pkey_private_bytes<'p>( py: pyo3::Python<'p>, - key_obj: &pyo3::PyAny, + key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -238,7 +238,7 @@ pub(crate) fn pkey_private_bytes<'p>( pub(crate) fn pkey_public_bytes<'p>( py: pyo3::Python<'p>, - key_obj: &pyo3::PyAny, + key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 1789c9f20a03..89d8a53e500e 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -98,7 +98,7 @@ impl X25519PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -128,7 +128,7 @@ impl X25519PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index ae61ac4eafe9..49dbfbd65e06 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -97,7 +97,7 @@ impl X448PrivateKey { } fn private_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, @@ -127,7 +127,7 @@ impl X448PublicKey { } fn public_bytes<'p>( - slf: &pyo3::PyCell, + slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, encoding: &pyo3::PyAny, format: &pyo3::PyAny, From 4abd5febcadcc0e8c492cf4a37f9a96807c6506b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 4 Apr 2024 13:06:47 +0200 Subject: [PATCH 356/868] migrate backend args to bound (#10698) this doesn't touch a few files to try to avoid potential conflicts --- src/rust/src/backend/cmac.rs | 2 +- src/rust/src/backend/dsa.rs | 6 +++--- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/hashes.rs | 2 +- src/rust/src/backend/hmac.rs | 2 +- src/rust/src/backend/keys.rs | 8 ++++---- src/rust/src/x509/certificate.rs | 4 ++-- src/rust/src/x509/crl.rs | 4 ++-- src/rust/src/x509/csr.rs | 4 ++-- 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index f23ccca37271..7bf0fe1d4ff0 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -39,7 +39,7 @@ impl Cmac { fn new( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 5023a2eace40..a62de7c73239 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -361,7 +361,7 @@ impl DsaPrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -411,7 +411,7 @@ impl DsaPublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -465,7 +465,7 @@ impl DsaParameterNumbers { fn parameters( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 68c53a7e9f40..f63444ef0fab 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -159,7 +159,7 @@ pub(crate) fn public_key_from_pkey( fn generate_private_key( py: pyo3::Python<'_>, curve: &pyo3::PyAny, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -516,7 +516,7 @@ impl EllipticCurvePrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -597,7 +597,7 @@ impl EllipticCurvePublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index ac5de597c354..e26727092a6c 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -84,7 +84,7 @@ impl Hash { pub(crate) fn new( py: pyo3::Python<'_>, algorithm: &pyo3::PyAny, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index f8572f9103c9..3c19f1d124cb 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -65,7 +65,7 @@ impl Hmac { py: pyo3::Python<'_>, key: CffiBuf<'_>, algorithm: &pyo3::PyAny, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index a41b6805695f..d31f76b1d7ac 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -15,7 +15,7 @@ fn load_der_private_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, + backend: Option>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { let _ = backend; @@ -46,7 +46,7 @@ fn load_pem_private_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, password: Option>, - backend: Option<&pyo3::PyAny>, + backend: Option>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { let _ = backend; @@ -119,7 +119,7 @@ pub(crate) fn private_key_from_pkey( fn load_der_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; load_der_public_key_bytes(py, data.as_bytes()) @@ -147,7 +147,7 @@ pub(crate) fn load_der_public_key_bytes( fn load_pem_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; let p = pem::parse(data.as_bytes())?; diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 27f30f329b6f..d21892eb9703 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -346,7 +346,7 @@ fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, Crypt fn load_pem_x509_certificate( py: pyo3::Python<'_>, data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -392,7 +392,7 @@ fn load_pem_x509_certificates( pub(crate) fn load_der_x509_certificate( py: pyo3::Python<'_>, data: pyo3::Py, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 67c8b1d0093d..6d1cbd6beb33 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -27,7 +27,7 @@ use crate::{exceptions, types, x509}; fn load_der_x509_crl( py: pyo3::Python<'_>, data: pyo3::Py, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> Result { let _ = backend; @@ -56,7 +56,7 @@ fn load_der_x509_crl( fn load_pem_x509_crl( py: pyo3::Python<'_>, data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> Result { let _ = backend; diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index ce527d054d29..d5342175a69e 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -235,7 +235,7 @@ impl CertificateSigningRequest { fn load_pem_x509_csr( py: pyo3::Python<'_>, data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -257,7 +257,7 @@ fn load_pem_x509_csr( fn load_der_x509_csr( py: pyo3::Python<'_>, data: pyo3::Py, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; From 974d5e7743d1de6138b6cf5b9481f908bc6a2023 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 07:45:50 -0400 Subject: [PATCH 357/868] Convert `src/backend/cipher_registry.rs` to new pyo3 APIs (#10700) --- src/rust/src/backend/cipher_registry.rs | 217 ++++++++++++------------ 1 file changed, 111 insertions(+), 106 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 1ceccbe0a1cd..ee95e6539540 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -30,8 +30,8 @@ impl RegistryKey { algorithm: algorithm.clone_ref(py), mode: mode.clone_ref(py), key_size, - algorithm_hash: algorithm.as_ref(py).hash()?, - mode_hash: mode.as_ref(py).hash()?, + algorithm_hash: algorithm.bind(py).hash()?, + mode_hash: mode.bind(py).hash()?, }) } } @@ -87,13 +87,18 @@ impl<'p> RegistryBuilder<'p> { fn add( &mut self, - algorithm: &pyo3::PyAny, - mode: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + mode: &pyo3::Bound<'_, pyo3::PyAny>, key_size: Option, cipher: impl Into, ) -> CryptographyResult<()> { self.m.insert( - RegistryKey::new(self.py, algorithm.into(), mode.into(), key_size)?, + RegistryKey::new( + self.py, + algorithm.clone().unbind(), + mode.clone().unbind(), + key_size, + )?, cipher.into(), ); @@ -114,147 +119,147 @@ fn get_cipher_registry( REGISTRY.get_or_try_init(py, || { let mut m = RegistryBuilder::new(py); - let aes = types::AES.get(py)?; - let aes128 = types::AES128.get(py)?; - let aes256 = types::AES256.get(py)?; - let triple_des = types::TRIPLE_DES.get(py)?; + let aes = types::AES.get_bound(py)?; + let aes128 = types::AES128.get_bound(py)?; + let aes256 = types::AES256.get_bound(py)?; + let triple_des = types::TRIPLE_DES.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - let camellia = types::CAMELLIA.get(py)?; + let camellia = types::CAMELLIA.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] - let blowfish = types::BLOWFISH.get(py)?; + let blowfish = types::BLOWFISH.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] - let cast5 = types::CAST5.get(py)?; + let cast5 = types::CAST5.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] - let idea = types::IDEA.get(py)?; + let idea = types::IDEA.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] - let sm4 = types::SM4.get(py)?; + let sm4 = types::SM4.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] - let seed = types::SEED.get(py)?; - let arc4 = types::ARC4.get(py)?; + let seed = types::SEED.get_bound(py)?; + let arc4 = types::ARC4.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let chacha20 = types::CHACHA20.get(py)?; - let rc2 = types::RC2.get(py)?; + let chacha20 = types::CHACHA20.get_bound(py)?; + let rc2 = types::RC2.get_bound(py)?; - let cbc = types::CBC.get(py)?; + let cbc = types::CBC.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb = types::CFB.get(py)?; + let cfb = types::CFB.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb8 = types::CFB8.get(py)?; - let ofb = types::OFB.get(py)?; - let ecb = types::ECB.get(py)?; - let ctr = types::CTR.get(py)?; - let gcm = types::GCM.get(py)?; + let cfb8 = types::CFB8.get_bound(py)?; + let ofb = types::OFB.get_bound(py)?; + let ecb = types::ECB.get_bound(py)?; + let ctr = types::CTR.get_bound(py)?; + let gcm = types::GCM.get_bound(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let xts = types::XTS.get(py)?; + let xts = types::XTS.get_bound(py)?; let none = py.None(); - let none_type = none.as_ref(py).get_type(); + let none_type = none.bind(py).get_type(); - m.add(aes, cbc, Some(128), Cipher::aes_128_cbc())?; - m.add(aes, cbc, Some(192), Cipher::aes_192_cbc())?; - m.add(aes, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(&aes, &cbc, Some(128), Cipher::aes_128_cbc())?; + m.add(&aes, &cbc, Some(192), Cipher::aes_192_cbc())?; + m.add(&aes, &cbc, Some(256), Cipher::aes_256_cbc())?; - m.add(aes, ofb, Some(128), Cipher::aes_128_ofb())?; - m.add(aes, ofb, Some(192), Cipher::aes_192_ofb())?; - m.add(aes, ofb, Some(256), Cipher::aes_256_ofb())?; + m.add(&aes, &ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(&aes, &ofb, Some(192), Cipher::aes_192_ofb())?; + m.add(&aes, &ofb, Some(256), Cipher::aes_256_ofb())?; - m.add(aes, gcm, Some(128), Cipher::aes_128_gcm())?; - m.add(aes, gcm, Some(192), Cipher::aes_192_gcm())?; - m.add(aes, gcm, Some(256), Cipher::aes_256_gcm())?; + m.add(&aes, &gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(&aes, &gcm, Some(192), Cipher::aes_192_gcm())?; + m.add(&aes, &gcm, Some(256), Cipher::aes_256_gcm())?; - m.add(aes, ctr, Some(128), Cipher::aes_128_ctr())?; - m.add(aes, ctr, Some(192), Cipher::aes_192_ctr())?; - m.add(aes, ctr, Some(256), Cipher::aes_256_ctr())?; + m.add(&aes, &ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(&aes, &ctr, Some(192), Cipher::aes_192_ctr())?; + m.add(&aes, &ctr, Some(256), Cipher::aes_256_ctr())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - m.add(aes, cfb8, Some(128), Cipher::aes_128_cfb8())?; - m.add(aes, cfb8, Some(192), Cipher::aes_192_cfb8())?; - m.add(aes, cfb8, Some(256), Cipher::aes_256_cfb8())?; + m.add(&aes, &cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(&aes, &cfb8, Some(192), Cipher::aes_192_cfb8())?; + m.add(&aes, &cfb8, Some(256), Cipher::aes_256_cfb8())?; - m.add(aes, cfb, Some(128), Cipher::aes_128_cfb128())?; - m.add(aes, cfb, Some(192), Cipher::aes_192_cfb128())?; - m.add(aes, cfb, Some(256), Cipher::aes_256_cfb128())?; + m.add(&aes, &cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(&aes, &cfb, Some(192), Cipher::aes_192_cfb128())?; + m.add(&aes, &cfb, Some(256), Cipher::aes_256_cfb128())?; } - m.add(aes, ecb, Some(128), Cipher::aes_128_ecb())?; - m.add(aes, ecb, Some(192), Cipher::aes_192_ecb())?; - m.add(aes, ecb, Some(256), Cipher::aes_256_ecb())?; + m.add(&aes, &ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(&aes, &ecb, Some(192), Cipher::aes_192_ecb())?; + m.add(&aes, &ecb, Some(256), Cipher::aes_256_ecb())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - m.add(aes, xts, Some(256), Cipher::aes_128_xts())?; - m.add(aes, xts, Some(512), Cipher::aes_256_xts())?; + m.add(&aes, &xts, Some(256), Cipher::aes_128_xts())?; + m.add(&aes, &xts, Some(512), Cipher::aes_256_xts())?; } - m.add(aes128, cbc, Some(128), Cipher::aes_128_cbc())?; - m.add(aes256, cbc, Some(256), Cipher::aes_256_cbc())?; + m.add(&aes128, &cbc, Some(128), Cipher::aes_128_cbc())?; + m.add(&aes256, &cbc, Some(256), Cipher::aes_256_cbc())?; - m.add(aes128, ofb, Some(128), Cipher::aes_128_ofb())?; - m.add(aes256, ofb, Some(256), Cipher::aes_256_ofb())?; + m.add(&aes128, &ofb, Some(128), Cipher::aes_128_ofb())?; + m.add(&aes256, &ofb, Some(256), Cipher::aes_256_ofb())?; - m.add(aes128, gcm, Some(128), Cipher::aes_128_gcm())?; - m.add(aes256, gcm, Some(256), Cipher::aes_256_gcm())?; + m.add(&aes128, &gcm, Some(128), Cipher::aes_128_gcm())?; + m.add(&aes256, &gcm, Some(256), Cipher::aes_256_gcm())?; - m.add(aes128, ctr, Some(128), Cipher::aes_128_ctr())?; - m.add(aes256, ctr, Some(256), Cipher::aes_256_ctr())?; + m.add(&aes128, &ctr, Some(128), Cipher::aes_128_ctr())?; + m.add(&aes256, &ctr, Some(256), Cipher::aes_256_ctr())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - m.add(aes128, cfb8, Some(128), Cipher::aes_128_cfb8())?; - m.add(aes256, cfb8, Some(256), Cipher::aes_256_cfb8())?; + m.add(&aes128, &cfb8, Some(128), Cipher::aes_128_cfb8())?; + m.add(&aes256, &cfb8, Some(256), Cipher::aes_256_cfb8())?; - m.add(aes128, cfb, Some(128), Cipher::aes_128_cfb128())?; - m.add(aes256, cfb, Some(256), Cipher::aes_256_cfb128())?; + m.add(&aes128, &cfb, Some(128), Cipher::aes_128_cfb128())?; + m.add(&aes256, &cfb, Some(256), Cipher::aes_256_cfb128())?; } - m.add(aes128, ecb, Some(128), Cipher::aes_128_ecb())?; - m.add(aes256, ecb, Some(256), Cipher::aes_256_ecb())?; + m.add(&aes128, &ecb, Some(128), Cipher::aes_128_ecb())?; + m.add(&aes256, &ecb, Some(256), Cipher::aes_256_ecb())?; - m.add(triple_des, cbc, Some(192), Cipher::des_ede3_cbc())?; - m.add(triple_des, ecb, Some(192), Cipher::des_ede3_ecb())?; + m.add(&triple_des, &cbc, Some(192), Cipher::des_ede3_cbc())?; + m.add(&triple_des, &ecb, Some(192), Cipher::des_ede3_ecb())?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { - m.add(triple_des, cfb8, Some(192), Cipher::des_ede3_cfb8())?; - m.add(triple_des, cfb, Some(192), Cipher::des_ede3_cfb64())?; - m.add(triple_des, ofb, Some(192), Cipher::des_ede3_ofb())?; + m.add(&triple_des, &cfb8, Some(192), Cipher::des_ede3_cfb8())?; + m.add(&triple_des, &cfb, Some(192), Cipher::des_ede3_cfb64())?; + m.add(&triple_des, &ofb, Some(192), Cipher::des_ede3_ofb())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] { - m.add(camellia, cbc, Some(128), Cipher::camellia128_cbc())?; - m.add(camellia, cbc, Some(192), Cipher::camellia192_cbc())?; - m.add(camellia, cbc, Some(256), Cipher::camellia256_cbc())?; + m.add(&camellia, &cbc, Some(128), Cipher::camellia128_cbc())?; + m.add(&camellia, &cbc, Some(192), Cipher::camellia192_cbc())?; + m.add(&camellia, &cbc, Some(256), Cipher::camellia256_cbc())?; - m.add(camellia, ecb, Some(128), Cipher::camellia128_ecb())?; - m.add(camellia, ecb, Some(192), Cipher::camellia192_ecb())?; - m.add(camellia, ecb, Some(256), Cipher::camellia256_ecb())?; + m.add(&camellia, &ecb, Some(128), Cipher::camellia128_ecb())?; + m.add(&camellia, &ecb, Some(192), Cipher::camellia192_ecb())?; + m.add(&camellia, &ecb, Some(256), Cipher::camellia256_ecb())?; - m.add(camellia, ofb, Some(128), Cipher::camellia128_ofb())?; - m.add(camellia, ofb, Some(192), Cipher::camellia192_ofb())?; - m.add(camellia, ofb, Some(256), Cipher::camellia256_ofb())?; + m.add(&camellia, &ofb, Some(128), Cipher::camellia128_ofb())?; + m.add(&camellia, &ofb, Some(192), Cipher::camellia192_ofb())?; + m.add(&camellia, &ofb, Some(256), Cipher::camellia256_ofb())?; - m.add(camellia, cfb, Some(128), Cipher::camellia128_cfb128())?; - m.add(camellia, cfb, Some(192), Cipher::camellia192_cfb128())?; - m.add(camellia, cfb, Some(256), Cipher::camellia256_cfb128())?; + m.add(&camellia, &cfb, Some(128), Cipher::camellia128_cfb128())?; + m.add(&camellia, &cfb, Some(192), Cipher::camellia192_cfb128())?; + m.add(&camellia, &cfb, Some(256), Cipher::camellia256_cfb128())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] { - m.add(sm4, cbc, Some(128), Cipher::sm4_cbc())?; - m.add(sm4, ctr, Some(128), Cipher::sm4_ctr())?; - m.add(sm4, cfb, Some(128), Cipher::sm4_cfb128())?; - m.add(sm4, ofb, Some(128), Cipher::sm4_ofb())?; - m.add(sm4, ecb, Some(128), Cipher::sm4_ecb())?; + m.add(&sm4, &cbc, Some(128), Cipher::sm4_cbc())?; + m.add(&sm4, &ctr, Some(128), Cipher::sm4_ctr())?; + m.add(&sm4, &cfb, Some(128), Cipher::sm4_cfb128())?; + m.add(&sm4, &ofb, Some(128), Cipher::sm4_ofb())?; + m.add(&sm4, &ecb, Some(128), Cipher::sm4_ecb())?; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] if let Ok(c) = Cipher::fetch(None, "sm4-gcm", None) { - m.add(sm4, gcm, Some(128), c)?; + m.add(&sm4, &gcm, Some(128), c)?; } } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - m.add(chacha20, none_type, None, Cipher::chacha20())?; + m.add(&chacha20, none_type.as_any(), None, Cipher::chacha20())?; // Don't register legacy ciphers if they're unavailable. In theory // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER @@ -264,39 +269,39 @@ fn get_cipher_registry( { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { - m.add(blowfish, cbc, None, Cipher::bf_cbc())?; - m.add(blowfish, cfb, None, Cipher::bf_cfb64())?; - m.add(blowfish, ofb, None, Cipher::bf_ofb())?; - m.add(blowfish, ecb, None, Cipher::bf_ecb())?; + m.add(&blowfish, &cbc, None, Cipher::bf_cbc())?; + m.add(&blowfish, &cfb, None, Cipher::bf_cfb64())?; + m.add(&blowfish, &ofb, None, Cipher::bf_ofb())?; + m.add(&blowfish, &ecb, None, Cipher::bf_ecb())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] { - m.add(seed, cbc, Some(128), Cipher::seed_cbc())?; - m.add(seed, cfb, Some(128), Cipher::seed_cfb128())?; - m.add(seed, ofb, Some(128), Cipher::seed_ofb())?; - m.add(seed, ecb, Some(128), Cipher::seed_ecb())?; + m.add(&seed, &cbc, Some(128), Cipher::seed_cbc())?; + m.add(&seed, &cfb, Some(128), Cipher::seed_cfb128())?; + m.add(&seed, &ofb, Some(128), Cipher::seed_ofb())?; + m.add(&seed, &ecb, Some(128), Cipher::seed_ecb())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] { - m.add(cast5, cbc, None, Cipher::cast5_cbc())?; - m.add(cast5, ecb, None, Cipher::cast5_ecb())?; - m.add(cast5, ofb, None, Cipher::cast5_ofb())?; - m.add(cast5, cfb, None, Cipher::cast5_cfb64())?; + m.add(&cast5, &cbc, None, Cipher::cast5_cbc())?; + m.add(&cast5, &ecb, None, Cipher::cast5_ecb())?; + m.add(&cast5, &ofb, None, Cipher::cast5_ofb())?; + m.add(&cast5, &cfb, None, Cipher::cast5_cfb64())?; } #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] { - m.add(idea, cbc, Some(128), Cipher::idea_cbc())?; - m.add(idea, ecb, Some(128), Cipher::idea_ecb())?; - m.add(idea, ofb, Some(128), Cipher::idea_ofb())?; - m.add(idea, cfb, Some(128), Cipher::idea_cfb64())?; + m.add(&idea, &cbc, Some(128), Cipher::idea_cbc())?; + m.add(&idea, &ecb, Some(128), Cipher::idea_ecb())?; + m.add(&idea, &ofb, Some(128), Cipher::idea_ofb())?; + m.add(&idea, &cfb, Some(128), Cipher::idea_cfb64())?; } - m.add(arc4, none_type, None, Cipher::rc4())?; + m.add(&arc4, none_type.as_any(), None, Cipher::rc4())?; if let Some(rc2_cbc) = Cipher::from_nid(openssl::nid::Nid::RC2_CBC) { - m.add(rc2, cbc, Some(128), rc2_cbc)?; + m.add(&rc2, &cbc, Some(128), rc2_cbc)?; } } From ccec416c6c4cc0956a8dd7d2d27f8b699a90793d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 07:54:32 -0400 Subject: [PATCH 358/868] Convert `oid_to_py_oid` to new pyo3 APIs (#10701) --- src/rust/src/asn1.rs | 4 ++-- src/rust/src/x509/certificate.rs | 7 +++++-- src/rust/src/x509/common.rs | 2 +- src/rust/src/x509/crl.rs | 5 ++++- src/rust/src/x509/csr.rs | 7 +++++-- src/rust/src/x509/ocsp_resp.rs | 5 ++++- 6 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 2257b3bf9663..dcc06bdcf7a0 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -26,8 +26,8 @@ pub(crate) fn py_oid_to_oid( pub(crate) fn oid_to_py_oid<'p>( py: pyo3::Python<'p>, oid: &asn1::ObjectIdentifier, -) -> pyo3::PyResult<&'p pyo3::PyAny> { - Ok(pyo3::Py::new(py, crate::oid::ObjectIdentifier { oid: oid.clone() })?.into_ref(py)) +) -> pyo3::PyResult> { + Ok(pyo3::Bound::new(py, crate::oid::ObjectIdentifier { oid: oid.clone() })?.into_any()) } #[pyo3::prelude::pyfunction] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d21892eb9703..dde9aa1dc278 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -76,7 +76,7 @@ impl Certificate { fn public_key_algorithm_oid<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { oid_to_py_oid( py, self.raw.borrow_dependent().tbs_cert.spki.algorithm.oid(), @@ -262,7 +262,10 @@ impl Certificate { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { oid_to_py_oid(py, self.raw.borrow_dependent().signature_alg.oid()) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 7a7bd50ce1f9..27f162a8c6e9 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -397,7 +397,7 @@ pub(crate) fn parse_and_cache_extensions< Some(e) => e, None => types::UNRECOGNIZED_EXTENSION .get(py)? - .call1((oid_obj, raw_ext.extn_value))?, + .call1((oid_obj.clone(), raw_ext.extn_value))?, }; let ext_obj = types::EXTENSION diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 6d1cbd6beb33..cac3692e3017 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -184,7 +184,10 @@ impl CertificateRevocationList { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { oid_to_py_oid(py, self.owned.borrow_dependent().signature_algorithm.oid()) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index d5342175a69e..1f1eb9f9de9c 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -58,7 +58,7 @@ impl CertificateSigningRequest { fn public_key_algorithm_oid<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { oid_to_py_oid( py, self.raw.borrow_dependent().csr_info.spki.algorithm.oid(), @@ -96,7 +96,10 @@ impl CertificateSigningRequest { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { oid_to_py_oid(py, self.raw.borrow_dependent().signature_alg.oid()) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e5f8b479576a..1f088a484e5d 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -172,7 +172,10 @@ impl OCSPResponse { } #[getter] - fn signature_algorithm_oid<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm_oid<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; oid_to_py_oid(py, resp.signature_algorithm.oid()) } From 01d27ac06c7a7cc721fe716834b9794573284034 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 14:25:53 +0200 Subject: [PATCH 359/868] Convert `src/backend/hashes.rs` to new pyo3 APIs (#10705) --- src/rust/src/backend/hashes.rs | 28 +++++----- src/rust/src/backend/hmac.rs | 3 +- src/rust/src/backend/kdf.rs | 2 +- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/rsa.rs | 87 ++++++++++++++++++++------------ src/rust/src/backend/utils.rs | 6 +-- src/rust/src/x509/certificate.rs | 6 +-- src/rust/src/x509/crl.rs | 6 +-- src/rust/src/x509/ocsp.rs | 5 +- 9 files changed, 86 insertions(+), 59 deletions(-) diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index e26727092a6c..c97171689863 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::IntoPy; use std::borrow::Cow; use crate::buf::CffiBuf; @@ -39,9 +41,9 @@ impl Hash { pub(crate) fn message_digest_from_algorithm( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - if !algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { + if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err("Expected instance of hashes.HashAlgorithm."), )); @@ -83,8 +85,8 @@ impl Hash { #[pyo3(signature = (algorithm, backend=None))] pub(crate) fn new( py: pyo3::Python<'_>, - algorithm: &pyo3::PyAny, - backend: Option>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + backend: Option<&pyo3::Bound<'_, pyo3::PyAny>>, ) -> CryptographyResult { let _ = backend; @@ -92,7 +94,7 @@ impl Hash { let ctx = openssl::hash::Hasher::new(md)?; Ok(Hash { - algorithm: algorithm.into(), + algorithm: algorithm.clone().into_py(py), ctx: Some(ctx), }) } @@ -104,17 +106,17 @@ impl Hash { pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL)))] { let algorithm = self.algorithm.clone_ref(py); - let algorithm = algorithm.as_ref(py); - if algorithm.is_instance(types::EXTENDABLE_OUTPUT_FUNCTION.get(py)?)? { + let algorithm = algorithm.bind(py); + if algorithm.is_instance(&types::EXTENDABLE_OUTPUT_FUNCTION.get_bound(py)?)? { let ctx = self.get_mut_ctx()?; let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::()?; - let result = pyo3::types::PyBytes::new_with(py, digest_size, |b| { + let result = pyo3::types::PyBytes::new_bound_with(py, digest_size, |b| { ctx.finish_xof(b).unwrap(); Ok(()) })?; @@ -125,7 +127,7 @@ impl Hash { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new(py, &data)) + Ok(pyo3::types::PyBytes::new_bound(py, &data)) } fn copy(&self, py: pyo3::Python<'_>) -> CryptographyResult { @@ -136,8 +138,10 @@ impl Hash { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "hashes")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "hashes")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 3c19f1d124cb..4d1b4b325bdb 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -6,6 +6,7 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::PyNativeType; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", @@ -23,7 +24,7 @@ impl Hmac { key: &[u8], algorithm: &pyo3::PyAny, ) -> CryptographyResult { - let md = message_digest_from_algorithm(py, algorithm)?; + let md = message_digest_from_algorithm(py, &algorithm.as_borrowed())?; let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { exceptions::UnsupportedAlgorithm::new_err(( "Digest is not supported for HMAC", diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 35cf0eb266a3..942b5613cd5f 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -10,7 +10,7 @@ use crate::error::CryptographyResult; fn derive_pbkdf2_hmac<'p>( py: pyo3::Python<'p>, key_material: CffiBuf<'_>, - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, salt: &[u8], iterations: usize, length: usize, diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 2b1592906a1f..bab72f289056 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -42,7 +42,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(poly1305::create_module(module.py())?)?; - module.add_submodule(hashes::create_module(module.py())?)?; + module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hmac::create_module(module.py())?)?; module.add_submodule(kdf::create_module(module.py())?)?; module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 07fea2b49187..45dd5c309c4f 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -10,6 +10,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::PyNativeType; #[pyo3::prelude::pyclass( frozen, @@ -80,9 +81,9 @@ fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { fn setup_encryption_ctx( py: pyo3::Python<'_>, ctx: &mut openssl::pkey_ctx::PkeyCtx, - padding: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - if !padding.is_instance(types::ASYMMETRIC_PADDING.get(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", @@ -90,12 +91,12 @@ fn setup_encryption_ctx( )); } - let padding_enum = if padding.is_instance(types::PKCS1V15.get(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(types::OAEP.get(py)?)? { + } else if padding.is_instance(&types::OAEP.get_bound(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(types::MGF1.get(py)?)? + .is_instance(&types::MGF1.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -123,13 +124,13 @@ fn setup_encryption_ctx( if padding_enum == openssl::rsa::Padding::PKCS1_OAEP { let mgf1_md = hashes::message_digest_from_algorithm( py, - padding + &padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?, )?; let oaep_md = hashes::message_digest_from_algorithm( py, - padding.getattr(pyo3::intern!(py, "_algorithm"))?, + &padding.getattr(pyo3::intern!(py, "_algorithm"))?, )?; if !oaep_hash_supported(&mgf1_md) || !oaep_hash_supported(&oaep_md) { @@ -160,12 +161,12 @@ fn setup_encryption_ctx( fn setup_signature_ctx( py: pyo3::Python<'_>, ctx: &mut openssl::pkey_ctx::PkeyCtx, - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, key_size: usize, is_signing: bool, ) -> CryptographyResult<()> { - if !padding.is_instance(types::ASYMMETRIC_PADDING.get(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", @@ -173,12 +174,12 @@ fn setup_signature_ctx( )); } - let padding_enum = if padding.is_instance(types::PKCS1V15.get(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(types::PSS.get(py)?)? { + } else if padding.is_instance(&types::PSS.get_bound(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(types::MGF1.get(py)?)? + .is_instance(&types::MGF1.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -189,7 +190,7 @@ fn setup_signature_ctx( } // PSS padding requires a hash algorithm - if !algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { + if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of hashes.HashAlgorithm.", @@ -250,11 +251,11 @@ fn setup_signature_ctx( if padding_enum == openssl::rsa::Padding::PKCS1_PSS { let salt = padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if salt.is_instance(types::PADDING_MAX_LENGTH.get(py)?)? { + if salt.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::MAXIMUM_LENGTH)?; - } else if salt.is_instance(types::PADDING_DIGEST_LENGTH.get(py)?)? { + } else if salt.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?; - } else if salt.is_instance(types::PADDING_AUTO.get(py)?)? { + } else if salt.is_instance(&types::PADDING_AUTO.get_bound(py)?)? { if is_signing { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -268,7 +269,7 @@ fn setup_signature_ctx( let mgf1_md = hashes::message_digest_from_algorithm( py, - padding + &padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?, )?; @@ -284,17 +285,27 @@ impl RsaPrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'p, pyo3::PyAny>, + algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let (data, algorithm) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, algorithm) = utils::calculate_digest_and_algorithm( + py, + data.as_bytes(), + algorithm.clone().into_gil_ref(), + )?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { pyo3::exceptions::PyValueError::new_err("Unable to sign/verify with this key") })?; - setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), true)?; + setup_signature_ctx( + py, + &mut ctx, + padding, + &algorithm.as_borrowed(), + self.pkey.size(), + true, + )?; let length = ctx.sign(data, None)?; Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { @@ -312,7 +323,7 @@ impl RsaPrivateKey { &self, py: pyo3::Python<'p>, ciphertext: &[u8], - padding: &pyo3::PyAny, + padding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let key_size_bytes = usize::try_from((self.pkey.rsa().unwrap().n().num_bits() + 7) / 8).unwrap(); @@ -424,15 +435,25 @@ impl RsaPublicKey { py: pyo3::Python<'_>, signature: CffiBuf<'_>, data: CffiBuf<'_>, - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - let (data, algorithm) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, algorithm) = utils::calculate_digest_and_algorithm( + py, + data.as_bytes(), + algorithm.clone().into_gil_ref(), + )?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; - setup_signature_ctx(py, &mut ctx, padding, algorithm, self.pkey.size(), false)?; + setup_signature_ctx( + py, + &mut ctx, + padding, + &algorithm.as_borrowed(), + self.pkey.size(), + false, + )?; let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { @@ -448,7 +469,7 @@ impl RsaPublicKey { &self, py: pyo3::Python<'p>, plaintext: &[u8], - padding: &pyo3::PyAny, + padding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.encrypt_init()?; @@ -469,10 +490,10 @@ impl RsaPublicKey { &self, py: pyo3::Python<'p>, signature: &[u8], - padding: &pyo3::PyAny, - algorithm: &pyo3::PyAny, + padding: &pyo3::Bound<'_, pyo3::PyAny>, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if algorithm.is_instance(types::PREHASHED.get(py)?)? { + if algorithm.is_instance(&types::PREHASHED.get(py)?.as_borrowed())? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.", diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index f44db97101ed..63ee13bca525 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; use pyo3::prelude::PyAnyMethods; -use pyo3::ToPyObject; +use pyo3::{PyNativeType, ToPyObject}; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -362,9 +362,9 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. - let mut h = Hash::new(py, algorithm, None)?; + let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(data)?; - data = h.finalize(py)?.as_bytes(); + data = h.finalize(py)?.into_gil_ref().as_bytes(); } if data.len() != algorithm.getattr("digest_size")?.extract()? { diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index dde9aa1dc278..9797c30f39f8 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::{IntoPy, ToPyObject}; +use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -90,9 +90,9 @@ impl Certificate { ) -> CryptographyResult<&'p pyo3::PyAny> { let serialized = asn1::write_single(&self.raw.borrow_dependent())?; - let mut h = hashes::Hash::new(py, algorithm, None)?; + let mut h = hashes::Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&serialized)?; - Ok(h.finalize(py)?) + Ok(h.finalize(py)?.into_gil_ref()) } fn public_bytes<'p>( diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index cac3692e3017..3521adf71b34 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::{IntoPy, ToPyObject}; +use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -178,9 +178,9 @@ impl CertificateRevocationList { ) -> pyo3::PyResult<&'p pyo3::PyAny> { let data = self.public_bytes_der()?; - let mut h = Hash::new(py, algorithm, None)?; + let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&data)?; - Ok(h.finalize(py)?) + Ok(h.finalize(py)?.into_gil_ref()) } #[getter] diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 3565588bc0f1..10590354b8df 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -7,6 +7,7 @@ use std::collections::HashMap; use cryptography_x509::common; use cryptography_x509::ocsp_req::CertID; use once_cell::sync::Lazy; +use pyo3::PyNativeType; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; @@ -125,7 +126,7 @@ pub(crate) fn hash_data<'p>( py_hash_alg: &'p pyo3::PyAny, data: &[u8], ) -> pyo3::PyResult<&'p [u8]> { - let mut h = Hash::new(py, py_hash_alg, None)?; + let mut h = Hash::new(py, &py_hash_alg.as_borrowed(), None)?; h.update_bytes(data)?; - Ok(h.finalize(py)?.as_bytes()) + Ok(h.finalize(py)?.into_gil_ref().as_bytes()) } From 6813602069304f5282109c091f355d0a3c2dd804 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 08:40:48 -0400 Subject: [PATCH 360/868] Convert two more `asn1.rs` APIs to new pyo3 APIs (#10704) --- src/rust/src/asn1.rs | 19 +++++++++++-------- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/crl.rs | 5 ++++- src/rust/src/x509/ocsp_req.rs | 2 +- src/rust/src/x509/ocsp_resp.rs | 12 +++++++++--- 5 files changed, 26 insertions(+), 14 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index dcc06bdcf7a0..394f19218083 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -31,25 +31,28 @@ pub(crate) fn oid_to_py_oid<'p>( } #[pyo3::prelude::pyfunction] -fn parse_spki_for_data( - py: pyo3::Python<'_>, +fn parse_spki_for_data<'p>( + py: pyo3::Python<'p>, data: &[u8], -) -> Result { +) -> Result, CryptographyError> { let spki = asn1::parse_single::>(data)?; if spki.subject_public_key.padding_bits() != 0 { return Err(pyo3::exceptions::PyValueError::new_err("Invalid public key encoding").into()); } - Ok(pyo3::types::PyBytes::new(py, spki.subject_public_key.as_bytes()).to_object(py)) + Ok(pyo3::types::PyBytes::new_bound( + py, + spki.subject_public_key.as_bytes(), + )) } pub(crate) fn big_byte_slice_to_py_int<'p>( py: pyo3::Python<'p>, v: &'_ [u8], -) -> pyo3::PyResult<&'p pyo3::PyAny> { - let int_type = py.get_type::(); - let kwargs = [("signed", true)].into_py_dict(py); - int_type.call_method(pyo3::intern!(py, "from_bytes"), (v, "big"), Some(kwargs)) +) -> pyo3::PyResult> { + let int_type = py.get_type_bound::(); + let kwargs = [("signed", true)].into_py_dict_bound(py); + int_type.call_method(pyo3::intern!(py, "from_bytes"), (v, "big"), Some(&kwargs)) } #[pyo3::prelude::pyfunction] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 9797c30f39f8..2be995def916 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -109,7 +109,7 @@ impl Certificate { fn serial_number<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let bytes = self.raw.borrow_dependent().tbs_cert.serial.as_bytes(); warn_if_negative_serial(py, bytes)?; Ok(big_byte_slice_to_py_int(py, bytes)?) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 3521adf71b34..900914241ec2 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -521,7 +521,10 @@ struct RevokedCertificate { #[pyo3::prelude::pymethods] impl RevokedCertificate { #[getter] - fn serial_number<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn serial_number<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { big_byte_slice_to_py_int( py, self.owned.borrow_dependent().user_certificate.as_bytes(), diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 931036c4b0a7..5d6674d04b3f 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -105,7 +105,7 @@ impl OCSPRequest { fn serial_number<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let bytes = self.cert_id().serial_number.as_bytes(); Ok(big_byte_slice_to_py_int(py, bytes)?) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 1f088a484e5d..7d93fde6fc6a 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -256,7 +256,10 @@ impl OCSPResponse { } #[getter] - fn serial_number<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn serial_number<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_serial_number(&single_resp, py) @@ -461,7 +464,7 @@ fn single_response<'a>( fn singleresp_py_serial_number<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { big_byte_slice_to_py_int(py, resp.cert_id.serial_number.as_bytes()) } @@ -781,7 +784,10 @@ impl OCSPSingleResponse { #[pyo3::prelude::pymethods] impl OCSPSingleResponse { #[getter] - fn serial_number<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn serial_number<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { singleresp_py_serial_number(self.single_response(), py) } From 632389f2fd0689a7de7a80f26d8f18ac255870e5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 09:10:49 -0400 Subject: [PATCH 361/868] Convert `src/backend/ciphers.rs` to new pyo3 APIs (#10703) --- src/rust/src/backend/ciphers.rs | 81 ++++++++++++++++++--------------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 46 insertions(+), 37 deletions(-) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 2cf97d7b8800..5677e0fbba3d 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,7 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; struct CipherContext { @@ -121,10 +121,10 @@ impl CipherContext { &mut self, py: pyo3::Python<'p>, buf: &[u8], - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut out_buf = vec![0; buf.len() + self.ctx.block_size()]; let n = self.update_into(py, buf, &mut out_buf)?; - Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) } fn update_into( @@ -146,7 +146,11 @@ impl CipherContext { for chunk in buf.chunks(1 << 29) { // SAFETY: We ensure that outbuf is sufficiently large above. unsafe { - let n = if self.py_mode.as_ref(py).is_instance(types::XTS.get(py)?)? { + let n = if self + .py_mode + .bind(py) + .is_instance(&types::XTS.get_bound(py)?)? + { self.ctx.cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..])).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "In XTS mode you must supply at least a full block in the first update call. For AES this is 16 bytes." @@ -171,14 +175,14 @@ impl CipherContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut out_buf = vec![0; self.ctx.block_size()]; let n = self.ctx.cipher_final(&mut out_buf).or_else(|e| { if e.errors().is_empty() && self .py_mode - .as_ref(py) - .is_instance(types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? + .bind(py) + .is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -188,7 +192,7 @@ impl CipherContext { ), )) })?; - Ok(pyo3::types::PyBytes::new(py, &out_buf[..n])) + Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) } } @@ -233,7 +237,7 @@ impl PyCipherContext { &mut self, py: pyo3::Python<'p>, buf: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { get_mut_ctx(self.ctx.as_mut())?.update(py, buf.as_bytes()) } @@ -249,7 +253,7 @@ impl PyCipherContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = get_mut_ctx(self.ctx.as_mut())?.finalize(py)?; self.ctx = None; Ok(result) @@ -262,7 +266,7 @@ impl PyAEADEncryptionContext { &mut self, py: pyo3::Python<'p>, buf: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = buf.as_bytes(); self.updated = true; @@ -314,16 +318,16 @@ impl PyAEADEncryptionContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let ctx = get_mut_ctx(self.ctx.as_mut())?; let result = ctx.finalize(py)?; // XXX: do not hard code 16 - let tag = pyo3::types::PyBytes::new_with(py, 16, |t| { + let tag = pyo3::types::PyBytes::new_bound_with(py, 16, |t| { ctx.ctx.tag(t).map_err(CryptographyError::from)?; Ok(()) })?; - self.tag = Some(tag.into_py(py)); + self.tag = Some(tag.unbind()); self.ctx = None; Ok(result) @@ -349,7 +353,7 @@ impl PyAEADDecryptionContext { &mut self, py: pyo3::Python<'p>, buf: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = buf.as_bytes(); self.updated = true; @@ -401,12 +405,12 @@ impl PyAEADDecryptionContext { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let ctx = get_mut_ctx(self.ctx.as_mut())?; if ctx .py_mode - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "tag"))? .is_none() { @@ -426,12 +430,12 @@ impl PyAEADDecryptionContext { &mut self, py: pyo3::Python<'p>, tag: &[u8], - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let ctx = get_mut_ctx(self.ctx.as_mut())?; if !ctx .py_mode - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "tag"))? .is_none() { @@ -444,7 +448,7 @@ impl PyAEADDecryptionContext { let min_tag_length = ctx .py_mode - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "_min_tag_length"))? .extract()?; // XXX: Do not hard code 16 @@ -506,8 +510,11 @@ fn create_decryption_ctx( let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?; if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { - if let Some(tag) = mode.getattr(pyo3::intern!(py, "tag"))?.extract()? { - ctx.ctx.set_tag(tag)?; + if let Some(tag) = mode + .getattr(pyo3::intern!(py, "tag"))? + .extract::>()? + { + ctx.ctx.set_tag(&tag)?; } Ok(PyAEADDecryptionContext { @@ -536,31 +543,33 @@ fn cipher_supported( } #[pyo3::prelude::pyfunction] -fn _advance(ctx: &pyo3::PyAny, n: u64) { - if let Ok(c) = ctx.downcast::>() { +fn _advance(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { + if let Ok(c) = ctx.downcast::() { c.borrow_mut().bytes_remaining -= n; - } else if let Ok(c) = ctx.downcast::>() { + } else if let Ok(c) = ctx.downcast::() { c.borrow_mut().bytes_remaining -= n; } } #[pyo3::prelude::pyfunction] -fn _advance_aad(ctx: &pyo3::PyAny, n: u64) { - if let Ok(c) = ctx.downcast::>() { +fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { + if let Ok(c) = ctx.downcast::() { c.borrow_mut().aad_bytes_remaining -= n; - } else if let Ok(c) = ctx.downcast::>() { + } else if let Ok(c) = ctx.downcast::() { c.borrow_mut().aad_bytes_remaining -= n; } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ciphers")?; - m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(cipher_supported, m)?)?; - - m.add_function(pyo3::wrap_pyfunction!(_advance, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(_advance_aad, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ciphers")?; + m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction!(cipher_supported, &m)?)?; + + m.add_function(pyo3::wrap_pyfunction!(_advance, &m)?)?; + m.add_function(pyo3::wrap_pyfunction!(_advance_aad, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index bab72f289056..4cae1e3d5bef 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -25,7 +25,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ciphers::create_module(module.py())?)?; + module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; module.add_submodule(cmac::create_module(module.py())?)?; module.add_submodule(dh::create_module(module.py())?)?; module.add_submodule(dsa::create_module(module.py())?)?; From 52bed48a925024d744a2c29a1be917e6a5f639c6 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 16:46:25 +0200 Subject: [PATCH 362/868] Convert `private_bytes` methods to new pyo3 APIs (#10707) --- src/rust/src/backend/dh.rs | 6 +++--- src/rust/src/backend/dsa.rs | 6 +++--- src/rust/src/backend/ec.rs | 6 +++--- src/rust/src/backend/ed25519.rs | 6 +++--- src/rust/src/backend/ed448.rs | 6 +++--- src/rust/src/backend/rsa.rs | 10 +++++----- src/rust/src/backend/utils.rs | 28 ++++++++++++++-------------- src/rust/src/backend/x25519.rs | 6 +++--- src/rust/src/backend/x448.rs | 6 +++--- 9 files changed, 40 insertions(+), 40 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 2eb9189bb1ce..5e84febbc1c1 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -224,9 +224,9 @@ impl DHPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if !format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { return Err(CryptographyError::from( diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index a62de7c73239..0bcfd2bf7120 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -131,9 +131,9 @@ impl DsaPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index f63444ef0fab..500e0b6e7a22 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -355,9 +355,9 @@ impl ECPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 4ddb8d14abe7..55db28c30c55 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -99,9 +99,9 @@ impl Ed25519PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 0e6698af0f1e..a8678a6aa01e 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -97,9 +97,9 @@ impl Ed448PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 45dd5c309c4f..f1d9217d9f62 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -147,10 +147,10 @@ fn setup_encryption_ctx( if let Some(label) = padding .getattr(pyo3::intern!(py, "_label"))? - .extract::>()? + .extract::>()? { if !label.is_empty() { - ctx.set_rsa_oaep_label(label)?; + ctx.set_rsa_oaep_label(&label)?; } } } @@ -411,9 +411,9 @@ impl RsaPrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 63ee13bca525..7c01e0be3772 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -46,27 +46,27 @@ pub(crate) fn pkey_private_bytes<'p>( py: pyo3::Python<'p>, key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult> { - if !encoding.is_instance(types::ENCODING.get(py)?)? { + if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(types::PRIVATE_FORMAT.get(py)?)? { + if !format.is_instance(&types::PRIVATE_FORMAT.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PrivateFormat enum", ), )); } - if !encryption_algorithm.is_instance(types::KEY_SERIALIZATION_ENCRYPTION.get(py)?)? { + if !encryption_algorithm.is_instance(&types::KEY_SERIALIZATION_ENCRYPTION.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Encryption algorithm must be a KeySerializationEncryption instance", @@ -80,7 +80,7 @@ pub(crate) fn pkey_private_bytes<'p>( { if !encoding.is(types::ENCODING_RAW.get(py)?) || !format.is(types::PRIVATE_FORMAT_RAW.get(py)?) - || !encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? + || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "When using Raw both encoding and format must be Raw and encryption_algorithm must be NoEncryption()" @@ -90,10 +90,10 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } - let password = if encryption_algorithm.is_instance(types::NO_ENCRYPTION.get(py)?)? { + let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { b"" - } else if encryption_algorithm.is_instance(types::BEST_AVAILABLE_ENCRYPTION.get(py)?)? - || (encryption_algorithm.is_instance(types::ENCRYPTION_BUILDER.get(py)?)? + } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get_bound(py)?)? + || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get_bound(py)?)? && encryption_algorithm .getattr(pyo3::intern!(py, "_format"))? .is(format)) @@ -144,7 +144,7 @@ pub(crate) fn pkey_private_bytes<'p>( if format.is(types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { if let Ok(rsa) = pkey.rsa() { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { rsa.private_key_to_pem()? } else { @@ -154,7 +154,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -167,7 +167,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { dsa.private_key_to_pem()? } else { @@ -177,7 +177,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 89d8a53e500e..45d397e751f0 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -100,9 +100,9 @@ impl X25519PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 49dbfbd65e06..bd2833df48dc 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -99,9 +99,9 @@ impl X448PrivateKey { fn private_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, - encryption_algorithm: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, + encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_private_bytes( py, From c0b80d6d0b6157304a10e3172ad302e99b21b4b7 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 19:39:02 +0200 Subject: [PATCH 363/868] Convert more `utils.rs` APIs to new pyo3 APIs (#10708) --- src/rust/src/backend/dh.rs | 4 ++-- src/rust/src/backend/dsa.rs | 11 +++++++---- src/rust/src/backend/ec.rs | 20 +++++++++++--------- src/rust/src/backend/ed25519.rs | 4 ++-- src/rust/src/backend/ed448.rs | 4 ++-- src/rust/src/backend/rsa.rs | 18 ++++++------------ src/rust/src/backend/utils.rs | 21 +++++++++++---------- src/rust/src/backend/x25519.rs | 4 ++-- src/rust/src/backend/x448.rs | 4 ++-- 9 files changed, 45 insertions(+), 45 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 5e84febbc1c1..b0527fca16b5 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -259,8 +259,8 @@ impl DHPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if !format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { return Err(CryptographyError::from( diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 0bcfd2bf7120..9793da8a0c7b 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -7,6 +7,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use pyo3::prelude::PyAnyMethods; +use pyo3::PyNativeType; #[pyo3::prelude::pyclass( frozen, @@ -71,7 +72,8 @@ impl DsaPrivateKey { data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, _) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -157,7 +159,8 @@ impl DsaPublicKey { data: CffiBuf<'_>, algorithm: &pyo3::PyAny, ) -> CryptographyResult<()> { - let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; + let (data, _) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; @@ -204,8 +207,8 @@ impl DsaPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 500e0b6e7a22..a34fc131e8f9 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -6,7 +6,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use pyo3::prelude::PyAnyMethods; -use pyo3::ToPyObject; +use pyo3::{PyNativeType, ToPyObject}; use crate::backend::utils; use crate::buf::CffiBuf; @@ -274,11 +274,11 @@ impl ECPrivateKey { )), )); } - let (data, algo) = utils::calculate_digest_and_algorithm( - py, - data.as_bytes(), - signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, - )?; + let bound_algorithm = signature_algorithm + .getattr(pyo3::intern!(py, "algorithm"))? + .as_borrowed(); + let (data, algo) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), &bound_algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -398,7 +398,9 @@ impl ECPublicKey { let (data, _) = utils::calculate_digest_and_algorithm( py, data.as_bytes(), - signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, + &signature_algorithm + .as_borrowed() + .getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; @@ -437,8 +439,8 @@ impl ECPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 55db28c30c55..383fa3a5fd2d 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -143,8 +143,8 @@ impl Ed25519PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index a8678a6aa01e..9d9bf485cd61 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -140,8 +140,8 @@ impl Ed448PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, true) } diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index f1d9217d9f62..512b12ece224 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -288,11 +288,8 @@ impl RsaPrivateKey { padding: &pyo3::Bound<'p, pyo3::PyAny>, algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let (data, algorithm) = utils::calculate_digest_and_algorithm( - py, - data.as_bytes(), - algorithm.clone().into_gil_ref(), - )?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.sign_init().map_err(|_| { @@ -438,11 +435,8 @@ impl RsaPublicKey { padding: &pyo3::Bound<'_, pyo3::PyAny>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - let (data, algorithm) = utils::calculate_digest_and_algorithm( - py, - data.as_bytes(), - algorithm.clone().into_gil_ref(), - )?; + let (data, algorithm) = + utils::calculate_digest_and_algorithm(py, data.as_bytes(), algorithm)?; let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; @@ -534,8 +528,8 @@ impl RsaPublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, true, false) } diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 7c01e0be3772..d3cc3b24b580 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; use pyo3::prelude::PyAnyMethods; -use pyo3::{PyNativeType, ToPyObject}; +use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( py: pyo3::Python<'_>, @@ -240,19 +240,19 @@ pub(crate) fn pkey_public_bytes<'p>( py: pyo3::Python<'p>, key_obj: &pyo3::Bound<'p, pyo3::PyAny>, pkey: &openssl::pkey::PKey, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult> { - if !encoding.is_instance(types::ENCODING.get(py)?)? { + if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(types::PUBLIC_FORMAT.get(py)?)? { + if !format.is_instance(&types::PUBLIC_FORMAT.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PublicFormat enum", @@ -355,10 +355,11 @@ pub(crate) fn pkey_public_bytes<'p>( pub(crate) fn calculate_digest_and_algorithm<'p>( py: pyo3::Python<'p>, mut data: &'p [u8], - mut algorithm: &'p pyo3::PyAny, -) -> CryptographyResult<(&'p [u8], &'p pyo3::PyAny)> { - if algorithm.is_instance(types::PREHASHED.get(py)?)? { - algorithm = algorithm.getattr("_algorithm")?; + algorithm: &pyo3::Bound<'p, pyo3::PyAny>, +) -> CryptographyResult<(&'p [u8], pyo3::Bound<'p, pyo3::PyAny>)> { + let mut algorithm_result = algorithm.clone(); + if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? { + algorithm_result = algorithm.getattr("_algorithm")?; } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. @@ -375,7 +376,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( )); } - Ok((data, algorithm)) + Ok((data, algorithm_result)) } pub(crate) enum PasswordCallbackStatus { diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 45d397e751f0..970f8b8ea646 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -130,8 +130,8 @@ impl X25519PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index bd2833df48dc..517fc48c0493 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -129,8 +129,8 @@ impl X448PublicKey { fn public_bytes<'p>( slf: &pyo3::Bound<'p, Self>, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - format: &pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { utils::pkey_public_bytes(py, slf, &slf.borrow().pkey, encoding, format, false, true) } From d764ae2a0b8622d4957c2dcece37163e611d1351 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 21:42:37 +0200 Subject: [PATCH 364/868] Convert more APIs in `certificate.rs` to new pyo3 APIs (#10709) --- src/rust/src/x509/certificate.rs | 196 ++++++++++++++++++++----------- src/rust/src/x509/crl.rs | 18 ++- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/extensions.rs | 6 +- 4 files changed, 144 insertions(+), 78 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2be995def916..8b41d36a879f 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,6 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; +use pyo3::prelude::PyAnyMethods; use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ @@ -86,23 +87,30 @@ impl Certificate { fn fingerprint<'p>( &self, py: pyo3::Python<'p>, - algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::PyAny> { + algorithm: &pyo3::Bound<'p, pyo3::PyAny>, + ) -> CryptographyResult> { let serialized = asn1::write_single(&self.raw.borrow_dependent())?; let mut h = hashes::Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&serialized)?; - Ok(h.finalize(py)?.into_gil_ref()) + Ok(h.finalize(py)?.into_any()) } fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - encode_der_data(py, "CERTIFICATE".to_string(), result, encoding) + Ok(encode_der_data( + py, + "CERTIFICATE".to_string(), + result, + encoding.clone().into_gil_ref(), + )? + .as_borrowed() + .to_owned()) } #[getter] @@ -116,37 +124,44 @@ impl Certificate { } #[getter] - fn version<'p>(&self, py: pyo3::Python<'p>) -> Result<&'p pyo3::PyAny, CryptographyError> { + fn version<'p>( + &self, + py: pyo3::Python<'p>, + ) -> Result, CryptographyError> { let version = &self.raw.borrow_dependent().tbs_cert.version; cert_version(py, *version) } #[getter] - fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().issuer()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))? + .as_borrowed() + .to_owned()) } #[getter] - fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().subject()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))? + .as_borrowed() + .to_owned()) } #[getter] fn tbs_certificate_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(&self.raw.borrow_dependent().tbs_cert)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[getter] fn tbs_precertificate_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let val = self.raw.borrow_dependent(); let mut tbs_precert = val.tbs_cert.clone(); // Remove the SCT list extension @@ -173,7 +188,7 @@ impl Certificate { tbs_precert.raw_extensions = Some(filtered_extensions); let result = asn1::write_single(&tbs_precert)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } Err(DuplicateExtensionsError(oid)) => { let oid_obj = oid_to_py_oid(py, &oid)?; @@ -187,12 +202,15 @@ impl Certificate { } #[getter] - fn signature<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes { - pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) + fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::Bound<'p, pyo3::types::PyBytes> { + pyo3::types::PyBytes::new_bound(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] - fn not_valid_before<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_before<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn( py, @@ -207,11 +225,14 @@ impl Certificate { .validity .not_before .as_datetime(); - x509::datetime_to_py(py, dt) + Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) } #[getter] - fn not_valid_before_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_before_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let dt = &self .raw .borrow_dependent() @@ -219,11 +240,14 @@ impl Certificate { .validity .not_before .as_datetime(); - x509::datetime_to_py_utc(py, dt) + Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) } #[getter] - fn not_valid_after<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_after<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn( py, @@ -238,11 +262,14 @@ impl Certificate { .validity .not_after .as_datetime(); - x509::datetime_to_py(py, dt) + Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) } #[getter] - fn not_valid_after_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn not_valid_after_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let dt = &self .raw .borrow_dependent() @@ -250,7 +277,7 @@ impl Certificate { .validity .not_after .as_datetime(); - x509::datetime_to_py_utc(py, dt) + Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) } #[getter] @@ -300,7 +327,7 @@ impl Certificate { .call1((scts,))?, )) } - _ => parse_cert_ext(py, ext), + _ => parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())), }, ) } @@ -332,10 +359,13 @@ impl Certificate { } } -fn cert_version(py: pyo3::Python<'_>, version: u8) -> Result<&pyo3::PyAny, CryptographyError> { +fn cert_version( + py: pyo3::Python<'_>, + version: u8, +) -> Result, CryptographyError> { match version { - 0 => Ok(types::CERTIFICATE_VERSION_V1.get(py)?), - 2 => Ok(types::CERTIFICATE_VERSION_V3.get(py)?), + 0 => Ok(types::CERTIFICATE_VERSION_V1.get_bound(py)?), + 2 => Ok(types::CERTIFICATE_VERSION_V3.get_bound(py)?), _ => Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( format!("{version} is not a valid X509 version"), @@ -654,7 +684,7 @@ pub(crate) fn parse_distribution_point_reasons( pub(crate) fn encode_distribution_point_reasons( py: pyo3::Python<'_>, - py_reasons: &pyo3::PyAny, + py_reasons: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; @@ -675,7 +705,7 @@ pub(crate) fn encode_distribution_point_reasons( pub(crate) fn parse_authority_key_identifier<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> Result<&'p pyo3::PyAny, CryptographyError> { +) -> Result, CryptographyError> { let aki = ext.value::>()?; let serial = match aki.authority_cert_serial_number { Some(biguint) => big_byte_slice_to_py_int(py, biguint.as_bytes())?.to_object(py), @@ -687,7 +717,9 @@ pub(crate) fn parse_authority_key_identifier<'p>( }; Ok(types::AUTHORITY_KEY_IDENTIFIER .get(py)? - .call1((aki.key_identifier, issuer, serial))?) + .call1((aki.key_identifier, issuer, serial))? + .as_borrowed() + .to_owned()) } pub(crate) fn parse_access_descriptions( @@ -711,20 +743,24 @@ pub(crate) fn parse_access_descriptions( pub fn parse_cert_ext<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> CryptographyResult> { +) -> CryptographyResult>> { match ext.extn_id { oid::SUBJECT_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let sans = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?, + types::SUBJECT_ALTERNATIVE_NAME + .get_bound(py)? + .call1((sans,))?, )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME + .get_bound(py)? + .call1((ians,))?, )) } oid::TLS_FEATURE_OID => { @@ -735,13 +771,13 @@ pub fn parse_cert_ext<'p>( let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; } - Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?)) + Ok(Some(types::TLS_FEATURE.get_bound(py)?.call1((features,))?)) } oid::SUBJECT_KEY_IDENTIFIER_OID => { let identifier = ext.value::<&[u8]>()?; Ok(Some( types::SUBJECT_KEY_IDENTIFIER - .get(py)? + .get_bound(py)? .call1((identifier,))?, )) } @@ -751,12 +787,14 @@ pub fn parse_cert_ext<'p>( let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; } - Ok(Some(types::EXTENDED_KEY_USAGE.get(py)?.call1((ekus,))?)) + Ok(Some( + types::EXTENDED_KEY_USAGE.get_bound(py)?.call1((ekus,))?, + )) } oid::KEY_USAGE_OID => { let kus = ext.value::>()?; - Ok(Some(types::KEY_USAGE.get(py)?.call1(( + Ok(Some(types::KEY_USAGE.get_bound(py)?.call1(( kus.digital_signature(), kus.content_comitment(), kus.key_encipherment(), @@ -771,51 +809,61 @@ pub fn parse_cert_ext<'p>( oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS + .get_bound(py)? + .call1((ads,))?, )) } oid::SUBJECT_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::SUBJECT_INFORMATION_ACCESS.get(py)?.call1((ads,))?, + types::SUBJECT_INFORMATION_ACCESS + .get_bound(py)? + .call1((ads,))?, )) } oid::CERTIFICATE_POLICIES_OID => { let cp = parse_cp(py, ext)?; - Ok(Some(types::CERTIFICATE_POLICIES.get(py)?.call1((cp,))?)) + Ok(Some( + types::CERTIFICATE_POLICIES.get_bound(py)?.call1((cp,))?, + )) } oid::POLICY_CONSTRAINTS_OID => { let pc = ext.value::()?; - Ok(Some(types::POLICY_CONSTRAINTS.get(py)?.call1(( + Ok(Some(types::POLICY_CONSTRAINTS.get_bound(py)?.call1(( pc.require_explicit_policy, pc.inhibit_policy_mapping, ))?)) } oid::OCSP_NO_CHECK_OID => { ext.value::<()>()?; - Ok(Some(types::OCSP_NO_CHECK.get(py)?.call0()?)) + Ok(Some(types::OCSP_NO_CHECK.get_bound(py)?.call0()?)) } oid::INHIBIT_ANY_POLICY_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::INHIBIT_ANY_POLICY.get(py)?.call1((pynum,))?)) + Ok(Some( + types::INHIBIT_ANY_POLICY.get_bound(py)?.call1((pynum,))?, + )) } oid::BASIC_CONSTRAINTS_OID => { let bc = ext.value::()?; Ok(Some( types::BASIC_CONSTRAINTS - .get(py)? + .get_bound(py)? .call1((bc.ca, bc.path_length))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some(parse_authority_key_identifier(py, ext)?)), oid::CRL_DISTRIBUTION_POINTS_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some(types::CRL_DISTRIBUTION_POINTS.get(py)?.call1((dp,))?)) + Ok(Some( + types::CRL_DISTRIBUTION_POINTS.get_bound(py)?.call1((dp,))?, + )) } oid::FRESHEST_CRL_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) } oid::NAME_CONSTRAINTS_OID => { let nc = ext.value::>()?; @@ -829,18 +877,16 @@ pub fn parse_cert_ext<'p>( }; Ok(Some( types::NAME_CONSTRAINTS - .get(py)? + .get_bound(py)? .call1((permitted_subtrees, excluded_subtrees))?, )) } oid::MS_CERTIFICATE_TEMPLATE => { let ms_cert_tpl = ext.value::()?; let py_oid = oid_to_py_oid(py, &ms_cert_tpl.template_id)?; - Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get(py)?.call1(( - py_oid, - ms_cert_tpl.major_version, - ms_cert_tpl.minor_version, - ))?)) + Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get_bound(py)?.call1( + (py_oid, ms_cert_tpl.major_version, ms_cert_tpl.minor_version), + )?)) } _ => Ok(None), } @@ -848,9 +894,9 @@ pub fn parse_cert_ext<'p>( pub(crate) fn time_from_py( py: pyo3::Python<'_>, - val: &pyo3::PyAny, + val: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let dt = x509::py_to_datetime(py, val)?; + let dt = x509::py_to_datetime(py, val.clone().into_gil_ref())?; time_from_datetime(dt) } @@ -867,13 +913,17 @@ pub(crate) fn time_from_datetime(dt: asn1::DateTime) -> CryptographyResult, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, - rsa_padding: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let sigalg = - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + )?; let der = types::ENCODING_DER.get(py)?; let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; @@ -898,25 +948,33 @@ fn create_x509_certificate( .extract()?, serial: asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(), signature_alg: sigalg.clone(), - issuer: x509::common::encode_name(py, py_issuer_name)?, + issuer: x509::common::encode_name(py, py_issuer_name.clone().into_gil_ref())?, validity: cryptography_x509::certificate::Validity { - not_before: time_from_py(py, py_not_before)?, - not_after: time_from_py(py, py_not_after)?, + not_before: time_from_py(py, &py_not_before)?, + not_after: time_from_py(py, &py_not_after)?, }, - subject: x509::common::encode_name(py, py_subject_name)?, + subject: x509::common::encode_name(py, py_subject_name.clone().into_gil_ref())?, spki: asn1::parse_single(spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }; let tbs_bytes = asn1::write_single(&tbs_cert)?; - let signature = - x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; + let signature = x509::sign::sign_data( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + &tbs_bytes, + )?; let data = asn1::write_single(&cryptography_x509::certificate::Certificate { tbs_cert, signature_alg: sigalg, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 900914241ec2..479a1769ed60 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -339,9 +339,9 @@ impl CertificateRevocationList { types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } - oid::AUTHORITY_KEY_IDENTIFIER_OID => { - Ok(Some(certificate::parse_authority_key_identifier(py, ext)?)) - } + oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some( + certificate::parse_authority_key_identifier(py, ext)?.into_gil_ref(), + )), oid::ISSUING_DISTRIBUTION_POINT_OID => { let idp = ext.value::>()?; let (full_name, relative_name) = match idp.distribution_point { @@ -638,7 +638,10 @@ fn create_x509_crl( revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?) .unwrap(), - revocation_date: x509::certificate::time_from_py(py, py_revocation_date)?, + revocation_date: x509::certificate::time_from_py( + py, + &py_revocation_date.as_borrowed(), + )?, raw_crl_entry_extensions: x509::common::encode_extensions( py, py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, @@ -654,8 +657,11 @@ fn create_x509_crl( version: Some(1), signature: sigalg.clone(), issuer: x509::common::encode_name(py, py_issuer_name)?, - this_update: x509::certificate::time_from_py(py, py_this_update)?, - next_update: Some(x509::certificate::time_from_py(py, py_next_update)?), + this_update: x509::certificate::time_from_py(py, &py_this_update.as_borrowed())?, + next_update: Some(x509::certificate::time_from_py( + py, + &py_next_update.as_borrowed(), + )?), revoked_certificates: if revoked_certs.is_empty() { None } else { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 1f1eb9f9de9c..4fb3a301ed47 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -213,7 +213,7 @@ impl CertificateSigningRequest { })?; x509::parse_and_cache_extensions(py, &self.cached_extensions, &raw_exts, |ext| { - certificate::parse_cert_ext(py, ext) + certificate::parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())) }) } diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index c44d1c888c47..d618fb29fa1a 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -107,7 +107,8 @@ pub(crate) fn encode_distribution_points<'p>( None }; let reasons = if let Some(py_reasons) = py_dp.reasons { - let reasons = certificate::encode_distribution_point_reasons(py, py_reasons)?; + let reasons = + certificate::encode_distribution_point_reasons(py, &py_reasons.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None @@ -308,7 +309,8 @@ fn encode_issuing_distribution_point( .is_truthy()? { let py_reasons = ext.getattr(pyo3::intern!(py, "only_some_reasons"))?; - let reasons = certificate::encode_distribution_point_reasons(ext.py(), py_reasons)?; + let reasons = + certificate::encode_distribution_point_reasons(ext.py(), &py_reasons.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None From 88004e9a93a24c334665484f841be4091d61894b Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 4 Apr 2024 22:22:11 +0200 Subject: [PATCH 365/868] Finish migrating `certificate.rs` to new pyo3 APIs (#10710) --- src/rust/src/x509/certificate.rs | 74 ++++++++++++++++++-------------- 1 file changed, 41 insertions(+), 33 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 8b41d36a879f..b552fde8086d 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ @@ -211,10 +211,10 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_before_utc.", 1, )?; @@ -248,10 +248,10 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to not_valid_after_utc.", 1, )?; @@ -392,7 +392,7 @@ fn load_pem_x509_certificate( )?; load_der_x509_certificate( py, - pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, parsed.contents()).unbind(), None, ) } @@ -408,7 +408,7 @@ fn load_pem_x509_certificates( .map(|p| { load_der_x509_certificate( py, - pyo3::types::PyBytes::new(py, p.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, p.contents()).unbind(), None, ) }) @@ -452,10 +452,10 @@ pub(crate) fn load_der_x509_certificate( fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyResult<()> { if bytes[0] & 0x80 != 0 { - let warning_cls = types::DEPRECATED_IN_36.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Parsed a negative serial number, which is disallowed by RFC 5280. Loading this certificate will cause an exception in the next release of cryptography.", 1, )?; @@ -476,10 +476,10 @@ fn warn_if_invalid_params( | AlgorithmParameters::DsaWithSha256(Some(..)) | AlgorithmParameters::DsaWithSha384(Some(..)) | AlgorithmParameters::DsaWithSha512(Some(..)) => { - let warning_cls = types::DEPRECATED_IN_41.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK21+ or the latest JDK11/17 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 and https://github.com/pyca/cryptography/issues/9253 for more details.", 2, )?; @@ -494,22 +494,26 @@ fn parse_display_text( text: DisplayText<'_>, ) -> pyo3::PyResult { match text { - DisplayText::IA5String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()).to_object(py)), - DisplayText::Utf8String(o) => Ok(pyo3::types::PyString::new(py, o.as_str()).to_object(py)), + DisplayText::IA5String(o) => { + Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) + } + DisplayText::Utf8String(o) => { + Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) + } DisplayText::VisibleString(o) => { if asn1::VisibleString::new(o.as_str()).is_none() { - let warning_cls = types::DEPRECATED_IN_41.get(py)?; - pyo3::PyErr::warn( + let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Invalid ASN.1 (UTF-8 characters in a VisibleString) in the explicit text and/or notice reference of the certificate policies extension. In a future version of cryptography, an exception will be raised.", 1, )?; } - Ok(pyo3::types::PyString::new(py, o.as_str()).to_object(py)) + Ok(pyo3::types::PyString::new_bound(py, o.as_str()).to_object(py)) } DisplayText::BmpString(o) => { - let py_bytes = pyo3::types::PyBytes::new(py, o.as_utf16_be_bytes()); + let py_bytes = pyo3::types::PyBytes::new_bound(py, o.as_utf16_be_bytes()); // TODO: do the string conversion in rust perhaps Ok(py_bytes .call_method1( @@ -532,7 +536,7 @@ fn parse_user_notice( let nr = match un.notice_ref { Some(data) => { let org = parse_display_text(py, data.organization)?; - let numbers = pyo3::types::PyList::empty(py); + let numbers = pyo3::types::PyList::empty_bound(py); for num in data.notice_numbers.unwrap_read().clone() { numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; } @@ -550,12 +554,12 @@ fn parse_policy_qualifiers<'a>( py: pyo3::Python<'_>, policy_qualifiers: &asn1::SequenceOf<'a, PolicyQualifierInfo<'a>>, ) -> Result { - let py_pq = pyo3::types::PyList::empty(py); + let py_pq = pyo3::types::PyList::empty_bound(py); for pqi in policy_qualifiers.clone() { let qualifier = match pqi.qualifier { Qualifier::CpsUri(data) => { if pqi.policy_qualifier_id == oid::CP_CPS_URI_OID { - pyo3::types::PyString::new(py, data.as_str()).to_object(py) + pyo3::types::PyString::new_bound(py, data.as_str()).to_object(py) } else { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -585,7 +589,7 @@ fn parse_cp( ext: &Extension<'_>, ) -> Result { let cp = ext.value::>>()?; - let certificate_policies = pyo3::types::PyList::empty(py); + let certificate_policies = pyo3::types::PyList::empty_bound(py); for policyinfo in cp { let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?.to_object(py); let py_pqis = match policyinfo.policy_qualifiers { @@ -607,7 +611,7 @@ fn parse_general_subtrees( py: pyo3::Python<'_>, subtrees: SequenceOfSubtrees<'_>, ) -> Result { - let gns = pyo3::types::PyList::empty(py); + let gns = pyo3::types::PyList::empty_bound(py); for gs in subtrees.unwrap_read().clone() { gns.append(x509::parse_general_name(py, gs.base)?)?; } @@ -654,7 +658,7 @@ pub(crate) fn parse_distribution_points( ext: &Extension<'_>, ) -> Result { let dps = ext.value::>>()?; - let py_dps = pyo3::types::PyList::empty(py); + let py_dps = pyo3::types::PyList::empty_bound(py); for dp in dps { let py_dp = parse_distribution_point(py, dp)?; py_dps.append(py_dp)?; @@ -676,7 +680,7 @@ pub(crate) fn parse_distribution_point_reasons( vec.push(reason_bit_mapping.get_item(i)?); } } - pyo3::types::PyFrozenSet::new(py, &vec)?.to_object(py) + pyo3::types::PyFrozenSet::new_bound(py, &vec)?.to_object(py) } None => py.None(), }) @@ -726,7 +730,7 @@ pub(crate) fn parse_access_descriptions( py: pyo3::Python<'_>, ext: &Extension<'_>, ) -> Result { - let ads = pyo3::types::PyList::empty(py); + let ads = pyo3::types::PyList::empty_bound(py); let parsed = ext.value::>()?; for access in parsed.unwrap_read().clone() { let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); @@ -766,7 +770,7 @@ pub fn parse_cert_ext<'p>( oid::TLS_FEATURE_OID => { let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; - let features = pyo3::types::PyList::empty(py); + let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; @@ -782,7 +786,7 @@ pub fn parse_cert_ext<'p>( )) } oid::EXTENDED_KEY_USAGE_OID => { - let ekus = pyo3::types::PyList::empty(py); + let ekus = pyo3::types::PyList::empty_bound(py); for oid in ext.value::>()? { let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; @@ -980,7 +984,11 @@ fn create_x509_certificate( signature_alg: sigalg, signature: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_certificate(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) + load_der_x509_certificate( + py, + pyo3::types::PyBytes::new_bound(py, &data).unbind(), + None, + ) } pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { From 69e7e5bbec2f7e9777ef7c427701e4401ce85872 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 18:42:02 -0400 Subject: [PATCH 366/868] Convert `src/x509/sct.rs` to new pyo3 APIs (#10713) --- src/rust/src/lib.rs | 2 +- src/rust/src/x509/sct.rs | 17 ++++++++++------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 8ea8709c6e11..022c78eaf515 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -106,7 +106,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> crate::x509::common::add_to_module(x509_mod)?; crate::x509::crl::add_to_module(x509_mod)?; crate::x509::csr::add_to_module(x509_mod)?; - crate::x509::sct::add_to_module(x509_mod)?; + crate::x509::sct::add_to_module(&x509_mod.as_borrowed())?; crate::x509::verify::add_to_module(x509_mod)?; m.add_submodule(x509_mod)?; diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index b7cce3ff4036..a7bfbb5eb472 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -5,6 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; +use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; use pyo3::ToPyObject; use crate::error::CryptographyError; @@ -163,20 +164,20 @@ impl Sct { } #[getter] - fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; - let kwargs = pyo3::types::PyDict::new(py); + let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; kwargs.set_item("tzinfo", None::>)?; types::DATETIME_DATETIME - .get(py)? + .get_bound(py)? .call_method1( pyo3::intern!(py, "fromtimestamp"), (self.timestamp / 1000, utc), )? - .call_method("replace", (), Some(kwargs)) + .call_method("replace", (), Some(&kwargs)) } #[getter] @@ -222,7 +223,7 @@ pub(crate) fn parse_scts( ) -> Result { let mut reader = TLSReader::new(data).read_length_prefixed()?; - let py_scts = pyo3::types::PyList::empty(py); + let py_scts = pyo3::types::PyList::empty_bound(py); while !reader.is_empty() { let mut sct_data = reader.read_length_prefixed()?; let raw_sct_data = sct_data.data.to_vec(); @@ -250,12 +251,14 @@ pub(crate) fn parse_scts( extension_bytes, sct_data: raw_sct_data, }; - py_scts.append(pyo3::PyCell::new(py, sct)?)?; + py_scts.append(pyo3::Bound::new(py, sct)?)?; } Ok(py_scts.to_object(py)) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { module.add_class::()?; Ok(()) From c65793bf124d758c42f9a3279f24458a1dd4df0c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 18:42:43 -0400 Subject: [PATCH 367/868] Convert `src/exceptions.rs` to new pyo3 APIs (#10712) --- src/rust/src/exceptions.rs | 30 +++++++++++++++++------------- src/rust/src/lib.rs | 2 +- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index 67f57b9adcb5..95600faf08bd 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyModuleMethods; + #[pyo3::prelude::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.exceptions", @@ -23,20 +25,22 @@ pub(crate) enum Reasons { UNSUPPORTED_MAC, } -pyo3::import_exception!(cryptography.exceptions, AlreadyUpdated); -pyo3::import_exception!(cryptography.exceptions, AlreadyFinalized); -pyo3::import_exception!(cryptography.exceptions, InternalError); -pyo3::import_exception!(cryptography.exceptions, InvalidSignature); -pyo3::import_exception!(cryptography.exceptions, InvalidTag); -pyo3::import_exception!(cryptography.exceptions, NotYetFinalized); -pyo3::import_exception!(cryptography.exceptions, UnsupportedAlgorithm); -pyo3::import_exception!(cryptography.x509, AttributeNotFound); -pyo3::import_exception!(cryptography.x509, DuplicateExtension); -pyo3::import_exception!(cryptography.x509, UnsupportedGeneralNameType); -pyo3::import_exception!(cryptography.x509, InvalidVersion); +pyo3::import_exception_bound!(cryptography.exceptions, AlreadyUpdated); +pyo3::import_exception_bound!(cryptography.exceptions, AlreadyFinalized); +pyo3::import_exception_bound!(cryptography.exceptions, InternalError); +pyo3::import_exception_bound!(cryptography.exceptions, InvalidSignature); +pyo3::import_exception_bound!(cryptography.exceptions, InvalidTag); +pyo3::import_exception_bound!(cryptography.exceptions, NotYetFinalized); +pyo3::import_exception_bound!(cryptography.exceptions, UnsupportedAlgorithm); +pyo3::import_exception_bound!(cryptography.x509, AttributeNotFound); +pyo3::import_exception_bound!(cryptography.x509, DuplicateExtension); +pyo3::import_exception_bound!(cryptography.x509, UnsupportedGeneralNameType); +pyo3::import_exception_bound!(cryptography.x509, InvalidVersion); -pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "exceptions")?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "exceptions")?; submod.add_class::()?; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 022c78eaf515..0e3b0a3150b7 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -99,7 +99,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(asn1::create_submodule(py)?)?; m.add_submodule(pkcs7::create_submodule(py)?)?; m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(exceptions::create_submodule(py)?)?; + m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; crate::x509::certificate::add_to_module(x509_mod)?; From f284aeea05a5519cb6b69e1306efa937767d262c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 18:43:33 -0400 Subject: [PATCH 368/868] Convert `src/asn1.rs` to new pyo3 APIs (#10711) --- src/rust/src/asn1.rs | 36 +++++++++++++++++++++--------------- src/rust/src/backend/dh.rs | 2 +- src/rust/src/lib.rs | 2 +- src/rust/src/pkcs7.rs | 4 ++-- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/csr.rs | 2 +- 6 files changed, 27 insertions(+), 21 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 394f19218083..62cbd069bfd9 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -7,6 +7,7 @@ use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::PyModuleMethods; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; @@ -97,11 +98,11 @@ pub(crate) fn encode_der_data<'p>( pem_tag: String, data: Vec, encoding: &'p pyo3::PyAny, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if encoding.is(types::ENCODING_DER.get(py)?) { - Ok(pyo3::types::PyBytes::new(py, &data)) - } else if encoding.is(types::ENCODING_PEM.get(py)?) { - Ok(pyo3::types::PyBytes::new( +) -> CryptographyResult> { + if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + Ok(pyo3::types::PyBytes::new_bound(py, &data)) + } else if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + Ok(pyo3::types::PyBytes::new_bound( py, &pem::encode_config( &pem::Pem::new(pem_tag, data), @@ -118,17 +119,17 @@ pub(crate) fn encode_der_data<'p>( } #[pyo3::prelude::pyfunction] -fn encode_dss_signature( - py: pyo3::Python<'_>, +fn encode_dss_signature<'p>( + py: pyo3::Python<'p>, r: pyo3::Bound<'_, pyo3::types::PyLong>, s: pyo3::Bound<'_, pyo3::types::PyLong>, -) -> CryptographyResult { +) -> CryptographyResult> { let sig = DssSignature { r: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, r)?).unwrap(), s: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, s)?).unwrap(), }; let result = asn1::write_single(&sig)?; - Ok(pyo3::types::PyBytes::new(py, &result).to_object(py)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] @@ -173,14 +174,19 @@ fn test_parse_certificate(data: &[u8]) -> Result) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "asn1")?; - submod.add_function(pyo3::wrap_pyfunction!(parse_spki_for_data, submod)?)?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "asn1")?; + submod.add_function(pyo3::wrap_pyfunction_bound!(parse_spki_for_data, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(decode_dss_signature, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(encode_dss_signature, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(decode_dss_signature, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(encode_dss_signature, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(test_parse_certificate, submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + test_parse_certificate, + &submod + )?)?; Ok(submod) } diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index b0527fca16b5..defe32333734 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -343,7 +343,7 @@ impl DHParameters { py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, format: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"), diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 0e3b0a3150b7..97bb54bf1631 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -96,7 +96,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_function(pyo3::wrap_pyfunction!(padding::check_ansix923_padding, m)?)?; m.add_class::()?; - m.add_submodule(asn1::create_submodule(py)?)?; + m.add_submodule(asn1::create_submodule(py)?.into_gil_ref())?; m.add_submodule(pkcs7::create_submodule(py)?)?; m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 9732b6b93b9b..b33d054b4ef8 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -44,7 +44,7 @@ fn serialize_certificates<'p>( py: pyo3::Python<'p>, py_certs: Vec>, encoding: &'p pyo3::PyAny, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { if py_certs.is_empty() { return Err(pyo3::exceptions::PyTypeError::new_err( "certs must be a list of certs with length >= 1", @@ -84,7 +84,7 @@ fn sign_and_serialize<'p>( builder: &'p pyo3::PyAny, encoding: &'p pyo3::PyAny, options: &'p pyo3::types::PyList, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; let (data_with_header, data_without_header) = diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 479a1769ed60..529e499fcb72 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -235,7 +235,7 @@ impl CertificateRevocationList { &self, py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(&self.owned.borrow_dependent())?; encode_der_data(py, "X509 CRL".to_string(), result, encoding) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 4fb3a301ed47..999276fa3e62 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -118,7 +118,7 @@ impl CertificateSigningRequest { &self, py: pyo3::Python<'p>, encoding: &'p pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) From 98e6fd407255ba1008fc454263d011703290b9d0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 19:13:08 -0400 Subject: [PATCH 369/868] Convert `src/backend/dh.rs` to new pyo3 APIs (#10714) --- src/rust/src/backend/dh.rs | 59 +++++++++++++++++++------------------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 32 insertions(+), 29 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index defe32333734..e52b8760212c 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -8,7 +8,7 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; const MIN_MODULUS_SIZE: u32 = 512; @@ -31,7 +31,7 @@ struct DHParameters { fn generate_parameters( generator: u32, key_size: u32, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -89,7 +89,7 @@ fn pkey_from_dh( #[pyo3::prelude::pyfunction] fn from_der_parameters( data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; let asn1_params = asn1::parse_single::>(data)?; @@ -109,7 +109,7 @@ fn from_der_parameters( #[pyo3::prelude::pyfunction] fn from_pem_parameters( data: &[u8], - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; let parsed = x509::find_in_pem( @@ -156,13 +156,14 @@ impl DHPrivateKey { &self, py: pyo3::Python<'p>, peer_public_key: &DHPublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { + let len = deriver.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = deriver.derive(b).unwrap(); let pad = b.len() - n; @@ -341,8 +342,8 @@ impl DHParameters { fn parameter_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, - format: &pyo3::PyAny, + encoding: pyo3::Bound<'p, pyo3::PyAny>, + format: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) { return Err(CryptographyError::from( @@ -368,7 +369,7 @@ impl DHParameters { } else { "X9.42 DH PARAMETERS" }; - encode_der_data(py, tag.to_string(), data, encoding) + encode_der_data(py, tag.to_string(), data, encoding.into_gil_ref()) } } @@ -412,7 +413,7 @@ impl DHPrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -439,11 +440,11 @@ impl DHPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? + Ok(self.x.bind(py).eq(other.x.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } } @@ -464,7 +465,7 @@ impl DHPublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -482,11 +483,11 @@ impl DHPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.y.as_ref(py).eq(other.y.as_ref(py))? + Ok(self.y.bind(py).eq(other.y.bind(py))? && self .parameter_numbers - .as_ref(py) - .eq(other.parameter_numbers.as_ref(py))?) + .bind(py) + .eq(other.parameter_numbers.bind(py))?) } } @@ -499,13 +500,13 @@ impl DHParameterNumbers { g: pyo3::Py, q: Option>, ) -> CryptographyResult { - if g.as_ref(py).lt(2)? { + if g.bind(py).lt(2)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("DH generator must be 2 or greater"), )); } - if p.as_ref(py) + if p.bind(py) .call_method0("bit_length")? .lt(MIN_MODULUS_SIZE)? { @@ -522,7 +523,7 @@ impl DHParameterNumbers { fn parameters( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -536,21 +537,23 @@ impl DHParameterNumbers { other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { let q_equal = match (self.q.as_ref(), other.q.as_ref()) { - (Some(self_q), Some(other_q)) => self_q.as_ref(py).eq(other_q.as_ref(py))?, + (Some(self_q), Some(other_q)) => self_q.bind(py).eq(other_q.bind(py))?, (None, None) => true, _ => false, }; - Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? - && self.g.as_ref(py).eq(other.g.as_ref(py))? + Ok(self.p.bind(py).eq(other.p.bind(py))? + && self.g.bind(py).eq(other.g.bind(py))? && q_equal) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "dh")?; - m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "dh")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_der_parameters, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_pem_parameters, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 4cae1e3d5bef..90e837f6c480 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -27,7 +27,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; module.add_submodule(cmac::create_module(module.py())?)?; - module.add_submodule(dh::create_module(module.py())?)?; + module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; module.add_submodule(keys::create_module(module.py())?)?; From 166d21a8c6208df802e1fa7f5cc3e2382e824c2b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 20:17:00 -0400 Subject: [PATCH 370/868] Convert `src/backend/cmac.rs` to new pyo3 APIs (#10702) --- src/rust/src/backend/cmac.rs | 15 +++++++++------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 7bf0fe1d4ff0..599a1ee4bf27 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -7,7 +7,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", @@ -74,14 +74,15 @@ impl Cmac { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new(py, &data)) + Ok(pyo3::types::PyBytes::new_bound(py, &data)) } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { - let actual = self.finalize(py)?.as_bytes(); + let actual = self.finalize(py)?; + let actual = actual.as_bytes(); if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err("Signature did not match digest."), @@ -98,8 +99,10 @@ impl Cmac { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "cmac")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "cmac")?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 90e837f6c480..202d6152aa1a 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -26,7 +26,7 @@ pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(cmac::create_module(module.py())?)?; + module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; From c913f8885a8cf349ecd397bb23da1e480ec0488a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 20:36:00 -0400 Subject: [PATCH 371/868] Use native binop methods instead of weird calls (#10716) --- src/rust/src/backend/dsa.rs | 13 ++++--------- src/rust/src/backend/rsa.rs | 12 +++++------- 2 files changed, 9 insertions(+), 16 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 9793da8a0c7b..a1dd5a9d4823 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -295,15 +295,10 @@ fn check_dsa_private_numbers( )); } - if numbers - .public_numbers - .get() - .y - .as_ref(py) - .ne(params.g.as_ref(py).call_method1( - pyo3::intern!(py, "__pow__"), - (numbers.x.as_ref(py), params.p.as_ref(py)), - )?)? + if numbers.public_numbers.get().y.as_ref(py).ne(params + .g + .bind(py) + .pow(numbers.x.as_ref(py), Some(params.p.as_ref(py)))?)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("y must be equal to (g ** x % p)."), diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 512b12ece224..11bd5a96d610 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -636,26 +636,25 @@ fn check_private_key_components( )); } - // No `bitand` method. - if public_exponent.call_method1("__and__", (1,))?.eq(0)? { + if public_exponent.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("public_exponent must be odd."), )); } - if dmp1.call_method1("__and__", (1,))?.eq(0)? { + if dmp1.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("dmp1 must be odd."), )); } - if dmq1.call_method1("__and__", (1,))?.eq(0)? { + if dmq1.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("dmq1 must be odd."), )); } - if p.call_method1("__mul__", (q,))?.ne(modulus)? { + if p.mul(q)?.ne(modulus)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("p*q must equal modulus."), )); @@ -771,8 +770,7 @@ fn check_public_key_components( )); } - // No `bitand` method. - if e.call_method1("__and__", (1,))?.eq(0)? { + if e.bitand(1)?.eq(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("e must be odd."), )); From 0a2acb1ac61be81084a0ecc7c717ae430634e970 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 19:36:19 -0500 Subject: [PATCH 372/868] Bump BoringSSL and/or OpenSSL in CI (#10718) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ef592535110..2f5973b153f6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e97787e7f33fe8f0aeb2fc3ee7fbb86e1a074ba5"}} - # Latest commit on the OpenSSL master branch, as of Apr 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "882a387d0dc12afe8612c4d3f6b9cae5c04611d7"}} + # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} + # Latest commit on the OpenSSL master branch, as of Apr 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a19553cd872047289d6fc730a864bf9d984283ce"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b7602b2945cb5639deacc54c7466fd1bcb27a1c1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 20:38:28 -0400 Subject: [PATCH 373/868] Convert `src/backend/kdf.rs` to new pyo3 APIs (#10717) --- src/rust/src/backend/kdf.rs | 19 +++++++++++-------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 942b5613cd5f..efdd89804f20 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -5,6 +5,7 @@ use crate::backend::hashes; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyfunction] fn derive_pbkdf2_hmac<'p>( @@ -14,10 +15,10 @@ fn derive_pbkdf2_hmac<'p>( salt: &[u8], iterations: usize, length: usize, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { +) -> CryptographyResult> { let md = hashes::message_digest_from_algorithm(py, algorithm)?; - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { openssl::pkcs5::pbkdf2_hmac(key_material.as_bytes(), salt, iterations, md, b).unwrap(); Ok(()) })?) @@ -35,8 +36,8 @@ fn derive_scrypt<'p>( p: u64, max_mem: u64, length: usize, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { - Ok(pyo3::types::PyBytes::new_with(py, length, |b| { +) -> CryptographyResult> { + Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { openssl::pkcs5::scrypt(key_material.as_bytes(), salt, n, r, p, max_mem, b).map_err(|_| { // memory required formula explained here: // https://blog.filippo.io/the-scrypt-parameters/ @@ -48,12 +49,14 @@ fn derive_scrypt<'p>( })?) } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "kdf")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "kdf")?; - m.add_function(pyo3::wrap_pyfunction!(derive_pbkdf2_hmac, m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(derive_pbkdf2_hmac, &m)?)?; #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] - m.add_function(pyo3::wrap_pyfunction!(derive_scrypt, m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(derive_scrypt, &m)?)?; Ok(m) } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 202d6152aa1a..e26cffd10c45 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -44,7 +44,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hmac::create_module(module.py())?)?; - module.add_submodule(kdf::create_module(module.py())?)?; + module.add_submodule(kdf::create_module(module.py())?.into_gil_ref())?; module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; Ok(()) From adc0873f6469a699f2a07a038f7c789e96503dc3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 20:59:48 -0400 Subject: [PATCH 374/868] Convert `src/backend/keys.rs` to new pyo3 APIs (#10719) --- src/rust/src/backend/keys.rs | 15 +++++++++------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index d31f76b1d7ac..2113ecec3cac 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyModuleMethods; use pyo3::IntoPy; use crate::backend::utils; @@ -216,13 +217,15 @@ fn public_key_from_pkey( } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "keys")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "keys")?; - m.add_function(pyo3::wrap_pyfunction!(load_pem_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(load_der_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(load_der_public_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(load_pem_public_key, m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_der_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_der_public_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_public_key, &m)?)?; Ok(m) } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index e26cffd10c45..75eabba64ccb 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -30,7 +30,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?)?; module.add_submodule(ec::create_module(module.py())?)?; - module.add_submodule(keys::create_module(module.py())?)?; + module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] From 4c0859f558336f543b09d2f158faa2ef68a7ba83 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 21:13:52 -0400 Subject: [PATCH 375/868] Convert `src/backend/dsa.rs` to new pyo3 APIs (#10715) --- src/rust/src/backend/dsa.rs | 58 +++++++++++++++++++------------------ src/rust/src/backend/mod.rs | 2 +- 2 files changed, 31 insertions(+), 29 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index a1dd5a9d4823..8db405c87533 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -7,7 +7,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use pyo3::prelude::PyAnyMethods; -use pyo3::PyNativeType; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass( frozen, @@ -70,8 +70,8 @@ impl DsaPrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + ) -> CryptographyResult> { let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; @@ -79,7 +79,7 @@ impl DsaPrivateKey { signer.sign_init()?; let mut sig = vec![]; signer.sign_to_vec(data, &mut sig)?; - Ok(pyo3::types::PyBytes::new(py, &sig)) + Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } #[getter] @@ -157,7 +157,7 @@ impl DsaPublicKey { py: pyo3::Python<'_>, signature: CffiBuf<'_>, data: CffiBuf<'_>, - algorithm: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; @@ -250,7 +250,7 @@ fn check_dsa_parameters( if ![1024, 2048, 3072, 4096].contains( ¶meters .p - .as_ref(py) + .bind(py) .call_method0("bit_length")? .extract::()?, ) { @@ -264,7 +264,7 @@ fn check_dsa_parameters( if ![160, 224, 256].contains( ¶meters .q - .as_ref(py) + .bind(py) .call_method0("bit_length")? .extract::()?, ) { @@ -273,7 +273,7 @@ fn check_dsa_parameters( )); } - if parameters.g.as_ref(py).le(1)? || parameters.g.as_ref(py).ge(parameters.p.as_ref(py))? { + if parameters.g.bind(py).le(1)? || parameters.g.bind(py).ge(parameters.p.bind(py))? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("g, p don't satisfy 1 < g < p."), )); @@ -289,16 +289,16 @@ fn check_dsa_private_numbers( let params = numbers.public_numbers.get().parameter_numbers.get(); check_dsa_parameters(py, params)?; - if numbers.x.as_ref(py).le(0)? || numbers.x.as_ref(py).ge(params.q.as_ref(py))? { + if numbers.x.bind(py).le(0)? || numbers.x.bind(py).ge(params.q.bind(py))? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("x must be > 0 and < q."), )); } - if numbers.public_numbers.get().y.as_ref(py).ne(params + if numbers.public_numbers.get().y.bind(py).ne(params .g .bind(py) - .pow(numbers.x.as_ref(py), Some(params.p.as_ref(py)))?)? + .pow(numbers.x.bind(py), Some(params.p.bind(py)))?)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("y must be equal to (g ** x % p)."), @@ -385,11 +385,11 @@ impl DsaPrivateNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? + Ok(self.x.bind(py).eq(other.x.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } } @@ -433,16 +433,16 @@ impl DsaPublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.y.as_ref(py).eq(other.y.as_ref(py))? + Ok(self.y.bind(py).eq(other.y.bind(py))? && self .parameter_numbers - .as_ref(py) - .eq(other.parameter_numbers.as_ref(py))?) + .bind(py) + .eq(other.parameter_numbers.bind(py))?) } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let y = self.y.as_ref(py); - let parameter_numbers = self.parameter_numbers.as_ref(py).repr()?; + let y = self.y.bind(py); + let parameter_numbers = self.parameter_numbers.bind(py).repr()?; Ok(format!( "" )) @@ -483,22 +483,24 @@ impl DsaParameterNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.p.as_ref(py).eq(other.p.as_ref(py))? - && self.q.as_ref(py).eq(other.q.as_ref(py))? - && self.g.as_ref(py).eq(other.g.as_ref(py))?) + Ok(self.p.bind(py).eq(other.p.bind(py))? + && self.q.bind(py).eq(other.q.bind(py))? + && self.g.bind(py).eq(other.g.bind(py))?) } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let p = self.p.as_ref(py); - let q = self.q.as_ref(py); - let g = self.g.as_ref(py); + let p = self.p.bind(py); + let q = self.q.bind(py); + let g = self.g.bind(py); Ok(format!("")) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "dsa")?; - m.add_function(pyo3::wrap_pyfunction!(generate_parameters, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "dsa")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 75eabba64ccb..883fee74cf4a 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -28,7 +28,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(dsa::create_module(module.py())?)?; + module.add_submodule(dsa::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ec::create_module(module.py())?)?; module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; From 654e580a0c7c9d1a034c84ed612d52d36973d9b0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:01:49 -0400 Subject: [PATCH 376/868] Convert several functions to new pyo3 APIs (#10720) --- src/rust/src/x509/common.rs | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 27f162a8c6e9..ab6634302db0 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -212,27 +212,27 @@ fn parse_name_attribute( let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value - Some(3) => pyo3::types::PyBytes::new(py, attribute.value.data()), + Some(3) => pyo3::types::PyBytes::new_bound(py, attribute.value.data()).into_any(), // BMPString tag value Some(30) => { - let py_bytes = pyo3::types::PyBytes::new(py, attribute.value.data()); + let py_bytes = pyo3::types::PyBytes::new_bound(py, attribute.value.data()); py_bytes.call_method1(pyo3::intern!(py, "decode"), ("utf_16_be",))? } // UniversalString Some(28) => { - let py_bytes = pyo3::types::PyBytes::new(py, attribute.value.data()); + let py_bytes = pyo3::types::PyBytes::new_bound(py, attribute.value.data()); py_bytes.call_method1(pyo3::intern!(py, "decode"), ("utf_32_be",))? } _ => { let parsed = std::str::from_utf8(attribute.value.data()) .map_err(|_| asn1::ParseError::new(asn1::ParseErrorKind::InvalidValue))?; - pyo3::types::PyString::new(py, parsed) + pyo3::types::PyString::new_bound(py, parsed).into_any() } }; - let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict(py); + let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict_bound(py); Ok(types::NAME_ATTRIBUTE - .get(py)? - .call((oid, py_data, py_tag), Some(kwargs))? + .get_bound(py)? + .call((oid, py_data, py_tag), Some(&kwargs))? .to_object(py)) } @@ -259,33 +259,36 @@ pub(crate) fn parse_general_name( GeneralName::OtherName(data) => { let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py); types::OTHER_NAME - .get(py)? + .get_bound(py)? .call1((oid, data.value.full_data()))? .to_object(py) } GeneralName::RFC822Name(data) => types::RFC822_NAME - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DNSName(data) => types::DNS_NAME - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DirectoryName(data) => { let py_name = parse_name(py, data.unwrap_read())?; types::DIRECTORY_NAME - .get(py)? + .get_bound(py)? .call1((py_name,))? .to_object(py) } GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; - types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py) + types::IP_ADDRESS + .get_bound(py)? + .call1((addr,))? + .to_object(py) } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. From 852c45dc375f874dc2d2e049a6e6c604a77e3643 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:05:07 -0400 Subject: [PATCH 377/868] Convert `src/backend/ec.rs` to new pyo3 APIs (#10721) --- src/rust/src/backend/ec.rs | 126 +++++++++++++++++++----------------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 68 insertions(+), 60 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index a34fc131e8f9..a562bbf74e3b 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,8 +5,8 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::PyAnyMethods; -use pyo3::{PyNativeType, ToPyObject}; +use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::ToPyObject; use crate::backend::utils; use crate::buf::CffiBuf; @@ -29,14 +29,14 @@ pub(crate) struct ECPublicKey { fn curve_from_py_curve( py: pyo3::Python<'_>, - py_curve: &pyo3::PyAny, + py_curve: pyo3::Bound<'_, pyo3::PyAny>, allow_curve_class: bool, ) -> CryptographyResult { - if !py_curve.is_instance(types::ELLIPTIC_CURVE.get(py)?)? { + if !py_curve.is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)? { if allow_curve_class { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; let warning_msg = "Curve argument must be an instance of an EllipticCurve class. Did you pass a class by mistake? This will be an exception in a future version of cryptography."; - pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; + pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; } else { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err("curve must be an EllipticCurve instance"), @@ -127,7 +127,7 @@ fn check_key_infinity( } #[pyo3::prelude::pyfunction] -fn curve_supported(py: pyo3::Python<'_>, py_curve: &pyo3::PyAny) -> bool { +fn curve_supported(py: pyo3::Python<'_>, py_curve: pyo3::Bound<'_, pyo3::PyAny>) -> bool { curve_from_py_curve(py, py_curve, false).is_ok() } @@ -158,7 +158,7 @@ pub(crate) fn public_key_from_pkey( #[pyo3::prelude::pyfunction] fn generate_private_key( py: pyo3::Python<'_>, - curve: &pyo3::PyAny, + curve: pyo3::Bound<'_, pyo3::PyAny>, backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -176,9 +176,9 @@ fn generate_private_key( fn derive_private_key( py: pyo3::Python<'_>, py_private_value: &pyo3::Bound<'_, pyo3::types::PyLong>, - py_curve: &pyo3::PyAny, + py_curve: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let curve = curve_from_py_curve(py, py_curve, false)?; + let curve = curve_from_py_curve(py, py_curve.clone(), false)?; let private_value = utils::py_int_to_bn(py, py_private_value)?; let mut point = openssl::ec::EcPoint::new(&curve)?; @@ -198,10 +198,10 @@ fn derive_private_key( #[pyo3::prelude::pyfunction] fn from_public_bytes( py: pyo3::Python<'_>, - py_curve: &pyo3::PyAny, + py_curve: pyo3::Bound<'_, pyo3::PyAny>, data: &[u8], ) -> CryptographyResult { - let curve = curve_from_py_curve(py, py_curve, false)?; + let curve = curve_from_py_curve(py, py_curve.clone(), false)?; let mut bn_ctx = openssl::bn::BigNumContext::new()?; let point = openssl::ec::EcPoint::from_bytes(&curve, data, &mut bn_ctx) @@ -218,17 +218,20 @@ fn from_public_bytes( #[pyo3::prelude::pymethods] impl ECPrivateKey { #[getter] - fn key_size<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - self.curve.as_ref(py).getattr(pyo3::intern!(py, "key_size")) + fn key_size<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + self.curve.bind(py).getattr(pyo3::intern!(py, "key_size")) } fn exchange<'p>( &self, py: pyo3::Python<'p>, - algorithm: &pyo3::PyAny, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, peer_public_key: &ECPublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !algorithm.is_instance(types::ECDH.get(py)?)? { + ) -> CryptographyResult> { + if !algorithm.is_instance(&types::ECDH.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported EC exchange algorithm", @@ -251,7 +254,8 @@ impl ECPrivateKey { .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { + let len = deriver.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = deriver.derive(b).map_err(|_| { pyo3::exceptions::PyValueError::new_err("Error computing shared key.") })?; @@ -264,9 +268,9 @@ impl ECPrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - signature_algorithm: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { + signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>, + ) -> CryptographyResult> { + if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -274,9 +278,7 @@ impl ECPrivateKey { )), )); } - let bound_algorithm = signature_algorithm - .getattr(pyo3::intern!(py, "algorithm"))? - .as_borrowed(); + let bound_algorithm = signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?; let (data, algo) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &bound_algorithm)?; @@ -310,7 +312,7 @@ impl ECPrivateKey { // will be a byte or two shorter than the maximum possible length). let mut sig = vec![]; signer.sign_to_vec(data, &mut sig)?; - Ok(pyo3::types::PyBytes::new(py, &sig)) + Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { @@ -375,8 +377,11 @@ impl ECPrivateKey { #[pyo3::prelude::pymethods] impl ECPublicKey { #[getter] - fn key_size<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - self.curve.as_ref(py).getattr(pyo3::intern!(py, "key_size")) + fn key_size<'p>( + &'p self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + self.curve.bind(py).getattr(pyo3::intern!(py, "key_size")) } fn verify( @@ -384,9 +389,9 @@ impl ECPublicKey { py: pyo3::Python<'_>, signature: CffiBuf<'_>, data: CffiBuf<'_>, - signature_algorithm: &pyo3::PyAny, + signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - if !signature_algorithm.is_instance(types::ECDSA.get(py)?)? { + if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -478,7 +483,7 @@ fn public_key_from_numbers( curve: &openssl::ec::EcGroupRef, ) -> CryptographyResult> { let zero = (0).to_object(py); - if numbers.x.as_ref(py).lt(&zero)? || numbers.y.as_ref(py).lt(&zero)? { + if numbers.x.bind(py).lt(&zero)? || numbers.y.bind(py).lt(&zero)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Invalid EC key. Both x and y must be non-negative.", @@ -522,7 +527,8 @@ impl EllipticCurvePrivateNumbers { ) -> CryptographyResult { let _ = backend; - let curve = curve_from_py_curve(py, self.public_numbers.get().curve.as_ref(py), false)?; + let curve = + curve_from_py_curve(py, self.public_numbers.get().curve.bind(py).clone(), false)?; let public_key = public_key_from_numbers(py, self.public_numbers.get(), &curve)?; let private_value = utils::py_int_to_bn(py, self.private_value.bind(py))?; @@ -557,18 +563,18 @@ impl EllipticCurvePrivateNumbers { ) -> CryptographyResult { Ok(self .private_value - .as_ref(py) - .eq(other.private_value.as_ref(py))? + .bind(py) + .eq(other.private_value.bind(py))? && self .public_numbers - .as_ref(py) - .eq(other.public_numbers.as_ref(py))?) + .bind(py) + .eq(other.public_numbers.bind(py))?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.private_value.as_ref(py).hash()?.hash(&mut hasher); - self.public_numbers.as_ref(py).hash()?.hash(&mut hasher); + self.private_value.bind(py).hash()?.hash(&mut hasher); + self.public_numbers.bind(py).hash()?.hash(&mut hasher); Ok(hasher.finish()) } } @@ -583,8 +589,8 @@ impl EllipticCurvePublicNumbers { curve: pyo3::Py, ) -> CryptographyResult { if !curve - .as_ref(py) - .is_instance(types::ELLIPTIC_CURVE.get(py)?)? + .bind(py) + .is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( @@ -603,7 +609,7 @@ impl EllipticCurvePublicNumbers { ) -> CryptographyResult { let _ = backend; - let curve = curve_from_py_curve(py, self.curve.as_ref(py), false)?; + let curve = curve_from_py_curve(py, self.curve.bind(py).clone(), false)?; let public_key = public_key_from_numbers(py, self, &curve)?; let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; @@ -619,34 +625,34 @@ impl EllipticCurvePublicNumbers { py: pyo3::Python<'_>, other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { - Ok(self.x.as_ref(py).eq(other.x.as_ref(py))? - && self.y.as_ref(py).eq(other.y.as_ref(py))? + Ok(self.x.bind(py).eq(other.x.bind(py))? + && self.y.bind(py).eq(other.y.bind(py))? && self .curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "name"))? - .eq(other.curve.as_ref(py).getattr(pyo3::intern!(py, "name"))?)? + .eq(other.curve.bind(py).getattr(pyo3::intern!(py, "name"))?)? && self .curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "key_size"))? .eq(other .curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "key_size"))?)?) } fn __hash__(&self, py: pyo3::Python<'_>) -> CryptographyResult { let mut hasher = DefaultHasher::new(); - self.x.as_ref(py).hash()?.hash(&mut hasher); - self.y.as_ref(py).hash()?.hash(&mut hasher); + self.x.bind(py).hash()?.hash(&mut hasher); + self.y.bind(py).hash()?.hash(&mut hasher); self.curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "name"))? .hash()? .hash(&mut hasher); self.curve - .as_ref(py) + .bind(py) .getattr(pyo3::intern!(py, "key_size"))? .hash()? .hash(&mut hasher); @@ -654,21 +660,23 @@ impl EllipticCurvePublicNumbers { } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { - let x = self.x.as_ref(py); - let y = self.y.as_ref(py); - let curve_name = self.curve.as_ref(py).getattr(pyo3::intern!(py, "name"))?; + let x = self.x.bind(py); + let y = self.y.bind(py); + let curve_name = self.curve.bind(py).getattr(pyo3::intern!(py, "name"))?; Ok(format!( "" )) } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ec")?; - m.add_function(pyo3::wrap_pyfunction!(curve_supported, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(generate_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(derive_private_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ec")?; + m.add_function(pyo3::wrap_pyfunction_bound!(curve_supported, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(derive_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 883fee74cf4a..666c15b47d48 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -29,7 +29,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; module.add_submodule(dsa::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ec::create_module(module.py())?)?; + module.add_submodule(ec::create_module(module.py())?.into_gil_ref())?; module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; module.add_submodule(ed25519::create_module(module.py())?)?; From 0ac63a4bb98f6ca0a34039cf4f90867a274c7268 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:20:48 -0400 Subject: [PATCH 378/868] Convert `src/backend/x448.rs` to new pyo3 APIs (#10723) --- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/x448.rs | 41 +++++++++++++++++++++--------------- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 666c15b47d48..25142bab2622 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -38,7 +38,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(x25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(x448::create_module(module.py())?)?; + module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; module.add_submodule(poly1305::create_module(module.py())?)?; diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 517fc48c0493..1d8d9e5837cc 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -5,6 +5,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PrivateKey { @@ -65,17 +66,21 @@ impl X448PrivateKey { &self, py: pyo3::Python<'p>, peer_public_key: &X448PublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver.set_peer(&peer_public_key.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { - let n = deriver.derive(b).map_err(|_| { - pyo3::exceptions::PyValueError::new_err("Error computing shared key.") - })?; - assert_eq!(n, b.len()); - Ok(()) - })?) + Ok(pyo3::types::PyBytes::new_bound_with( + py, + deriver.len()?, + |b| { + let n = deriver.derive(b).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Error computing shared key.") + })?; + assert_eq!(n, b.len()); + Ok(()) + }, + )?) } fn public_key(&self) -> CryptographyResult { @@ -91,9 +96,9 @@ impl X448PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -121,9 +126,9 @@ impl X448PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( @@ -144,11 +149,13 @@ impl X448PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "x448")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "x448")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; From c56ff9679c68c3dae1f683d098dce88ce9858474 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Apr 2024 22:32:56 -0400 Subject: [PATCH 379/868] Convert `src/backend/ed25519.rs` to new pyo3 APIs (#10722) --- src/rust/src/backend/ed25519.rs | 26 +++++++++++++++----------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 383fa3a5fd2d..565f839f7096 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -6,6 +6,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PrivateKey { @@ -67,9 +68,10 @@ impl Ed25519PrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { + let len = signer.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = signer .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; @@ -91,9 +93,9 @@ impl Ed25519PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -135,9 +137,9 @@ impl Ed25519PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( @@ -158,11 +160,13 @@ impl Ed25519PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ed25519")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ed25519")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 25142bab2622..050963f9c8b8 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -32,7 +32,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(ec::create_module(module.py())?.into_gil_ref())?; module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ed25519::create_module(module.py())?)?; + module.add_submodule(ed25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(ed448::create_module(module.py())?)?; From 8d27a3c6ce657634311f49581fbff7c83722d0cf Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:04:42 +0200 Subject: [PATCH 380/868] Convert `src/backend/hmac.rs` to new pyo3 APIs (#10726) --- src/rust/src/backend/hmac.rs | 21 ++++++++++++--------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 4d1b4b325bdb..f7718ad55d90 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::PyNativeType; +use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; #[pyo3::prelude::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", @@ -22,7 +22,7 @@ impl Hmac { pub(crate) fn new_bytes( py: pyo3::Python<'_>, key: &[u8], - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let md = message_digest_from_algorithm(py, &algorithm.as_borrowed())?; let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { @@ -34,7 +34,7 @@ impl Hmac { Ok(Hmac { ctx: Some(ctx), - algorithm: algorithm.into(), + algorithm: algorithm.clone().unbind(), }) } @@ -65,7 +65,7 @@ impl Hmac { fn new( py: pyo3::Python<'_>, key: CffiBuf<'_>, - algorithm: &pyo3::PyAny, + algorithm: &pyo3::Bound<'_, pyo3::PyAny>, backend: Option>, ) -> CryptographyResult { let _ = backend; @@ -80,14 +80,15 @@ impl Hmac { pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let data = self.get_mut_ctx()?.finish()?; self.ctx = None; - Ok(pyo3::types::PyBytes::new(py, &data)) + Ok(pyo3::types::PyBytes::new_bound(py, &data)) } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { - let actual = self.finalize(py)?.as_bytes(); + let actual_bound = self.finalize(py)?; + let actual = actual_bound.as_bytes(); if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err("Signature did not match digest."), @@ -105,8 +106,10 @@ impl Hmac { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "hmac")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "hmac")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 050963f9c8b8..baf41ea1ae9c 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -43,7 +43,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(poly1305::create_module(module.py())?)?; module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(hmac::create_module(module.py())?)?; + module.add_submodule(hmac::create_module(module.py())?.into_gil_ref())?; module.add_submodule(kdf::create_module(module.py())?.into_gil_ref())?; module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; From 1232c8a78a9bdc06d2d6b6330561e52af71bdba1 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:06:18 +0200 Subject: [PATCH 381/868] Convert `src/backend/poly1305.rs` to new pyo3 APIs (#10728) --- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/poly1305.rs | 22 +++++++++++++--------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index baf41ea1ae9c..16659f6d190a 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -40,7 +40,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(poly1305::create_module(module.py())?)?; + module.add_submodule(poly1305::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; module.add_submodule(hmac::create_module(module.py())?.into_gil_ref())?; diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index 66fc6239fa02..b1c3698700a4 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs @@ -6,6 +6,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] struct Poly1305Boring { @@ -31,8 +32,8 @@ impl Poly1305Boring { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = pyo3::types::PyBytes::new_with(py, 16usize, |b| { + ) -> CryptographyResult> { + let result = pyo3::types::PyBytes::new_bound_with(py, 16usize, |b| { self.context.finalize(b.as_mut()); Ok(()) })?; @@ -77,8 +78,8 @@ impl Poly1305Open { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - let result = pyo3::types::PyBytes::new_with(py, self.signer.len()?, |b| { + ) -> CryptographyResult> { + let result = pyo3::types::PyBytes::new_bound_with(py, self.signer.len()?, |b| { let n = self.signer.sign(b).unwrap(); assert_eq!(n, b.len()); Ok(()) @@ -114,7 +115,7 @@ impl Poly1305 { py: pyo3::Python<'p>, key: CffiBuf<'_>, data: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut p = Poly1305::new(key)?; p.update(data)?; p.finalize(py) @@ -141,7 +142,7 @@ impl Poly1305 { fn finalize<'p>( &mut self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let res = self .inner .as_mut() @@ -152,7 +153,8 @@ impl Poly1305 { } fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> { - let actual = self.finalize(py)?.as_bytes(); + let actual_bound = self.finalize(py)?; + let actual = actual_bound.as_bytes(); if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err("Value did not match computed tag."), @@ -163,8 +165,10 @@ impl Poly1305 { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "poly1305")?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "poly1305")?; m.add_class::()?; From 1d05a6cb492c74c5f0414ab9e32628226f61d802 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:06:47 +0200 Subject: [PATCH 382/868] Finish conversion of `src/backend/rsa.rs` to new pyo3 APIs (#10729) --- src/rust/src/backend/rsa.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 11bd5a96d610..0a279f7fdc30 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -690,7 +690,7 @@ impl RsaPrivateNumbers { fn private_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option<&pyo3::Bound<'_, pyo3::PyAny>>, unsafe_skip_rsa_key_validation: bool, ) -> CryptographyResult { let _ = backend; @@ -789,7 +789,7 @@ impl RsaPublicNumbers { fn public_key( &self, py: pyo3::Python<'_>, - backend: Option<&pyo3::PyAny>, + backend: Option<&pyo3::Bound<'_, pyo3::PyAny>>, ) -> CryptographyResult { let _ = backend; From 855f28a6047dcd50ff50fc57472e8a6d6c9a72b0 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:07:40 +0200 Subject: [PATCH 383/868] Convert `src/backend/x25519.rs` to new pyo3 APIs (#10730) --- src/rust/src/backend/mod.rs | 2 +- src/rust/src/backend/x25519.rs | 41 ++++++++++++++++++++-------------- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 16659f6d190a..a460812d8ca3 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -36,7 +36,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(ed448::create_module(module.py())?)?; - module.add_submodule(x25519::create_module(module.py())?)?; + module.add_submodule(x25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 970f8b8ea646..045aa909596c 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -5,6 +5,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PrivateKey { @@ -66,17 +67,21 @@ impl X25519PrivateKey { &self, py: pyo3::Python<'p>, peer_public_key: &X25519PublicKey, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut deriver = openssl::derive::Deriver::new(&self.pkey)?; deriver.set_peer(&peer_public_key.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, deriver.len()?, |b| { - let n = deriver.derive(b).map_err(|_| { - pyo3::exceptions::PyValueError::new_err("Error computing shared key.") - })?; - assert_eq!(n, b.len()); - Ok(()) - })?) + Ok(pyo3::types::PyBytes::new_bound_with( + py, + deriver.len()?, + |b| { + let n = deriver.derive(b).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("Error computing shared key.") + })?; + assert_eq!(n, b.len()); + Ok(()) + }, + )?) } fn public_key(&self) -> CryptographyResult { @@ -92,9 +97,9 @@ impl X25519PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -122,9 +127,9 @@ impl X25519PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( @@ -145,11 +150,13 @@ impl X25519PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "x25519")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "x25519")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; From 33817b8a942d5263b34c934a9d7518492f8befa7 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 13:47:14 +0200 Subject: [PATCH 384/868] Convert `src/x509/common.rs` to new pyo3 APIs (#10732) * Convert `src/x509/common.rs` to new pyo3 APIs * Fix coverage issue in `extensions.rs` * Fix another coverage issue in `extensions.rs` --- src/rust/src/x509/certificate.rs | 4 +-- src/rust/src/x509/common.rs | 50 ++++++++++++++++---------------- src/rust/src/x509/crl.rs | 5 ++-- src/rust/src/x509/csr.rs | 7 +++-- src/rust/src/x509/extensions.rs | 22 +++++++------- src/rust/src/x509/ocsp_resp.rs | 2 +- 6 files changed, 47 insertions(+), 43 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index b552fde8086d..12b996609f3a 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -952,12 +952,12 @@ fn create_x509_certificate( .extract()?, serial: asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(), signature_alg: sigalg.clone(), - issuer: x509::common::encode_name(py, py_issuer_name.clone().into_gil_ref())?, + issuer: x509::common::encode_name(py, &py_issuer_name)?, validity: cryptography_x509::certificate::Validity { not_before: time_from_py(py, &py_not_before)?, not_after: time_from_py(py, &py_not_after)?, }, - subject: x509::common::encode_name(py, py_subject_name.clone().into_gil_ref())?, + subject: x509::common::encode_name(py, &py_subject_name)?, spki: asn1::parse_single(spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index ab6634302db0..176eb6050901 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -7,7 +7,7 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use pyo3::types::IntoPyDict; use pyo3::{IntoPy, PyNativeType, ToPyObject}; @@ -33,7 +33,7 @@ pub(crate) fn find_in_pem( pub(crate) fn encode_name<'p>( py: pyo3::Python<'p>, - py_name: &'p pyo3::PyAny, + py_name: &pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { let mut rdns = vec![]; @@ -42,7 +42,7 @@ pub(crate) fn encode_name<'p>( let mut attrs = vec![]; for py_attr in py_rdn.iter()? { - attrs.push(encode_name_entry(py, py_attr?)?); + attrs.push(encode_name_entry(py, &py_attr?)?); } rdns.push(asn1::SetOfWriter::new(attrs)); } @@ -53,7 +53,7 @@ pub(crate) fn encode_name<'p>( pub(crate) fn encode_name_entry<'p>( py: pyo3::Python<'p>, - py_name_entry: &'p pyo3::PyAny, + py_name_entry: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let attr_type = py_name_entry.getattr(pyo3::intern!(py, "_type"))?; let tag = attr_type @@ -91,20 +91,20 @@ pub(crate) fn encode_name_entry<'p>( #[pyo3::prelude::pyfunction] fn encode_name_bytes<'p>( py: pyo3::Python<'p>, - py_name: &'p pyo3::PyAny, -) -> CryptographyResult<&'p pyo3::types::PyBytes> { + py_name: &pyo3::Bound<'p, pyo3::PyAny>, +) -> CryptographyResult> { let name = encode_name(py, py_name)?; let result = asn1::write_single(&name)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } pub(crate) fn encode_general_names<'a>( py: pyo3::Python<'a>, - py_gns: &'a pyo3::PyAny, + py_gns: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { let mut gns = vec![]; for el in py_gns.iter()? { - let gn = encode_general_name(py, el?)?; + let gn = encode_general_name(py, &el?)?; gns.push(gn); } Ok(gns) @@ -112,9 +112,9 @@ pub(crate) fn encode_general_names<'a>( pub(crate) fn encode_general_name<'a>( py: pyo3::Python<'a>, - gn: &'a pyo3::PyAny, + gn: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result, CryptographyError> { - let gn_type = gn.get_type().as_ref(); + let gn_type = gn.get_type(); let gn_value = gn.getattr(pyo3::intern!(py, "value"))?; if gn_type.is(types::DNS_NAME.get(py)?) { @@ -126,7 +126,7 @@ pub(crate) fn encode_general_name<'a>( gn_value.extract::<&str>()?, ))) } else if gn_type.is(types::DIRECTORY_NAME.get(py)?) { - let name = encode_name(py, gn_value)?; + let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(types::OTHER_NAME.get(py)?) { let py_oid = gn @@ -162,7 +162,7 @@ pub(crate) fn encode_general_name<'a>( pub(crate) fn encode_access_descriptions<'a>( py: pyo3::Python<'a>, - py_ads: &'a pyo3::PyAny, + py_ads: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { let mut ads = vec![]; for py_ad in py_ads.iter()? { @@ -173,7 +173,7 @@ pub(crate) fn encode_access_descriptions<'a>( .to_owned(); let access_method = py_oid_to_oid(py_oid)?; let access_location = - encode_general_name(py, py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; + encode_general_name(py, &py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; ads.push(AccessDescription { access_method, access_location, @@ -185,13 +185,13 @@ pub(crate) fn encode_access_descriptions<'a>( pub(crate) fn parse_name<'p>( py: pyo3::Python<'p>, name: &NameReadable<'_>, -) -> Result<&'p pyo3::PyAny, CryptographyError> { - let py_rdns = pyo3::types::PyList::empty(py); +) -> Result, CryptographyError> { + let py_rdns = pyo3::types::PyList::empty_bound(py); for rdn in name.clone() { let py_rdn = parse_rdn(py, &rdn)?; py_rdns.append(py_rdn)?; } - Ok(types::NAME.get(py)?.call1((py_rdns,))?) + Ok(types::NAME.get_bound(py)?.call1((py_rdns,))?) } fn parse_name_attribute( @@ -240,7 +240,7 @@ pub(crate) fn parse_rdn<'a>( py: pyo3::Python<'_>, rdn: &asn1::SetOf<'a, AttributeTypeValue<'a>>, ) -> Result { - let py_attrs = pyo3::types::PyList::empty(py); + let py_attrs = pyo3::types::PyList::empty_bound(py); for attribute in rdn.clone() { let na = parse_name_attribute(py, attribute)?; py_attrs.append(na)?; @@ -314,7 +314,7 @@ pub(crate) fn parse_general_names<'a>( py: pyo3::Python<'_>, gn_seq: &asn1::SequenceOf<'a, GeneralName<'a>>, ) -> Result { - let gns = pyo3::types::PyList::empty(py); + let gns = pyo3::types::PyList::empty_bound(py); for gn in gn_seq.clone() { let py_gn = parse_general_name(py, gn)?; gns.append(py_gn)?; @@ -341,7 +341,7 @@ fn create_ip_network( }; let base = types::IPADDRESS_IPADDRESS .get(py)? - .call1((pyo3::types::PyBytes::new(py, &data[..data.len() / 2]),))?; + .call1((pyo3::types::PyBytes::new_bound(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", base.getattr(pyo3::intern!(py, "exploded"))? @@ -392,7 +392,7 @@ pub(crate) fn parse_and_cache_extensions< } }; - let exts = pyo3::types::PyList::empty(py); + let exts = pyo3::types::PyList::empty_bound(py); for raw_ext in extensions.iter() { let oid_obj = oid_to_py_oid(py, &raw_ext.extn_id)?; @@ -448,11 +448,11 @@ pub(crate) fn encode_extensions< match encode_ext(py, &oid, ext_val)? { Some(data) => { // TODO: extra copy - let py_data = pyo3::types::PyBytes::new(py, &data); + let py_data = pyo3::types::PyBytes::new_bound(py, &data); exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: py_data.as_bytes(), + extn_value: py_data.extract()?, }); } None => { @@ -474,12 +474,12 @@ pub(crate) fn encode_extensions< fn encode_extension_value<'p>( py: pyo3::Python<'p>, py_ext: pyo3::Bound<'p, pyo3::PyAny>, -) -> pyo3::PyResult<&'p pyo3::types::PyBytes> { +) -> pyo3::PyResult> { let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext.into_gil_ref())? { // TODO: extra copy - let py_data = pyo3::types::PyBytes::new(py, &data); + let py_data = pyo3::types::PyBytes::new_bound(py, &data); return Ok(py_data); } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 529e499fcb72..ba7361d0664a 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -250,7 +250,8 @@ impl CertificateRevocationList { .tbs_cert_list .issuer .unwrap_read(), - )?) + )? + .into_gil_ref()) } #[getter] @@ -656,7 +657,7 @@ fn create_x509_crl( let tbs_cert_list = crl::TBSCertList { version: Some(1), signature: sigalg.clone(), - issuer: x509::common::encode_name(py, py_issuer_name)?, + issuer: x509::common::encode_name(py, &py_issuer_name.as_borrowed())?, this_update: x509::certificate::time_from_py(py, &py_this_update.as_borrowed())?, next_update: Some(x509::certificate::time_from_py( py, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 999276fa3e62..16617bf9de04 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::IntoPy; +use pyo3::{IntoPy, PyNativeType}; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; use crate::backend::keys; @@ -70,7 +70,8 @@ impl CertificateSigningRequest { Ok(x509::parse_name( py, self.raw.borrow_dependent().csr_info.subject.unwrap_read(), - )?) + )? + .into_gil_ref()) } #[getter] @@ -345,7 +346,7 @@ fn create_x509_csr( let csr_info = CertificationRequestInfo { version: 0, - subject: x509::common::encode_name(py, py_subject_name)?, + subject: x509::common::encode_name(py, &py_subject_name.as_borrowed())?, spki: asn1::parse_single(spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index d618fb29fa1a..beed9cda9b3a 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -20,7 +20,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, name?)?; + let gn = x509::common::encode_general_name(py, &name?.as_borrowed())?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -45,7 +45,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( } let aki = py_aki.extract::>()?; let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, authority_cert_issuer)?; + let gns = x509::common::encode_general_names(py, &authority_cert_issuer.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -83,7 +83,7 @@ pub(crate) fn encode_distribution_points<'p>( let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, py_crl_issuer)?; + let gns = x509::common::encode_general_names(py, &py_crl_issuer.as_borrowed())?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -91,14 +91,15 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, py_full_name)?; + let gns = x509::common::encode_general_names(py, &py_full_name.as_borrowed())?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - name_entries.push(x509::common::encode_name_entry(py, py_name_entry?)?); + let bound_name_entry = &py_name_entry?.as_borrowed(); + name_entries.push(x509::common::encode_name_entry(py, bound_name_entry)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -317,7 +318,7 @@ fn encode_issuing_distribution_point( }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), py_full_name)?; + let gns = x509::common::encode_general_names(ext.py(), &py_full_name.as_borrowed())?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -327,7 +328,8 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - name_entries.push(x509::common::encode_name_entry(ext.py(), py_name_entry?)?); + let bound_name_entry = &py_name_entry?.as_borrowed(); + name_entries.push(x509::common::encode_name_entry(ext.py(), bound_name_entry)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -413,7 +415,7 @@ pub(crate) fn encode_extension( Ok(Some(der)) } &oid::AUTHORITY_INFORMATION_ACCESS_OID | &oid::SUBJECT_INFORMATION_ACCESS_OID => { - let der = x509::common::encode_access_descriptions(ext.py(), ext)?; + let der = x509::common::encode_access_descriptions(ext.py(), &ext.as_borrowed())?; Ok(Some(der)) } &oid::EXTENDED_KEY_USAGE_OID | &oid::ACCEPTABLE_RESPONSES_OID => { @@ -456,7 +458,7 @@ pub(crate) fn encode_extension( )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -486,7 +488,7 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 7d93fde6fc6a..76faa1b1ad31 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -148,7 +148,7 @@ impl OCSPResponse { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { ocsp_resp::ResponderId::ByName(ref name) => { - Ok(x509::parse_name(py, name.unwrap_read())?) + Ok(x509::parse_name(py, name.unwrap_read())?.into_gil_ref()) } ocsp_resp::ResponderId::ByKey(_) => Ok(py.None().into_ref(py)), } From 0a6d3ea7502e0671b8b224376f828db3bb780b82 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 14:12:39 +0200 Subject: [PATCH 385/868] Start converting `src/x509/csr.rs` to new pyo3 APIs (#10733) --- src/rust/src/x509/csr.rs | 79 ++++++++++++++++++++++++++-------------- 1 file changed, 51 insertions(+), 28 deletions(-) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 16617bf9de04..55031adf0418 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,8 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::{IntoPy, PyNativeType}; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; use crate::backend::keys; @@ -78,14 +79,14 @@ impl CertificateSigningRequest { fn tbs_certrequest_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let result = asn1::write_single(&self.raw.borrow_dependent().csr_info)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[getter] - fn signature<'p>(&self, py: pyo3::Python<'p>) -> &'p pyo3::types::PyBytes { - pyo3::types::PyBytes::new(py, self.raw.borrow_dependent().signature.as_bytes()) + fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::Bound<'p, pyo3::types::PyBytes> { + pyo3::types::PyBytes::new_bound(py, self.raw.borrow_dependent().signature.as_bytes()) } #[getter] @@ -118,21 +119,26 @@ impl CertificateSigningRequest { fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) + encode_der_data( + py, + "CERTIFICATE REQUEST".to_string(), + result, + encoding.clone().into_gil_ref(), + ) } fn get_attribute_for_oid<'p>( &self, py: pyo3::Python<'p>, oid: pyo3::Bound<'p, pyo3::PyAny>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_36.get(py)?; + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; - pyo3::PyErr::warn(py, warning_cls, warning_msg, 1)?; + pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; let rust_oid = py_oid_to_oid(oid.clone())?; for attribute in self @@ -155,7 +161,7 @@ impl CertificateSigningRequest { || val.tag() == asn1::PrintableString::TAG || val.tag() == asn1::IA5String::TAG { - return Ok(pyo3::types::PyBytes::new(py, val.data())); + return Ok(pyo3::types::PyBytes::new_bound(py, val.data()).into_any()); } return Err(pyo3::exceptions::PyValueError::new_err(format!( "OID {} has a disallowed ASN.1 type: {:?}", @@ -171,8 +177,8 @@ impl CertificateSigningRequest { } #[getter] - fn attributes<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let pyattrs = pyo3::types::PyList::empty(py); + fn attributes<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { + let pyattrs = pyo3::types::PyList::empty_bound(py); for attribute in self .raw .borrow_dependent() @@ -188,16 +194,18 @@ impl CertificateSigningRequest { })?; let oid = oid_to_py_oid(py, &attribute.type_id)?; let val = attribute.values.unwrap_read().clone().next().unwrap(); - let serialized = pyo3::types::PyBytes::new(py, val.data()); + let serialized = pyo3::types::PyBytes::new_bound(py, val.data()); let tag = val.tag().as_u8().ok_or_else(|| { CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "Long-form tags are not supported in CSR attribute values", )) })?; - let pyattr = types::ATTRIBUTE.get(py)?.call1((oid, serialized, tag))?; + let pyattr = types::ATTRIBUTE + .get_bound(py)? + .call1((oid, serialized, tag))?; pyattrs.append(pyattr)?; } - types::ATTRIBUTES.get(py)?.call1((pyattrs,)) + types::ATTRIBUTES.get_bound(py)?.call1((pyattrs,)) } #[getter] @@ -226,7 +234,7 @@ impl CertificateSigningRequest { let public_key = slf.public_key(py)?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key.as_ref(py), + public_key.bind(py).clone().into_gil_ref(), &slf.raw.borrow_dependent().signature_alg, slf.raw.borrow_dependent().signature.as_bytes(), &asn1::write_single(&slf.raw.borrow_dependent().csr_info)?, @@ -252,7 +260,7 @@ fn load_pem_x509_csr( )?; load_der_x509_csr( py, - pyo3::types::PyBytes::new(py, parsed.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, parsed.contents()).unbind(), None, ) } @@ -286,13 +294,17 @@ fn load_der_x509_csr( #[pyo3::prelude::pyfunction] fn create_x509_csr( py: pyo3::Python<'_>, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, - rsa_padding: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let sigalg = - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + )?; let der = types::ENCODING_DER.get(py)?; let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; @@ -305,7 +317,9 @@ fn create_x509_csr( let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .into_gil_ref(), x509::extensions::encode_extension, )? { ext_bytes = asn1::write_single(&exts)?; @@ -352,14 +366,23 @@ fn create_x509_csr( }; let tbs_bytes = asn1::write_single(&csr_info)?; - let signature = - x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; + let signature = x509::sign::sign_data( + py, + private_key.clone().into_gil_ref(), + hash_algorithm.clone().into_gil_ref(), + rsa_padding.clone().into_gil_ref(), + &tbs_bytes, + )?; let data = asn1::write_single(&Csr { csr_info, signature_alg: sigalg, signature: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_csr(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) + load_der_x509_csr( + py, + pyo3::types::PyBytes::new_bound(py, &data).clone().unbind(), + None, + ) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { From 533b35d775d4d8ec18605a3d2cabc9d01272e948 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 08:33:32 -0400 Subject: [PATCH 386/868] Remove gil-refs feature from cryptography-cffi (#10735) It doesn't need it --- src/rust/cryptography-cffi/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 5ef7438651e6..3251e6622d1d 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } +pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] From 62607e9f1f61a94b991e200485644fbca7ac1d90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Apr 2024 07:35:07 -0500 Subject: [PATCH 387/868] Bump jaraco-context from 4.3.0 to 5.1.0 in /.github/requirements (#10731) * Bump jaraco-context from 4.3.0 to 5.1.0 in /.github/requirements Bumps [jaraco-context](https://github.com/jaraco/jaraco.context) from 4.3.0 to 5.1.0. - [Release notes](https://github.com/jaraco/jaraco.context/releases) - [Changelog](https://github.com/jaraco/jaraco.context/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.context/compare/v4.3.0...v5.1.0) --- updated-dependencies: - dependency-name: jaraco-context dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 160ac650d276..2444daad6f2f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -250,9 +250,9 @@ jaraco-classes==3.4.0 \ --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 # via keyring -jaraco-context==4.3.0 \ - --hash=sha256:4dad2404540b936a20acedec53355bdaea223acb88fd329fa6de9261c941566e \ - --hash=sha256:5d9e95ca0faa78943ed66f6bc658dd637430f16125d86988e77844c741ff2f11 +jaraco-context==5.1.0 \ + --hash=sha256:0e4161ebbaeead78850b4ca5465b5853217cf23ad74ec82d00ebfb69d8ea5fcb \ + --hash=sha256:24ec1f739aec2c5766c68027ccc70d91d7b0cb931699442f5c7ed93515b955e7 # via keyring jaraco-functools==4.0.0 \ --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ From 4d8945d754fc33a92fe2688f5aeb0fa73083be01 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 08:37:19 -0400 Subject: [PATCH 388/868] Convert `src/backend/ed448.rs` to new pyo3 APIs (#10725) --- src/rust/src/backend/ed448.rs | 26 +++++++++++++++----------- src/rust/src/backend/mod.rs | 2 +- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 9d9bf485cd61..ef6c193e1fa7 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -6,6 +6,7 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; +use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PrivateKey { @@ -65,9 +66,10 @@ impl Ed448PrivateKey { &self, py: pyo3::Python<'p>, data: CffiBuf<'_>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let mut signer = openssl::sign::Signer::new_without_digest(&self.pkey)?; - Ok(pyo3::types::PyBytes::new_with(py, signer.len()?, |b| { + let len = signer.len()?; + Ok(pyo3::types::PyBytes::new_bound_with(py, len, |b| { let n = signer .sign_oneshot(b, data.as_bytes()) .map_err(CryptographyError::from)?; @@ -89,9 +91,9 @@ impl Ed448PrivateKey { fn private_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_private_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn private_bytes<'p>( @@ -132,9 +134,9 @@ impl Ed448PublicKey { fn public_bytes_raw<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let raw_bytes = self.pkey.raw_public_key()?; - Ok(pyo3::types::PyBytes::new(py, &raw_bytes)) + Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)) } fn public_bytes<'p>( @@ -155,11 +157,13 @@ impl Ed448PublicKey { } } -pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let m = pyo3::prelude::PyModule::new(py, "ed448")?; - m.add_function(pyo3::wrap_pyfunction!(generate_key, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_private_bytes, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(from_public_bytes, m)?)?; +pub(crate) fn create_module( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let m = pyo3::prelude::PyModule::new_bound(py, "ed448")?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index a460812d8ca3..062b9a85ecf5 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -34,7 +34,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_submodule(ed25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(ed448::create_module(module.py())?)?; + module.add_submodule(ed448::create_module(module.py())?.into_gil_ref())?; module.add_submodule(x25519::create_module(module.py())?.into_gil_ref())?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] From 9d7e72149802ab5b90de7bdee835d8e61c83af91 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 08:46:12 -0400 Subject: [PATCH 389/868] Convert part of `crl.rs` to new pyo3 APIs (#10724) --- src/rust/src/x509/crl.rs | 116 +++++++++++++++++++++------------ src/rust/src/x509/ocsp_resp.rs | 2 +- 2 files changed, 74 insertions(+), 44 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index ba7361d0664a..7c935bf2a7d9 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,8 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::{IntoPy, PyNativeType, ToPyObject}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PySliceMethods}; +use pyo3::{PyNativeType, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -67,7 +68,7 @@ fn load_pem_x509_crl( )?; load_der_x509_crl( py, - pyo3::types::PyBytes::new(py, block.contents()).into_py(py), + pyo3::types::PyBytes::new_bound(py, block.contents()).unbind(), None, ) } @@ -138,7 +139,7 @@ impl CertificateRevocationList { fn __getitem__( &self, py: pyo3::Python<'_>, - idx: &pyo3::PyAny, + idx: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { self.revoked_certs.get_or_init(py, || { let mut revoked_certs = vec![]; @@ -153,9 +154,9 @@ impl CertificateRevocationList { let indices = idx .downcast::()? .indices(self.len().try_into().unwrap())?; - let result = pyo3::types::PyList::empty(py); + let result = pyo3::types::PyList::empty_bound(py); for i in (indices.start..indices.stop).step_by(indices.step.try_into().unwrap()) { - let revoked_cert = pyo3::PyCell::new(py, self.revoked_cert(py, i as usize))?; + let revoked_cert = pyo3::Bound::new(py, self.revoked_cert(py, i as usize))?; result.append(revoked_cert)?; } Ok(result.to_object(py)) @@ -167,20 +168,20 @@ impl CertificateRevocationList { if idx >= (self.len() as isize) || idx < 0 { return Err(pyo3::exceptions::PyIndexError::new_err(())); } - Ok(pyo3::PyCell::new(py, self.revoked_cert(py, idx as usize))?.to_object(py)) + Ok(pyo3::Bound::new(py, self.revoked_cert(py, idx as usize))?.to_object(py)) } } fn fingerprint<'p>( &self, py: pyo3::Python<'p>, - algorithm: &pyo3::PyAny, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + ) -> pyo3::PyResult> { let data = self.public_bytes_der()?; let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; h.update_bytes(&data)?; - Ok(h.finalize(py)?.into_gil_ref()) + Ok(h.finalize(py)?) } #[getter] @@ -226,19 +227,19 @@ impl CertificateRevocationList { fn tbs_certlist_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let b = asn1::write_single(&self.owned.borrow_dependent().tbs_cert_list)?; - Ok(pyo3::types::PyBytes::new(py, &b)) + Ok(pyo3::types::PyBytes::new_bound(py, &b)) } fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &'p pyo3::PyAny, + encoding: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let result = asn1::write_single(&self.owned.borrow_dependent())?; - encode_der_data(py, "X509 CRL".to_string(), result, encoding) + encode_der_data(py, "X509 CRL".to_string(), result, encoding.into_gil_ref()) } #[getter] @@ -255,45 +256,60 @@ impl CertificateRevocationList { } #[getter] - fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + fn next_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", 1, )?; match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => x509::datetime_to_py(py, t.as_datetime()), - None => Ok(py.None().into_ref(py)), + Some(t) => Ok(x509::datetime_to_py(py, t.as_datetime())? + .as_borrowed() + .to_owned()), + None => Ok(py.None().bind(py).clone()), } } #[getter] - fn next_update_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn next_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => x509::datetime_to_py_utc(py, t.as_datetime()), - None => Ok(py.None().into_ref(py)), + Some(t) => Ok(x509::datetime_to_py_utc(py, t.as_datetime())? + .as_borrowed() + .to_owned()), + None => Ok(py.None().bind(py).clone()), } } #[getter] - fn last_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + fn last_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc.", 1, )?; - x509::datetime_to_py( + Ok(x509::datetime_to_py( py, self.owned .borrow_dependent() .tbs_cert_list .this_update .as_datetime(), - ) + )? + .as_borrowed() + .to_owned()) } #[getter] @@ -408,7 +424,7 @@ impl CertificateRevocationList { fn is_signature_valid<'p>( slf: pyo3::PyRef<'_, Self>, py: pyo3::Python<'p>, - public_key: &'p pyo3::PyAny, + public_key: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult { if slf.owned.borrow_dependent().tbs_cert_list.signature != slf.owned.borrow_dependent().signature_algorithm @@ -418,11 +434,11 @@ impl CertificateRevocationList { // Error on invalid public key -- below we treat any error as just // being an invalid signature. - sign::identify_public_key_type(py, public_key)?; + sign::identify_public_key_type(py, public_key.clone().into_gil_ref())?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key, + public_key.into_gil_ref(), &slf.owned.borrow_dependent().signature_algorithm, slf.owned.borrow_dependent().signature_value.as_bytes(), &asn1::write_single(&slf.owned.borrow_dependent().tbs_cert_list)?, @@ -533,26 +549,36 @@ impl RevokedCertificate { } #[getter] - fn revocation_date<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - let warning_cls = types::DEPRECATED_IN_42.get(py)?; - pyo3::PyErr::warn( + fn revocation_date<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + pyo3::PyErr::warn_bound( py, - warning_cls, + &warning_cls, "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.", 1, )?; - x509::datetime_to_py( + Ok(x509::datetime_to_py( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - ) + )? + .as_borrowed() + .to_owned()) } #[getter] - fn revocation_date_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - x509::datetime_to_py_utc( + fn revocation_date_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + Ok(x509::datetime_to_py_utc( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - ) + )? + .as_borrowed() + .to_owned()) } #[getter] @@ -569,7 +595,7 @@ impl RevokedCertificate { pub(crate) fn parse_crl_reason_flags<'p>( py: pyo3::Python<'p>, reason: &crl::CRLReason, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { let flag_name = match reason.value() { 0 => "unspecified", 1 => "key_compromise", @@ -589,7 +615,7 @@ pub(crate) fn parse_crl_reason_flags<'p>( )) } }; - Ok(types::REASON_FLAGS.get(py)?.getattr(flag_name)?) + Ok(types::REASON_FLAGS.get_bound(py)?.getattr(flag_name)?) } pub fn parse_crl_entry_ext<'p>( @@ -685,7 +711,11 @@ fn create_x509_crl( signature_algorithm: sigalg, signature_value: asn1::BitString::new(signature, 0).unwrap(), })?; - load_der_x509_crl(py, pyo3::types::PyBytes::new(py, &data).into_py(py), None) + load_der_x509_crl( + py, + pyo3::types::PyBytes::new_bound(py, &data).unbind(), + None, + ) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 76faa1b1ad31..89c5a0d25e7b 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -518,7 +518,7 @@ fn singleresp_py_revocation_reason<'p>( ) -> CryptographyResult<&'p pyo3::PyAny> { match &resp.cert_status { ocsp_resp::CertStatus::Revoked(revoked_info) => match revoked_info.revocation_reason { - Some(ref v) => crl::parse_crl_reason_flags(py, v), + Some(ref v) => Ok(crl::parse_crl_reason_flags(py, v)?.into_gil_ref()), None => Ok(py.None().into_ref(py)), }, ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { From afe3951956dd737a04fae369d21e8c5e56dff644 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 15:36:21 +0200 Subject: [PATCH 390/868] Start converting `src/x509/verify.rs` to new pyo3 APIs (#10736) * Start converting `src/x509/verify.rs` to new pyo3 APIs * Fix errors with temp values being dropped * Fix error when using `Bound::to_str` in Python<3.10 * Remove extra clone() call * Add TODO message --- src/rust/src/x509/verify.rs | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 2c65f6327103..23d865df7191 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::IntoPy; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; @@ -75,7 +75,7 @@ impl PolicyBuilder { fn time( &self, py: pyo3::Python<'_>, - new_time: &pyo3::PyAny, + new_time: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { if self.time.is_some() { return Err(CryptographyError::from( @@ -85,7 +85,7 @@ impl PolicyBuilder { )); } Ok(PolicyBuilder { - time: Some(py_to_datetime(py, new_time)?), + time: Some(py_to_datetime(py, new_time.clone().into_gil_ref())?), store: self.store.as_ref().map(|s| s.clone_ref(py)), max_chain_depth: self.max_chain_depth, }) @@ -273,7 +273,7 @@ impl PyClientVerifier { ) .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; - let py_chain = pyo3::types::PyList::empty(py); + let py_chain = pyo3::types::PyList::empty_bound(py); for c in &chain { py_chain.append(c.extra())?; } @@ -293,7 +293,7 @@ impl PyClientVerifier { Ok(PyVerifiedClient { subjects: py_gns, - chain: py_chain.into_py(py), + chain: py_chain.unbind(), }) } } @@ -334,7 +334,7 @@ impl PyServerVerifier { py: pyo3::Python<'p>, leaf: pyo3::Py, intermediates: Vec>, - ) -> CryptographyResult<&'p pyo3::types::PyList> { + ) -> CryptographyResult> { let policy = self.as_policy(); let store = self.store.get(); @@ -354,7 +354,7 @@ impl PyServerVerifier { ) .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; - let result = pyo3::types::PyList::empty(py); + let result = pyo3::types::PyList::empty_bound(py); for c in chain { result.append(c.extra())?; } @@ -366,21 +366,22 @@ fn build_subject_owner( py: pyo3::Python<'_>, subject: &pyo3::Py, ) -> pyo3::PyResult { - let subject = subject.as_ref(py); + let subject = subject.bind(py); - if subject.is_instance(types::DNS_NAME.get(py)?)? { + if subject.is_instance(&types::DNS_NAME.get_bound(py)?)? { let value = subject .getattr(pyo3::intern!(py, "value"))? - .downcast::()?; - - Ok(SubjectOwner::DNSName(value.to_str()?.to_owned())) - } else if subject.is_instance(types::IP_ADDRESS.get(py)?)? { + // TODO: switch this to borrowing the string (using Bound::to_str) once our + // minimum Python version is 3.10 + .extract::()?; + Ok(SubjectOwner::DNSName(value)) + } else if subject.is_instance(&types::IP_ADDRESS.get_bound(py)?)? { let value = subject .getattr(pyo3::intern!(py, "_packed"))? .call0()? - .downcast::()?; - - Ok(SubjectOwner::IPAddress(value.into())) + .downcast::()? + .clone(); + Ok(SubjectOwner::IPAddress(value.unbind())) } else { Err(pyo3::exceptions::PyTypeError::new_err( "unsupported subject type", @@ -458,7 +459,7 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult< module.add_class::()?; module.add( "VerificationError", - module.py().get_type::(), + module.py().get_type_bound::(), )?; Ok(()) From f79b6a1e0f4c23a081128c21ef62e2500956be09 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 10:01:10 -0400 Subject: [PATCH 391/868] Convert more datetime functions to new pyo3 APIs (#10737) --- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/common.rs | 18 +++++----- src/rust/src/x509/crl.rs | 23 ++++++------ src/rust/src/x509/extensions.rs | 6 +++- src/rust/src/x509/ocsp_resp.rs | 60 +++++++++++++++++++++++--------- src/rust/src/x509/verify.rs | 14 +++++--- 6 files changed, 78 insertions(+), 45 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 12b996609f3a..7ee3f8709920 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -900,7 +900,7 @@ pub(crate) fn time_from_py( py: pyo3::Python<'_>, val: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let dt = x509::py_to_datetime(py, val.clone().into_gil_ref())?; + let dt = x509::py_to_datetime(py, val.clone())?; time_from_datetime(dt) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 176eb6050901..b8cf6a3e7246 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -491,8 +491,8 @@ fn encode_extension_value<'p>( pub(crate) fn datetime_to_py<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, -) -> pyo3::PyResult<&'p pyo3::PyAny> { - types::DATETIME_DATETIME.get(py)?.call1(( +) -> pyo3::PyResult> { + types::DATETIME_DATETIME.get_bound(py)?.call1(( dt.year(), dt.month(), dt.day(), @@ -505,9 +505,9 @@ pub(crate) fn datetime_to_py<'p>( pub(crate) fn datetime_to_py_utc<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, -) -> pyo3::PyResult<&'p pyo3::PyAny> { - let timezone = types::DATETIME_TIMEZONE_UTC.get(py)?; - types::DATETIME_DATETIME.get(py)?.call1(( +) -> pyo3::PyResult> { + let timezone = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + types::DATETIME_DATETIME.get_bound(py)?.call1(( dt.year(), dt.month(), dt.day(), @@ -521,14 +521,14 @@ pub(crate) fn datetime_to_py_utc<'p>( pub(crate) fn py_to_datetime( py: pyo3::Python<'_>, - val: &pyo3::PyAny, + val: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { // We treat naive datetimes as UTC times, while aware datetimes get // normalized to UTC before conversion. let val_utc = if val.getattr(pyo3::intern!(py, "tzinfo"))?.is_none() { val } else { - let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; val.call_method1(pyo3::intern!(py, "astimezone"), (utc,))? }; @@ -544,12 +544,12 @@ pub(crate) fn py_to_datetime( } pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult { - let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; py_to_datetime( py, types::DATETIME_DATETIME - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "now"), (utc,))?, ) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 7c935bf2a7d9..c776a7178285 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -268,10 +268,8 @@ impl CertificateRevocationList { 1, )?; match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => Ok(x509::datetime_to_py(py, t.as_datetime())? - .as_borrowed() - .to_owned()), - None => Ok(py.None().bind(py).clone()), + Some(t) => x509::datetime_to_py(py, t.as_datetime()), + None => Ok(py.None().into_bound(py)), } } @@ -281,10 +279,8 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { match &self.owned.borrow_dependent().tbs_cert_list.next_update { - Some(t) => Ok(x509::datetime_to_py_utc(py, t.as_datetime())? - .as_borrowed() - .to_owned()), - None => Ok(py.None().bind(py).clone()), + Some(t) => x509::datetime_to_py_utc(py, t.as_datetime()), + None => Ok(py.None().into_bound(py)), } } @@ -313,7 +309,10 @@ impl CertificateRevocationList { } #[getter] - fn last_update_utc<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn last_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { x509::datetime_to_py_utc( py, self.owned @@ -573,12 +572,10 @@ impl RevokedCertificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - Ok(x509::datetime_to_py_utc( + x509::datetime_to_py_utc( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - )? - .as_borrowed() - .to_owned()) + ) } #[getter] diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index beed9cda9b3a..9bbd7443a594 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -492,7 +492,11 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { - let dt = x509::py_to_datetime(py, ext.getattr(pyo3::intern!(py, "invalidity_date"))?)?; + let py_dt = ext + .getattr(pyo3::intern!(py, "invalidity_date"))? + .as_borrowed() + .to_owned(); + let dt = x509::py_to_datetime(py, py_dt)?; Ok(Some(asn1::write_single(&asn1::GeneralizedTime::new(dt)?)?)) } &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 89c5a0d25e7b..1ea7cf19b055 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::IntoPy; +use pyo3::{IntoPy, PyNativeType}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -166,7 +166,10 @@ impl OCSPResponse { } #[getter] - fn produced_at<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn produced_at<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; x509::datetime_to_py(py, resp.tbs_response_data.produced_at.as_datetime()) } @@ -297,7 +300,10 @@ impl OCSPResponse { } #[getter] - fn revocation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn revocation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_revocation_time(&single_resp, py) @@ -311,14 +317,20 @@ impl OCSPResponse { } #[getter] - fn this_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn this_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_this_update(&single_resp, py) } #[getter] - fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn next_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_next_update(&single_resp, py) @@ -498,17 +510,17 @@ fn singleresp_py_hash_algorithm<'p>( fn singleresp_py_this_update<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { x509::datetime_to_py(py, resp.this_update.as_datetime()) } fn singleresp_py_next_update<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { match &resp.next_update { Some(v) => x509::datetime_to_py(py, v.as_datetime()), - None => Ok(py.None().into_ref(py)), + None => Ok(py.None().into_bound(py)), } } @@ -530,13 +542,13 @@ fn singleresp_py_revocation_reason<'p>( fn singleresp_py_revocation_time<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { match &resp.cert_status { ocsp_resp::CertStatus::Revoked(revoked_info) => { x509::datetime_to_py(py, revoked_info.revocation_time.as_datetime()) } ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { - Ok(py.None().into_ref(py)) + Ok(py.None().into_bound(py)) } } } @@ -594,8 +606,10 @@ fn create_ocsp_response( // REVOKED let py_revocation_time = py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; - let revocation_time = - asn1::GeneralizedTime::new(py_to_datetime(py, py_revocation_time)?)?; + let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( + py, + py_revocation_time.as_borrowed().to_owned(), + )?)?; ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { revocation_time, revocation_reason, @@ -608,13 +622,16 @@ fn create_ocsp_response( let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; Some(asn1::GeneralizedTime::new(py_to_datetime( py, - py_next_update, + py_next_update.as_borrowed().to_owned(), )?)?) } else { None }; let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; - let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; + let this_update = asn1::GeneralizedTime::new(py_to_datetime( + py, + py_this_update.as_borrowed().to_owned(), + )?)?; let responses = vec![SingleResponse { cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, py_cert_hash_algorithm)?, @@ -819,7 +836,10 @@ impl OCSPSingleResponse { } #[getter] - fn revocation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn revocation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_revocation_time(single_resp, py) } @@ -831,13 +851,19 @@ impl OCSPSingleResponse { } #[getter] - fn this_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn this_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_this_update(single_resp, py) } #[getter] - fn next_update<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn next_update<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_next_update(single_resp, py) } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 23d865df7191..c5babda8ea76 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -75,7 +75,7 @@ impl PolicyBuilder { fn time( &self, py: pyo3::Python<'_>, - new_time: &pyo3::Bound<'_, pyo3::PyAny>, + new_time: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { if self.time.is_some() { return Err(CryptographyError::from( @@ -85,7 +85,7 @@ impl PolicyBuilder { )); } Ok(PolicyBuilder { - time: Some(py_to_datetime(py, new_time.clone().into_gil_ref())?), + time: Some(py_to_datetime(py, new_time)?), store: self.store.as_ref().map(|s| s.clone_ref(py)), max_chain_depth: self.max_chain_depth, }) @@ -239,7 +239,10 @@ impl PyClientVerifier { #[pyo3::pymethods] impl PyClientVerifier { #[getter] - fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn validation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { datetime_to_py(py, &self.as_policy().validation_time) } @@ -320,7 +323,10 @@ impl PyServerVerifier { #[pyo3::pymethods] impl PyServerVerifier { #[getter] - fn validation_time<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn validation_time<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { datetime_to_py(py, &self.as_policy().validation_time) } From 0a57074ca359c5cd4592c154117ba124095517c4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 10:08:38 -0400 Subject: [PATCH 392/868] Fix a compilation error without gil-refs (#10738) --- src/rust/src/x509/extensions.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 9bbd7443a594..bbba8170d416 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -39,8 +39,8 @@ pub(crate) fn encode_authority_key_identifier<'a>( ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyAuthorityKeyIdentifier<'a> { - key_identifier: Option<&'a [u8]>, - authority_cert_issuer: Option<&'a pyo3::PyAny>, + key_identifier: Option, + authority_cert_issuer: Option>, authority_cert_serial_number: Option>, } let aki = py_aki.extract::>()?; @@ -62,7 +62,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( Ok(asn1::write_single(&extensions::AuthorityKeyIdentifier { authority_cert_issuer, authority_cert_serial_number, - key_identifier: aki.key_identifier, + key_identifier: aki.key_identifier.as_deref(), })?) } From 6c11a3e6aab163056689a3c3dea7d98abef6cd83 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 10:25:02 -0400 Subject: [PATCH 393/868] Convert more module creation to new pyo3 APIs (#10739) --- src/rust/src/lib.rs | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 97bb54bf1631..94137ce8c2c6 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -117,7 +117,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(cryptography_cffi::create_module(py)?.into_gil_ref())?; - let openssl_mod = pyo3::prelude::PyModule::new(py, "openssl")?; + let openssl_mod = pyo3::prelude::PyModule::new_bound(py, "openssl")?; openssl_mod.add( "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), @@ -140,20 +140,29 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> } openssl_mod.add("_providers", providers)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(enable_fips, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(enable_fips, &openssl_mod)?)?; } else { // default value for non-openssl 3+ openssl_mod.add("_legacy_provider_loaded", false)?; } } - openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(openssl_version_text, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(error::raise_openssl_error, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(error::capture_error_stack, m)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction!(is_fips_enabled, m)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(openssl_version, &openssl_mod)?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( + openssl_version_text, + &openssl_mod + )?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( + error::raise_openssl_error, + &openssl_mod + )?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( + error::capture_error_stack, + &openssl_mod + )?)?; + openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(is_fips_enabled, &openssl_mod)?)?; openssl_mod.add_class::()?; - crate::backend::add_to_module(openssl_mod)?; - m.add_submodule(openssl_mod)?; + crate::backend::add_to_module(openssl_mod.clone().into_gil_ref())?; + m.add_submodule(openssl_mod.into_gil_ref())?; Ok(()) } From 07afd49006013157362f85beb1d90f1ea0084f00 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 17:07:25 +0200 Subject: [PATCH 394/868] Convert more of `src/pkcs7.rs` to new pyo3 APIs (#10741) --- src/rust/src/lib.rs | 2 +- src/rust/src/pkcs7.rs | 58 +++++++++++++++++++++++++++++-------------- 2 files changed, 41 insertions(+), 19 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 94137ce8c2c6..cade7d5e5869 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -97,7 +97,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_class::()?; m.add_submodule(asn1::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(pkcs7::create_submodule(py)?)?; + m.add_submodule(pkcs7::create_submodule(py)?.into_gil_ref())?; m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index b33d054b4ef8..e80a2406e2a2 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -11,6 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -43,7 +44,7 @@ static OIDS_TO_MIC_NAME: Lazy> = Lazy::ne fn serialize_certificates<'p>( py: pyo3::Python<'p>, py_certs: Vec>, - encoding: &'p pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if py_certs.is_empty() { return Err(pyo3::exceptions::PyTypeError::new_err( @@ -75,15 +76,20 @@ fn serialize_certificates<'p>( }; let content_info_bytes = asn1::write_single(&content_info)?; - encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) + encode_der_data( + py, + "PKCS7".to_string(), + content_info_bytes, + encoding.clone().into_gil_ref(), + ) } #[pyo3::prelude::pyfunction] fn sign_and_serialize<'p>( py: pyo3::Python<'p>, - builder: &'p pyo3::PyAny, - encoding: &'p pyo3::PyAny, - options: &'p pyo3::types::PyList, + builder: &pyo3::Bound<'p, pyo3::PyAny>, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, ) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; @@ -258,7 +264,12 @@ fn sign_and_serialize<'p>( .extract()?) } else { // Handles the DER, PEM, and error cases - encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding) + encode_der_data( + py, + "PKCS7".to_string(), + ci_bytes, + encoding.clone().into_gil_ref(), + ) } } @@ -320,7 +331,7 @@ fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_, [ fn load_pkcs7_certificates( py: pyo3::Python<'_>, pkcs7: Pkcs7, -) -> CryptographyResult<&pyo3::types::PyList> { +) -> CryptographyResult> { let nid = pkcs7.type_().map(|t| t.nid()); if nid != Some(openssl::nid::Nid::PKCS7_SIGNED) { let nid_string = nid.map_or("empty".to_string(), |n| n.as_raw().to_string()); @@ -340,9 +351,9 @@ fn load_pkcs7_certificates( ), )), Some(certificates) => { - let result = pyo3::types::PyList::empty(py); + let result = pyo3::types::PyList::empty_bound(py); for c in certificates { - let cert_der = pyo3::types::PyBytes::new(py, c.to_der()?.as_slice()).into_py(py); + let cert_der = pyo3::types::PyBytes::new_bound(py, c.to_der()?.as_slice()).unbind(); let cert = load_der_x509_certificate(py, cert_der, None)?; result.append(cert.into_py(py))?; } @@ -355,7 +366,7 @@ fn load_pkcs7_certificates( fn load_pem_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], -) -> CryptographyResult<&'p pyo3::types::PyList> { +) -> CryptographyResult> { cfg_if::cfg_if! { if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_pem(data).map_err(|_| { @@ -381,7 +392,7 @@ fn load_pem_pkcs7_certificates<'p>( fn load_der_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], -) -> CryptographyResult<&'p pyo3::types::PyList> { +) -> CryptographyResult> { cfg_if::cfg_if! { if #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] { let pkcs7_decoded = openssl::pkcs7::Pkcs7::from_der(data).map_err(|_| { @@ -403,13 +414,24 @@ fn load_der_pkcs7_certificates<'p>( } } -pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> { - let submod = pyo3::prelude::PyModule::new(py, "pkcs7")?; - - submod.add_function(pyo3::wrap_pyfunction!(serialize_certificates, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(sign_and_serialize, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_pem_pkcs7_certificates, submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_der_pkcs7_certificates, submod)?)?; +pub(crate) fn create_submodule( + py: pyo3::Python<'_>, +) -> pyo3::PyResult> { + let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs7")?; + + submod.add_function(pyo3::wrap_pyfunction_bound!( + serialize_certificates, + &submod + )?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(sign_and_serialize, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + load_pem_pkcs7_certificates, + &submod + )?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + load_der_pkcs7_certificates, + &submod + )?)?; Ok(submod) } From 22bd720f61ce1db76216a711e38f00d3d6d92cdc Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 17:33:21 +0200 Subject: [PATCH 395/868] Convert more of `src/x509/ocsp_req.rs` to new pyo3 APIs (#10743) --- src/rust/src/x509/ocsp_req.rs | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 5d6674d04b3f..846fefae6c8b 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::IntoPy; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -132,7 +132,7 @@ impl OCSPRequest { } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; - let py_oids = pyo3::types::PyList::empty(py); + let py_oids = pyo3::types::PyList::empty_bound(py); for oid in oids { py_oids.append(oid_to_py_oid(py, &oid)?)?; } @@ -152,23 +152,23 @@ impl OCSPRequest { fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !encoding.is(types::ENCODING_DER.get(py)?) { + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + ) -> CryptographyResult> { + if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) .into()); } let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } } #[pyo3::prelude::pyfunction] fn create_ocsp_request( py: pyo3::Python<'_>, - builder: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; @@ -209,7 +209,10 @@ fn create_ocsp_request( let extensions = x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?; let reqs = [ocsp_req::Request { @@ -228,7 +231,7 @@ fn create_ocsp_request( optional_signature: None, }; let data = asn1::write_single(&ocsp_req)?; - load_der_ocsp_request(py, pyo3::types::PyBytes::new(py, &data).into_py(py)) + load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { From 2a6ea3cb5b014471cd11f0c57bed0721ca03bdba Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 13:39:59 -0400 Subject: [PATCH 396/868] Convert more module creation to new pyo3 APIs (#10742) --- src/rust/src/lib.rs | 16 ++++++++-------- src/rust/src/x509/certificate.rs | 24 ++++++++++++++++++------ src/rust/src/x509/common.rs | 11 +++++++---- src/rust/src/x509/crl.rs | 10 +++++----- src/rust/src/x509/csr.rs | 10 +++++----- src/rust/src/x509/verify.rs | 4 ++-- 6 files changed, 45 insertions(+), 30 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index cade7d5e5869..2fe5777b7d8f 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -101,14 +101,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; - let x509_mod = pyo3::prelude::PyModule::new(py, "x509")?; - crate::x509::certificate::add_to_module(x509_mod)?; - crate::x509::common::add_to_module(x509_mod)?; - crate::x509::crl::add_to_module(x509_mod)?; - crate::x509::csr::add_to_module(x509_mod)?; - crate::x509::sct::add_to_module(&x509_mod.as_borrowed())?; - crate::x509::verify::add_to_module(x509_mod)?; - m.add_submodule(x509_mod)?; + let x509_mod = pyo3::prelude::PyModule::new_bound(py, "x509")?; + crate::x509::certificate::add_to_module(&x509_mod)?; + crate::x509::common::add_to_module(&x509_mod)?; + crate::x509::crl::add_to_module(&x509_mod)?; + crate::x509::csr::add_to_module(&x509_mod)?; + crate::x509::sct::add_to_module(&x509_mod)?; + crate::x509::verify::add_to_module(&x509_mod)?; + m.add_submodule(x509_mod.into_gil_ref())?; let ocsp_mod = pyo3::prelude::PyModule::new(py, "ocsp")?; crate::x509::ocsp_req::add_to_module(ocsp_mod)?; diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 7ee3f8709920..f8cb944894f8 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::{IntoPy, PyNativeType, ToPyObject}; use crate::asn1::{ @@ -999,11 +999,23 @@ pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { } } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_x509_certificate, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_certificate, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_certificates, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_x509_certificate, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + load_der_x509_certificate, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!( + load_pem_x509_certificate, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!( + load_pem_x509_certificates, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!( + create_x509_certificate, + module + )?)?; module.add_class::()?; diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index b8cf6a3e7246..4d4951821ca2 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -7,7 +7,7 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::types::IntoPyDict; use pyo3::{IntoPy, PyNativeType, ToPyObject}; @@ -554,9 +554,12 @@ pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(encode_extension_value, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(encode_name_bytes, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + encode_extension_value, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(encode_name_bytes, module)?)?; Ok(()) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c776a7178285..3a02eb6788b7 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PySliceMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; use pyo3::{PyNativeType, ToPyObject}; use crate::asn1::{ @@ -715,10 +715,10 @@ fn create_x509_crl( ) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_x509_crl, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_crl, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_crl, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_crl, module)?)?; module.add_class::()?; module.add_class::()?; diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 55031adf0418..66b365115043 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; @@ -385,10 +385,10 @@ fn create_x509_csr( ) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(load_pem_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_x509_csr, module)?)?; +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_csr, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_csr, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_csr, module)?)?; module.add_class::()?; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index c5babda8ea76..e327a09eb4c9 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; @@ -457,7 +457,7 @@ impl PyStore { } } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_class::()?; module.add_class::()?; module.add_class::()?; From d00ef6a4515fc14a46df442b889229a358fd2e28 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 13:41:59 -0400 Subject: [PATCH 397/868] Convert portions of `ocsp_resp.rs` to new pyo3 APIs (#10740) --- src/rust/src/x509/ocsp_resp.rs | 88 ++++++++++++++++++++++------------ 1 file changed, 58 insertions(+), 30 deletions(-) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 1ea7cf19b055..df1ce0dd3fbc 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,8 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::{IntoPy, PyNativeType}; +use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -144,24 +145,30 @@ impl OCSPResponse { } #[getter] - fn responder_name<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn responder_name<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { ocsp_resp::ResponderId::ByName(ref name) => { - Ok(x509::parse_name(py, name.unwrap_read())?.into_gil_ref()) + Ok(x509::parse_name(py, name.unwrap_read())?) } - ocsp_resp::ResponderId::ByKey(_) => Ok(py.None().into_ref(py)), + ocsp_resp::ResponderId::ByKey(_) => Ok(py.None().into_bound(py)), } } #[getter] - fn responder_key_hash<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn responder_key_hash<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; match resp.tbs_response_data.responder_id { ocsp_resp::ResponderId::ByKey(key_hash) => { - Ok(pyo3::types::PyBytes::new(py, key_hash).as_ref()) + Ok(pyo3::types::PyBytes::new_bound(py, key_hash).into_any()) } - ocsp_resp::ResponderId::ByName(_) => Ok(py.None().into_ref(py)), + ocsp_resp::ResponderId::ByName(_) => Ok(py.None().into_bound(py)), } } @@ -208,25 +215,34 @@ impl OCSPResponse { } #[getter] - fn signature<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::types::PyBytes> { + fn signature<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; - Ok(pyo3::types::PyBytes::new(py, resp.signature.as_bytes())) + Ok(pyo3::types::PyBytes::new_bound( + py, + resp.signature.as_bytes(), + )) } #[getter] fn tbs_response_bytes<'p>( &self, py: pyo3::Python<'p>, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { + ) -> CryptographyResult> { let resp = self.requires_successful_response()?; let result = asn1::write_single(&resp.tbs_response_data)?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } #[getter] - fn certificates<'p>(&self, py: pyo3::Python<'p>) -> Result<&'p pyo3::PyAny, CryptographyError> { + fn certificates<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { let resp = self.requires_successful_response()?; - let py_certs = pyo3::types::PyList::empty(py); + let py_certs = pyo3::types::PyList::empty_bound(py); let certs = match &resp.certs { Some(certs) => certs.unwrap_read(), None => return Ok(py_certs), @@ -247,7 +263,7 @@ impl OCSPResponse { .nth(i) .unwrap() }); - py_certs.append(pyo3::PyCell::new( + py_certs.append(pyo3::Bound::new( py, x509::certificate::Certificate { raw: raw_cert, @@ -293,7 +309,10 @@ impl OCSPResponse { } #[getter] - fn certificate_status<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn certificate_status<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_certificate_status(&single_resp, py) @@ -310,7 +329,10 @@ impl OCSPResponse { } #[getter] - fn revocation_reason<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn revocation_reason<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_revocation_reason(&single_resp, py) @@ -407,16 +429,16 @@ impl OCSPResponse { fn public_bytes<'p>( &self, py: pyo3::Python<'p>, - encoding: &pyo3::PyAny, - ) -> CryptographyResult<&'p pyo3::types::PyBytes> { - if !encoding.is(types::ENCODING_DER.get(py)?) { + encoding: pyo3::Bound<'_, pyo3::PyAny>, + ) -> CryptographyResult> { + if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) .into()); } let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(pyo3::types::PyBytes::new(py, &result)) + Ok(pyo3::types::PyBytes::new_bound(py, &result)) } } @@ -483,13 +505,13 @@ fn singleresp_py_serial_number<'p>( fn singleresp_py_certificate_status<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> pyo3::PyResult<&'p pyo3::PyAny> { +) -> pyo3::PyResult> { let attr = match resp.cert_status { ocsp_resp::CertStatus::Good(_) => pyo3::intern!(py, "GOOD"), ocsp_resp::CertStatus::Revoked(_) => pyo3::intern!(py, "REVOKED"), ocsp_resp::CertStatus::Unknown(_) => pyo3::intern!(py, "UNKNOWN"), }; - types::OCSP_CERT_STATUS.get(py)?.getattr(attr) + types::OCSP_CERT_STATUS.get_bound(py)?.getattr(attr) } fn singleresp_py_hash_algorithm<'p>( @@ -527,14 +549,14 @@ fn singleresp_py_next_update<'p>( fn singleresp_py_revocation_reason<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { match &resp.cert_status { ocsp_resp::CertStatus::Revoked(revoked_info) => match revoked_info.revocation_reason { - Some(ref v) => Ok(crl::parse_crl_reason_flags(py, v)?.into_gil_ref()), - None => Ok(py.None().into_ref(py)), + Some(ref v) => Ok(crl::parse_crl_reason_flags(py, v)?), + None => Ok(py.None().into_bound(py)), }, ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { - Ok(py.None().into_ref(py)) + Ok(py.None().into_bound(py)) } } } @@ -579,7 +601,7 @@ fn create_ocsp_response( .extract()?; let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; let (responder_cert, responder_encoding): ( - &pyo3::PyCell, + pyo3::Bound<'_, x509::certificate::Certificate>, &pyo3::PyAny, ) = builder .getattr(pyo3::intern!(py, "_responder_id"))? @@ -735,7 +757,7 @@ fn create_ocsp_response( response_bytes, }; let data = asn1::write_single(&resp)?; - load_der_ocsp_response(py, pyo3::types::PyBytes::new(py, &data).into_py(py)) + load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { @@ -830,7 +852,10 @@ impl OCSPSingleResponse { } #[getter] - fn certificate_status<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn certificate_status<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let single_resp = self.single_response(); singleresp_py_certificate_status(single_resp, py) } @@ -845,7 +870,10 @@ impl OCSPSingleResponse { } #[getter] - fn revocation_reason<'p>(&self, py: pyo3::Python<'p>) -> CryptographyResult<&'p pyo3::PyAny> { + fn revocation_reason<'p>( + &self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { let single_resp = self.single_response(); singleresp_py_revocation_reason(single_resp, py) } From 4acc8eddd004b71a85f89e7986822eb9f637ad96 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 13:53:33 -0400 Subject: [PATCH 398/868] Convert more sign functions to new pyo3 APIs (#10734) --- src/rust/src/pkcs7.rs | 24 ++++++++--- src/rust/src/x509/certificate.rs | 12 +++--- src/rust/src/x509/crl.rs | 21 ++++++--- src/rust/src/x509/csr.rs | 14 +++--- src/rust/src/x509/ocsp_resp.rs | 12 +++--- src/rust/src/x509/sign.rs | 73 ++++++++++++++++---------------- src/rust/src/x509/verify.rs | 2 +- 7 files changed, 90 insertions(+), 68 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index e80a2406e2a2..d817b4d48b80 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -14,6 +14,7 @@ use openssl::pkcs7::Pkcs7; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; +use pyo3::PyNativeType; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; @@ -140,9 +141,9 @@ fn sign_and_serialize<'p>( None, x509::sign::sign_data( py, - py_private_key, - py_hash_alg, - rsa_padding, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), &data_with_header, )?, ) @@ -189,7 +190,13 @@ fn sign_and_serialize<'p>( Some(common::Asn1ReadableOrWritable::new_write( asn1::SetOfWriter::new(authenticated_attrs), )), - x509::sign::sign_data(py, py_private_key, py_hash_alg, rsa_padding, &signed_data)?, + x509::sign::sign_data( + py, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &signed_data, + )?, ) }; @@ -279,7 +286,7 @@ fn compute_pkcs7_signature_algorithm<'p>( hash_algorithm: &'p pyo3::PyAny, rsa_padding: &'p pyo3::PyAny, ) -> pyo3::PyResult> { - let key_type = x509::sign::identify_key_type(py, private_key)?; + let key_type = x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())?; let has_pss_padding = rsa_padding.is_instance(types::PSS.get(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). @@ -289,7 +296,12 @@ fn compute_pkcs7_signature_algorithm<'p>( params: common::AlgorithmParameters::Rsa(Some(())), }) } else { - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding) + x509::sign::compute_signature_algorithm( + py, + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + ) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index f8cb944894f8..d6751b7d0861 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -924,9 +924,9 @@ fn create_x509_certificate( ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), )?; let der = types::ENCODING_DER.get(py)?; @@ -974,9 +974,9 @@ fn create_x509_certificate( let tbs_bytes = asn1::write_single(&tbs_cert)?; let signature = x509::sign::sign_data( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), &tbs_bytes, )?; let data = asn1::write_single(&cryptography_x509::certificate::Certificate { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 3a02eb6788b7..888fb114966b 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -433,11 +433,11 @@ impl CertificateRevocationList { // Error on invalid public key -- below we treat any error as just // being an invalid signature. - sign::identify_public_key_type(py, public_key.clone().into_gil_ref())?; + sign::identify_public_key_type(py, public_key.clone())?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key.into_gil_ref(), + public_key, &slf.owned.borrow_dependent().signature_algorithm, slf.owned.borrow_dependent().signature_value.as_bytes(), &asn1::write_single(&slf.owned.borrow_dependent().tbs_cert_list)?, @@ -646,8 +646,12 @@ fn create_x509_crl( hash_algorithm: &pyo3::PyAny, rsa_padding: &pyo3::PyAny, ) -> CryptographyResult { - let sigalg = - x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding)?; + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + )?; let mut revoked_certs = vec![]; for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? @@ -701,8 +705,13 @@ fn create_x509_crl( }; let tbs_bytes = asn1::write_single(&tbs_cert_list)?; - let signature = - x509::sign::sign_data(py, private_key, hash_algorithm, rsa_padding, &tbs_bytes)?; + let signature = x509::sign::sign_data( + py, + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &tbs_bytes, + )?; let data = asn1::write_single(&crl::CertificateRevocationList { tbs_cert_list, signature_algorithm: sigalg, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 66b365115043..f79c84fd84b2 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -234,7 +234,7 @@ impl CertificateSigningRequest { let public_key = slf.public_key(py)?; Ok(sign::verify_signature_with_signature_algorithm( py, - public_key.bind(py).clone().into_gil_ref(), + public_key.bind(py).clone(), &slf.raw.borrow_dependent().signature_alg, slf.raw.borrow_dependent().signature.as_bytes(), &asn1::write_single(&slf.raw.borrow_dependent().csr_info)?, @@ -301,9 +301,9 @@ fn create_x509_csr( ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), )?; let der = types::ENCODING_DER.get(py)?; @@ -368,9 +368,9 @@ fn create_x509_csr( let tbs_bytes = asn1::write_single(&csr_info)?; let signature = x509::sign::sign_data( py, - private_key.clone().into_gil_ref(), - hash_algorithm.clone().into_gil_ref(), - rsa_padding.clone().into_gil_ref(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), &tbs_bytes, )?; let data = asn1::write_single(&Csr { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index df1ce0dd3fbc..c83f5600afbb 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -704,16 +704,16 @@ fn create_ocsp_response( let sigalg = x509::sign::compute_signature_algorithm( py, - private_key, - hash_algorithm, - py.None().into_ref(py), + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + py.None().into_bound(py), )?; let tbs_bytes = asn1::write_single(&tbs_response_data)?; let signature = x509::sign::sign_data( py, - private_key, - hash_algorithm, - py.None().into_ref(py), + private_key.as_borrowed().to_owned(), + hash_algorithm.as_borrowed().to_owned(), + py.None().into_bound(py), &tbs_bytes, )?; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index e1d2b877938c..72938687791e 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -52,17 +52,17 @@ enum HashType { pub(crate) fn identify_key_type( py: pyo3::Python<'_>, - private_key: &pyo3::PyAny, + private_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if private_key.is_instance(types::RSA_PRIVATE_KEY.get(py)?)? { + if private_key.is_instance(&types::RSA_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Rsa) - } else if private_key.is_instance(types::DSA_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::DSA_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Dsa) - } else if private_key.is_instance(types::ELLIPTIC_CURVE_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::ELLIPTIC_CURVE_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Ec) - } else if private_key.is_instance(types::ED25519_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::ED25519_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Ed25519) - } else if private_key.is_instance(types::ED448_PRIVATE_KEY.get(py)?)? { + } else if private_key.is_instance(&types::ED448_PRIVATE_KEY.get_bound(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -73,13 +73,13 @@ pub(crate) fn identify_key_type( fn identify_hash_type( py: pyo3::Python<'_>, - hash_algorithm: &pyo3::PyAny, + hash_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { if hash_algorithm.is_none() { return Ok(HashType::None); } - if !hash_algorithm.is_instance(types::HASH_ALGORITHM.get(py)?)? { + if !hash_algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { return Err(pyo3::exceptions::PyTypeError::new_err( "Algorithm must be a registered hash algorithm.", )); @@ -105,17 +105,17 @@ fn identify_hash_type( fn compute_pss_salt_length<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult { let py_saltlen = rsa_padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if py_saltlen.is_instance(types::PADDING_MAX_LENGTH.get(py)?)? { + if py_saltlen.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { types::CALCULATE_MAX_PSS_SALT_LENGTH - .get(py)? + .get_bound(py)? .call1((private_key, hash_algorithm))? .extract::() - } else if py_saltlen.is_instance(types::PADDING_DIGEST_LENGTH.get(py)?)? { + } else if py_saltlen.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { hash_algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::() @@ -130,26 +130,27 @@ fn compute_pss_salt_length<'p>( pub(crate) fn compute_signature_algorithm<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { - let key_type = identify_key_type(py, private_key)?; - let hash_type = identify_hash_type(py, hash_algorithm)?; + let key_type = identify_key_type(py, private_key.clone())?; + let hash_type = identify_hash_type(py, hash_algorithm.clone())?; // If this is RSA-PSS we need to compute the signature algorithm from the // parameters provided in rsa_padding. - if rsa_padding.is_instance(types::PSS.get(py)?)? { + if rsa_padding.is_instance(&types::PSS.get_bound(py)?)? { let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?; let hash_algorithm_id = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: hash_alg_params, }; - let salt_length = compute_pss_salt_length(py, private_key, hash_algorithm, rsa_padding)?; + let salt_length = + compute_pss_salt_length(py, private_key, hash_algorithm, rsa_padding.clone())?; let py_mgf_alg = rsa_padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?; - let mgf_hash_type = identify_hash_type(py, py_mgf_alg)?; + let mgf_hash_type = identify_hash_type(py, py_mgf_alg.as_borrowed().to_owned())?; let mgf_alg = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: identify_alg_params_for_hash_type(mgf_hash_type)?, @@ -281,25 +282,25 @@ pub(crate) fn compute_signature_algorithm<'p>( pub(crate) fn sign_data<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], ) -> pyo3::PyResult<&'p [u8]> { - let key_type = identify_key_type(py, private_key)?; + let key_type = identify_key_type(py, private_key.clone())?; let signature = match key_type { KeyType::Ed25519 | KeyType::Ed448 => { private_key.call_method1(pyo3::intern!(py, "sign"), (data,))? } KeyType::Ec => { - let ecdsa = types::ECDSA.get(py)?.call1((hash_algorithm,))?; + let ecdsa = types::ECDSA.get_bound(py)?.call1((hash_algorithm,))?; private_key.call_method1(pyo3::intern!(py, "sign"), (data, ecdsa))? } KeyType::Rsa => { let mut padding = rsa_padding; if padding.is_none() { - padding = types::PKCS1V15.get(py)?.call0()?; + padding = types::PKCS1V15.get_bound(py)?.call0()?; } private_key.call_method1(pyo3::intern!(py, "sign"), (data, padding, hash_algorithm))? } @@ -312,12 +313,12 @@ pub(crate) fn sign_data<'p>( pub(crate) fn verify_signature_with_signature_algorithm<'p>( py: pyo3::Python<'p>, - issuer_public_key: &'p pyo3::PyAny, + issuer_public_key: pyo3::Bound<'p, pyo3::PyAny>, signature_algorithm: &common::AlgorithmIdentifier<'_>, signature: &[u8], data: &[u8], ) -> CryptographyResult<()> { - let key_type = identify_public_key_type(py, issuer_public_key)?; + let key_type = identify_public_key_type(py, issuer_public_key.clone())?; let sig_key_type = identify_key_type_for_algorithm_params(&signature_algorithm.params)?; if key_type != sig_key_type { return Err(CryptographyError::from( @@ -356,17 +357,17 @@ pub(crate) fn verify_signature_with_signature_algorithm<'p>( pub(crate) fn identify_public_key_type( py: pyo3::Python<'_>, - public_key: &pyo3::PyAny, + public_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if public_key.is_instance(types::RSA_PUBLIC_KEY.get(py)?)? { + if public_key.is_instance(&types::RSA_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Rsa) - } else if public_key.is_instance(types::DSA_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::DSA_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Dsa) - } else if public_key.is_instance(types::ELLIPTIC_CURVE_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::ELLIPTIC_CURVE_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Ec) - } else if public_key.is_instance(types::ED25519_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::ED25519_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Ed25519) - } else if public_key.is_instance(types::ED448_PUBLIC_KEY.get(py)?)? { + } else if public_key.is_instance(&types::ED448_PUBLIC_KEY.get_bound(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index e327a09eb4c9..570184cc1882 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -39,7 +39,7 @@ impl CryptoOps for PyCryptoOps { pyo3::Python::with_gil(|py| -> CryptographyResult<()> { sign::verify_signature_with_signature_algorithm( py, - key.as_ref(py), + key.bind(py).clone(), &cert.signature_alg, cert.signature.as_bytes(), &asn1::write_single(&cert.tbs_cert)?, From 6e58a58f80fb7def82f754007b4db0c45039a1a0 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 20:45:49 +0200 Subject: [PATCH 399/868] Convert `src/x509/crl.rs` to new pyo3 APIs (#10744) --- src/rust/src/x509/crl.rs | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 888fb114966b..4a68cb028e10 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -14,7 +14,7 @@ use cryptography_x509::{ name, oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; -use pyo3::{PyNativeType, ToPyObject}; +use pyo3::ToPyObject; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -641,16 +641,16 @@ pub fn parse_crl_entry_ext<'p>( #[pyo3::prelude::pyfunction] fn create_x509_crl( py: pyo3::Python<'_>, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, - rsa_padding: &pyo3::PyAny, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, + rsa_padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + private_key.to_owned(), + hash_algorithm.to_owned(), + rsa_padding.to_owned(), )?; let mut revoked_certs = vec![]; for py_revoked_cert in builder @@ -672,7 +672,10 @@ fn create_x509_crl( )?, raw_crl_entry_extensions: x509::common::encode_extensions( py, - py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, + py_revoked_cert + .getattr(pyo3::intern!(py, "extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }); @@ -699,7 +702,10 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }; From 1868ba1a3cc34956ca28d36f59461f20d4597ce9 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 21:52:24 +0200 Subject: [PATCH 400/868] Convert module-related code to new pyo3 APIs (#10745) --- src/rust/src/backend/mod.rs | 38 +++++++++++++++++++--------------- src/rust/src/lib.rs | 36 ++++++++++++++++++-------------- src/rust/src/x509/ocsp_req.rs | 10 +++++---- src/rust/src/x509/ocsp_resp.rs | 13 ++++++++---- 4 files changed, 57 insertions(+), 40 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 062b9a85ecf5..dd7620c19e2c 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyModuleMethods; + pub(crate) mod aead; pub(crate) mod cipher_registry; pub(crate) mod ciphers; @@ -23,29 +25,31 @@ pub(crate) mod x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod x448; -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_submodule(aead::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ciphers::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(cmac::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(dh::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(dsa::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(ec::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(keys::create_module(module.py())?.into_gil_ref())?; +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_submodule(&aead::create_module(module.py())?)?; + module.add_submodule(&ciphers::create_module(module.py())?)?; + module.add_submodule(&cmac::create_module(module.py())?)?; + module.add_submodule(&dh::create_module(module.py())?)?; + module.add_submodule(&dsa::create_module(module.py())?)?; + module.add_submodule(&ec::create_module(module.py())?)?; + module.add_submodule(&keys::create_module(module.py())?)?; - module.add_submodule(ed25519::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(ed448::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&ed448::create_module(module.py())?)?; - module.add_submodule(x25519::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&x25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(x448::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&x448::create_module(module.py())?)?; - module.add_submodule(poly1305::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&poly1305::create_module(module.py())?)?; - module.add_submodule(hashes::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(hmac::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(kdf::create_module(module.py())?.into_gil_ref())?; - module.add_submodule(rsa::create_module(module.py())?.into_gil_ref())?; + module.add_submodule(&hashes::create_module(module.py())?)?; + module.add_submodule(&hmac::create_module(module.py())?)?; + module.add_submodule(&kdf::create_module(module.py())?)?; + module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 2fe5777b7d8f..ac076e667f4e 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -91,15 +91,21 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { } #[pyo3::prelude::pymodule] -fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> { - m.add_function(pyo3::wrap_pyfunction!(padding::check_pkcs7_padding, m)?)?; - m.add_function(pyo3::wrap_pyfunction!(padding::check_ansix923_padding, m)?)?; +fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + m.add_function(pyo3::wrap_pyfunction_bound!( + padding::check_pkcs7_padding, + m + )?)?; + m.add_function(pyo3::wrap_pyfunction_bound!( + padding::check_ansix923_padding, + m + )?)?; m.add_class::()?; - m.add_submodule(asn1::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(pkcs7::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?; - m.add_submodule(exceptions::create_submodule(py)?.into_gil_ref())?; + m.add_submodule(&asn1::create_submodule(py)?)?; + m.add_submodule(&pkcs7::create_submodule(py)?)?; + m.add_submodule(&pkcs12::create_submodule(py)?)?; + m.add_submodule(&exceptions::create_submodule(py)?)?; let x509_mod = pyo3::prelude::PyModule::new_bound(py, "x509")?; crate::x509::certificate::add_to_module(&x509_mod)?; @@ -108,14 +114,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> crate::x509::csr::add_to_module(&x509_mod)?; crate::x509::sct::add_to_module(&x509_mod)?; crate::x509::verify::add_to_module(&x509_mod)?; - m.add_submodule(x509_mod.into_gil_ref())?; + m.add_submodule(&x509_mod)?; - let ocsp_mod = pyo3::prelude::PyModule::new(py, "ocsp")?; - crate::x509::ocsp_req::add_to_module(ocsp_mod)?; - crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; - m.add_submodule(ocsp_mod)?; + let ocsp_mod = pyo3::prelude::PyModule::new_bound(py, "ocsp")?; + crate::x509::ocsp_req::add_to_module(&ocsp_mod)?; + crate::x509::ocsp_resp::add_to_module(&ocsp_mod)?; + m.add_submodule(&ocsp_mod)?; - m.add_submodule(cryptography_cffi::create_module(py)?.into_gil_ref())?; + m.add_submodule(&cryptography_cffi::create_module(py)?)?; let openssl_mod = pyo3::prelude::PyModule::new_bound(py, "openssl")?; openssl_mod.add( @@ -161,8 +167,8 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()> )?)?; openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(is_fips_enabled, &openssl_mod)?)?; openssl_mod.add_class::()?; - crate::backend::add_to_module(openssl_mod.clone().into_gil_ref())?; - m.add_submodule(openssl_mod.into_gil_ref())?; + crate::backend::add_to_module(&openssl_mod)?; + m.add_submodule(&openssl_mod)?; Ok(()) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 846fefae6c8b..d5c1d071d27f 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -234,9 +234,11 @@ fn create_ocsp_request( load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_ocsp_request, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_ocsp_request, module)?)?; +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; Ok(()) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index c83f5600afbb..b70f55b684c0 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods}; +use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; @@ -760,9 +760,14 @@ fn create_ocsp_response( load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction!(load_der_ocsp_response, module)?)?; - module.add_function(pyo3::wrap_pyfunction!(create_ocsp_response, module)?)?; +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + load_der_ocsp_response, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; Ok(()) } From 5b50868544cbe32c03668f9cb5054a141c7b2b4d Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 22:38:43 +0200 Subject: [PATCH 401/868] Misc oscp pyo3 migrations (#10748) * Misc. migrations for `x509/ocsp*.rs` files to new pyo3 APIs * Fix parameter to be Bound and run cargo fmt --- src/rust/src/pkcs7.rs | 118 +++++++++++++++++---------------- src/rust/src/x509/ocsp.rs | 8 +-- src/rust/src/x509/ocsp_req.rs | 3 +- src/rust/src/x509/ocsp_resp.rs | 20 +++--- 4 files changed, 77 insertions(+), 72 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index d817b4d48b80..085d5e891528 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -134,71 +134,73 @@ fn sign_and_serialize<'p>( .map(|p| p.raw.borrow_dependent()) .collect::>(); for (cert, py_private_key, py_hash_alg, rsa_padding) in &py_signers { - let (authenticated_attrs, signature) = if options - .contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? - { - ( - None, - x509::sign::sign_data( + let (authenticated_attrs, signature) = + if options.contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? { + ( + None, + x509::sign::sign_data( + py, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &data_with_header, + )?, + ) + } else { + let mut authenticated_attrs = vec![ + Attribute { + type_id: PKCS7_CONTENT_TYPE_OID, + values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + [asn1::parse_single(&content_type_bytes).unwrap()], + )), + }, + Attribute { + type_id: PKCS7_SIGNING_TIME_OID, + values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + [asn1::parse_single(&signing_time_bytes).unwrap()], + )), + }, + ]; + + let digest = asn1::write_single(&x509::ocsp::hash_data( py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + &py_hash_alg.as_borrowed(), &data_with_header, - )?, - ) - } else { - let mut authenticated_attrs = vec![ - Attribute { - type_id: PKCS7_CONTENT_TYPE_OID, - values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&content_type_bytes).unwrap(), - ])), - }, - Attribute { - type_id: PKCS7_SIGNING_TIME_OID, - values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&signing_time_bytes).unwrap(), - ])), - }, - ]; - - let digest = - asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?)?; - // Gross hack: copy to PyBytes to extend the lifetime to 'p - let digest_bytes = pyo3::types::PyBytes::new(py, &digest); - authenticated_attrs.push(Attribute { - type_id: PKCS7_MESSAGE_DIGEST_OID, - values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(digest_bytes.as_bytes()).unwrap(), - ])), - }); - - if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { + )?)?; + // Gross hack: copy to PyBytes to extend the lifetime to 'p + let digest_bytes = pyo3::types::PyBytes::new(py, &digest); authenticated_attrs.push(Attribute { - type_id: PKCS7_SMIME_CAP_OID, + type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&smime_cap_bytes).unwrap(), + asn1::parse_single(digest_bytes.as_bytes()).unwrap(), ])), }); - } - - let signed_data = - asn1::write_single(&asn1::SetOfWriter::new(authenticated_attrs.as_slice()))?; - ( - Some(common::Asn1ReadableOrWritable::new_write( - asn1::SetOfWriter::new(authenticated_attrs), - )), - x509::sign::sign_data( - py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), - &signed_data, - )?, - ) - }; + if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { + authenticated_attrs.push(Attribute { + type_id: PKCS7_SMIME_CAP_OID, + values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( + [asn1::parse_single(&smime_cap_bytes).unwrap()], + )), + }); + } + + let signed_data = + asn1::write_single(&asn1::SetOfWriter::new(authenticated_attrs.as_slice()))?; + + ( + Some(common::Asn1ReadableOrWritable::new_write( + asn1::SetOfWriter::new(authenticated_attrs), + )), + x509::sign::sign_data( + py, + py_private_key.as_borrowed().to_owned(), + py_hash_alg.as_borrowed().to_owned(), + rsa_padding.as_borrowed().to_owned(), + &signed_data, + )?, + ) + }; let digest_alg = x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[py_hash_alg .getattr(pyo3::intern!(py, "name"))? diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 10590354b8df..0dbdb4b4eeb6 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -7,7 +7,7 @@ use std::collections::HashMap; use cryptography_x509::common; use cryptography_x509::ocsp_req::CertID; use once_cell::sync::Lazy; -use pyo3::PyNativeType; +use pyo3::prelude::PyAnyMethods; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; @@ -76,7 +76,7 @@ pub(crate) fn certid_new<'p>( py: pyo3::Python<'p>, cert: &'p Certificate, issuer: &'p Certificate, - hash_algorithm: &'p pyo3::PyAny, + hash_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let issuer_der = asn1::write_single(&cert.raw.borrow_dependent().tbs_cert.issuer)?; let issuer_name_hash = hash_data(py, hash_algorithm, &issuer_der)?; @@ -123,10 +123,10 @@ pub(crate) fn certid_new_from_hash<'p>( pub(crate) fn hash_data<'p>( py: pyo3::Python<'p>, - py_hash_alg: &'p pyo3::PyAny, + py_hash_alg: &pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], ) -> pyo3::PyResult<&'p [u8]> { - let mut h = Hash::new(py, &py_hash_alg.as_borrowed(), None)?; + let mut h = Hash::new(py, py_hash_alg, None)?; h.update_bytes(data)?; Ok(h.finalize(py)?.into_gil_ref().as_bytes()) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index d5c1d071d27f..32cb7e6a2e22 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -8,6 +8,7 @@ use cryptography_x509::{ oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -187,7 +188,7 @@ fn create_ocsp_request( py_cert = tuple.0; py_issuer = tuple.1; py_hash = tuple.2; - ocsp::certid_new(py, &py_cert, &py_issuer, py_hash)? + ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash.as_borrowed())? } else { let (issuer_name_hash, issuer_key_hash, py_serial, py_hash): ( &[u8], diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index b70f55b684c0..394c3bdea577 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -11,7 +11,6 @@ use cryptography_x509::{ oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; -use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -578,10 +577,10 @@ fn singleresp_py_revocation_time<'p>( #[pyo3::prelude::pyfunction] fn create_ocsp_response( py: pyo3::Python<'_>, - status: &pyo3::PyAny, - builder: &pyo3::PyAny, - private_key: &pyo3::PyAny, - hash_algorithm: &pyo3::PyAny, + status: &pyo3::Bound<'_, pyo3::PyAny>, + builder: &pyo3::Bound<'_, pyo3::PyAny>, + private_key: &pyo3::Bound<'_, pyo3::PyAny>, + hash_algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let response_status = status .getattr(pyo3::intern!(py, "value"))? @@ -656,7 +655,7 @@ fn create_ocsp_response( )?)?; let responses = vec![SingleResponse { - cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, py_cert_hash_algorithm)?, + cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, cert_status, next_update, this_update, @@ -665,10 +664,10 @@ fn create_ocsp_response( borrowed_cert = responder_cert.borrow(); let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { - let sha1 = types::SHA1.get(py)?.call0()?; + let sha1 = types::SHA1.get_bound(py)?.call0()?; ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, - sha1, + &sha1, borrowed_cert .raw .borrow_dependent() @@ -697,7 +696,10 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, - builder.getattr(pyo3::intern!(py, "_extensions"))?, + builder + .getattr(pyo3::intern!(py, "_extensions"))? + .clone() + .into_gil_ref(), extensions::encode_extension, )?, }; From 2e345f26d4826d14366ff02bfd0760e3417d1963 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Fri, 5 Apr 2024 23:41:55 +0200 Subject: [PATCH 402/868] Migrate more `x509/extensions.rs` APIs to new pyo3 APIs (and other migrations) (#10749) * Migrate `encode_der_data` to new pyo3 APIs * Convert more `x509/extensions.rs` APIs to the new pyo3 APIs * Remove redundant function calls --- src/rust/src/asn1.rs | 2 +- src/rust/src/backend/dh.rs | 2 +- src/rust/src/pkcs7.rs | 14 ++----------- src/rust/src/x509/certificate.rs | 14 ++----------- src/rust/src/x509/common.rs | 12 +++++------ src/rust/src/x509/crl.rs | 12 +++-------- src/rust/src/x509/csr.rs | 11 ++-------- src/rust/src/x509/extensions.rs | 35 ++++++++++++++++++-------------- src/rust/src/x509/ocsp_req.rs | 5 +---- src/rust/src/x509/ocsp_resp.rs | 5 +---- 10 files changed, 39 insertions(+), 73 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 62cbd069bfd9..35de6049382a 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -97,7 +97,7 @@ pub(crate) fn encode_der_data<'p>( py: pyo3::Python<'p>, pem_tag: String, data: Vec, - encoding: &'p pyo3::PyAny, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { if encoding.is(&types::ENCODING_DER.get_bound(py)?) { Ok(pyo3::types::PyBytes::new_bound(py, &data)) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index e52b8760212c..9d597b9ec216 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -369,7 +369,7 @@ impl DHParameters { } else { "X9.42 DH PARAMETERS" }; - encode_der_data(py, tag.to_string(), data, encoding.into_gil_ref()) + encode_der_data(py, tag.to_string(), data, &encoding) } } diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 085d5e891528..977d0c912eed 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -77,12 +77,7 @@ fn serialize_certificates<'p>( }; let content_info_bytes = asn1::write_single(&content_info)?; - encode_der_data( - py, - "PKCS7".to_string(), - content_info_bytes, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) } #[pyo3::prelude::pyfunction] @@ -273,12 +268,7 @@ fn sign_and_serialize<'p>( .extract()?) } else { // Handles the DER, PEM, and error cases - encode_der_data( - py, - "PKCS7".to_string(), - ci_bytes, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index d6751b7d0861..02c3f857636d 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -103,14 +103,7 @@ impl Certificate { ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - Ok(encode_der_data( - py, - "CERTIFICATE".to_string(), - result, - encoding.clone().into_gil_ref(), - )? - .as_borrowed() - .to_owned()) + encode_der_data(py, "CERTIFICATE".to_string(), result, encoding) } #[getter] @@ -963,10 +956,7 @@ fn create_x509_certificate( subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 4d4951821ca2..ee4b0a3e408c 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -9,7 +9,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::types::IntoPyDict; -use pyo3::{IntoPy, PyNativeType, ToPyObject}; +use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -418,11 +418,11 @@ pub(crate) fn encode_extensions< F: Fn( pyo3::Python<'_>, &asn1::ObjectIdentifier, - &pyo3::PyAny, + &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult>>, >( py: pyo3::Python<'p>, - py_exts: &'p pyo3::PyAny, + py_exts: &pyo3::Bound<'p, pyo3::PyAny>, encode_ext: F, ) -> pyo3::PyResult>> { let mut exts = vec![]; @@ -435,7 +435,7 @@ pub(crate) fn encode_extensions< let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; - if ext_val.is_instance(types::UNRECOGNIZED_EXTENSION.get(py)?)? { + if ext_val.is_instance(&types::UNRECOGNIZED_EXTENSION.get_bound(py)?)? { exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, @@ -445,7 +445,7 @@ pub(crate) fn encode_extensions< }); continue; } - match encode_ext(py, &oid, ext_val)? { + match encode_ext(py, &oid, &ext_val)? { Some(data) => { // TODO: extra copy let py_data = pyo3::types::PyBytes::new_bound(py, &data); @@ -477,7 +477,7 @@ fn encode_extension_value<'p>( ) -> pyo3::PyResult> { let oid = py_oid_to_oid(py_ext.getattr(pyo3::intern!(py, "oid"))?)?; - if let Some(data) = x509::extensions::encode_extension(py, &oid, py_ext.into_gil_ref())? { + if let Some(data) = x509::extensions::encode_extension(py, &oid, &py_ext)? { // TODO: extra copy let py_data = pyo3::types::PyBytes::new_bound(py, &data); return Ok(py_data); diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4a68cb028e10..c57917709414 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -239,7 +239,7 @@ impl CertificateRevocationList { ) -> CryptographyResult> { let result = asn1::write_single(&self.owned.borrow_dependent())?; - encode_der_data(py, "X509 CRL".to_string(), result, encoding.into_gil_ref()) + encode_der_data(py, "X509 CRL".to_string(), result, &encoding) } #[getter] @@ -672,10 +672,7 @@ fn create_x509_crl( )?, raw_crl_entry_extensions: x509::common::encode_extensions( py, - py_revoked_cert - .getattr(pyo3::intern!(py, "extensions"))? - .clone() - .into_gil_ref(), + &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, extensions::encode_extension, )?, }); @@ -702,10 +699,7 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index f79c84fd84b2..6049a5be2d51 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -123,12 +123,7 @@ impl CertificateSigningRequest { ) -> CryptographyResult> { let result = asn1::write_single(self.raw.borrow_dependent())?; - encode_der_data( - py, - "CERTIFICATE REQUEST".to_string(), - result, - encoding.clone().into_gil_ref(), - ) + encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding) } fn get_attribute_for_oid<'p>( @@ -317,9 +312,7 @@ fn create_x509_csr( let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, x509::extensions::encode_extension, )? { ext_bytes = asn1::write_single(&exts)?; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index bbba8170d416..3e0b7ec83822 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -13,7 +13,7 @@ use pyo3::PyNativeType; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, - subtrees: &'a pyo3::PyAny, + subtrees: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { if subtrees.is_none() { Ok(None) @@ -35,7 +35,7 @@ fn encode_general_subtrees<'a>( pub(crate) fn encode_authority_key_identifier<'a>( py: pyo3::Python<'a>, - py_aki: &'a pyo3::PyAny, + py_aki: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyAuthorityKeyIdentifier<'a> { @@ -68,7 +68,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( pub(crate) fn encode_distribution_points<'p>( py: pyo3::Python<'p>, - py_dps: &'p pyo3::PyAny, + py_dps: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyDistributionPoint<'a> { @@ -123,7 +123,7 @@ pub(crate) fn encode_distribution_points<'p>( Ok(asn1::write_single(&asn1::SequenceOfWriter::new(dps))?) } -fn encode_basic_constraints(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_basic_constraints(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyBasicConstraints { ca: bool, @@ -137,7 +137,10 @@ fn encode_basic_constraints(ext: &pyo3::PyAny) -> CryptographyResult> { Ok(asn1::write_single(&bc)?) } -fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_key_usage( + py: pyo3::Python<'_>, + ext: &pyo3::Bound<'_, pyo3::PyAny>, +) -> CryptographyResult> { let mut bs = [0, 0]; certificate::set_bit( &mut bs, @@ -212,7 +215,7 @@ fn encode_key_usage(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResu fn encode_certificate_policies( py: pyo3::Python<'_>, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let mut policy_informations = vec![]; for py_policy_info in ext.iter()? { @@ -303,7 +306,7 @@ fn encode_certificate_policies( fn encode_issuing_distribution_point( py: pyo3::Python<'_>, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? @@ -328,8 +331,7 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - let bound_name_entry = &py_name_entry?.as_borrowed(); - name_entries.push(x509::common::encode_name_entry(ext.py(), bound_name_entry)?); + name_entries.push(x509::common::encode_name_entry(ext.py(), &py_name_entry?)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -355,7 +357,7 @@ fn encode_issuing_distribution_point( Ok(asn1::write_single(&idp)?) } -fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_oid_sequence(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut oids = vec![]; for el in ext.iter()? { let oid = py_oid_to_oid(el?.as_borrowed().to_owned())?; @@ -364,7 +366,10 @@ fn encode_oid_sequence(ext: &pyo3::PyAny) -> CryptographyResult> { Ok(asn1::write_single(&asn1::SequenceOfWriter::new(oids))?) } -fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_tls_features( + py: pyo3::Python<'_>, + ext: &pyo3::Bound<'_, pyo3::PyAny>, +) -> CryptographyResult> { // Ideally we'd skip building up a vec and just write directly into the // writer. This isn't possible at the moment because the callback to write // an asn1::Sequence can't return an error, and we need to handle errors @@ -377,7 +382,7 @@ fn encode_tls_features(py: pyo3::Python<'_>, ext: &pyo3::PyAny) -> CryptographyR Ok(asn1::write_single(&asn1::SequenceOfWriter::new(els))?) } -fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { +fn encode_scts(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut length = 0; for sct in ext.iter()? { let sct = sct?.as_borrowed().downcast::()?.clone(); @@ -397,7 +402,7 @@ fn encode_scts(ext: &pyo3::PyAny) -> CryptographyResult> { pub(crate) fn encode_extension( py: pyo3::Python<'_>, oid: &asn1::ObjectIdentifier, - ext: &pyo3::PyAny, + ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult>> { match oid { &oid::BASIC_CONSTRAINTS_OID => { @@ -441,8 +446,8 @@ pub(crate) fn encode_extension( let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; let nc = extensions::NameConstraints { - permitted_subtrees: encode_general_subtrees(ext.py(), permitted)?, - excluded_subtrees: encode_general_subtrees(ext.py(), excluded)?, + permitted_subtrees: encode_general_subtrees(ext.py(), &permitted)?, + excluded_subtrees: encode_general_subtrees(ext.py(), &excluded)?, }; Ok(Some(asn1::write_single(&nc)?)) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 32cb7e6a2e22..d74f33947312 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -210,10 +210,7 @@ fn create_ocsp_request( let extensions = x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?; let reqs = [ocsp_req::Request { diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 394c3bdea577..3b9e11531f94 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -696,10 +696,7 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, - builder - .getattr(pyo3::intern!(py, "_extensions"))? - .clone() - .into_gil_ref(), + &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, }; From 6633a4ded4636aa2079eb5de436d5b9899022b24 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 17:43:57 -0400 Subject: [PATCH 403/868] Fixed lifetime/scoping error with gil-refs disabled (#10747) --- src/rust/src/x509/ocsp_req.rs | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index d74f33947312..ec59ffdaf188 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -8,7 +8,6 @@ use cryptography_x509::{ oid, }; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; -use pyo3::PyNativeType; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -174,37 +173,28 @@ fn create_ocsp_request( let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; // Declare outside the if-block so the lifetimes are right. - let (py_cert, py_issuer, py_hash): ( + let (py_cert, py_issuer, py_hash, issuer_name_hash, issuer_key_hash): ( pyo3::PyRef<'_, x509::certificate::Certificate>, pyo3::PyRef<'_, x509::certificate::Certificate>, - &pyo3::PyAny, + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::pybacked::PyBackedBytes, + pyo3::pybacked::PyBackedBytes, ); let req_cert = if !builder_request.is_none() { - let tuple = builder_request.extract::<( - pyo3::PyRef<'_, x509::certificate::Certificate>, - pyo3::PyRef<'_, x509::certificate::Certificate>, - &pyo3::PyAny, - )>()?; - py_cert = tuple.0; - py_issuer = tuple.1; - py_hash = tuple.2; - ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash.as_borrowed())? + (py_cert, py_issuer, py_hash) = builder_request.extract()?; + ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash)? } else { - let (issuer_name_hash, issuer_key_hash, py_serial, py_hash): ( - &[u8], - &[u8], - pyo3::Bound<'_, pyo3::types::PyLong>, - &pyo3::PyAny, - ) = builder + let py_serial: pyo3::Bound<'_, pyo3::types::PyLong>; + (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder .getattr(pyo3::intern!(py, "_request_hash"))? .extract()?; let serial_number = asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(); ocsp::certid_new_from_hash( py, - issuer_name_hash, - issuer_key_hash, + &issuer_name_hash, + &issuer_key_hash, serial_number, - py_hash, + py_hash.into_gil_ref(), )? }; From 28beda0d53749d1b7958cf38aabe163db43dcf85 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 17:44:12 -0400 Subject: [PATCH 404/868] Fix three more warnings in OCSP (#10746) --- src/rust/src/x509/ocsp_resp.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 3b9e11531f94..5038a2b0c994 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -703,15 +703,15 @@ fn create_ocsp_response( let sigalg = x509::sign::compute_signature_algorithm( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), + private_key.clone(), + hash_algorithm.clone(), py.None().into_bound(py), )?; let tbs_bytes = asn1::write_single(&tbs_response_data)?; let signature = x509::sign::sign_data( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), + private_key.clone(), + hash_algorithm.clone(), py.None().into_bound(py), &tbs_bytes, )?; From e41f97d314da54315f581da8b163e52c719df399 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 6 Apr 2024 00:15:49 +0000 Subject: [PATCH 405/868] Bump BoringSSL and/or OpenSSL in CI (#10753) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2f5973b153f6..e0f8828ff63e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a19553cd872047289d6fc730a864bf9d984283ce"}} + # Latest commit on the OpenSSL master branch, as of Apr 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0d2a5f600c7b6bef6fa6cf720204876560a6194b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 15b11864d1350aea6767884bb4c030a62892df77 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 23:21:22 -0400 Subject: [PATCH 406/868] Fix lifetimes for CSR attribtues with gil-refs disabled (#10752) --- src/rust/src/x509/csr.rs | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 6049a5be2d51..cc4b2dcbe9c5 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -324,14 +324,18 @@ fn create_x509_csr( }); } + let mut attr_values = vec![]; for py_attr in builder.getattr(pyo3::intern!(py, "_attributes"))?.iter()? { - let (py_oid, value, tag): (pyo3::Bound<'_, pyo3::PyAny>, &[u8], Option) = - py_attr?.extract()?; + let (py_oid, value, tag): ( + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::pybacked::PyBackedBytes, + Option, + ) = py_attr?.extract()?; let oid = py_oid_to_oid(py_oid)?; let tag = if let Some(tag) = tag { asn1::Tag::from_bytes(&[tag])?.0 } else { - if std::str::from_utf8(value).is_err() { + if std::str::from_utf8(&value).is_err() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Attribute values must be valid utf-8.", @@ -341,10 +345,14 @@ fn create_x509_csr( asn1::Utf8String::TAG }; + attr_values.push((oid, tag, value)); + } + + for (oid, tag, value) in &attr_values { attrs.push(Attribute { - type_id: oid, + type_id: oid.clone(), values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - common::RawTlv::new(tag, value), + common::RawTlv::new(*tag, value), ])), }); } From 85cc4e43112160876a6279613d763bb1080a6b92 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 23:41:14 -0400 Subject: [PATCH 407/868] Resolve new clippy warnings (#10755) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The fixes themselves are of marginal value 🙃 --- src/rust/src/x509/crl.rs | 17 ++++++++++++----- src/rust/src/x509/ocsp_resp.rs | 23 +++++++++++++++++------ 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c57917709414..7fb591d38506 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -471,11 +471,18 @@ fn try_map_arc_data_mut_crl_iterator( ) -> Result, E>, ) -> Result { OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_owner()), |inner_it| { - // SAFETY: This is safe because `Arc::clone` ensures the data is - // alive, but Rust doesn't understand the lifetime relationship it - // produces. Open-coded implementation of the API discussed in - // https://github.com/joshua-maros/ouroboros/issues/38 - it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) + it.with_dependent_mut(|_, value| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 + f(inner_it, unsafe { + std::mem::transmute::< + &mut Option>>, + &mut Option>>, + >(value) + }) + }) }) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 5038a2b0c994..8fd58e93616f 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -457,7 +457,11 @@ fn map_arc_data_ocsp_response( // alive, but Rust doesn't understand the lifetime relationship it // produces. Open-coded implementation of the API discussed in // https://github.com/joshua-maros/ouroboros/issues/38 - f(inner_it.as_bytes(py), unsafe { std::mem::transmute(value) }) + f(inner_it.as_bytes(py), unsafe { + std::mem::transmute::<&ocsp_resp::OCSPResponse<'_>, &ocsp_resp::OCSPResponse<'_>>( + value, + ) + }) }) }) } @@ -469,11 +473,18 @@ fn try_map_arc_data_mut_ocsp_response_iterator( ) -> Result, E>, ) -> Result { OwnedSingleResponse::try_new(Arc::clone(it.borrow_owner()), |inner_it| { - // SAFETY: This is safe because `Arc::clone` ensures the data is - // alive, but Rust doesn't understand the lifetime relationship it - // produces. Open-coded implementation of the API discussed in - // https://github.com/joshua-maros/ouroboros/issues/38 - it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) + it.with_dependent_mut(|_, value| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 + f(inner_it, unsafe { + std::mem::transmute::< + &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>, + &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>, + >(value) + }) + }) }) } From b93e165615217f0359992b333fa33fcf6f5cecf4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 23:41:57 -0400 Subject: [PATCH 408/868] Convert some types usage to bound (#10750) --- src/rust/src/backend/aead.rs | 39 +++++++++++++++++++++++++----------- src/rust/src/backend/dh.rs | 6 +++--- 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 55ac8b842dca..16ea74f20030 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -532,8 +532,8 @@ impl ChaCha20Poly1305 { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult<&pyo3::PyAny> { - Ok(types::OS_URANDOM.get(py)?.call1((32,))?) + fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult> { + Ok(types::OS_URANDOM.get_bound(py)?.call1((32,))?) } fn encrypt<'p>( @@ -638,14 +638,17 @@ impl AesGcm { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( @@ -746,14 +749,17 @@ impl AesCcm { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( @@ -876,14 +882,17 @@ impl AesSiv { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 256 && bit_length != 384 && bit_length != 512 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 256, 384, or 512"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (data, associated_data))] @@ -970,14 +979,17 @@ impl AesOcb3 { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] @@ -1076,14 +1088,17 @@ impl AesGcmSiv { } #[staticmethod] - fn generate_key(py: pyo3::Python<'_>, bit_length: usize) -> CryptographyResult<&pyo3::PyAny> { + fn generate_key( + py: pyo3::Python<'_>, + bit_length: usize, + ) -> CryptographyResult> { if bit_length != 128 && bit_length != 192 && bit_length != 256 { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("bit_length must be 128, 192, or 256"), )); } - Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 9d597b9ec216..70a57d50b57b 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -229,7 +229,7 @@ impl DHPrivateKey { format: &pyo3::Bound<'p, pyo3::PyAny>, encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { + if !format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH private keys support only PKCS8 serialization", @@ -263,7 +263,7 @@ impl DHPublicKey { encoding: &pyo3::Bound<'p, pyo3::PyAny>, format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { + if !format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH public keys support only SubjectPublicKeyInfo serialization", @@ -345,7 +345,7 @@ impl DHParameters { encoding: pyo3::Bound<'p, pyo3::PyAny>, format: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) { + if !format.is(&types::PARAMETER_FORMAT_PKCS3.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"), )); From 5f19fad7be68f75a4522ec88624114306f35294d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Apr 2024 23:44:01 -0400 Subject: [PATCH 409/868] Fix lifetimes for PKCS#7 digests with gil-refs disabled (#10751) --- src/rust/src/pkcs7.rs | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 977d0c912eed..58f36ec1a81f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -128,9 +128,21 @@ fn sign_and_serialize<'p>( .iter() .map(|p| p.raw.borrow_dependent()) .collect::>(); - for (cert, py_private_key, py_hash_alg, rsa_padding) in &py_signers { + + let mut digests = vec![]; + if !options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { + for (_, _, py_hash_alg, _) in &py_signers { + let digest = asn1::write_single(&x509::ocsp::hash_data( + py, + &py_hash_alg.as_borrowed(), + &data_with_header, + )?)?; + digests.push(digest); + } + } + for (i, (cert, py_private_key, py_hash_alg, rsa_padding)) in py_signers.iter().enumerate() { let (authenticated_attrs, signature) = - if options.contains(types::PKCS7_NO_ATTRIBUTES.get(py)?)? { + if options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { ( None, x509::sign::sign_data( @@ -157,17 +169,10 @@ fn sign_and_serialize<'p>( }, ]; - let digest = asn1::write_single(&x509::ocsp::hash_data( - py, - &py_hash_alg.as_borrowed(), - &data_with_header, - )?)?; - // Gross hack: copy to PyBytes to extend the lifetime to 'p - let digest_bytes = pyo3::types::PyBytes::new(py, &digest); authenticated_attrs.push(Attribute { type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(digest_bytes.as_bytes()).unwrap(), + asn1::parse_single(&digests[i]).unwrap(), ])), }); From 070ebf2d929f4fc3e96607a153fbad1600c36887 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 08:14:36 -0400 Subject: [PATCH 410/868] Fixed lifetime error in `csr.rs` with `gil-refs` disabled (#10756) --- src/rust/src/x509/csr.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index cc4b2dcbe9c5..5ee6c25e2a7b 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -306,7 +306,7 @@ fn create_x509_csr( let spki_bytes = private_key .call_method0(pyo3::intern!(py, "public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? - .extract::<&[u8]>()?; + .extract::()?; let mut attrs = vec![]; let ext_bytes; @@ -362,7 +362,7 @@ fn create_x509_csr( let csr_info = CertificationRequestInfo { version: 0, subject: x509::common::encode_name(py, &py_subject_name.as_borrowed())?, - spki: asn1::parse_single(spki_bytes)?, + spki: asn1::parse_single(&spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; From 5303b8d4213b6602b3cd30217165aa6319b33093 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 08:32:51 -0400 Subject: [PATCH 411/868] Fixed lifetime errors in `ec.rs` with `gil-refs` disabled (#10757) --- src/rust/src/backend/ec.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index a562bbf74e3b..30a36dd1ebf8 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -44,8 +44,8 @@ fn curve_from_py_curve( } } - let curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?.extract()?; - let nid = match curve_name { + let py_curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?; + let nid = match py_curve_name.extract()? { "secp192r1" => openssl::nid::Nid::X9_62_PRIME192V1, "secp224r1" => openssl::nid::Nid::SECP224R1, "secp256r1" => openssl::nid::Nid::X9_62_PRIME256V1, @@ -74,7 +74,7 @@ fn curve_from_py_curve( #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] "brainpoolP512r1" => openssl::nid::Nid::BRAINPOOL_P512R1, - _ => { + curve_name => { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( format!("Curve {curve_name} is not supported"), @@ -292,8 +292,8 @@ impl ECPrivateKey { if deterministic { let hash_function_name = algo .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?; - let hash_function = openssl::md::Md::fetch(None, hash_function_name, None)?; + .extract::()?; + let hash_function = openssl::md::Md::fetch(None, &hash_function_name, None)?; // Setting a deterministic nonce type requires to explicitly set the hash function. // See https://github.com/openssl/openssl/issues/23205 signer.set_signature_md(&hash_function)?; From dc14634f2090405b75880d9e824d358e8bda9766 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 09:28:34 -0400 Subject: [PATCH 412/868] Fixed lifetime error in `pkcs12.rs` with `gil-refs` disabled (#10758) --- src/rust/src/pkcs12.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 084cee6660bc..3fc765017710 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -57,8 +57,12 @@ impl PKCS12Certificate { } fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { + let py_friendly_name_repr; let friendly_name_repr = match &self.friendly_name { - Some(v) => v.bind(py).repr()?.extract()?, + Some(v) => { + py_friendly_name_repr = v.bind(py).repr()?; + py_friendly_name_repr.extract()? + } None => "None", }; Ok(format!( From 2ab8b23dd67295fb3ab8a1348c06535bc8040f33 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 09:29:37 -0400 Subject: [PATCH 413/868] Convert `src/types.rs` to new pyo3 APIs (#10754) --- src/rust/src/types.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index c3590948bf90..6200801be28b 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -2,6 +2,8 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use pyo3::prelude::PyAnyMethods; + pub struct LazyPyImport { module: &'static str, names: &'static [&'static str], @@ -26,11 +28,11 @@ impl LazyPyImport { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let p = self.value.get_or_try_init(py, || { - let mut obj = py.import(self.module)?.as_ref(); + let mut obj = py.import_bound(self.module)?.into_any(); for name in self.names { obj = obj.getattr(*name)?; } - obj.extract() + Ok::<_, pyo3::PyErr>(obj.unbind()) })?; Ok(p.clone().into_bound(py)) From a63af2fcf397a35c32a35766561ea28bfe03f676 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 11:34:25 -0400 Subject: [PATCH 414/868] Fixed lifetime errors in `certificate.rs` with `gil-refs` disabled (#10760) --- src/rust/src/x509/certificate.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 02c3f857636d..cbc8007fb0ea 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -58,7 +58,7 @@ impl Certificate { fn __repr__(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { let subject = self.subject(py)?; - let subject_repr = subject.repr()?.extract::<&str>()?; + let subject_repr = subject.repr()?.extract::()?; Ok(format!("")) } @@ -927,7 +927,7 @@ fn create_x509_certificate( let spki_bytes = builder .getattr(pyo3::intern!(py, "_public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? - .extract::<&[u8]>()?; + .extract::()?; let py_serial = builder .getattr(pyo3::intern!(py, "_serial_number"))? @@ -951,7 +951,7 @@ fn create_x509_certificate( not_after: time_from_py(py, &py_not_after)?, }, subject: x509::common::encode_name(py, &py_subject_name)?, - spki: asn1::parse_single(spki_bytes)?, + spki: asn1::parse_single(&spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, raw_extensions: x509::common::encode_extensions( From 3505402383072199fa9b608e13db1e6d173df19a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 11:39:39 -0400 Subject: [PATCH 415/868] Fixed lifetime errors in `utils.rs` with `gil-refs` disabled (#10761) --- src/rust/src/backend/utils.rs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index d3cc3b24b580..a3f60d851cdc 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -17,11 +17,11 @@ pub(crate) fn py_int_to_bn( .extract::()? / 8 + 1; - let bytes: &[u8] = v + let bytes = v .call_method1(pyo3::intern!(py, "to_bytes"), (n, pyo3::intern!(py, "big")))? - .extract()?; + .extract::()?; - Ok(openssl::bn::BigNum::from_slice(bytes)?) + Ok(openssl::bn::BigNum::from_slice(&bytes)?) } pub(crate) fn bn_to_py_int<'p>( @@ -90,17 +90,19 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &raw_bytes)); } + let py_password; let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { - b"" + b"" as &[u8] } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get_bound(py)?)? || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get_bound(py)?)? && encryption_algorithm .getattr(pyo3::intern!(py, "_format"))? .is(format)) { - encryption_algorithm + py_password = encryption_algorithm .getattr(pyo3::intern!(py, "password"))? - .extract::<&[u8]>()? + .extract::()?; + &py_password } else { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Unsupported encryption type"), From c588f578d37cab272b7a16ed50da3a622bd9597e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 13:05:27 -0400 Subject: [PATCH 416/868] Fixed two lifetime errors in `extensions.rs` with `gil-refs` disabled (#10762) --- src/rust/src/x509/extensions.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 3e0b7ec83822..cd1da1417494 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -412,8 +412,8 @@ pub(crate) fn encode_extension( &oid::SUBJECT_KEY_IDENTIFIER_OID => { let digest = ext .getattr(pyo3::intern!(py, "digest"))? - .extract::<&[u8]>()?; - Ok(Some(asn1::write_single(&digest)?)) + .extract::()?; + Ok(Some(asn1::write_single(&digest.as_ref())?)) } &oid::KEY_USAGE_OID => { let der = encode_key_usage(py, ext)?; @@ -522,8 +522,8 @@ pub(crate) fn encode_extension( &oid::NONCE_OID => { let nonce = ext .getattr(pyo3::intern!(py, "nonce"))? - .extract::<&[u8]>()?; - Ok(Some(asn1::write_single(&nonce)?)) + .extract::()?; + Ok(Some(asn1::write_single(&nonce.as_ref())?)) } &oid::MS_CERTIFICATE_TEMPLATE => { let py_template_id = ext.getattr(pyo3::intern!(py, "template_id"))?; From 3bcbbe7adfa8a6569bcffb1230048dc3a05cc082 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Apr 2024 16:43:21 -0400 Subject: [PATCH 417/868] Fixed lifetime error in `hashes.rs` with `gil-refs` disabled (#10759) --- src/rust/src/backend/hashes.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index c97171689863..ac989024e849 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -51,14 +51,14 @@ pub(crate) fn message_digest_from_algorithm( let name = algorithm .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?; + .extract::()?; let openssl_name = if name == "blake2b" || name == "blake2s" { let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::()?; Cow::Owned(format!("{}{}", name, digest_size * 8)) } else { - Cow::Borrowed(name) + Cow::Borrowed(name.as_ref()) }; match openssl::hash::MessageDigest::from_name(&openssl_name) { From 3d02b96c3c11725972202f542c0e878399a5c013 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 7 Apr 2024 07:57:23 -0400 Subject: [PATCH 418/868] Simplify OCSP response generating code (#10763) Wrapping nearly the entire function body with an `if` made it less readable --- src/rust/src/x509/ocsp_resp.rs | 296 +++++++++++++++++---------------- 1 file changed, 149 insertions(+), 147 deletions(-) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 8fd58e93616f..488aff625bc3 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -601,169 +601,171 @@ fn create_ocsp_response( let py_issuer: pyo3::PyRef<'_, x509::certificate::Certificate>; let borrowed_cert; let py_certs: Option>>; - let response_bytes = if response_status == SUCCESSFUL_RESPONSE { - let py_single_resp = builder.getattr(pyo3::intern!(py, "_response"))?; - py_cert = py_single_resp - .getattr(pyo3::intern!(py, "_cert"))? - .extract()?; - py_issuer = py_single_resp - .getattr(pyo3::intern!(py, "_issuer"))? - .extract()?; - let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; - let (responder_cert, responder_encoding): ( - pyo3::Bound<'_, x509::certificate::Certificate>, - &pyo3::PyAny, - ) = builder - .getattr(pyo3::intern!(py, "_responder_id"))? - .extract()?; - - let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; - let cert_status = if py_cert_status.is(types::OCSP_CERT_STATUS_GOOD.get(py)?) { - ocsp_resp::CertStatus::Good(()) - } else if py_cert_status.is(types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { - ocsp_resp::CertStatus::Unknown(()) - } else { - let revocation_reason = if !py_single_resp - .getattr(pyo3::intern!(py, "_revocation_reason"))? - .is_none() - { - let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get(py)? - .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? - .extract::()?; - Some(asn1::Enumerated::new(value)) - } else { - None - }; - // REVOKED - let py_revocation_time = - py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; - let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( - py, - py_revocation_time.as_borrowed().to_owned(), - )?)?; - ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { - revocation_time, - revocation_reason, - }) + if response_status != SUCCESSFUL_RESPONSE { + let resp = ocsp_resp::OCSPResponse { + response_status: asn1::Enumerated::new(response_status), + response_bytes: None, }; - let next_update = if !py_single_resp - .getattr(pyo3::intern!(py, "_next_update"))? + let data = asn1::write_single(&resp)?; + return load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()); + } + + let py_single_resp = builder.getattr(pyo3::intern!(py, "_response"))?; + py_cert = py_single_resp + .getattr(pyo3::intern!(py, "_cert"))? + .extract()?; + py_issuer = py_single_resp + .getattr(pyo3::intern!(py, "_issuer"))? + .extract()?; + let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; + let (responder_cert, responder_encoding): ( + pyo3::Bound<'_, x509::certificate::Certificate>, + &pyo3::PyAny, + ) = builder + .getattr(pyo3::intern!(py, "_responder_id"))? + .extract()?; + + let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; + let cert_status = if py_cert_status.is(types::OCSP_CERT_STATUS_GOOD.get(py)?) { + ocsp_resp::CertStatus::Good(()) + } else if py_cert_status.is(types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { + ocsp_resp::CertStatus::Unknown(()) + } else { + let revocation_reason = if !py_single_resp + .getattr(pyo3::intern!(py, "_revocation_reason"))? .is_none() { - let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; - Some(asn1::GeneralizedTime::new(py_to_datetime( - py, - py_next_update.as_borrowed().to_owned(), - )?)?) + let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE + .get(py)? + .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? + .extract::()?; + Some(asn1::Enumerated::new(value)) } else { None }; - let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; - let this_update = asn1::GeneralizedTime::new(py_to_datetime( + // REVOKED + let py_revocation_time = py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; + let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( py, - py_this_update.as_borrowed().to_owned(), + py_revocation_time.as_borrowed().to_owned(), )?)?; - - let responses = vec![SingleResponse { - cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, - cert_status, - next_update, - this_update, - raw_single_extensions: None, - }]; - - borrowed_cert = responder_cert.borrow(); - let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { - let sha1 = types::SHA1.get_bound(py)?.call0()?; - ocsp_resp::ResponderId::ByKey(ocsp::hash_data( - py, - &sha1, - borrowed_cert - .raw - .borrow_dependent() - .tbs_cert - .spki - .subject_public_key - .as_bytes(), - )?) - } else { - ocsp_resp::ResponderId::ByName( - borrowed_cert - .raw - .borrow_dependent() - .tbs_cert - .subject - .clone(), - ) - }; - - let tbs_response_data = ocsp_resp::ResponseData { - version: 0, - produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, - responder_id, - responses: common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( - responses, - )), - raw_response_extensions: x509::common::encode_extensions( - py, - &builder.getattr(pyo3::intern!(py, "_extensions"))?, - extensions::encode_extension, - )?, - }; - - let sigalg = x509::sign::compute_signature_algorithm( + ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { + revocation_time, + revocation_reason, + }) + }; + let next_update = if !py_single_resp + .getattr(pyo3::intern!(py, "_next_update"))? + .is_none() + { + let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; + Some(asn1::GeneralizedTime::new(py_to_datetime( py, - private_key.clone(), - hash_algorithm.clone(), - py.None().into_bound(py), - )?; - let tbs_bytes = asn1::write_single(&tbs_response_data)?; - let signature = x509::sign::sign_data( + py_next_update.as_borrowed().to_owned(), + )?)?) + } else { + None + }; + let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; + let this_update = + asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update.as_borrowed().to_owned())?)?; + + let responses = vec![SingleResponse { + cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, + cert_status, + next_update, + this_update, + raw_single_extensions: None, + }]; + + borrowed_cert = responder_cert.borrow(); + let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { + let sha1 = types::SHA1.get_bound(py)?.call0()?; + ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, - private_key.clone(), - hash_algorithm.clone(), - py.None().into_bound(py), - &tbs_bytes, - )?; + &sha1, + borrowed_cert + .raw + .borrow_dependent() + .tbs_cert + .spki + .subject_public_key + .as_bytes(), + )?) + } else { + ocsp_resp::ResponderId::ByName( + borrowed_cert + .raw + .borrow_dependent() + .tbs_cert + .subject + .clone(), + ) + }; - if !responder_cert - .call_method0(pyo3::intern!(py, "public_key"))? - .eq(private_key.call_method0(pyo3::intern!(py, "public_key"))?)? - { - return Err(CryptographyError::from( - pyo3::exceptions::PyValueError::new_err( - "Certificate public key and provided private key do not match", - ), - )); - } + let tbs_response_data = ocsp_resp::ResponseData { + version: 0, + produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, + responder_id, + responses: common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( + responses, + )), + raw_response_extensions: x509::common::encode_extensions( + py, + &builder.getattr(pyo3::intern!(py, "_extensions"))?, + extensions::encode_extension, + )?, + }; - py_certs = builder.getattr(pyo3::intern!(py, "_certs"))?.extract()?; - let certs = py_certs.as_ref().map(|py_certs| { - common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( - py_certs - .iter() - .map(|c| c.raw.borrow_dependent().clone()) - .collect(), - )) - }); + let sigalg = x509::sign::compute_signature_algorithm( + py, + private_key.clone(), + hash_algorithm.clone(), + py.None().into_bound(py), + )?; + let tbs_bytes = asn1::write_single(&tbs_response_data)?; + let signature = x509::sign::sign_data( + py, + private_key.clone(), + hash_algorithm.clone(), + py.None().into_bound(py), + &tbs_bytes, + )?; + + if !responder_cert + .call_method0(pyo3::intern!(py, "public_key"))? + .eq(private_key.call_method0(pyo3::intern!(py, "public_key"))?)? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Certificate public key and provided private key do not match", + ), + )); + } - let basic_resp = ocsp_resp::BasicOCSPResponse { - tbs_response_data, - signature: asn1::BitString::new(signature, 0).unwrap(), - signature_algorithm: sigalg, - certs, - }; - Some(ocsp_resp::ResponseBytes { - response_type: (BASIC_RESPONSE_OID).clone(), - response: asn1::OctetStringEncoded::new(basic_resp), - }) - } else { - None + py_certs = builder.getattr(pyo3::intern!(py, "_certs"))?.extract()?; + let certs = py_certs.as_ref().map(|py_certs| { + common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new( + py_certs + .iter() + .map(|c| c.raw.borrow_dependent().clone()) + .collect(), + )) + }); + + let basic_resp = ocsp_resp::BasicOCSPResponse { + tbs_response_data, + signature: asn1::BitString::new(signature, 0).unwrap(), + signature_algorithm: sigalg, + certs, }; + let response_bytes = Some(ocsp_resp::ResponseBytes { + response_type: (BASIC_RESPONSE_OID).clone(), + response: asn1::OctetStringEncoded::new(basic_resp), + }); let resp = ocsp_resp::OCSPResponse { - response_status: asn1::Enumerated::new(response_status), + response_status: asn1::Enumerated::new(SUCCESSFUL_RESPONSE), response_bytes, }; let data = asn1::write_single(&resp)?; From 030f70f9188009e596638edd68b4a986cfd059ca Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:09:20 +0000 Subject: [PATCH 419/868] Bump typing-extensions from 4.10.0 to 4.11.0 (#10768) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.10.0 to 4.11.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.10.0...4.11.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 702299344a67..c3621cda6549 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.10.0; python_version >= "3.8" +typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From a2b37ceeaed10956813a6973809b6f0a9d978eef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:11:49 +0000 Subject: [PATCH 420/868] Bump cc from 1.0.90 to 1.0.91 in /src/rust (#10769) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.90 to 1.0.91. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.90...1.0.91) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 91ac810df5c2..5290d2b20c6c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.90" +version = "1.0.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5" +checksum = "1fd97381a8cc6493395a5afc4c691c1084b3768db713b73aa215217aa245d153" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 3251e6622d1d..98491ea1f633 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.90" +cc = "1.0.91" From 2cd75bdbd72f952750dbcaf84095360e69d5fd96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:13:56 +0000 Subject: [PATCH 421/868] Bump typing-extensions from 4.10.0 to 4.11.0 in /.github/requirements (#10765) * Bump typing-extensions from 4.10.0 to 4.11.0 in /.github/requirements Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.10.0 to 4.11.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.10.0...4.11.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2444daad6f2f..b358f8822a59 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -568,9 +568,9 @@ twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in -typing-extensions==4.10.0 \ - --hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \ - --hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb +typing-extensions==4.11.0 \ + --hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \ + --hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a # via # pydantic # pydantic-core From 68e0836bdd7662f754f16811530a72aef21e3bf1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:19:33 +0000 Subject: [PATCH 422/868] Bump jaraco-context from 5.1.0 to 5.3.0 in /.github/requirements (#10766) * Bump jaraco-context from 5.1.0 to 5.3.0 in /.github/requirements Bumps [jaraco-context](https://github.com/jaraco/jaraco.context) from 5.1.0 to 5.3.0. - [Release notes](https://github.com/jaraco/jaraco.context/releases) - [Changelog](https://github.com/jaraco/jaraco.context/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.context/compare/v5.1.0...v5.3.0) --- updated-dependencies: - dependency-name: jaraco-context dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b358f8822a59..20c50a03244f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -12,6 +12,10 @@ appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 # via sigstore +backports-tarfile==1.0.0 \ + --hash=sha256:2688f159c21afd56a07b75f01306f9f52c79aebcc5f4a117fb8fbb4445352c75 \ + --hash=sha256:bcd36290d9684beb524d3fe74f4a2db056824c47746583f090b8e55daf0776e4 + # via jaraco-context betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf @@ -250,9 +254,9 @@ jaraco-classes==3.4.0 \ --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 # via keyring -jaraco-context==5.1.0 \ - --hash=sha256:0e4161ebbaeead78850b4ca5465b5853217cf23ad74ec82d00ebfb69d8ea5fcb \ - --hash=sha256:24ec1f739aec2c5766c68027ccc70d91d7b0cb931699442f5c7ed93515b955e7 +jaraco-context==5.3.0 \ + --hash=sha256:3e16388f7da43d384a1a7cd3452e72e14732ac9fe459678773a3608a812bf266 \ + --hash=sha256:c2f67165ce1f9be20f32f650f25d8edfc1646a8aeee48ae06fb35f90763576d2 # via keyring jaraco-functools==4.0.0 \ --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ From 3c964ca7a0098161f121bf519786e7bcf338dace Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:29:24 +0000 Subject: [PATCH 423/868] Bump execnet from 2.0.2 to 2.1.1 (#10767) * Bump execnet from 2.0.2 to 2.1.1 Bumps [execnet](https://github.com/pytest-dev/execnet) from 2.0.2 to 2.1.1. - [Changelog](https://github.com/pytest-dev/execnet/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/execnet/compare/v2.0.2...v2.1.1) --- updated-dependencies: - dependency-name: execnet dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c3621cda6549..cad42aaaff17 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -38,7 +38,7 @@ docutils==0.20.1 # sphinx-rtd-theme exceptiongroup==1.2.0 # via pytest -execnet==2.0.2 +execnet==2.1.1; python_version >= "3.8" # via pytest-xdist filelock==3.13.3; python_version >= "3.8" # via virtualenv From 5d7dcf62f71c3396186f9515a1700a0aaa368f7d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 21:53:32 +0000 Subject: [PATCH 424/868] Bump pem from 3.0.3 to 3.0.4 in /src/rust (#10772) Bumps [pem](https://github.com/jcreekmore/pem-rs) from 3.0.3 to 3.0.4. - [Changelog](https://github.com/jcreekmore/pem-rs/blob/master/CHANGELOG.md) - [Commits](https://github.com/jcreekmore/pem-rs/compare/v3.0.3...v3.0.4) --- updated-dependencies: - dependency-name: pem dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5290d2b20c6c..b362357cf490 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" [[package]] name = "base64" -version = "0.21.7" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" +checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" [[package]] name = "bitflags" @@ -248,9 +248,9 @@ dependencies = [ [[package]] name = "pem" -version = "3.0.3" +version = "3.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b8fcc794035347fb64beda2d3b462595dd2753e3f268d89c5aae77e8cf2c310" +checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae" dependencies = [ "base64", ] From 659dda1395cad7ae9b3fcede80d32ecf61946fa7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 22:15:40 +0000 Subject: [PATCH 425/868] Bump cc from 1.0.91 to 1.0.92 in /src/rust (#10773) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.91 to 1.0.92. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.91...1.0.92) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b362357cf490..879be6b55bbf 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.91" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fd97381a8cc6493395a5afc4c691c1084b3768db713b73aa215217aa245d153" +checksum = "2678b2e3449475e95b0aa6f9b506a28e61b3dc8996592b983695e8ebb58a8b41" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 98491ea1f633..f22d8e4b07a0 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.91" +cc = "1.0.92" From 42192fab0a96b484089021148ed1eaa12053f7ed Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Apr 2024 00:18:40 +0000 Subject: [PATCH 426/868] Bump BoringSSL and/or OpenSSL in CI (#10775) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0f8828ff63e..8d9b87fa7566 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0d2a5f600c7b6bef6fa6cf720204876560a6194b"}} + # Latest commit on the OpenSSL master branch, as of Apr 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a3e8f08306c64366318e26162ae0a0eb7b1a006"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 99ac2da221b709b6cae9d585b041c69573689941 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Apr 2024 00:32:06 +0000 Subject: [PATCH 427/868] Bump x509-limbo and/or wycheproof in CI (#10776) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index b152b7af5c1c..4a6973e7581c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -9,12 +9,12 @@ runs: with: repository: "C2SP/wycheproof" path: "wycheproof" - # Latest commit on the wycheproof master branch, as of Mar 27, 2024. - ref: "507bb993e90a87d0a62591a5284bc34a3f1c5c22" # wycheproof-ref + # Latest commit on the wycheproof master branch, as of Apr 09, 2024. + ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 02, 2024. - ref: "daf8dd36c0f7457d2b9ea006a514b30a4d49b6c1" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 09, 2024. + ref: "038dccdb57fc4c5fbec6ad090f24ae868e15f88f" # x509-limbo-ref From a45f694febdffa2de149ff4c63f7ef45fbc78f55 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Apr 2024 05:52:24 -0400 Subject: [PATCH 428/868] Bump sigstore from 2.1.3 to 2.1.5 in /.github/requirements (#10774) * Bump sigstore from 2.1.3 to 2.1.5 in /.github/requirements Bumps [sigstore](https://github.com/sigstore/sigstore-python) from 2.1.3 to 2.1.5. - [Release notes](https://github.com/sigstore/sigstore-python/releases) - [Changelog](https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/sigstore-python/compare/v2.1.3...v2.1.5) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 20c50a03244f..13839120ca3c 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -548,9 +548,9 @@ securesystemslib==0.31.0 \ # via # sigstore # tuf -sigstore==2.1.3 \ - --hash=sha256:7a0c1252cb7974024aee87c8e0f0f6247604af16e8b5a8e3d0a9e1201e330aa2 \ - --hash=sha256:f3aaa564c0d48a62fb40c103615bba01af787eaf9fda3b6e1a3e1dc5abc2d311 +sigstore==2.1.5 \ + --hash=sha256:7771153c5ac5a51d6556481f4680dfb602cb5c32c94fe56f87ff1801b8a8f243 \ + --hash=sha256:86d3ba41135004818c20d09d120140d59d4bd535a092690ff46478047bb8df5b # via -r publish-requirements.in sigstore-protobuf-specs==0.3.1 \ --hash=sha256:c40b61975b957ae906eb29a5bc7040ec015b68b6b46005cc5805e629493e8dec \ From 1278eaa16cfcf2d213b9e2ae0fc99f2949ad5549 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 9 Apr 2024 12:44:13 -0400 Subject: [PATCH 429/868] openssl 3.3 (#10779) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d9b87fa7566..1292d0197a95 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0-beta1"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} From dde87830d3e8f7f8b6aa048be1a9c88515f1e359 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 00:17:09 +0000 Subject: [PATCH 430/868] Bump BoringSSL and/or OpenSSL in CI (#10781) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1292d0197a95..f845d63bcc30 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4a3e8f08306c64366318e26162ae0a0eb7b1a006"}} + # Latest commit on the OpenSSL master branch, as of Apr 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "309c7ffd17334a9f9f5b04286892f10a9aca8a2e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1b4f37615775521b081abaf293749dbe3af46eef Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 00:28:44 +0000 Subject: [PATCH 431/868] Bump x509-limbo and/or wycheproof in CI (#10782) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4a6973e7581c..c7d18e3acb39 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 09, 2024. - ref: "038dccdb57fc4c5fbec6ad090f24ae868e15f88f" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 10, 2024. + ref: "7861a8249dcce920d887e6e27adc9657c1be8319" # x509-limbo-ref From 10cd4642018eb7b1e9c12c48cfae298e84fa1b54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 06:41:28 -0400 Subject: [PATCH 432/868] Bump filelock from 3.13.3 to 3.13.4 (#10784) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.13.3 to 3.13.4. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.13.3...3.13.4) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cad42aaaff17..b93f1e69d2c7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.0 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.13.3; python_version >= "3.8" +filelock==3.13.4; python_version >= "3.8" # via virtualenv idna==3.6 # via requests From c929515c99b0e8c4db549fd8a027a443591f6e9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 07:06:37 -0400 Subject: [PATCH 433/868] Bump quote from 1.0.35 to 1.0.36 in /src/rust (#10786) Bumps [quote](https://github.com/dtolnay/quote) from 1.0.35 to 1.0.36. - [Release notes](https://github.com/dtolnay/quote/releases) - [Commits](https://github.com/dtolnay/quote/compare/1.0.35...1.0.36) --- updated-dependencies: - dependency-name: quote dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 879be6b55bbf..9a335a8616a0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -341,9 +341,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.35" +version = "1.0.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" +checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" dependencies = [ "proc-macro2", ] From c794cf7a77ee0abe96f1269efd7b3ecd9971fc29 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 07:56:48 -0500 Subject: [PATCH 434/868] Bump docutils from 0.20.1 to 0.21 in /.github/requirements (#10785) * Bump docutils from 0.20.1 to 0.21 in /.github/requirements Bumps [docutils](https://docutils.sourceforge.io) from 0.20.1 to 0.21. --- updated-dependencies: - dependency-name: docutils dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 13839120ca3c..2fb18b95763b 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -211,9 +211,9 @@ dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator -docutils==0.20.1 \ - --hash=sha256:96f387a2c5562db4476f09f13bbab2192e764cac08ebbf3a34a95d9b1e4a59d6 \ - --hash=sha256:f08a4e276c3a1583a86dce3e34aba3fe04d02bba2dd51ed16106244e8a923e3b +docutils==0.21 \ + --hash=sha256:518e29081124e7d8159550958e6de240622562aa824f945f501ec3d3c5b67d19 \ + --hash=sha256:c26e17ca4915b9df42a4ce2ccca1b25b8b896f33caedb1a558684f0789d0783e # via readme-renderer email-validator==2.1.1 \ --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ From 17eb49f36bdd7a30487471a44c337aa3b3ec9a71 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 20:17:36 -0400 Subject: [PATCH 435/868] Bump BoringSSL and/or OpenSSL in CI (#10787) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f845d63bcc30..e608860723ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f94f3ed3965ea033001fb9ae006084eee408b861"}} - # Latest commit on the OpenSSL master branch, as of Apr 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "309c7ffd17334a9f9f5b04286892f10a9aca8a2e"}} + # Latest commit on the BoringSSL master branch, as of Apr 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "89f097740e6376521926eb56a61b25f639c473ac"}} + # Latest commit on the OpenSSL master branch, as of Apr 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8cd3f34758b292e137ce112a09f566821549115d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c12aaac750b06eb44d3261f4fcae0ba873549e29 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Apr 2024 06:53:40 -0400 Subject: [PATCH 436/868] Bump idna from 3.6 to 3.7 (#10789) Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.6...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b93f1e69d2c7..38e5685df1df 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -42,7 +42,7 @@ execnet==2.1.1; python_version >= "3.8" # via pytest-xdist filelock==3.13.4; python_version >= "3.8" # via virtualenv -idna==3.6 +idna==3.7 # via requests imagesize==1.4.1 # via sphinx From f36de7c2da9cc349acb0a645f757196ef5f702d9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Apr 2024 07:28:44 -0500 Subject: [PATCH 437/868] Bump idna from 3.6 to 3.7 in /.github/requirements (#10791) * Bump idna from 3.6 to 3.7 in /.github/requirements Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.6...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 2fb18b95763b..99349572e699 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -238,9 +238,9 @@ id==1.3.0 \ --hash=sha256:c5dbb6048a469466054f065e92dba9b202a57d718cf12a0f24a082d0df988e18 \ --hash=sha256:da320bc6d6e612a2c16364ca95bb905e87c74332d4fc9b34850a26c304790694 # via sigstore -idna==3.6 \ - --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \ - --hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f +idna==3.7 \ + --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ + --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via # email-validator # requests From b3dfcf32c0ac65e8928d6a51911a919cb55bf481 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Apr 2024 07:29:21 -0500 Subject: [PATCH 438/868] Bump docutils from 0.21 to 0.21.1 in /.github/requirements (#10792) * Bump docutils from 0.21 to 0.21.1 in /.github/requirements Bumps [docutils](https://docutils.sourceforge.io) from 0.21 to 0.21.1. --- updated-dependencies: - dependency-name: docutils dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 99349572e699..28107d1f36bb 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -211,9 +211,9 @@ dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator -docutils==0.21 \ - --hash=sha256:518e29081124e7d8159550958e6de240622562aa824f945f501ec3d3c5b67d19 \ - --hash=sha256:c26e17ca4915b9df42a4ce2ccca1b25b8b896f33caedb1a558684f0789d0783e +docutils==0.21.1 \ + --hash=sha256:14c8d34a55b46c88f9f714adb29cefbdd69fb82f3fef825e59c5faab935390d8 \ + --hash=sha256:65249d8a5345bc95e0f40f280ba63c98eb24de35c6c8f5b662e3e8948adea83f # via readme-renderer email-validator==2.1.1 \ --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ From 2263d8575c0e0af05e7a539aba719cf118aca202 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 11 Apr 2024 08:29:59 -0400 Subject: [PATCH 439/868] Cleanup a few uses of `into_gil_refs` (#10793) --- src/rust/src/x509/crl.rs | 5 ++--- src/rust/src/x509/csr.rs | 5 ++--- src/rust/src/x509/ocsp.rs | 10 +++++----- src/rust/src/x509/ocsp_req.rs | 2 +- 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 7fb591d38506..9cc0861c021d 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -243,7 +243,7 @@ impl CertificateRevocationList { } #[getter] - fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name( py, self.owned @@ -251,8 +251,7 @@ impl CertificateRevocationList { .tbs_cert_list .issuer .unwrap_read(), - )? - .into_gil_ref()) + )?) } #[getter] diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 5ee6c25e2a7b..c38968743447 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -67,12 +67,11 @@ impl CertificateSigningRequest { } #[getter] - fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name( py, self.raw.borrow_dependent().csr_info.subject.unwrap_read(), - )? - .into_gil_ref()) + )?) } #[getter] diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 0dbdb4b4eeb6..64c6ee2a66bb 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -108,13 +108,13 @@ pub(crate) fn certid_new_from_hash<'p>( issuer_name_hash: &'p [u8], issuer_key_hash: &'p [u8], serial_number: asn1::BigInt<'p>, - hash_algorithm: &'p pyo3::PyAny, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { + let hash_name = hash_algorithm + .getattr(pyo3::intern!(py, "name"))? + .extract::()?; Ok(CertID { - hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm - .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?] - .clone(), + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[&*hash_name].clone(), issuer_name_hash, issuer_key_hash, serial_number, diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index ec59ffdaf188..9d6ecea71ba9 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -194,7 +194,7 @@ fn create_ocsp_request( &issuer_name_hash, &issuer_key_hash, serial_number, - py_hash.into_gil_ref(), + py_hash, )? }; From 0a671cba6608f7ec876ed88f616f6da4116519f4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 00:15:55 +0000 Subject: [PATCH 440/868] Bump BoringSSL and/or OpenSSL in CI (#10795) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e608860723ce..57bce58850cc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "89f097740e6376521926eb56a61b25f639c473ac"}} - # Latest commit on the OpenSSL master branch, as of Apr 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8cd3f34758b292e137ce112a09f566821549115d"}} + # Latest commit on the BoringSSL master branch, as of Apr 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bdb7b19c3cd336b9e44086f677a0e37402c4bf13"}} + # Latest commit on the OpenSSL master branch, as of Apr 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8e5918fb8eb90289a0c89f6a4c6d623ecf49cf43"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1844ab3bfd881e80da1c652a5583a8f85cde5709 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 11 Apr 2024 20:31:47 -0400 Subject: [PATCH 441/868] Cleanup a few uses of `as_borrowed` (#10794) --- src/rust/src/pkcs7.rs | 41 +++++++++++++++----------------- src/rust/src/x509/certificate.rs | 30 ++++++++++------------- 2 files changed, 32 insertions(+), 39 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 58f36ec1a81f..ffb0df18b975 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -14,7 +14,6 @@ use openssl::pkcs7::Pkcs7; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; -use pyo3::PyNativeType; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; @@ -111,11 +110,12 @@ fn sign_and_serialize<'p>( &asn1::SequenceOfWriter::new([AES_128_CBC_OID]), ]))?; + #[allow(clippy::type_complexity)] let py_signers: Vec<( pyo3::PyRef<'p, x509::certificate::Certificate>, - &pyo3::PyAny, - &pyo3::PyAny, - &pyo3::PyAny, + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::Bound<'_, pyo3::PyAny>, + pyo3::Bound<'_, pyo3::PyAny>, )> = builder.getattr(pyo3::intern!(py, "_signers"))?.extract()?; let py_certs: Vec> = builder @@ -132,11 +132,8 @@ fn sign_and_serialize<'p>( let mut digests = vec![]; if !options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { for (_, _, py_hash_alg, _) in &py_signers { - let digest = asn1::write_single(&x509::ocsp::hash_data( - py, - &py_hash_alg.as_borrowed(), - &data_with_header, - )?)?; + let digest = + asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?)?; digests.push(digest); } } @@ -147,9 +144,9 @@ fn sign_and_serialize<'p>( None, x509::sign::sign_data( py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + py_private_key.clone(), + py_hash_alg.clone(), + rsa_padding.clone(), &data_with_header, )?, ) @@ -194,9 +191,9 @@ fn sign_and_serialize<'p>( )), x509::sign::sign_data( py, - py_private_key.as_borrowed().to_owned(), - py_hash_alg.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + py_private_key.clone(), + py_hash_alg.clone(), + rsa_padding.clone(), &signed_data, )?, ) @@ -222,9 +219,9 @@ fn sign_and_serialize<'p>( authenticated_attributes: authenticated_attrs, digest_encryption_algorithm: compute_pkcs7_signature_algorithm( py, - py_private_key, - py_hash_alg, - rsa_padding, + py_private_key.clone(), + py_hash_alg.clone(), + rsa_padding.clone(), )?, encrypted_digest: signature, unauthenticated_attributes: None, @@ -279,12 +276,12 @@ fn sign_and_serialize<'p>( fn compute_pkcs7_signature_algorithm<'p>( py: pyo3::Python<'p>, - private_key: &'p pyo3::PyAny, - hash_algorithm: &'p pyo3::PyAny, - rsa_padding: &'p pyo3::PyAny, + private_key: pyo3::Bound<'p, pyo3::PyAny>, + hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, + rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { let key_type = x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())?; - let has_pss_padding = rsa_padding.is_instance(types::PSS.get(py)?)?; + let has_pss_padding = rsa_padding.is_instance(&types::PSS.get_bound(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). if key_type == x509::sign::KeyType::Rsa && !has_pss_padding { diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index cbc8007fb0ea..ca07e79cfae2 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -18,7 +18,7 @@ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; -use pyo3::{IntoPy, PyNativeType, ToPyObject}; +use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{ big_byte_slice_to_py_int, encode_der_data, oid_to_py_oid, py_uint_to_big_endian_bytes, @@ -91,7 +91,7 @@ impl Certificate { ) -> CryptographyResult> { let serialized = asn1::write_single(&self.raw.borrow_dependent())?; - let mut h = hashes::Hash::new(py, &algorithm.as_borrowed(), None)?; + let mut h = hashes::Hash::new(py, algorithm, None)?; h.update_bytes(&serialized)?; Ok(h.finalize(py)?.into_any()) } @@ -128,17 +128,13 @@ impl Certificate { #[getter] fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().issuer()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))? - .as_borrowed() - .to_owned()) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?) } #[getter] fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(x509::parse_name(py, self.raw.borrow_dependent().subject()) - .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))? - .as_borrowed() - .to_owned()) + .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?) } #[getter] @@ -218,7 +214,7 @@ impl Certificate { .validity .not_before .as_datetime(); - Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py(py, dt) } #[getter] @@ -233,7 +229,7 @@ impl Certificate { .validity .not_before .as_datetime(); - Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py_utc(py, dt) } #[getter] @@ -255,7 +251,7 @@ impl Certificate { .validity .not_after .as_datetime(); - Ok(x509::datetime_to_py(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py(py, dt) } #[getter] @@ -270,7 +266,7 @@ impl Certificate { .validity .not_after .as_datetime(); - Ok(x509::datetime_to_py_utc(py, dt)?.as_borrowed().to_owned()) + x509::datetime_to_py_utc(py, dt) } #[getter] @@ -712,11 +708,11 @@ pub(crate) fn parse_authority_key_identifier<'p>( Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, None => py.None(), }; - Ok(types::AUTHORITY_KEY_IDENTIFIER - .get(py)? - .call1((aki.key_identifier, issuer, serial))? - .as_borrowed() - .to_owned()) + Ok(types::AUTHORITY_KEY_IDENTIFIER.get_bound(py)?.call1(( + aki.key_identifier, + issuer, + serial, + ))?) } pub(crate) fn parse_access_descriptions( From 1642d60f436aa8d96916265ef41a826e54a15b6d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 11 Apr 2024 23:13:29 -0400 Subject: [PATCH 442/868] Cleanup almost all remaining `&pyo3::PyAny` refs (#10796) --- src/rust/src/backend/ec.rs | 8 ++++---- src/rust/src/oid.rs | 10 +++++----- src/rust/src/x509/crl.rs | 16 +++++++++------- src/rust/src/x509/extensions.rs | 12 +++++------- src/rust/src/x509/ocsp_req.rs | 7 +++++-- src/rust/src/x509/ocsp_resp.rs | 26 ++++++++++++++++---------- src/rust/src/x509/sct.rs | 21 ++++++++++++--------- 7 files changed, 56 insertions(+), 44 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 30a36dd1ebf8..7a86f8a8d88c 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyModuleMethods}; use pyo3::ToPyObject; use crate::backend::utils; @@ -90,7 +90,7 @@ fn curve_from_py_curve( fn py_curve_from_curve<'p>( py: pyo3::Python<'p>, curve: &openssl::ec::EcGroupRef, -) -> CryptographyResult<&'p pyo3::PyAny> { +) -> CryptographyResult> { if curve.asn1_flag() == openssl::ec::Asn1Flag::EXPLICIT_CURVE { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -102,8 +102,8 @@ fn py_curve_from_curve<'p>( let name = curve.curve_name().unwrap().short_name()?; types::CURVE_TYPES - .get(py)? - .extract::<&pyo3::types::PyDict>()? + .get_bound(py)? + .extract::>()? .get_item(name)? .ok_or_else(|| { CryptographyError::from(exceptions::UnsupportedAlgorithm::new_err(( diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 18f3be654f1e..5735ef0ce704 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -2,11 +2,11 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use std::collections::hash_map::DefaultHasher; -use std::hash::{Hash, Hasher}; - use crate::error::CryptographyResult; use crate::types; +use pyo3::prelude::PyAnyMethods; +use std::collections::hash_map::DefaultHasher; +use std::hash::{Hash, Hasher}; #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] pub(crate) struct ObjectIdentifier { @@ -31,9 +31,9 @@ impl ObjectIdentifier { fn _name<'p>( slf: pyo3::PyRef<'_, Self>, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { types::OID_NAMES - .get(py)? + .get_bound(py)? .call_method1(pyo3::intern!(py, "get"), (slf, "Unknown OID")) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 9cc0861c021d..8b7b63481a06 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -196,9 +196,9 @@ impl CertificateRevocationList { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { let oid = self.signature_algorithm_oid(py)?; - match types::SIG_OIDS_TO_HASH.get(py)?.get_item(oid) { + match types::SIG_OIDS_TO_HASH.get_bound(py)?.get_item(oid) { Ok(v) => Ok(v), Err(_) => Err(exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -590,7 +590,7 @@ impl RevokedCertificate { py, &self.cached_extensions, &self.owned.borrow_dependent().raw_crl_entry_extensions, - |ext| parse_crl_entry_ext(py, ext), + |ext| parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), ) } } @@ -624,21 +624,23 @@ pub(crate) fn parse_crl_reason_flags<'p>( pub fn parse_crl_entry_ext<'p>( py: pyo3::Python<'p>, ext: &Extension<'_>, -) -> CryptographyResult> { +) -> CryptographyResult>> { match ext.extn_id { oid::CRL_REASON_OID => { let flags = parse_crl_reason_flags(py, &ext.value::()?)?; - Ok(Some(types::CRL_REASON.get(py)?.call1((flags,))?)) + Ok(Some(types::CRL_REASON.get_bound(py)?.call1((flags,))?)) } oid::CERTIFICATE_ISSUER_OID => { let gn_seq = ext.value::>>()?; let gns = x509::parse_general_names(py, &gn_seq)?; - Ok(Some(types::CERTIFICATE_ISSUER.get(py)?.call1((gns,))?)) + Ok(Some( + types::CERTIFICATE_ISSUER.get_bound(py)?.call1((gns,))?, + )) } oid::INVALIDITY_DATE_OID => { let time = ext.value::()?; let py_dt = x509::datetime_to_py(py, time.as_datetime())?; - Ok(Some(types::INVALIDITY_DATE.get(py)?.call1((py_dt,))?)) + Ok(Some(types::INVALIDITY_DATE.get_bound(py)?.call1((py_dt,))?)) } _ => Ok(None), } diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index cd1da1417494..22f2da338fab 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -9,7 +9,6 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; use pyo3::prelude::PyAnyMethods; -use pyo3::PyNativeType; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, @@ -72,10 +71,10 @@ pub(crate) fn encode_distribution_points<'p>( ) -> CryptographyResult> { #[derive(pyo3::prelude::FromPyObject)] struct PyDistributionPoint<'a> { - crl_issuer: Option<&'a pyo3::PyAny>, - full_name: Option<&'a pyo3::PyAny>, - relative_name: Option<&'a pyo3::PyAny>, - reasons: Option<&'a pyo3::PyAny>, + crl_issuer: Option>, + full_name: Option>, + relative_name: Option>, + reasons: Option>, } let mut dps = vec![]; @@ -98,8 +97,7 @@ pub(crate) fn encode_distribution_points<'p>( } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - let bound_name_entry = &py_name_entry?.as_borrowed(); - name_entries.push(x509::common::encode_name_entry(py, bound_name_entry)?); + name_entries.push(x509::common::encode_name_entry(py, &py_name_entry?)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 9d6ecea71ba9..6e0005c4ced6 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -87,11 +87,14 @@ impl OCSPRequest { fn hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let cert_id = self.cert_id(); match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE + .get_bound(py)? + .getattr(*alg_name)? + .call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 488aff625bc3..715a97330316 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -124,7 +124,10 @@ impl OCSPResponse { } #[getter] - fn response_status<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn response_status<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { let status = self.raw.borrow_dependent().response_status.value(); let attr = if status == SUCCESSFUL_RESPONSE { "SUCCESSFUL" @@ -140,7 +143,7 @@ impl OCSPResponse { assert_eq!(status, UNAUTHORIZED_RESPONSE); "UNAUTHORIZED" }; - types::OCSP_RESPONSE_STATUS.get(py)?.getattr(attr) + types::OCSP_RESPONSE_STATUS.get_bound(py)?.getattr(attr) } #[getter] @@ -193,9 +196,9 @@ impl OCSPResponse { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let hash_alg = types::SIG_OIDS_TO_HASH - .get(py)? + .get_bound(py)? .get_item(self.signature_algorithm_oid(py)?); match hash_alg { Ok(data) => Ok(data), @@ -301,7 +304,7 @@ impl OCSPResponse { fn hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_hash_algorithm(&single_resp, py) @@ -420,7 +423,7 @@ impl OCSPResponse { .call1((scts,))?, )) } - _ => crl::parse_crl_entry_ext(py, ext), + _ => crl::parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), }, ) } @@ -527,9 +530,12 @@ fn singleresp_py_certificate_status<'p>( fn singleresp_py_hash_algorithm<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, -) -> Result<&'p pyo3::PyAny, CryptographyError> { +) -> Result, CryptographyError> { match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&resp.cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE + .get_bound(py)? + .getattr(*alg_name)? + .call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -620,7 +626,7 @@ fn create_ocsp_response( let py_cert_hash_algorithm = py_single_resp.getattr(pyo3::intern!(py, "_algorithm"))?; let (responder_cert, responder_encoding): ( pyo3::Bound<'_, x509::certificate::Certificate>, - &pyo3::PyAny, + pyo3::Bound<'_, pyo3::PyAny>, ) = builder .getattr(pyo3::intern!(py, "_responder_id"))? .extract()?; @@ -863,7 +869,7 @@ impl OCSPSingleResponse { fn hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> Result<&'p pyo3::PyAny, CryptographyError> { + ) -> Result, CryptographyError> { let single_resp = self.single_response(); singleresp_py_hash_algorithm(single_resp, py) } diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index a7bfbb5eb472..f531a3738599 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -154,8 +154,8 @@ impl Sct { } #[getter] - fn version<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get(py) + fn version<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { + types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get_bound(py) } #[getter] @@ -181,10 +181,10 @@ impl Sct { } #[getter] - fn entry_type<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn entry_type<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(match self.entry_type { - LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get(py)?, - LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get(py)?, + LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get_bound(py)?, + LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get_bound(py)?, }) } @@ -192,16 +192,19 @@ impl Sct { fn signature_hash_algorithm<'p>( &self, py: pyo3::Python<'p>, - ) -> pyo3::PyResult<&'p pyo3::PyAny> { + ) -> pyo3::PyResult> { types::HASHES_MODULE - .get(py)? + .get_bound(py)? .call_method0(self.hash_algorithm.to_attr()) } #[getter] - fn signature_algorithm<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { + fn signature_algorithm<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { types::SIGNATURE_ALGORITHM - .get(py)? + .get_bound(py)? .getattr(self.signature_algorithm.to_attr()) } From 18bc7ef6bd2628122245f6a60ebaf049e137c16a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 07:06:17 -0400 Subject: [PATCH 443/868] Bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 (#10798) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/70a41aba780001da0a30141984ae2a0c95d8704e...c55203cfde3e5c11a452d352b4393e68b85b4533) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index cfe495d2652a..c496f81f3d15 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 + uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 225a8d37538c..fb3f532f5e85 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 + uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From d5434c27c8161d1113b1ad77e7bffa95bad85063 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 07:06:35 -0400 Subject: [PATCH 444/868] Bump ruff from 0.3.5 to 0.3.7 (#10799) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.5 to 0.3.7. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.5...v0.3.7) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 38e5685df1df..ccd015582b2c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.5 +ruff==0.3.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 0edb94a0c1b3bff6cf60a7a782ef6a96f7394ac5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 10:28:54 -0400 Subject: [PATCH 445/868] Cleanup remaining `&pyo3::PyAny` refs (#10800) --- src/rust/src/x509/certificate.rs | 6 ++--- src/rust/src/x509/common.rs | 13 +++++----- src/rust/src/x509/crl.rs | 44 +++++++++++++++++++------------- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/ocsp_req.rs | 4 +-- src/rust/src/x509/ocsp_resp.rs | 6 ++--- 6 files changed, 42 insertions(+), 33 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index ca07e79cfae2..cd32c4802dd6 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -305,18 +305,18 @@ impl Certificate { |ext| match ext.extn_id { oid::PRECERT_POISON_OID => { ext.value::<()>()?; - Ok(Some(types::PRECERT_POISON.get(py)?.call0()?)) + Ok(Some(types::PRECERT_POISON.get_bound(py)?.call0()?)) } oid::PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_OID => { let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::PreCertificate)?; Ok(Some( types::PRECERTIFICATE_SIGNED_CERTIFICATE_TIMESTAMPS - .get(py)? + .get_bound(py)? .call1((scts,))?, )) } - _ => parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())), + _ => parse_cert_ext(py, ext), }, ) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index ee4b0a3e408c..67d952fbcc7c 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -372,7 +372,7 @@ fn ipv6_netmask(num: u128) -> Result { pub(crate) fn parse_and_cache_extensions< 'p, - F: Fn(&Extension<'_>) -> Result, CryptographyError>, + F: Fn(&Extension<'_>) -> Result>, CryptographyError>, >( py: pyo3::Python<'p>, cached_extensions: &pyo3::sync::GILOnceCell, @@ -399,13 +399,14 @@ pub(crate) fn parse_and_cache_extensions< let extn_value = match parse_ext(&raw_ext)? { Some(e) => e, None => types::UNRECOGNIZED_EXTENSION - .get(py)? + .get_bound(py)? .call1((oid_obj.clone(), raw_ext.extn_value))?, }; - let ext_obj = - types::EXTENSION - .get(py)? - .call1((oid_obj, raw_ext.critical, extn_value))?; + let ext_obj = types::EXTENSION.get_bound(py)?.call1(( + oid_obj, + raw_ext.critical, + extn_value, + ))?; exts.append(ext_obj)?; } Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 8b7b63481a06..05dcc3eb8766 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -334,29 +334,35 @@ impl CertificateRevocationList { oid::CRL_NUMBER_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::CRL_NUMBER.get(py)?.call1((pynum,))?)) + Ok(Some(types::CRL_NUMBER.get_bound(py)?.call1((pynum,))?)) } oid::DELTA_CRL_INDICATOR_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::DELTA_CRL_INDICATOR.get(py)?.call1((pynum,))?)) + Ok(Some( + types::DELTA_CRL_INDICATOR.get_bound(py)?.call1((pynum,))?, + )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME + .get_bound(py)? + .call1((ians,))?, )) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = certificate::parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS + .get_bound(py)? + .call1((ads,))?, )) } - oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some( - certificate::parse_authority_key_identifier(py, ext)?.into_gil_ref(), - )), + oid::AUTHORITY_KEY_IDENTIFIER_OID => { + Ok(Some(certificate::parse_authority_key_identifier(py, ext)?)) + } oid::ISSUING_DISTRIBUTION_POINT_OID => { let idp = ext.value::>()?; let (full_name, relative_name) = match idp.distribution_point { @@ -371,19 +377,21 @@ impl CertificateRevocationList { } else { py.None() }; - Ok(Some(types::ISSUING_DISTRIBUTION_POINT.get(py)?.call1(( - full_name, - relative_name, - idp.only_contains_user_certs, - idp.only_contains_ca_certs, - py_reasons, - idp.indirect_crl, - idp.only_contains_attribute_certs, - ))?)) + Ok(Some( + types::ISSUING_DISTRIBUTION_POINT.get_bound(py)?.call1(( + full_name, + relative_name, + idp.only_contains_user_certs, + idp.only_contains_ca_certs, + py_reasons, + idp.indirect_crl, + idp.only_contains_attribute_certs, + ))?, + )) } oid::FRESHEST_CRL_OID => { let dp = certificate::parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) } _ => Ok(None), }, @@ -590,7 +598,7 @@ impl RevokedCertificate { py, &self.cached_extensions, &self.owned.borrow_dependent().raw_crl_entry_extensions, - |ext| parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), + |ext| parse_crl_entry_ext(py, ext), ) } } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index c38968743447..43fad223fc04 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -216,7 +216,7 @@ impl CertificateSigningRequest { })?; x509::parse_and_cache_extensions(py, &self.cached_extensions, &raw_exts, |ext| { - certificate::parse_cert_ext(py, ext).map(|x| x.map(|y| y.into_gil_ref())) + certificate::parse_cert_ext(py, ext) }) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 6e0005c4ced6..5ee9e2097016 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -131,7 +131,7 @@ impl OCSPRequest { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; @@ -142,7 +142,7 @@ impl OCSPRequest { Ok(Some( types::OCSP_ACCEPTABLE_RESPONSES - .get(py)? + .get_bound(py)? .call1((py_oids,))?, )) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 715a97330316..4c6b00cbeee8 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -388,7 +388,7 @@ impl OCSPResponse { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) } _ => Ok(None), } @@ -419,11 +419,11 @@ impl OCSPResponse { let scts = sct::parse_scts(py, contents, sct::LogEntryType::Certificate)?; Ok(Some( types::SIGNED_CERTIFICATE_TIMESTAMPS - .get(py)? + .get_bound(py)? .call1((scts,))?, )) } - _ => crl::parse_crl_entry_ext(py, ext).map(|v| v.map(|v| v.into_gil_ref())), + _ => crl::parse_crl_entry_ext(py, ext), }, ) } From 1d04970f372adeee3b86650698a020fd4c323210 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 10:50:40 -0400 Subject: [PATCH 446/868] Remove all remaining uses of `as_borrowed()` (#10801) --- src/rust/src/backend/dsa.rs | 6 ++--- src/rust/src/backend/ec.rs | 4 +-- src/rust/src/backend/hmac.rs | 2 +- src/rust/src/backend/rsa.rs | 21 +++------------- src/rust/src/backend/utils.rs | 2 +- src/rust/src/pkcs7.rs | 9 ++----- src/rust/src/x509/common.rs | 22 ++++------------- src/rust/src/x509/crl.rs | 34 +++++++++----------------- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/extensions.rs | 43 ++++++++++++++------------------- src/rust/src/x509/ocsp_resp.rs | 10 +++----- src/rust/src/x509/sign.rs | 7 +++--- 12 files changed, 52 insertions(+), 110 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 8db405c87533..06143428c7e8 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -72,8 +72,7 @@ impl DsaPrivateKey { data: CffiBuf<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (data, _) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm)?; let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; @@ -159,8 +158,7 @@ impl DsaPublicKey { data: CffiBuf<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - let (data, _) = - utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm.as_borrowed())?; + let (data, _) = utils::calculate_digest_and_algorithm(py, data.as_bytes(), &algorithm)?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 7a86f8a8d88c..41cd8e057d88 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -403,9 +403,7 @@ impl ECPublicKey { let (data, _) = utils::calculate_digest_and_algorithm( py, data.as_bytes(), - &signature_algorithm - .as_borrowed() - .getattr(pyo3::intern!(py, "algorithm"))?, + &signature_algorithm.getattr(pyo3::intern!(py, "algorithm"))?, )?; let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index f7718ad55d90..5f08ff117167 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -24,7 +24,7 @@ impl Hmac { key: &[u8], algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - let md = message_digest_from_algorithm(py, &algorithm.as_borrowed())?; + let md = message_digest_from_algorithm(py, algorithm)?; let ctx = cryptography_openssl::hmac::Hmac::new(key, md).map_err(|_| { exceptions::UnsupportedAlgorithm::new_err(( "Digest is not supported for HMAC", diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 0a279f7fdc30..c1af3879eb98 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -10,7 +10,6 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; -use pyo3::PyNativeType; #[pyo3::prelude::pyclass( frozen, @@ -295,14 +294,7 @@ impl RsaPrivateKey { ctx.sign_init().map_err(|_| { pyo3::exceptions::PyValueError::new_err("Unable to sign/verify with this key") })?; - setup_signature_ctx( - py, - &mut ctx, - padding, - &algorithm.as_borrowed(), - self.pkey.size(), - true, - )?; + setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), true)?; let length = ctx.sign(data, None)?; Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { @@ -440,14 +432,7 @@ impl RsaPublicKey { let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; ctx.verify_init()?; - setup_signature_ctx( - py, - &mut ctx, - padding, - &algorithm.as_borrowed(), - self.pkey.size(), - false, - )?; + setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), false)?; let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); if !valid { @@ -487,7 +472,7 @@ impl RsaPublicKey { padding: &pyo3::Bound<'_, pyo3::PyAny>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if algorithm.is_instance(&types::PREHASHED.get(py)?.as_borrowed())? { + if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.", diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index a3f60d851cdc..827f56f688f0 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -365,7 +365,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. - let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; + let mut h = Hash::new(py, algorithm, None)?; h.update_bytes(data)?; data = h.finalize(py)?.into_gil_ref().as_bytes(); } diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index ffb0df18b975..2daee2a9ca4b 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -280,7 +280,7 @@ fn compute_pkcs7_signature_algorithm<'p>( hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { - let key_type = x509::sign::identify_key_type(py, private_key.as_borrowed().to_owned())?; + let key_type = x509::sign::identify_key_type(py, private_key.clone())?; let has_pss_padding = rsa_padding.is_instance(&types::PSS.get_bound(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). @@ -290,12 +290,7 @@ fn compute_pkcs7_signature_algorithm<'p>( params: common::AlgorithmParameters::Rsa(Some(())), }) } else { - x509::sign::compute_signature_algorithm( - py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), - ) + x509::sign::compute_signature_algorithm(py, private_key, hash_algorithm, rsa_padding) } } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 67d952fbcc7c..c17208820a0d 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -76,10 +76,7 @@ pub(crate) fn encode_name_entry<'p>( .getattr(pyo3::intern!(py, "value"))? .extract()? }; - let py_oid = py_name_entry - .getattr(pyo3::intern!(py, "oid"))? - .as_borrowed() - .to_owned(); + let py_oid = py_name_entry.getattr(pyo3::intern!(py, "oid"))?; let oid = py_oid_to_oid(py_oid)?; Ok(AttributeTypeValue { @@ -129,10 +126,7 @@ pub(crate) fn encode_general_name<'a>( let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(types::OTHER_NAME.get(py)?) { - let py_oid = gn - .getattr(pyo3::intern!(py, "type_id"))? - .as_borrowed() - .to_owned(); + let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { @@ -151,7 +145,7 @@ pub(crate) fn encode_general_name<'a>( .extract::<&[u8]>()?, )) } else if gn_type.is(types::REGISTERED_ID.get(py)?) { - let oid = py_oid_to_oid(gn_value.as_borrowed().to_owned())?; + let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) } else { Err(CryptographyError::from( @@ -167,10 +161,7 @@ pub(crate) fn encode_access_descriptions<'a>( let mut ads = vec![]; for py_ad in py_ads.iter()? { let py_ad = py_ad?; - let py_oid = py_ad - .getattr(pyo3::intern!(py, "access_method"))? - .as_borrowed() - .to_owned(); + let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?; let access_method = py_oid_to_oid(py_oid)?; let access_location = encode_general_name(py, &py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; @@ -429,10 +420,7 @@ pub(crate) fn encode_extensions< let mut exts = vec![]; for py_ext in py_exts.iter()? { let py_ext = py_ext?; - let py_oid = py_ext - .getattr(pyo3::intern!(py, "oid"))? - .as_borrowed() - .to_owned(); + let py_oid = py_ext.getattr(pyo3::intern!(py, "oid"))?; let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 05dcc3eb8766..b00858e27500 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -179,7 +179,7 @@ impl CertificateRevocationList { ) -> pyo3::PyResult> { let data = self.public_bytes_der()?; - let mut h = Hash::new(py, &algorithm.as_borrowed(), None)?; + let mut h = Hash::new(py, &algorithm, None)?; h.update_bytes(&data)?; Ok(h.finalize(py)?) } @@ -295,16 +295,14 @@ impl CertificateRevocationList { "Properties that return a naïve datetime object have been deprecated. Please switch to last_update_utc.", 1, )?; - Ok(x509::datetime_to_py( + x509::datetime_to_py( py, self.owned .borrow_dependent() .tbs_cert_list .this_update .as_datetime(), - )? - .as_borrowed() - .to_owned()) + ) } #[getter] @@ -573,12 +571,10 @@ impl RevokedCertificate { "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.", 1, )?; - Ok(x509::datetime_to_py( + x509::datetime_to_py( py, self.owned.borrow_dependent().revocation_date.as_datetime(), - )? - .as_borrowed() - .to_owned()) + ) } #[getter] @@ -682,10 +678,7 @@ fn create_x509_crl( revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?) .unwrap(), - revocation_date: x509::certificate::time_from_py( - py, - &py_revocation_date.as_borrowed(), - )?, + revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?, raw_crl_entry_extensions: x509::common::encode_extensions( py, &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, @@ -700,12 +693,9 @@ fn create_x509_crl( let tbs_cert_list = crl::TBSCertList { version: Some(1), signature: sigalg.clone(), - issuer: x509::common::encode_name(py, &py_issuer_name.as_borrowed())?, - this_update: x509::certificate::time_from_py(py, &py_this_update.as_borrowed())?, - next_update: Some(x509::certificate::time_from_py( - py, - &py_next_update.as_borrowed(), - )?), + issuer: x509::common::encode_name(py, &py_issuer_name)?, + this_update: x509::certificate::time_from_py(py, &py_this_update)?, + next_update: Some(x509::certificate::time_from_py(py, &py_next_update)?), revoked_certificates: if revoked_certs.is_empty() { None } else { @@ -723,9 +713,9 @@ fn create_x509_crl( let tbs_bytes = asn1::write_single(&tbs_cert_list)?; let signature = x509::sign::sign_data( py, - private_key.as_borrowed().to_owned(), - hash_algorithm.as_borrowed().to_owned(), - rsa_padding.as_borrowed().to_owned(), + private_key.clone(), + hash_algorithm.clone(), + rsa_padding.clone(), &tbs_bytes, )?; let data = asn1::write_single(&crl::CertificateRevocationList { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 43fad223fc04..4f6a0d46c045 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -360,7 +360,7 @@ fn create_x509_csr( let csr_info = CertificationRequestInfo { version: 0, - subject: x509::common::encode_name(py, &py_subject_name.as_borrowed())?, + subject: x509::common::encode_name(py, &py_subject_name)?, spki: asn1::parse_single(&spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 22f2da338fab..94eb495bc7a0 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -19,7 +19,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, &name?.as_borrowed())?; + let gn = x509::common::encode_general_name(py, &name?)?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -44,7 +44,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( } let aki = py_aki.extract::>()?; let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, &authority_cert_issuer.as_borrowed())?; + let gns = x509::common::encode_general_names(py, &authority_cert_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -82,7 +82,7 @@ pub(crate) fn encode_distribution_points<'p>( let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, &py_crl_issuer.as_borrowed())?; + let gns = x509::common::encode_general_names(py, &py_crl_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -90,7 +90,7 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, &py_full_name.as_borrowed())?; + let gns = x509::common::encode_general_names(py, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -106,8 +106,7 @@ pub(crate) fn encode_distribution_points<'p>( None }; let reasons = if let Some(py_reasons) = py_dp.reasons { - let reasons = - certificate::encode_distribution_point_reasons(py, &py_reasons.as_borrowed())?; + let reasons = certificate::encode_distribution_point_reasons(py, &py_reasons)?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None @@ -293,7 +292,7 @@ fn encode_certificate_policies( }; let py_policy_id = py_policy_info.getattr(pyo3::intern!(py, "policy_identifier"))?; policy_informations.push(extensions::PolicyInformation { - policy_identifier: py_oid_to_oid(py_policy_id.as_borrowed().to_owned())?, + policy_identifier: py_oid_to_oid(py_policy_id)?, policy_qualifiers: qualifiers, }); } @@ -311,15 +310,14 @@ fn encode_issuing_distribution_point( .is_truthy()? { let py_reasons = ext.getattr(pyo3::intern!(py, "only_some_reasons"))?; - let reasons = - certificate::encode_distribution_point_reasons(ext.py(), &py_reasons.as_borrowed())?; + let reasons = certificate::encode_distribution_point_reasons(ext.py(), &py_reasons)?; Some(common::Asn1ReadableOrWritable::new_write(reasons)) } else { None }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), &py_full_name.as_borrowed())?; + let gns = x509::common::encode_general_names(ext.py(), &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -358,7 +356,7 @@ fn encode_issuing_distribution_point( fn encode_oid_sequence(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut oids = vec![]; for el in ext.iter()? { - let oid = py_oid_to_oid(el?.as_borrowed().to_owned())?; + let oid = py_oid_to_oid(el?)?; oids.push(oid); } Ok(asn1::write_single(&asn1::SequenceOfWriter::new(oids))?) @@ -383,14 +381,14 @@ fn encode_tls_features( fn encode_scts(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { let mut length = 0; for sct in ext.iter()? { - let sct = sct?.as_borrowed().downcast::()?.clone(); + let sct = sct?.downcast::()?.clone(); length += sct.get().sct_data.len() + 2; } let mut result = vec![]; result.extend_from_slice(&(length as u16).to_be_bytes()); for sct in ext.iter()? { - let sct = sct?.as_borrowed().downcast::()?.clone(); + let sct = sct?.downcast::()?.clone(); result.extend_from_slice(&(sct.get().sct_data.len() as u16).to_be_bytes()); result.extend_from_slice(&sct.get().sct_data); } @@ -418,7 +416,7 @@ pub(crate) fn encode_extension( Ok(Some(der)) } &oid::AUTHORITY_INFORMATION_ACCESS_OID | &oid::SUBJECT_INFORMATION_ACCESS_OID => { - let der = x509::common::encode_access_descriptions(ext.py(), &ext.as_borrowed())?; + let der = x509::common::encode_access_descriptions(ext.py(), ext)?; Ok(Some(der)) } &oid::EXTENDED_KEY_USAGE_OID | &oid::ACCEPTABLE_RESPONSES_OID => { @@ -452,16 +450,15 @@ pub(crate) fn encode_extension( &oid::INHIBIT_ANY_POLICY_OID => { let intval = ext .getattr(pyo3::intern!(py, "skip_certs"))? - .as_borrowed() .downcast::()? .clone(); - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; + let gns = x509::common::encode_general_names(ext.py(), ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -491,24 +488,20 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let gns = x509::common::encode_general_names(ext.py(), &ext.as_borrowed())?; + let gns = x509::common::encode_general_names(ext.py(), ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { - let py_dt = ext - .getattr(pyo3::intern!(py, "invalidity_date"))? - .as_borrowed() - .to_owned(); + let py_dt = ext.getattr(pyo3::intern!(py, "invalidity_date"))?; let dt = x509::py_to_datetime(py, py_dt)?; Ok(Some(asn1::write_single(&asn1::GeneralizedTime::new(dt)?)?)) } &oid::CRL_NUMBER_OID | &oid::DELTA_CRL_INDICATOR_OID => { let intval = ext .getattr(pyo3::intern!(py, "crl_number"))? - .as_borrowed() .downcast::()? .clone(); - let bytes = py_uint_to_big_endian_bytes(ext.py(), intval.as_borrowed().to_owned())?; + let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( &asn1::BigUint::new(bytes).unwrap(), )?)) @@ -526,7 +519,7 @@ pub(crate) fn encode_extension( &oid::MS_CERTIFICATE_TEMPLATE => { let py_template_id = ext.getattr(pyo3::intern!(py, "template_id"))?; let mstpl = extensions::MSCertificateTemplate { - template_id: py_oid_to_oid(py_template_id.as_borrowed().to_owned())?, + template_id: py_oid_to_oid(py_template_id)?, major_version: ext.getattr(pyo3::intern!(py, "major_version"))?.extract()?, minor_version: ext.getattr(pyo3::intern!(py, "minor_version"))?.extract()?, }; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 4c6b00cbeee8..47623a77dd08 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -651,10 +651,7 @@ fn create_ocsp_response( }; // REVOKED let py_revocation_time = py_single_resp.getattr(pyo3::intern!(py, "_revocation_time"))?; - let revocation_time = asn1::GeneralizedTime::new(py_to_datetime( - py, - py_revocation_time.as_borrowed().to_owned(), - )?)?; + let revocation_time = asn1::GeneralizedTime::new(py_to_datetime(py, py_revocation_time)?)?; ocsp_resp::CertStatus::Revoked(ocsp_resp::RevokedInfo { revocation_time, revocation_reason, @@ -667,14 +664,13 @@ fn create_ocsp_response( let py_next_update = py_single_resp.getattr(pyo3::intern!(py, "_next_update"))?; Some(asn1::GeneralizedTime::new(py_to_datetime( py, - py_next_update.as_borrowed().to_owned(), + py_next_update, )?)?) } else { None }; let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; - let this_update = - asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update.as_borrowed().to_owned())?)?; + let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; let responses = vec![SingleResponse { cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 72938687791e..2a8ec2953b74 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -7,7 +7,6 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; use pyo3::prelude::PyAnyMethods; -use pyo3::PyNativeType; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; @@ -150,7 +149,7 @@ pub(crate) fn compute_signature_algorithm<'p>( let py_mgf_alg = rsa_padding .getattr(pyo3::intern!(py, "_mgf"))? .getattr(pyo3::intern!(py, "_algorithm"))?; - let mgf_hash_type = identify_hash_type(py, py_mgf_alg.as_borrowed().to_owned())?; + let mgf_hash_type = identify_hash_type(py, py_mgf_alg)?; let mgf_alg = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: identify_alg_params_for_hash_type(mgf_hash_type)?, @@ -449,7 +448,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, ) -> CryptographyResult> { - let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get(py)?; + let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get_bound(py)?; match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { let pss = opt_pss.as_ref().ok_or_else(|| { @@ -461,7 +460,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( let py_sig_alg_oid = oid_to_py_oid(py, signature_algorithm.oid())?; let hash_alg = sig_oids_to_hash.get_item(py_sig_alg_oid); match hash_alg { - Ok(data) => Ok(data.as_borrowed().to_owned()), + Ok(data) => Ok(data), Err(_) => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", From 0acc56b7d422e59637656accd4c1c843d6470555 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 13:47:15 -0400 Subject: [PATCH 447/868] Introduce a keepalive abstraction (#10764) This effectively emulates what pyo3's old GIL pool was doing, but we'll use it in a far more targetted manner. --- src/rust/Cargo.lock | 5 +++ src/rust/Cargo.toml | 2 ++ src/rust/cryptography-keepalive/Cargo.toml | 10 ++++++ src/rust/cryptography-keepalive/src/lib.rs | 40 ++++++++++++++++++++++ src/rust/src/pkcs7.rs | 18 +++++----- 5 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 src/rust/cryptography-keepalive/Cargo.toml create mode 100644 src/rust/cryptography-keepalive/src/lib.rs diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9a335a8616a0..176a323fe5d7 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -67,6 +67,10 @@ dependencies = [ "pyo3", ] +[[package]] +name = "cryptography-keepalive" +version = "0.1.0" + [[package]] name = "cryptography-key-parsing" version = "0.1.0" @@ -96,6 +100,7 @@ dependencies = [ "asn1", "cfg-if", "cryptography-cffi", + "cryptography-keepalive", "cryptography-key-parsing", "cryptography-openssl", "cryptography-x509", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e8a26cfd53ae..a9229587b1ef 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -13,6 +13,7 @@ cfg-if = "1" pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } +cryptography-keepalive = { path = "cryptography-keepalive" } cryptography-key-parsing = { path = "cryptography-key-parsing" } cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } @@ -37,6 +38,7 @@ overflow-checks = true [workspace] members = [ "cryptography-cffi", + "cryptography-keepalive", "cryptography-key-parsing", "cryptography-openssl", "cryptography-x509", diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml new file mode 100644 index 000000000000..241369773f39 --- /dev/null +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -0,0 +1,10 @@ +[package] +name = "cryptography-keepalive" +version = "0.1.0" +authors = ["The cryptography developers "] +edition = "2021" +publish = false +# This specifies the MSRV +rust-version = "1.65.0" + +[dependencies] diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs new file mode 100644 index 000000000000..a33baba3c4bf --- /dev/null +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -0,0 +1,40 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] + +use std::cell::UnsafeCell; +use std::ops::Deref; + +pub struct KeepAlive { + values: UnsafeCell>, +} + +/// # Safety +/// Implementors of this trait must ensure that the value returned by +/// `deref()` must remain valid, even if `self` is moved. +pub unsafe trait StableDeref: Deref {} +// SAFETY: `Vec`'s data is on the heap, so as long as it's not mutated, the +// slice returned by `deref` remains valid. +unsafe impl StableDeref for Vec {} + +#[allow(clippy::new_without_default)] +impl KeepAlive { + pub fn new() -> Self { + KeepAlive { + values: UnsafeCell::new(vec![]), + } + } + + pub fn add(&self, v: T) -> &T::Target { + // SAFETY: We only ever append to `self.values`, which, when combined + // with the invariants of `StableDeref`, means that the result of + // `deref()` will always be valid for the lifetime of `&self`. + unsafe { + let values = &mut *self.values.get(); + values.push(v); + values.last().unwrap().deref() + } + } +} diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 2daee2a9ca4b..07b8bf01d8af 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -129,15 +129,8 @@ fn sign_and_serialize<'p>( .map(|p| p.raw.borrow_dependent()) .collect::>(); - let mut digests = vec![]; - if !options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { - for (_, _, py_hash_alg, _) in &py_signers { - let digest = - asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?)?; - digests.push(digest); - } - } - for (i, (cert, py_private_key, py_hash_alg, rsa_padding)) in py_signers.iter().enumerate() { + let ka = cryptography_keepalive::KeepAlive::new(); + for (cert, py_private_key, py_hash_alg, rsa_padding) in py_signers.iter() { let (authenticated_attrs, signature) = if options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { ( @@ -166,10 +159,15 @@ fn sign_and_serialize<'p>( }, ]; + let digest = ka.add(asn1::write_single(&x509::ocsp::hash_data( + py, + py_hash_alg, + &data_with_header, + )?)?); authenticated_attrs.push(Attribute { type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(&digests[i]).unwrap(), + asn1::parse_single(digest).unwrap(), ])), }); From 5c559e00f4409f04da1fc4e04c9877fadfa13fee Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 13:56:36 -0400 Subject: [PATCH 448/868] Finish converting all `get()` calls to `get_bound()` (#10802) A follow up commit will rename it back. --- src/rust/src/backend/cipher_registry.rs | 2 +- src/rust/src/backend/utils.rs | 58 ++++++++++++------------- src/rust/src/buf.rs | 2 +- src/rust/src/pkcs7.rs | 14 +++--- src/rust/src/types.rs | 6 +-- src/rust/src/x509/certificate.rs | 23 +++++----- src/rust/src/x509/common.rs | 45 +++++++++++-------- src/rust/src/x509/csr.rs | 4 +- src/rust/src/x509/extensions.rs | 2 +- src/rust/src/x509/ocsp_resp.rs | 9 ++-- src/rust/src/x509/sct.rs | 2 +- src/rust/src/x509/sign.rs | 2 +- 12 files changed, 89 insertions(+), 80 deletions(-) diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index ee95e6539540..0f8dd1d2e9c4 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -265,7 +265,7 @@ fn get_cipher_registry( // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) - || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? + || types::LEGACY_PROVIDER_LOADED.get_bound(py)?.is_truthy()? { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 827f56f688f0..2acd1aa43f9f 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -75,11 +75,11 @@ pub(crate) fn pkey_private_bytes<'p>( } if raw_allowed - && (encoding.is(types::ENCODING_RAW.get(py)?) - || format.is(types::PRIVATE_FORMAT_RAW.get(py)?)) + && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?)) { - if !encoding.is(types::ENCODING_RAW.get(py)?) - || !format.is(types::PRIVATE_FORMAT_RAW.get(py)?) + if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || !format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?) || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( @@ -117,8 +117,8 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(types::PRIVATE_FORMAT_PKCS8.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { pkey.private_key_to_pem_pkcs8()? } else { @@ -128,7 +128,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? } else { @@ -144,7 +144,7 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { + if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get_bound(py)?) { if let Ok(rsa) = pkey.rsa() { if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { @@ -192,7 +192,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = if password.is_empty() { ec.private_key_to_pem()? } else { @@ -202,7 +202,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -218,10 +218,10 @@ pub(crate) fn pkey_private_bytes<'p>( } // OpenSSH + PEM - if openssh_allowed && format.is(types::PRIVATE_FORMAT_OPENSSH.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if openssh_allowed && format.is(&types::PRIVATE_FORMAT_OPENSSH.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { return Ok(types::SERIALIZE_SSH_PRIVATE_KEY - .get(py)? + .get_bound(py)? .call1((key_obj, password, encryption_algorithm))? .extract()?); } @@ -263,11 +263,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if raw_allowed - && (encoding.is(types::ENCODING_RAW.get(py)?) - || format.is(types::PUBLIC_FORMAT_RAW.get(py)?)) + && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?)) { - if !encoding.is(types::ENCODING_RAW.get(py)?) - || !format.is(types::PUBLIC_FORMAT_RAW.get(py)?) + if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) + || !format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -280,11 +280,11 @@ pub(crate) fn pkey_public_bytes<'p>( } // SubjectPublicKeyInfo + PEM/DER - if format.is(types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = pkey.public_key_to_pem()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { let der_bytes = pkey.public_key_to_der()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -296,10 +296,10 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(ec) = pkey.ec_key() { - if encoding.is(types::ENCODING_X962.get(py)?) { - let point_form = if format.is(types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get(py)?) { + if encoding.is(&types::ENCODING_X962.get_bound(py)?) { + let point_form = if format.is(&types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get_bound(py)?) { openssl::ec::PointConversionForm::UNCOMPRESSED - } else if format.is(types::PUBLIC_FORMAT_COMPRESSED_POINT.get(py)?) { + } else if format.is(&types::PUBLIC_FORMAT_COMPRESSED_POINT.get_bound(py)?) { openssl::ec::PointConversionForm::COMPRESSED } else { return Err(CryptographyError::from( @@ -317,11 +317,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(rsa) = pkey.rsa() { - if format.is(types::PUBLIC_FORMAT_PKCS1.get(py)?) { - if encoding.is(types::ENCODING_PEM.get(py)?) { + if format.is(&types::PUBLIC_FORMAT_PKCS1.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(types::ENCODING_DER.get(py)?) { + } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -334,10 +334,10 @@ pub(crate) fn pkey_public_bytes<'p>( } // OpenSSH + OpenSSH - if openssh_allowed && format.is(types::PUBLIC_FORMAT_OPENSSH.get(py)?) { - if encoding.is(types::ENCODING_OPENSSH.get(py)?) { + if openssh_allowed && format.is(&types::PUBLIC_FORMAT_OPENSSH.get_bound(py)?) { + if encoding.is(&types::ENCODING_OPENSSH.get_bound(py)?) { return Ok(types::SERIALIZE_SSH_PUBLIC_KEY - .get(py)? + .get_bound(py)? .call1((key_obj,))? .extract()?); } diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index c480216147ff..e71086da87ea 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -27,7 +27,7 @@ fn _extract_buffer_length<'p>( types::FFI_FROM_BUFFER.get_bound(py)?.call1((pyobj,))? }; let ptrval = types::FFI_CAST - .get(py)? + .get_bound(py)? .call1((pyo3::intern!(py, "uintptr_t"), bufobj.clone()))? .call_method0(pyo3::intern!(py, "__int__"))? .extract::()?; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 07b8bf01d8af..d59f6e5edc80 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -87,9 +87,9 @@ fn sign_and_serialize<'p>( options: &pyo3::Bound<'p, pyo3::types::PyList>, ) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; - let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; + let text_mode = options.contains(types::PKCS7_TEXT.get_bound(py)?)?; let (data_with_header, data_without_header) = - if options.contains(types::PKCS7_BINARY.get(py)?)? { + if options.contains(types::PKCS7_BINARY.get_bound(py)?)? { ( Cow::Borrowed(raw_data.as_bytes()), Cow::Borrowed(raw_data.as_bytes()), @@ -171,7 +171,7 @@ fn sign_and_serialize<'p>( ])), }); - if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { + if !options.contains(types::PKCS7_NO_CAPABILITIES.get_bound(py)?)? { authenticated_attrs.push(Attribute { type_id: PKCS7_SMIME_CAP_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( @@ -227,7 +227,7 @@ fn sign_and_serialize<'p>( } let data_tlv_bytes; - let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get(py)?)? { + let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get_bound(py)?)? { None } else { data_tlv_bytes = asn1::write_single(&data_with_header.deref())?; @@ -241,7 +241,7 @@ fn sign_and_serialize<'p>( _content_type: asn1::DefinedByMarker::marker(), content: pkcs7::Content::Data(content.map(asn1::Explicit::new)), }, - certificates: if options.contains(types::PKCS7_NO_CERTS.get(py)?)? { + certificates: if options.contains(types::PKCS7_NO_CERTS.get_bound(py)?)? { None } else { Some(asn1::SetOfWriter::new(&certs)) @@ -256,14 +256,14 @@ fn sign_and_serialize<'p>( }; let ci_bytes = asn1::write_single(&content_info)?; - if encoding.is(types::ENCODING_SMIME.get(py)?) { + if encoding.is(&types::ENCODING_SMIME.get_bound(py)?) { let mic_algs = digest_algs .iter() .map(|d| OIDS_TO_MIC_NAME[&d.oid()]) .collect::>() .join(","); Ok(types::SMIME_ENCODE - .get(py)? + .get_bound(py)? .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))? .extract()?) } else { diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 6200801be28b..df6102f187a2 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -19,10 +19,6 @@ impl LazyPyImport { } } - pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { - Ok(self.get_bound(py)?.into_gil_ref()) - } - pub fn get_bound<'p>( &'p self, py: pyo3::Python<'p>, @@ -567,7 +563,7 @@ mod tests { let v = LazyPyImport::new("foo", &["bar"]); pyo3::Python::with_gil(|py| { - assert!(v.get(py).is_err()); + assert!(v.get_bound(py).is_err()); }); } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index cd32c4802dd6..ef65139d7229 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -530,13 +530,16 @@ fn parse_user_notice( numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; } types::NOTICE_REFERENCE - .get(py)? + .get_bound(py)? .call1((org, numbers))? .to_object(py) } None => py.None(), }; - Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.to_object(py)) + Ok(types::USER_NOTICE + .get_bound(py)? + .call1((nr, et))? + .to_object(py)) } fn parse_policy_qualifiers<'a>( @@ -588,7 +591,7 @@ fn parse_cp( None => py.None(), }; let pi = types::POLICY_INFORMATION - .get(py)? + .get_bound(py)? .call1((pi_oid, py_pqis))? .to_object(py); certificate_policies.append(pi)?; @@ -637,7 +640,7 @@ fn parse_distribution_point( None => py.None(), }; Ok(types::DISTRIBUTION_POINT - .get(py)? + .get_bound(py)? .call1((full_name, relative_name, reasons, crl_issuer))? .to_object(py)) } @@ -659,7 +662,7 @@ pub(crate) fn parse_distribution_point_reasons( py: pyo3::Python<'_>, reasons: Option<&asn1::BitString<'_>>, ) -> Result { - let reason_bit_mapping = types::REASON_BIT_MAPPING.get(py)?; + let reason_bit_mapping = types::REASON_BIT_MAPPING.get_bound(py)?; Ok(match reasons { Some(bs) => { @@ -679,7 +682,7 @@ pub(crate) fn encode_distribution_point_reasons( py: pyo3::Python<'_>, py_reasons: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; + let reason_flag_mapping = types::CRL_REASON_FLAGS.get_bound(py)?; let mut bits = vec![0, 0]; for py_reason in py_reasons.iter()? { @@ -725,7 +728,7 @@ pub(crate) fn parse_access_descriptions( let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; let ad = types::ACCESS_DESCRIPTION - .get(py)? + .get_bound(py)? .call1((py_oid, gn))? .to_object(py); ads.append(ad)?; @@ -757,7 +760,7 @@ pub fn parse_cert_ext<'p>( )) } oid::TLS_FEATURE_OID => { - let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; + let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get_bound(py)?; let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { @@ -918,8 +921,8 @@ fn create_x509_certificate( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; + let der = types::ENCODING_DER.get_bound(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; let spki_bytes = builder .getattr(pyo3::intern!(py, "_public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index c17208820a0d..2215c2425915 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -59,10 +59,10 @@ pub(crate) fn encode_name_entry<'p>( let tag = attr_type .getattr(pyo3::intern!(py, "value"))? .extract::()?; - let value: &[u8] = if !attr_type.is(types::ASN1_TYPE_BIT_STRING.get(py)?) { - let encoding = if attr_type.is(types::ASN1_TYPE_BMP_STRING.get(py)?) { + let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get_bound(py)?) { + let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get_bound(py)?) { "utf_16_be" - } else if attr_type.is(types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { + } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get_bound(py)?) { "utf_32_be" } else { "utf8" @@ -114,18 +114,18 @@ pub(crate) fn encode_general_name<'a>( let gn_type = gn.get_type(); let gn_value = gn.getattr(pyo3::intern!(py, "value"))?; - if gn_type.is(types::DNS_NAME.get(py)?) { + if gn_type.is(&types::DNS_NAME.get_bound(py)?) { Ok(GeneralName::DNSName(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(types::RFC822_NAME.get(py)?) { + } else if gn_type.is(&types::RFC822_NAME.get_bound(py)?) { Ok(GeneralName::RFC822Name(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(types::DIRECTORY_NAME.get(py)?) { + } else if gn_type.is(&types::DIRECTORY_NAME.get_bound(py)?) { let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) - } else if gn_type.is(types::OTHER_NAME.get(py)?) { + } else if gn_type.is(&types::OTHER_NAME.get_bound(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, @@ -135,16 +135,16 @@ pub(crate) fn encode_general_name<'a>( )) })?, })) - } else if gn_type.is(types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) { + } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get_bound(py)?) { Ok(GeneralName::UniformResourceIdentifier( UnvalidatedIA5String(gn_value.extract::<&str>()?), )) - } else if gn_type.is(types::IP_ADDRESS.get(py)?) { + } else if gn_type.is(&types::IP_ADDRESS.get_bound(py)?) { Ok(GeneralName::IPAddress( gn.call_method0(pyo3::intern!(py, "_packed"))? .extract::<&[u8]>()?, )) - } else if gn_type.is(types::REGISTERED_ID.get(py)?) { + } else if gn_type.is(&types::REGISTERED_ID.get_bound(py)?) { let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) } else { @@ -200,7 +200,7 @@ fn parse_name_attribute( )) })? .to_object(py); - let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; + let py_tag = types::ASN1_TYPE_TO_ENUM.get_bound(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value Some(3) => pyo3::types::PyBytes::new_bound(py, attribute.value.data()).into_any(), @@ -237,7 +237,7 @@ pub(crate) fn parse_rdn<'a>( py_attrs.append(na)?; } Ok(types::RELATIVE_DISTINGUISHED_NAME - .get(py)? + .get_bound(py)? .call1((py_attrs,))? .to_object(py)) } @@ -275,7 +275,7 @@ pub(crate) fn parse_general_name( .to_object(py), GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { - let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; + let addr = types::IPADDRESS_IPADDRESS.get_bound(py)?.call1((data,))?; types::IP_ADDRESS .get_bound(py)? .call1((addr,))? @@ -288,7 +288,10 @@ pub(crate) fn parse_general_name( } GeneralName::RegisteredID(data) => { let oid = oid_to_py_oid(py, &data)?.to_object(py); - types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py) + types::REGISTERED_ID + .get_bound(py)? + .call1((oid,))? + .to_object(py) } _ => { return Err(CryptographyError::from( @@ -331,7 +334,7 @@ fn create_ip_network( ))), }; let base = types::IPADDRESS_IPADDRESS - .get(py)? + .get_bound(py)? .call1((pyo3::types::PyBytes::new_bound(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", @@ -339,8 +342,11 @@ fn create_ip_network( .extract::<&str>()?, prefix? ); - let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; - Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py)) + let addr = types::IPADDRESS_IPNETWORK.get_bound(py)?.call1((net,))?; + Ok(types::IP_ADDRESS + .get_bound(py)? + .call1((addr,))? + .to_object(py)) } fn ipv4_netmask(num: u32) -> Result { @@ -400,7 +406,10 @@ pub(crate) fn parse_and_cache_extensions< ))?; exts.append(ext_obj)?; } - Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) + Ok(types::EXTENSIONS + .get_bound(py)? + .call1((exts,))? + .to_object(py)) }) .map(|p| p.clone_ref(py)) } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 4f6a0d46c045..bedc28607418 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -300,8 +300,8 @@ fn create_x509_csr( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; + let der = types::ENCODING_DER.get_bound(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; let spki_bytes = private_key .call_method0(pyo3::intern!(py, "public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 94eb495bc7a0..152d6e17706d 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -482,7 +482,7 @@ pub(crate) fn encode_extension( } &oid::CRL_REASON_OID => { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get(ext.py())? + .get_bound(ext.py())? .get_item(ext.getattr(pyo3::intern!(py, "reason"))?)? .extract::()?; Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 47623a77dd08..37b5d75d5a74 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -632,9 +632,9 @@ fn create_ocsp_response( .extract()?; let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; - let cert_status = if py_cert_status.is(types::OCSP_CERT_STATUS_GOOD.get(py)?) { + let cert_status = if py_cert_status.is(&types::OCSP_CERT_STATUS_GOOD.get_bound(py)?) { ocsp_resp::CertStatus::Good(()) - } else if py_cert_status.is(types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { + } else if py_cert_status.is(&types::OCSP_CERT_STATUS_UNKNOWN.get_bound(py)?) { ocsp_resp::CertStatus::Unknown(()) } else { let revocation_reason = if !py_single_resp @@ -642,7 +642,7 @@ fn create_ocsp_response( .is_none() { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get(py)? + .get_bound(py)? .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? .extract::()?; Some(asn1::Enumerated::new(value)) @@ -681,7 +681,8 @@ fn create_ocsp_response( }]; borrowed_cert = responder_cert.borrow(); - let responder_id = if responder_encoding.is(types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { + let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get_bound(py)?) + { let sha1 = types::SHA1.get_bound(py)?.call0()?; ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index f531a3738599..cc3680e8e064 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -165,7 +165,7 @@ impl Sct { #[getter] fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { - let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 2a8ec2953b74..2789c508dbc6 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -491,7 +491,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( } let py_mask_gen_hash_alg = hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; - let py_mgf = types::MGF1.get(py)?.call1((py_mask_gen_hash_alg,))?; + let py_mgf = types::MGF1.get_bound(py)?.call1((py_mask_gen_hash_alg,))?; Ok(types::PSS.get_bound(py)?.call1((py_mgf, pss.salt_length))?) } common::AlgorithmParameters::RsaWithSha1(_) From 8d36296920aca5eef31369fba32f19f91b221780 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 15:40:23 -0400 Subject: [PATCH 449/868] Rename `get_bound` back to `get` (#10803) --- src/rust/src/asn1.rs | 4 +- src/rust/src/backend/aead.rs | 12 +-- src/rust/src/backend/cipher_registry.rs | 44 +++++----- src/rust/src/backend/ciphers.rs | 63 +++++++------- src/rust/src/backend/cmac.rs | 4 +- src/rust/src/backend/dh.rs | 6 +- src/rust/src/backend/ec.rs | 14 ++-- src/rust/src/backend/hashes.rs | 4 +- src/rust/src/backend/rsa.rs | 26 +++--- src/rust/src/backend/utils.rs | 86 +++++++++---------- src/rust/src/buf.rs | 6 +- src/rust/src/oid.rs | 2 +- src/rust/src/pkcs12.rs | 8 +- src/rust/src/pkcs7.rs | 18 ++-- src/rust/src/types.rs | 7 +- src/rust/src/x509/certificate.rs | 105 ++++++++++-------------- src/rust/src/x509/common.rs | 89 +++++++++----------- src/rust/src/x509/crl.rs | 54 +++++------- src/rust/src/x509/csr.rs | 12 ++- src/rust/src/x509/extensions.rs | 2 +- src/rust/src/x509/ocsp_req.rs | 11 +-- src/rust/src/x509/ocsp_resp.rs | 28 +++---- src/rust/src/x509/sct.rs | 14 ++-- src/rust/src/x509/sign.rs | 51 ++++++------ src/rust/src/x509/verify.rs | 4 +- 25 files changed, 304 insertions(+), 370 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 35de6049382a..ba3eba7e235c 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -99,9 +99,9 @@ pub(crate) fn encode_der_data<'p>( data: Vec, encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + if encoding.is(&types::ENCODING_DER.get(py)?) { Ok(pyo3::types::PyBytes::new_bound(py, &data)) - } else if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_PEM.get(py)?) { Ok(pyo3::types::PyBytes::new_bound( py, &pem::encode_config( diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 16ea74f20030..e9dbcab652bd 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -533,7 +533,7 @@ impl ChaCha20Poly1305 { #[staticmethod] fn generate_key(py: pyo3::Python<'_>) -> CryptographyResult> { - Ok(types::OS_URANDOM.get_bound(py)?.call1((32,))?) + Ok(types::OS_URANDOM.get(py)?.call1((32,))?) } fn encrypt<'p>( @@ -648,7 +648,7 @@ impl AesGcm { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( @@ -759,7 +759,7 @@ impl AesCcm { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } fn encrypt<'p>( @@ -892,7 +892,7 @@ impl AesSiv { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (data, associated_data))] @@ -989,7 +989,7 @@ impl AesOcb3 { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] @@ -1098,7 +1098,7 @@ impl AesGcmSiv { )); } - Ok(types::OS_URANDOM.get_bound(py)?.call1((bit_length / 8,))?) + Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } #[pyo3(signature = (nonce, data, associated_data))] diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 0f8dd1d2e9c4..40ae826014b4 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -119,38 +119,38 @@ fn get_cipher_registry( REGISTRY.get_or_try_init(py, || { let mut m = RegistryBuilder::new(py); - let aes = types::AES.get_bound(py)?; - let aes128 = types::AES128.get_bound(py)?; - let aes256 = types::AES256.get_bound(py)?; - let triple_des = types::TRIPLE_DES.get_bound(py)?; + let aes = types::AES.get(py)?; + let aes128 = types::AES128.get(py)?; + let aes256 = types::AES256.get(py)?; + let triple_des = types::TRIPLE_DES.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] - let camellia = types::CAMELLIA.get_bound(py)?; + let camellia = types::CAMELLIA.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] - let blowfish = types::BLOWFISH.get_bound(py)?; + let blowfish = types::BLOWFISH.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] - let cast5 = types::CAST5.get_bound(py)?; + let cast5 = types::CAST5.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_IDEA"))] - let idea = types::IDEA.get_bound(py)?; + let idea = types::IDEA.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] - let sm4 = types::SM4.get_bound(py)?; + let sm4 = types::SM4.get(py)?; #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] - let seed = types::SEED.get_bound(py)?; - let arc4 = types::ARC4.get_bound(py)?; + let seed = types::SEED.get(py)?; + let arc4 = types::ARC4.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let chacha20 = types::CHACHA20.get_bound(py)?; - let rc2 = types::RC2.get_bound(py)?; + let chacha20 = types::CHACHA20.get(py)?; + let rc2 = types::RC2.get(py)?; - let cbc = types::CBC.get_bound(py)?; + let cbc = types::CBC.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb = types::CFB.get_bound(py)?; + let cfb = types::CFB.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let cfb8 = types::CFB8.get_bound(py)?; - let ofb = types::OFB.get_bound(py)?; - let ecb = types::ECB.get_bound(py)?; - let ctr = types::CTR.get_bound(py)?; - let gcm = types::GCM.get_bound(py)?; + let cfb8 = types::CFB8.get(py)?; + let ofb = types::OFB.get(py)?; + let ecb = types::ECB.get(py)?; + let ctr = types::CTR.get(py)?; + let gcm = types::GCM.get(py)?; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] - let xts = types::XTS.get_bound(py)?; + let xts = types::XTS.get(py)?; let none = py.None(); let none_type = none.bind(py).get_type(); @@ -265,7 +265,7 @@ fn get_cipher_registry( // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) - || types::LEGACY_PROVIDER_LOADED.get_bound(py)?.is_truthy()? + || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 5677e0fbba3d..9fe9550b34c9 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -43,31 +43,30 @@ impl CipherContext { } }; - let iv_nonce = - if mode.is_instance(&types::MODE_WITH_INITIALIZATION_VECTOR.get_bound(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "initialization_vector"))? - .extract::>()?, - ) - } else if mode.is_instance(&types::MODE_WITH_TWEAK.get_bound(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "tweak"))? - .extract::>()?, - ) - } else if mode.is_instance(&types::MODE_WITH_NONCE.get_bound(py)?)? { - Some( - mode.getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else if algorithm.is_instance(&types::CHACHA20.get_bound(py)?)? { - Some( - algorithm - .getattr(pyo3::intern!(py, "nonce"))? - .extract::>()?, - ) - } else { - None - }; + let iv_nonce = if mode.is_instance(&types::MODE_WITH_INITIALIZATION_VECTOR.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "initialization_vector"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_TWEAK.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "tweak"))? + .extract::>()?, + ) + } else if mode.is_instance(&types::MODE_WITH_NONCE.get(py)?)? { + Some( + mode.getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else if algorithm.is_instance(&types::CHACHA20.get(py)?)? { + Some( + algorithm + .getattr(pyo3::intern!(py, "nonce"))? + .extract::>()?, + ) + } else { + None + }; let key = algorithm .getattr(pyo3::intern!(py, "key"))? @@ -88,7 +87,7 @@ impl CipherContext { } } - if mode.is_instance(&types::XTS.get_bound(py)?)? { + if mode.is_instance(&types::XTS.get(py)?)? { init_op( &mut ctx, None, @@ -146,11 +145,7 @@ impl CipherContext { for chunk in buf.chunks(1 << 29) { // SAFETY: We ensure that outbuf is sufficiently large above. unsafe { - let n = if self - .py_mode - .bind(py) - .is_instance(&types::XTS.get_bound(py)?)? - { + let n = if self.py_mode.bind(py).is_instance(&types::XTS.get(py)?)? { self.ctx.cipher_update_unchecked(chunk, Some(&mut out_buf[total_written..])).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "In XTS mode you must supply at least a full block in the first update call. For AES this is 16 bytes." @@ -182,7 +177,7 @@ impl CipherContext { && self .py_mode .bind(py) - .is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? + .is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { return Err(CryptographyError::from(exceptions::InvalidTag::new_err(()))); } @@ -483,7 +478,7 @@ fn create_encryption_ctx( ) -> CryptographyResult { let ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Encrypt)?; - if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { Ok(PyAEADEncryptionContext { ctx: Some(ctx), tag: None, @@ -509,7 +504,7 @@ fn create_decryption_ctx( ) -> CryptographyResult { let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?; - if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get_bound(py)?)? { + if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? { if let Some(tag) = mode .getattr(pyo3::intern!(py, "tag"))? .extract::>()? diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 599a1ee4bf27..0d9d9ec0fdf4 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -43,7 +43,7 @@ impl Cmac { ) -> CryptographyResult { let _ = backend; - if !algorithm.is_instance(&types::BLOCK_CIPHER_ALGORITHM.get_bound(py)?)? { + if !algorithm.is_instance(&types::BLOCK_CIPHER_ALGORITHM.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of BlockCipherAlgorithm.", @@ -51,7 +51,7 @@ impl Cmac { )); } - let cipher = cipher_registry::get_cipher(py, algorithm.clone(), types::CBC.get_bound(py)?)? + let cipher = cipher_registry::get_cipher(py, algorithm.clone(), types::CBC.get(py)?)? .ok_or_else(|| { exceptions::UnsupportedAlgorithm::new_err(( "CMAC is not supported with this algorithm", diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 70a57d50b57b..008f0674a07b 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -229,7 +229,7 @@ impl DHPrivateKey { format: &pyo3::Bound<'p, pyo3::PyAny>, encryption_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { + if !format.is(&types::PRIVATE_FORMAT_PKCS8.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH private keys support only PKCS8 serialization", @@ -263,7 +263,7 @@ impl DHPublicKey { encoding: &pyo3::Bound<'p, pyo3::PyAny>, format: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { + if !format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "DH public keys support only SubjectPublicKeyInfo serialization", @@ -345,7 +345,7 @@ impl DHParameters { encoding: pyo3::Bound<'p, pyo3::PyAny>, format: pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !format.is(&types::PARAMETER_FORMAT_PKCS3.get_bound(py)?) { + if !format.is(&types::PARAMETER_FORMAT_PKCS3.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"), )); diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 41cd8e057d88..ccba52857621 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -32,9 +32,9 @@ fn curve_from_py_curve( py_curve: pyo3::Bound<'_, pyo3::PyAny>, allow_curve_class: bool, ) -> CryptographyResult { - if !py_curve.is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)? { + if !py_curve.is_instance(&types::ELLIPTIC_CURVE.get(py)?)? { if allow_curve_class { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; let warning_msg = "Curve argument must be an instance of an EllipticCurve class. Did you pass a class by mistake? This will be an exception in a future version of cryptography."; pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; } else { @@ -102,7 +102,7 @@ fn py_curve_from_curve<'p>( let name = curve.curve_name().unwrap().short_name()?; types::CURVE_TYPES - .get_bound(py)? + .get(py)? .extract::>()? .get_item(name)? .ok_or_else(|| { @@ -231,7 +231,7 @@ impl ECPrivateKey { algorithm: pyo3::Bound<'_, pyo3::PyAny>, peer_public_key: &ECPublicKey, ) -> CryptographyResult> { - if !algorithm.is_instance(&types::ECDH.get_bound(py)?)? { + if !algorithm.is_instance(&types::ECDH.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported EC exchange algorithm", @@ -270,7 +270,7 @@ impl ECPrivateKey { data: CffiBuf<'_>, signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? { + if !signature_algorithm.is_instance(&types::ECDSA.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -391,7 +391,7 @@ impl ECPublicKey { data: CffiBuf<'_>, signature_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - if !signature_algorithm.is_instance(&types::ECDSA.get_bound(py)?)? { + if !signature_algorithm.is_instance(&types::ECDSA.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "Unsupported elliptic curve signature algorithm", @@ -588,7 +588,7 @@ impl EllipticCurvePublicNumbers { ) -> CryptographyResult { if !curve .bind(py) - .is_instance(&types::ELLIPTIC_CURVE.get_bound(py)?)? + .is_instance(&types::ELLIPTIC_CURVE.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index ac989024e849..bc2c42016de3 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -43,7 +43,7 @@ pub(crate) fn message_digest_from_algorithm( py: pyo3::Python<'_>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { - if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { + if !algorithm.is_instance(&types::HASH_ALGORITHM.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err("Expected instance of hashes.HashAlgorithm."), )); @@ -111,7 +111,7 @@ impl Hash { { let algorithm = self.algorithm.clone_ref(py); let algorithm = algorithm.bind(py); - if algorithm.is_instance(&types::EXTENDABLE_OUTPUT_FUNCTION.get_bound(py)?)? { + if algorithm.is_instance(&types::EXTENDABLE_OUTPUT_FUNCTION.get(py)?)? { let ctx = self.get_mut_ctx()?; let digest_size = algorithm .getattr(pyo3::intern!(py, "digest_size"))? diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index c1af3879eb98..0cff56d1efba 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -82,7 +82,7 @@ fn setup_encryption_ctx( ctx: &mut openssl::pkey_ctx::PkeyCtx, padding: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult<()> { - if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", @@ -90,12 +90,12 @@ fn setup_encryption_ctx( )); } - let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(&types::OAEP.get_bound(py)?)? { + } else if padding.is_instance(&types::OAEP.get(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(&types::MGF1.get_bound(py)?)? + .is_instance(&types::MGF1.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -165,7 +165,7 @@ fn setup_signature_ctx( key_size: usize, is_signing: bool, ) -> CryptographyResult<()> { - if !padding.is_instance(&types::ASYMMETRIC_PADDING.get_bound(py)?)? { + if !padding.is_instance(&types::ASYMMETRIC_PADDING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Padding must be an instance of AsymmetricPadding.", @@ -173,12 +173,12 @@ fn setup_signature_ctx( )); } - let padding_enum = if padding.is_instance(&types::PKCS1V15.get_bound(py)?)? { + let padding_enum = if padding.is_instance(&types::PKCS1V15.get(py)?)? { openssl::rsa::Padding::PKCS1 - } else if padding.is_instance(&types::PSS.get_bound(py)?)? { + } else if padding.is_instance(&types::PSS.get(py)?)? { if !padding .getattr(pyo3::intern!(py, "_mgf"))? - .is_instance(&types::MGF1.get_bound(py)?)? + .is_instance(&types::MGF1.get(py)?)? { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( @@ -189,7 +189,7 @@ fn setup_signature_ctx( } // PSS padding requires a hash algorithm - if !algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { + if !algorithm.is_instance(&types::HASH_ALGORITHM.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Expected instance of hashes.HashAlgorithm.", @@ -250,11 +250,11 @@ fn setup_signature_ctx( if padding_enum == openssl::rsa::Padding::PKCS1_PSS { let salt = padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if salt.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { + if salt.is_instance(&types::PADDING_MAX_LENGTH.get(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::MAXIMUM_LENGTH)?; - } else if salt.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { + } else if salt.is_instance(&types::PADDING_DIGEST_LENGTH.get(py)?)? { ctx.set_rsa_pss_saltlen(openssl::sign::RsaPssSaltlen::DIGEST_LENGTH)?; - } else if salt.is_instance(&types::PADDING_AUTO.get_bound(py)?)? { + } else if salt.is_instance(&types::PADDING_AUTO.get(py)?)? { if is_signing { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -472,7 +472,7 @@ impl RsaPublicKey { padding: &pyo3::Bound<'_, pyo3::PyAny>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? { + if algorithm.is_instance(&types::PREHASHED.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Prehashed is only supported in the sign and verify methods. It cannot be used with recover_data_from_signature.", diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 2acd1aa43f9f..a583a71f196d 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -52,21 +52,21 @@ pub(crate) fn pkey_private_bytes<'p>( openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult> { - if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? { + if !encoding.is_instance(&types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(&types::PRIVATE_FORMAT.get_bound(py)?)? { + if !format.is_instance(&types::PRIVATE_FORMAT.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PrivateFormat enum", ), )); } - if !encryption_algorithm.is_instance(&types::KEY_SERIALIZATION_ENCRYPTION.get_bound(py)?)? { + if !encryption_algorithm.is_instance(&types::KEY_SERIALIZATION_ENCRYPTION.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "Encryption algorithm must be a KeySerializationEncryption instance", @@ -75,12 +75,12 @@ pub(crate) fn pkey_private_bytes<'p>( } if raw_allowed - && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?)) + && (encoding.is(&types::ENCODING_RAW.get(py)?) + || format.is(&types::PRIVATE_FORMAT_RAW.get(py)?)) { - if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || !format.is(&types::PRIVATE_FORMAT_RAW.get_bound(py)?) - || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? + if !encoding.is(&types::ENCODING_RAW.get(py)?) + || !format.is(&types::PRIVATE_FORMAT_RAW.get(py)?) + || !encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( "When using Raw both encoding and format must be Raw and encryption_algorithm must be NoEncryption()" @@ -91,10 +91,10 @@ pub(crate) fn pkey_private_bytes<'p>( } let py_password; - let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get_bound(py)?)? { + let password = if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { b"" as &[u8] - } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get_bound(py)?)? - || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get_bound(py)?)? + } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)? + || (encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get(py)?)? && encryption_algorithm .getattr(pyo3::intern!(py, "_format"))? .is(format)) @@ -117,8 +117,8 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(&types::PRIVATE_FORMAT_PKCS8.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if format.is(&types::PRIVATE_FORMAT_PKCS8.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { pkey.private_key_to_pem_pkcs8()? } else { @@ -128,7 +128,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = if password.is_empty() { pkey.private_key_to_pkcs8()? } else { @@ -144,9 +144,9 @@ pub(crate) fn pkey_private_bytes<'p>( )); } - if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get_bound(py)?) { + if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { if let Ok(rsa) = pkey.rsa() { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { rsa.private_key_to_pem()? } else { @@ -156,7 +156,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -169,7 +169,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(dsa) = pkey.dsa() { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { dsa.private_key_to_pem()? } else { @@ -179,7 +179,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -192,7 +192,7 @@ pub(crate) fn pkey_private_bytes<'p>( return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } } else if let Ok(ec) = pkey.ec_key() { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { ec.private_key_to_pem()? } else { @@ -202,7 +202,7 @@ pub(crate) fn pkey_private_bytes<'p>( )? }; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { if !password.is_empty() { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -218,10 +218,10 @@ pub(crate) fn pkey_private_bytes<'p>( } // OpenSSH + PEM - if openssh_allowed && format.is(&types::PRIVATE_FORMAT_OPENSSH.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if openssh_allowed && format.is(&types::PRIVATE_FORMAT_OPENSSH.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { return Ok(types::SERIALIZE_SSH_PRIVATE_KEY - .get_bound(py)? + .get(py)? .call1((key_obj, password, encryption_algorithm))? .extract()?); } @@ -247,14 +247,14 @@ pub(crate) fn pkey_public_bytes<'p>( openssh_allowed: bool, raw_allowed: bool, ) -> CryptographyResult> { - if !encoding.is_instance(&types::ENCODING.get_bound(py)?)? { + if !encoding.is_instance(&types::ENCODING.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "encoding must be an item from the Encoding enum", ), )); } - if !format.is_instance(&types::PUBLIC_FORMAT.get_bound(py)?)? { + if !format.is_instance(&types::PUBLIC_FORMAT.get(py)?)? { return Err(CryptographyError::from( pyo3::exceptions::PyTypeError::new_err( "format must be an item from the PublicFormat enum", @@ -263,11 +263,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if raw_allowed - && (encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?)) + && (encoding.is(&types::ENCODING_RAW.get(py)?) + || format.is(&types::PUBLIC_FORMAT_RAW.get(py)?)) { - if !encoding.is(&types::ENCODING_RAW.get_bound(py)?) - || !format.is(&types::PUBLIC_FORMAT_RAW.get_bound(py)?) + if !encoding.is(&types::ENCODING_RAW.get(py)?) + || !format.is(&types::PUBLIC_FORMAT_RAW.get(py)?) { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( @@ -280,11 +280,11 @@ pub(crate) fn pkey_public_bytes<'p>( } // SubjectPublicKeyInfo + PEM/DER - if format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if format.is(&types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = pkey.public_key_to_pem()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = pkey.public_key_to_der()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -296,10 +296,10 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(ec) = pkey.ec_key() { - if encoding.is(&types::ENCODING_X962.get_bound(py)?) { - let point_form = if format.is(&types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get_bound(py)?) { + if encoding.is(&types::ENCODING_X962.get(py)?) { + let point_form = if format.is(&types::PUBLIC_FORMAT_UNCOMPRESSED_POINT.get(py)?) { openssl::ec::PointConversionForm::UNCOMPRESSED - } else if format.is(&types::PUBLIC_FORMAT_COMPRESSED_POINT.get_bound(py)?) { + } else if format.is(&types::PUBLIC_FORMAT_COMPRESSED_POINT.get(py)?) { openssl::ec::PointConversionForm::COMPRESSED } else { return Err(CryptographyError::from( @@ -317,11 +317,11 @@ pub(crate) fn pkey_public_bytes<'p>( } if let Ok(rsa) = pkey.rsa() { - if format.is(&types::PUBLIC_FORMAT_PKCS1.get_bound(py)?) { - if encoding.is(&types::ENCODING_PEM.get_bound(py)?) { + if format.is(&types::PUBLIC_FORMAT_PKCS1.get(py)?) { + if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = rsa.public_key_to_pem_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &pem_bytes)); - } else if encoding.is(&types::ENCODING_DER.get_bound(py)?) { + } else if encoding.is(&types::ENCODING_DER.get(py)?) { let der_bytes = rsa.public_key_to_der_pkcs1()?; return Ok(pyo3::types::PyBytes::new_bound(py, &der_bytes)); } @@ -334,10 +334,10 @@ pub(crate) fn pkey_public_bytes<'p>( } // OpenSSH + OpenSSH - if openssh_allowed && format.is(&types::PUBLIC_FORMAT_OPENSSH.get_bound(py)?) { - if encoding.is(&types::ENCODING_OPENSSH.get_bound(py)?) { + if openssh_allowed && format.is(&types::PUBLIC_FORMAT_OPENSSH.get(py)?) { + if encoding.is(&types::ENCODING_OPENSSH.get(py)?) { return Ok(types::SERIALIZE_SSH_PUBLIC_KEY - .get_bound(py)? + .get(py)? .call1((key_obj,))? .extract()?); } @@ -360,7 +360,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult<(&'p [u8], pyo3::Bound<'p, pyo3::PyAny>)> { let mut algorithm_result = algorithm.clone(); - if algorithm.is_instance(&types::PREHASHED.get_bound(py)?)? { + if algorithm.is_instance(&types::PREHASHED.get(py)?)? { algorithm_result = algorithm.getattr("_algorithm")?; } else { // Potential optimization: rather than allocate a PyBytes in diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index e71086da87ea..e07793257496 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -21,13 +21,13 @@ fn _extract_buffer_length<'p>( let bufobj = if mutable { let kwargs = [(pyo3::intern!(py, "require_writable"), true)].into_py_dict_bound(py); types::FFI_FROM_BUFFER - .get_bound(py)? + .get(py)? .call((pyobj,), Some(&kwargs))? } else { - types::FFI_FROM_BUFFER.get_bound(py)?.call1((pyobj,))? + types::FFI_FROM_BUFFER.get(py)?.call1((pyobj,))? }; let ptrval = types::FFI_CAST - .get_bound(py)? + .get(py)? .call1((pyo3::intern!(py, "uintptr_t"), bufobj.clone()))? .call_method0(pyo3::intern!(py, "__int__"))? .extract::()?; diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 5735ef0ce704..075b7fb9adbe 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -33,7 +33,7 @@ impl ObjectIdentifier { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { types::OID_NAMES - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "get"), (slf, "Unknown OID")) } diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 3fc765017710..225b929864e4 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -305,11 +305,9 @@ fn load_pkcs12<'p>( } } - Ok(types::PKCS12KEYANDCERTIFICATES.get_bound(py)?.call1(( - private_key, - cert, - additional_certs, - ))?) + Ok(types::PKCS12KEYANDCERTIFICATES + .get(py)? + .call1((private_key, cert, additional_certs))?) } pub(crate) fn create_submodule( diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index d59f6e5edc80..8442587b407f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -87,9 +87,9 @@ fn sign_and_serialize<'p>( options: &pyo3::Bound<'p, pyo3::types::PyList>, ) -> CryptographyResult> { let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; - let text_mode = options.contains(types::PKCS7_TEXT.get_bound(py)?)?; + let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; let (data_with_header, data_without_header) = - if options.contains(types::PKCS7_BINARY.get_bound(py)?)? { + if options.contains(types::PKCS7_BINARY.get(py)?)? { ( Cow::Borrowed(raw_data.as_bytes()), Cow::Borrowed(raw_data.as_bytes()), @@ -132,7 +132,7 @@ fn sign_and_serialize<'p>( let ka = cryptography_keepalive::KeepAlive::new(); for (cert, py_private_key, py_hash_alg, rsa_padding) in py_signers.iter() { let (authenticated_attrs, signature) = - if options.contains(&types::PKCS7_NO_ATTRIBUTES.get_bound(py)?)? { + if options.contains(&types::PKCS7_NO_ATTRIBUTES.get(py)?)? { ( None, x509::sign::sign_data( @@ -171,7 +171,7 @@ fn sign_and_serialize<'p>( ])), }); - if !options.contains(types::PKCS7_NO_CAPABILITIES.get_bound(py)?)? { + if !options.contains(types::PKCS7_NO_CAPABILITIES.get(py)?)? { authenticated_attrs.push(Attribute { type_id: PKCS7_SMIME_CAP_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new( @@ -227,7 +227,7 @@ fn sign_and_serialize<'p>( } let data_tlv_bytes; - let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get_bound(py)?)? { + let content = if options.contains(types::PKCS7_DETACHED_SIGNATURE.get(py)?)? { None } else { data_tlv_bytes = asn1::write_single(&data_with_header.deref())?; @@ -241,7 +241,7 @@ fn sign_and_serialize<'p>( _content_type: asn1::DefinedByMarker::marker(), content: pkcs7::Content::Data(content.map(asn1::Explicit::new)), }, - certificates: if options.contains(types::PKCS7_NO_CERTS.get_bound(py)?)? { + certificates: if options.contains(types::PKCS7_NO_CERTS.get(py)?)? { None } else { Some(asn1::SetOfWriter::new(&certs)) @@ -256,14 +256,14 @@ fn sign_and_serialize<'p>( }; let ci_bytes = asn1::write_single(&content_info)?; - if encoding.is(&types::ENCODING_SMIME.get_bound(py)?) { + if encoding.is(&types::ENCODING_SMIME.get(py)?) { let mic_algs = digest_algs .iter() .map(|d| OIDS_TO_MIC_NAME[&d.oid()]) .collect::>() .join(","); Ok(types::SMIME_ENCODE - .get_bound(py)? + .get(py)? .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))? .extract()?) } else { @@ -279,7 +279,7 @@ fn compute_pkcs7_signature_algorithm<'p>( rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { let key_type = x509::sign::identify_key_type(py, private_key.clone())?; - let has_pss_padding = rsa_padding.is_instance(&types::PSS.get_bound(py)?)?; + let has_pss_padding = rsa_padding.is_instance(&types::PSS.get(py)?)?; // For RSA signatures (with no PSS padding), the OID is always the same no matter the // digest algorithm. See RFC 3370 (section 3.2). if key_type == x509::sign::KeyType::Rsa && !has_pss_padding { diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index df6102f187a2..d60c50ea6960 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -19,10 +19,7 @@ impl LazyPyImport { } } - pub fn get_bound<'p>( - &'p self, - py: pyo3::Python<'p>, - ) -> pyo3::PyResult> { + pub fn get<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult> { let p = self.value.get_or_try_init(py, || { let mut obj = py.import_bound(self.module)?.into_any(); for name in self.names { @@ -563,7 +560,7 @@ mod tests { let v = LazyPyImport::new("foo", &["bar"]); pyo3::Python::with_gil(|py| { - assert!(v.get_bound(py).is_err()); + assert!(v.get(py).is_err()); }); } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index ef65139d7229..30be711a7760 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -200,7 +200,7 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -237,7 +237,7 @@ impl Certificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -305,14 +305,14 @@ impl Certificate { |ext| match ext.extn_id { oid::PRECERT_POISON_OID => { ext.value::<()>()?; - Ok(Some(types::PRECERT_POISON.get_bound(py)?.call0()?)) + Ok(Some(types::PRECERT_POISON.get(py)?.call0()?)) } oid::PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS_OID => { let contents = ext.value::<&[u8]>()?; let scts = sct::parse_scts(py, contents, sct::LogEntryType::PreCertificate)?; Ok(Some( types::PRECERTIFICATE_SIGNED_CERTIFICATE_TIMESTAMPS - .get_bound(py)? + .get(py)? .call1((scts,))?, )) } @@ -353,8 +353,8 @@ fn cert_version( version: u8, ) -> Result, CryptographyError> { match version { - 0 => Ok(types::CERTIFICATE_VERSION_V1.get_bound(py)?), - 2 => Ok(types::CERTIFICATE_VERSION_V3.get_bound(py)?), + 0 => Ok(types::CERTIFICATE_VERSION_V1.get(py)?), + 2 => Ok(types::CERTIFICATE_VERSION_V3.get(py)?), _ => Err(CryptographyError::from( exceptions::InvalidVersion::new_err(( format!("{version} is not a valid X509 version"), @@ -441,7 +441,7 @@ pub(crate) fn load_der_x509_certificate( fn warn_if_negative_serial(py: pyo3::Python<'_>, bytes: &'_ [u8]) -> pyo3::PyResult<()> { if bytes[0] & 0x80 != 0 { - let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_36.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -465,7 +465,7 @@ fn warn_if_invalid_params( | AlgorithmParameters::DsaWithSha256(Some(..)) | AlgorithmParameters::DsaWithSha384(Some(..)) | AlgorithmParameters::DsaWithSha512(Some(..)) => { - let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_41.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -491,7 +491,7 @@ fn parse_display_text( } DisplayText::VisibleString(o) => { if asn1::VisibleString::new(o.as_str()).is_none() { - let warning_cls = types::DEPRECATED_IN_41.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_41.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -530,16 +530,13 @@ fn parse_user_notice( numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; } types::NOTICE_REFERENCE - .get_bound(py)? + .get(py)? .call1((org, numbers))? .to_object(py) } None => py.None(), }; - Ok(types::USER_NOTICE - .get_bound(py)? - .call1((nr, et))? - .to_object(py)) + Ok(types::USER_NOTICE.get(py)?.call1((nr, et))?.to_object(py)) } fn parse_policy_qualifiers<'a>( @@ -591,7 +588,7 @@ fn parse_cp( None => py.None(), }; let pi = types::POLICY_INFORMATION - .get_bound(py)? + .get(py)? .call1((pi_oid, py_pqis))? .to_object(py); certificate_policies.append(pi)?; @@ -640,7 +637,7 @@ fn parse_distribution_point( None => py.None(), }; Ok(types::DISTRIBUTION_POINT - .get_bound(py)? + .get(py)? .call1((full_name, relative_name, reasons, crl_issuer))? .to_object(py)) } @@ -662,7 +659,7 @@ pub(crate) fn parse_distribution_point_reasons( py: pyo3::Python<'_>, reasons: Option<&asn1::BitString<'_>>, ) -> Result { - let reason_bit_mapping = types::REASON_BIT_MAPPING.get_bound(py)?; + let reason_bit_mapping = types::REASON_BIT_MAPPING.get(py)?; Ok(match reasons { Some(bs) => { @@ -682,7 +679,7 @@ pub(crate) fn encode_distribution_point_reasons( py: pyo3::Python<'_>, py_reasons: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - let reason_flag_mapping = types::CRL_REASON_FLAGS.get_bound(py)?; + let reason_flag_mapping = types::CRL_REASON_FLAGS.get(py)?; let mut bits = vec![0, 0]; for py_reason in py_reasons.iter()? { @@ -711,11 +708,9 @@ pub(crate) fn parse_authority_key_identifier<'p>( Some(aci) => x509::parse_general_names(py, aci.unwrap_read())?, None => py.None(), }; - Ok(types::AUTHORITY_KEY_IDENTIFIER.get_bound(py)?.call1(( - aki.key_identifier, - issuer, - serial, - ))?) + Ok(types::AUTHORITY_KEY_IDENTIFIER + .get(py)? + .call1((aki.key_identifier, issuer, serial))?) } pub(crate) fn parse_access_descriptions( @@ -728,7 +723,7 @@ pub(crate) fn parse_access_descriptions( let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; let ad = types::ACCESS_DESCRIPTION - .get_bound(py)? + .get(py)? .call1((py_oid, gn))? .to_object(py); ads.append(ad)?; @@ -745,35 +740,31 @@ pub fn parse_cert_ext<'p>( let gn_seq = ext.value::>()?; let sans = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::SUBJECT_ALTERNATIVE_NAME - .get_bound(py)? - .call1((sans,))?, + types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?, )) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME - .get_bound(py)? - .call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, )) } oid::TLS_FEATURE_OID => { - let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get_bound(py)?; + let tls_feature_type_to_enum = types::TLS_FEATURE_TYPE_TO_ENUM.get(py)?; let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; features.append(py_feature)?; } - Ok(Some(types::TLS_FEATURE.get_bound(py)?.call1((features,))?)) + Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?)) } oid::SUBJECT_KEY_IDENTIFIER_OID => { let identifier = ext.value::<&[u8]>()?; Ok(Some( types::SUBJECT_KEY_IDENTIFIER - .get_bound(py)? + .get(py)? .call1((identifier,))?, )) } @@ -783,14 +774,12 @@ pub fn parse_cert_ext<'p>( let oid_obj = oid_to_py_oid(py, &oid)?; ekus.append(oid_obj)?; } - Ok(Some( - types::EXTENDED_KEY_USAGE.get_bound(py)?.call1((ekus,))?, - )) + Ok(Some(types::EXTENDED_KEY_USAGE.get(py)?.call1((ekus,))?)) } oid::KEY_USAGE_OID => { let kus = ext.value::>()?; - Ok(Some(types::KEY_USAGE.get_bound(py)?.call1(( + Ok(Some(types::KEY_USAGE.get(py)?.call1(( kus.digital_signature(), kus.content_comitment(), kus.key_encipherment(), @@ -805,61 +794,51 @@ pub fn parse_cert_ext<'p>( oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS - .get_bound(py)? - .call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::SUBJECT_INFORMATION_ACCESS_OID => { let ads = parse_access_descriptions(py, ext)?; Ok(Some( - types::SUBJECT_INFORMATION_ACCESS - .get_bound(py)? - .call1((ads,))?, + types::SUBJECT_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::CERTIFICATE_POLICIES_OID => { let cp = parse_cp(py, ext)?; - Ok(Some( - types::CERTIFICATE_POLICIES.get_bound(py)?.call1((cp,))?, - )) + Ok(Some(types::CERTIFICATE_POLICIES.get(py)?.call1((cp,))?)) } oid::POLICY_CONSTRAINTS_OID => { let pc = ext.value::()?; - Ok(Some(types::POLICY_CONSTRAINTS.get_bound(py)?.call1(( + Ok(Some(types::POLICY_CONSTRAINTS.get(py)?.call1(( pc.require_explicit_policy, pc.inhibit_policy_mapping, ))?)) } oid::OCSP_NO_CHECK_OID => { ext.value::<()>()?; - Ok(Some(types::OCSP_NO_CHECK.get_bound(py)?.call0()?)) + Ok(Some(types::OCSP_NO_CHECK.get(py)?.call0()?)) } oid::INHIBIT_ANY_POLICY_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some( - types::INHIBIT_ANY_POLICY.get_bound(py)?.call1((pynum,))?, - )) + Ok(Some(types::INHIBIT_ANY_POLICY.get(py)?.call1((pynum,))?)) } oid::BASIC_CONSTRAINTS_OID => { let bc = ext.value::()?; Ok(Some( types::BASIC_CONSTRAINTS - .get_bound(py)? + .get(py)? .call1((bc.ca, bc.path_length))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => Ok(Some(parse_authority_key_identifier(py, ext)?)), oid::CRL_DISTRIBUTION_POINTS_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some( - types::CRL_DISTRIBUTION_POINTS.get_bound(py)?.call1((dp,))?, - )) + Ok(Some(types::CRL_DISTRIBUTION_POINTS.get(py)?.call1((dp,))?)) } oid::FRESHEST_CRL_OID => { let dp = parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) } oid::NAME_CONSTRAINTS_OID => { let nc = ext.value::>()?; @@ -873,16 +852,18 @@ pub fn parse_cert_ext<'p>( }; Ok(Some( types::NAME_CONSTRAINTS - .get_bound(py)? + .get(py)? .call1((permitted_subtrees, excluded_subtrees))?, )) } oid::MS_CERTIFICATE_TEMPLATE => { let ms_cert_tpl = ext.value::()?; let py_oid = oid_to_py_oid(py, &ms_cert_tpl.template_id)?; - Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get_bound(py)?.call1( - (py_oid, ms_cert_tpl.major_version, ms_cert_tpl.minor_version), - )?)) + Ok(Some(types::MS_CERTIFICATE_TEMPLATE.get(py)?.call1(( + py_oid, + ms_cert_tpl.major_version, + ms_cert_tpl.minor_version, + ))?)) } _ => Ok(None), } @@ -921,8 +902,8 @@ fn create_x509_certificate( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get_bound(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; + let der = types::ENCODING_DER.get(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; let spki_bytes = builder .getattr(pyo3::intern!(py, "_public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 2215c2425915..6b115e81a1e6 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -59,10 +59,10 @@ pub(crate) fn encode_name_entry<'p>( let tag = attr_type .getattr(pyo3::intern!(py, "value"))? .extract::()?; - let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get_bound(py)?) { - let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get_bound(py)?) { + let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get(py)?) { + let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get(py)?) { "utf_16_be" - } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get_bound(py)?) { + } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { "utf_32_be" } else { "utf8" @@ -114,18 +114,18 @@ pub(crate) fn encode_general_name<'a>( let gn_type = gn.get_type(); let gn_value = gn.getattr(pyo3::intern!(py, "value"))?; - if gn_type.is(&types::DNS_NAME.get_bound(py)?) { + if gn_type.is(&types::DNS_NAME.get(py)?) { Ok(GeneralName::DNSName(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(&types::RFC822_NAME.get_bound(py)?) { + } else if gn_type.is(&types::RFC822_NAME.get(py)?) { Ok(GeneralName::RFC822Name(UnvalidatedIA5String( gn_value.extract::<&str>()?, ))) - } else if gn_type.is(&types::DIRECTORY_NAME.get_bound(py)?) { + } else if gn_type.is(&types::DIRECTORY_NAME.get(py)?) { let name = encode_name(py, &gn_value)?; Ok(GeneralName::DirectoryName(name)) - } else if gn_type.is(&types::OTHER_NAME.get_bound(py)?) { + } else if gn_type.is(&types::OTHER_NAME.get(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, @@ -135,16 +135,16 @@ pub(crate) fn encode_general_name<'a>( )) })?, })) - } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get_bound(py)?) { + } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) { Ok(GeneralName::UniformResourceIdentifier( UnvalidatedIA5String(gn_value.extract::<&str>()?), )) - } else if gn_type.is(&types::IP_ADDRESS.get_bound(py)?) { + } else if gn_type.is(&types::IP_ADDRESS.get(py)?) { Ok(GeneralName::IPAddress( gn.call_method0(pyo3::intern!(py, "_packed"))? .extract::<&[u8]>()?, )) - } else if gn_type.is(&types::REGISTERED_ID.get_bound(py)?) { + } else if gn_type.is(&types::REGISTERED_ID.get(py)?) { let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) } else { @@ -182,7 +182,7 @@ pub(crate) fn parse_name<'p>( let py_rdn = parse_rdn(py, &rdn)?; py_rdns.append(py_rdn)?; } - Ok(types::NAME.get_bound(py)?.call1((py_rdns,))?) + Ok(types::NAME.get(py)?.call1((py_rdns,))?) } fn parse_name_attribute( @@ -200,7 +200,7 @@ fn parse_name_attribute( )) })? .to_object(py); - let py_tag = types::ASN1_TYPE_TO_ENUM.get_bound(py)?.get_item(tag_val)?; + let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value Some(3) => pyo3::types::PyBytes::new_bound(py, attribute.value.data()).into_any(), @@ -222,7 +222,7 @@ fn parse_name_attribute( }; let kwargs = [(pyo3::intern!(py, "_validate"), false)].into_py_dict_bound(py); Ok(types::NAME_ATTRIBUTE - .get_bound(py)? + .get(py)? .call((oid, py_data, py_tag), Some(&kwargs))? .to_object(py)) } @@ -237,7 +237,7 @@ pub(crate) fn parse_rdn<'a>( py_attrs.append(na)?; } Ok(types::RELATIVE_DISTINGUISHED_NAME - .get_bound(py)? + .get(py)? .call1((py_attrs,))? .to_object(py)) } @@ -250,36 +250,33 @@ pub(crate) fn parse_general_name( GeneralName::OtherName(data) => { let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py); types::OTHER_NAME - .get_bound(py)? + .get(py)? .call1((oid, data.value.full_data()))? .to_object(py) } GeneralName::RFC822Name(data) => types::RFC822_NAME - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DNSName(data) => types::DNS_NAME - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::DirectoryName(data) => { let py_name = parse_name(py, data.unwrap_read())?; types::DIRECTORY_NAME - .get_bound(py)? + .get(py)? .call1((py_name,))? .to_object(py) } GeneralName::UniformResourceIdentifier(data) => types::UNIFORM_RESOURCE_IDENTIFIER - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "_init_without_validation"), (data.0,))? .to_object(py), GeneralName::IPAddress(data) => { if data.len() == 4 || data.len() == 16 { - let addr = types::IPADDRESS_IPADDRESS.get_bound(py)?.call1((data,))?; - types::IP_ADDRESS - .get_bound(py)? - .call1((addr,))? - .to_object(py) + let addr = types::IPADDRESS_IPADDRESS.get(py)?.call1((data,))?; + types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py) } else { // if it's not an IPv4 or IPv6 we assume it's an IPNetwork and // verify length in this function. @@ -288,10 +285,7 @@ pub(crate) fn parse_general_name( } GeneralName::RegisteredID(data) => { let oid = oid_to_py_oid(py, &data)?.to_object(py); - types::REGISTERED_ID - .get_bound(py)? - .call1((oid,))? - .to_object(py) + types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py) } _ => { return Err(CryptographyError::from( @@ -334,7 +328,7 @@ fn create_ip_network( ))), }; let base = types::IPADDRESS_IPADDRESS - .get_bound(py)? + .get(py)? .call1((pyo3::types::PyBytes::new_bound(py, &data[..data.len() / 2]),))?; let net = format!( "{}/{}", @@ -342,11 +336,8 @@ fn create_ip_network( .extract::<&str>()?, prefix? ); - let addr = types::IPADDRESS_IPNETWORK.get_bound(py)?.call1((net,))?; - Ok(types::IP_ADDRESS - .get_bound(py)? - .call1((addr,))? - .to_object(py)) + let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; + Ok(types::IP_ADDRESS.get(py)?.call1((addr,))?.to_object(py)) } fn ipv4_netmask(num: u32) -> Result { @@ -396,20 +387,16 @@ pub(crate) fn parse_and_cache_extensions< let extn_value = match parse_ext(&raw_ext)? { Some(e) => e, None => types::UNRECOGNIZED_EXTENSION - .get_bound(py)? + .get(py)? .call1((oid_obj.clone(), raw_ext.extn_value))?, }; - let ext_obj = types::EXTENSION.get_bound(py)?.call1(( - oid_obj, - raw_ext.critical, - extn_value, - ))?; + let ext_obj = + types::EXTENSION + .get(py)? + .call1((oid_obj, raw_ext.critical, extn_value))?; exts.append(ext_obj)?; } - Ok(types::EXTENSIONS - .get_bound(py)? - .call1((exts,))? - .to_object(py)) + Ok(types::EXTENSIONS.get(py)?.call1((exts,))?.to_object(py)) }) .map(|p| p.clone_ref(py)) } @@ -433,7 +420,7 @@ pub(crate) fn encode_extensions< let oid = py_oid_to_oid(py_oid)?; let ext_val = py_ext.getattr(pyo3::intern!(py, "value"))?; - if ext_val.is_instance(&types::UNRECOGNIZED_EXTENSION.get_bound(py)?)? { + if ext_val.is_instance(&types::UNRECOGNIZED_EXTENSION.get(py)?)? { exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, @@ -490,7 +477,7 @@ pub(crate) fn datetime_to_py<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, ) -> pyo3::PyResult> { - types::DATETIME_DATETIME.get_bound(py)?.call1(( + types::DATETIME_DATETIME.get(py)?.call1(( dt.year(), dt.month(), dt.day(), @@ -504,8 +491,8 @@ pub(crate) fn datetime_to_py_utc<'p>( py: pyo3::Python<'p>, dt: &asn1::DateTime, ) -> pyo3::PyResult> { - let timezone = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; - types::DATETIME_DATETIME.get_bound(py)?.call1(( + let timezone = types::DATETIME_TIMEZONE_UTC.get(py)?; + types::DATETIME_DATETIME.get(py)?.call1(( dt.year(), dt.month(), dt.day(), @@ -526,7 +513,7 @@ pub(crate) fn py_to_datetime( let val_utc = if val.getattr(pyo3::intern!(py, "tzinfo"))?.is_none() { val } else { - let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; val.call_method1(pyo3::intern!(py, "astimezone"), (utc,))? }; @@ -542,12 +529,12 @@ pub(crate) fn py_to_datetime( } pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult { - let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; py_to_datetime( py, types::DATETIME_DATETIME - .get_bound(py)? + .get(py)? .call_method1(pyo3::intern!(py, "now"), (utc,))?, ) } diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index b00858e27500..4decb291c20d 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -198,7 +198,7 @@ impl CertificateRevocationList { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { let oid = self.signature_algorithm_oid(py)?; - match types::SIG_OIDS_TO_HASH.get_bound(py)?.get_item(oid) { + match types::SIG_OIDS_TO_HASH.get(py)?.get_item(oid) { Ok(v) => Ok(v), Err(_) => Err(exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -259,7 +259,7 @@ impl CertificateRevocationList { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -288,7 +288,7 @@ impl CertificateRevocationList { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -332,30 +332,24 @@ impl CertificateRevocationList { oid::CRL_NUMBER_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some(types::CRL_NUMBER.get_bound(py)?.call1((pynum,))?)) + Ok(Some(types::CRL_NUMBER.get(py)?.call1((pynum,))?)) } oid::DELTA_CRL_INDICATOR_OID => { let bignum = ext.value::>()?; let pynum = big_byte_slice_to_py_int(py, bignum.as_bytes())?; - Ok(Some( - types::DELTA_CRL_INDICATOR.get_bound(py)?.call1((pynum,))?, - )) + Ok(Some(types::DELTA_CRL_INDICATOR.get(py)?.call1((pynum,))?)) } oid::ISSUER_ALTERNATIVE_NAME_OID => { let gn_seq = ext.value::>()?; let ians = x509::parse_general_names(py, &gn_seq)?; Ok(Some( - types::ISSUER_ALTERNATIVE_NAME - .get_bound(py)? - .call1((ians,))?, + types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?, )) } oid::AUTHORITY_INFORMATION_ACCESS_OID => { let ads = certificate::parse_access_descriptions(py, ext)?; Ok(Some( - types::AUTHORITY_INFORMATION_ACCESS - .get_bound(py)? - .call1((ads,))?, + types::AUTHORITY_INFORMATION_ACCESS.get(py)?.call1((ads,))?, )) } oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -375,21 +369,19 @@ impl CertificateRevocationList { } else { py.None() }; - Ok(Some( - types::ISSUING_DISTRIBUTION_POINT.get_bound(py)?.call1(( - full_name, - relative_name, - idp.only_contains_user_certs, - idp.only_contains_ca_certs, - py_reasons, - idp.indirect_crl, - idp.only_contains_attribute_certs, - ))?, - )) + Ok(Some(types::ISSUING_DISTRIBUTION_POINT.get(py)?.call1(( + full_name, + relative_name, + idp.only_contains_user_certs, + idp.only_contains_ca_certs, + py_reasons, + idp.indirect_crl, + idp.only_contains_attribute_certs, + ))?)) } oid::FRESHEST_CRL_OID => { let dp = certificate::parse_distribution_points(py, ext)?; - Ok(Some(types::FRESHEST_CRL.get_bound(py)?.call1((dp,))?)) + Ok(Some(types::FRESHEST_CRL.get(py)?.call1((dp,))?)) } _ => Ok(None), }, @@ -564,7 +556,7 @@ impl RevokedCertificate { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_42.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_42.get(py)?; pyo3::PyErr::warn_bound( py, &warning_cls, @@ -622,7 +614,7 @@ pub(crate) fn parse_crl_reason_flags<'p>( )) } }; - Ok(types::REASON_FLAGS.get_bound(py)?.getattr(flag_name)?) + Ok(types::REASON_FLAGS.get(py)?.getattr(flag_name)?) } pub fn parse_crl_entry_ext<'p>( @@ -632,19 +624,17 @@ pub fn parse_crl_entry_ext<'p>( match ext.extn_id { oid::CRL_REASON_OID => { let flags = parse_crl_reason_flags(py, &ext.value::()?)?; - Ok(Some(types::CRL_REASON.get_bound(py)?.call1((flags,))?)) + Ok(Some(types::CRL_REASON.get(py)?.call1((flags,))?)) } oid::CERTIFICATE_ISSUER_OID => { let gn_seq = ext.value::>>()?; let gns = x509::parse_general_names(py, &gn_seq)?; - Ok(Some( - types::CERTIFICATE_ISSUER.get_bound(py)?.call1((gns,))?, - )) + Ok(Some(types::CERTIFICATE_ISSUER.get(py)?.call1((gns,))?)) } oid::INVALIDITY_DATE_OID => { let time = ext.value::()?; let py_dt = x509::datetime_to_py(py, time.as_datetime())?; - Ok(Some(types::INVALIDITY_DATE.get_bound(py)?.call1((py_dt,))?)) + Ok(Some(types::INVALIDITY_DATE.get(py)?.call1((py_dt,))?)) } _ => Ok(None), } diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index bedc28607418..789004a60bb9 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -130,7 +130,7 @@ impl CertificateSigningRequest { py: pyo3::Python<'p>, oid: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { - let warning_cls = types::DEPRECATED_IN_36.get_bound(py)?; + let warning_cls = types::DEPRECATED_IN_36.get(py)?; let warning_msg = "CertificateSigningRequest.get_attribute_for_oid has been deprecated. Please switch to request.attributes.get_attribute_for_oid."; pyo3::PyErr::warn_bound(py, &warning_cls, warning_msg, 1)?; @@ -194,12 +194,10 @@ impl CertificateSigningRequest { "Long-form tags are not supported in CSR attribute values", )) })?; - let pyattr = types::ATTRIBUTE - .get_bound(py)? - .call1((oid, serialized, tag))?; + let pyattr = types::ATTRIBUTE.get(py)?.call1((oid, serialized, tag))?; pyattrs.append(pyattr)?; } - types::ATTRIBUTES.get_bound(py)?.call1((pyattrs,)) + types::ATTRIBUTES.get(py)?.call1((pyattrs,)) } #[getter] @@ -300,8 +298,8 @@ fn create_x509_csr( rsa_padding.clone(), )?; - let der = types::ENCODING_DER.get_bound(py)?; - let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get_bound(py)?; + let der = types::ENCODING_DER.get(py)?; + let spki = types::PUBLIC_FORMAT_SUBJECT_PUBLIC_KEY_INFO.get(py)?; let spki_bytes = private_key .call_method0(pyo3::intern!(py, "public_key"))? .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 152d6e17706d..94eb495bc7a0 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -482,7 +482,7 @@ pub(crate) fn encode_extension( } &oid::CRL_REASON_OID => { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get_bound(ext.py())? + .get(ext.py())? .get_item(ext.getattr(pyo3::intern!(py, "reason"))?)? .extract::()?; Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 5ee9e2097016..7687f7af4317 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -91,10 +91,7 @@ impl OCSPRequest { let cert_id = self.cert_id(); match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE - .get_bound(py)? - .getattr(*alg_name)? - .call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -131,7 +128,7 @@ impl OCSPRequest { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) } oid::ACCEPTABLE_RESPONSES_OID => { let oids = ext.value::>()?; @@ -142,7 +139,7 @@ impl OCSPRequest { Ok(Some( types::OCSP_ACCEPTABLE_RESPONSES - .get_bound(py)? + .get(py)? .call1((py_oids,))?, )) } @@ -157,7 +154,7 @@ impl OCSPRequest { py: pyo3::Python<'p>, encoding: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { + if !encoding.is(&types::ENCODING_DER.get(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 37b5d75d5a74..e27c5d583afa 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -143,7 +143,7 @@ impl OCSPResponse { assert_eq!(status, UNAUTHORIZED_RESPONSE); "UNAUTHORIZED" }; - types::OCSP_RESPONSE_STATUS.get_bound(py)?.getattr(attr) + types::OCSP_RESPONSE_STATUS.get(py)?.getattr(attr) } #[getter] @@ -198,7 +198,7 @@ impl OCSPResponse { py: pyo3::Python<'p>, ) -> Result, CryptographyError> { let hash_alg = types::SIG_OIDS_TO_HASH - .get_bound(py)? + .get(py)? .get_item(self.signature_algorithm_oid(py)?); match hash_alg { Ok(data) => Ok(data), @@ -388,7 +388,7 @@ impl OCSPResponse { // the nonce. So we try parsing as a TLV and fall back to just using // the raw value. let nonce = ext.value::<&[u8]>().unwrap_or(ext.extn_value); - Ok(Some(types::OCSP_NONCE.get_bound(py)?.call1((nonce,))?)) + Ok(Some(types::OCSP_NONCE.get(py)?.call1((nonce,))?)) } _ => Ok(None), } @@ -419,7 +419,7 @@ impl OCSPResponse { let scts = sct::parse_scts(py, contents, sct::LogEntryType::Certificate)?; Ok(Some( types::SIGNED_CERTIFICATE_TIMESTAMPS - .get_bound(py)? + .get(py)? .call1((scts,))?, )) } @@ -433,7 +433,7 @@ impl OCSPResponse { py: pyo3::Python<'p>, encoding: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - if !encoding.is(&types::ENCODING_DER.get_bound(py)?) { + if !encoding.is(&types::ENCODING_DER.get(py)?) { return Err(pyo3::exceptions::PyValueError::new_err( "The only allowed encoding value is Encoding.DER", ) @@ -524,7 +524,7 @@ fn singleresp_py_certificate_status<'p>( ocsp_resp::CertStatus::Revoked(_) => pyo3::intern!(py, "REVOKED"), ocsp_resp::CertStatus::Unknown(_) => pyo3::intern!(py, "UNKNOWN"), }; - types::OCSP_CERT_STATUS.get_bound(py)?.getattr(attr) + types::OCSP_CERT_STATUS.get(py)?.getattr(attr) } fn singleresp_py_hash_algorithm<'p>( @@ -532,10 +532,7 @@ fn singleresp_py_hash_algorithm<'p>( py: pyo3::Python<'p>, ) -> Result, CryptographyError> { match ocsp::ALGORITHM_PARAMETERS_TO_HASH.get(&resp.cert_id.hash_algorithm.params) { - Some(alg_name) => Ok(types::HASHES_MODULE - .get_bound(py)? - .getattr(*alg_name)? - .call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -632,9 +629,9 @@ fn create_ocsp_response( .extract()?; let py_cert_status = py_single_resp.getattr(pyo3::intern!(py, "_cert_status"))?; - let cert_status = if py_cert_status.is(&types::OCSP_CERT_STATUS_GOOD.get_bound(py)?) { + let cert_status = if py_cert_status.is(&types::OCSP_CERT_STATUS_GOOD.get(py)?) { ocsp_resp::CertStatus::Good(()) - } else if py_cert_status.is(&types::OCSP_CERT_STATUS_UNKNOWN.get_bound(py)?) { + } else if py_cert_status.is(&types::OCSP_CERT_STATUS_UNKNOWN.get(py)?) { ocsp_resp::CertStatus::Unknown(()) } else { let revocation_reason = if !py_single_resp @@ -642,7 +639,7 @@ fn create_ocsp_response( .is_none() { let value = types::CRL_ENTRY_REASON_ENUM_TO_CODE - .get_bound(py)? + .get(py)? .get_item(py_single_resp.getattr(pyo3::intern!(py, "_revocation_reason"))?)? .extract::()?; Some(asn1::Enumerated::new(value)) @@ -681,9 +678,8 @@ fn create_ocsp_response( }]; borrowed_cert = responder_cert.borrow(); - let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get_bound(py)?) - { - let sha1 = types::SHA1.get_bound(py)?.call0()?; + let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { + let sha1 = types::SHA1.get(py)?.call0()?; ocsp_resp::ResponderId::ByKey(ocsp::hash_data( py, &sha1, diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index cc3680e8e064..0cc8c4644690 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -155,7 +155,7 @@ impl Sct { #[getter] fn version<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { - types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get_bound(py) + types::CERTIFICATE_TRANSPARENCY_VERSION_V1.get(py) } #[getter] @@ -165,14 +165,14 @@ impl Sct { #[getter] fn timestamp<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { - let utc = types::DATETIME_TIMEZONE_UTC.get_bound(py)?; + let utc = types::DATETIME_TIMEZONE_UTC.get(py)?; let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; kwargs.set_item("tzinfo", None::>)?; types::DATETIME_DATETIME - .get_bound(py)? + .get(py)? .call_method1( pyo3::intern!(py, "fromtimestamp"), (self.timestamp / 1000, utc), @@ -183,8 +183,8 @@ impl Sct { #[getter] fn entry_type<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult> { Ok(match self.entry_type { - LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get_bound(py)?, - LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get_bound(py)?, + LogEntryType::Certificate => types::LOG_ENTRY_TYPE_X509_CERTIFICATE.get(py)?, + LogEntryType::PreCertificate => types::LOG_ENTRY_TYPE_PRE_CERTIFICATE.get(py)?, }) } @@ -194,7 +194,7 @@ impl Sct { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { types::HASHES_MODULE - .get_bound(py)? + .get(py)? .call_method0(self.hash_algorithm.to_attr()) } @@ -204,7 +204,7 @@ impl Sct { py: pyo3::Python<'p>, ) -> pyo3::PyResult> { types::SIGNATURE_ALGORITHM - .get_bound(py)? + .get(py)? .getattr(self.signature_algorithm.to_attr()) } diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 2789c508dbc6..9483a06e5034 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -53,15 +53,15 @@ pub(crate) fn identify_key_type( py: pyo3::Python<'_>, private_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if private_key.is_instance(&types::RSA_PRIVATE_KEY.get_bound(py)?)? { + if private_key.is_instance(&types::RSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Rsa) - } else if private_key.is_instance(&types::DSA_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::DSA_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Dsa) - } else if private_key.is_instance(&types::ELLIPTIC_CURVE_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::ELLIPTIC_CURVE_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ec) - } else if private_key.is_instance(&types::ED25519_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::ED25519_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ed25519) - } else if private_key.is_instance(&types::ED448_PRIVATE_KEY.get_bound(py)?)? { + } else if private_key.is_instance(&types::ED448_PRIVATE_KEY.get(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -78,7 +78,7 @@ fn identify_hash_type( return Ok(HashType::None); } - if !hash_algorithm.is_instance(&types::HASH_ALGORITHM.get_bound(py)?)? { + if !hash_algorithm.is_instance(&types::HASH_ALGORITHM.get(py)?)? { return Err(pyo3::exceptions::PyTypeError::new_err( "Algorithm must be a registered hash algorithm.", )); @@ -109,12 +109,12 @@ fn compute_pss_salt_length<'p>( rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult { let py_saltlen = rsa_padding.getattr(pyo3::intern!(py, "_salt_length"))?; - if py_saltlen.is_instance(&types::PADDING_MAX_LENGTH.get_bound(py)?)? { + if py_saltlen.is_instance(&types::PADDING_MAX_LENGTH.get(py)?)? { types::CALCULATE_MAX_PSS_SALT_LENGTH - .get_bound(py)? + .get(py)? .call1((private_key, hash_algorithm))? .extract::() - } else if py_saltlen.is_instance(&types::PADDING_DIGEST_LENGTH.get_bound(py)?)? { + } else if py_saltlen.is_instance(&types::PADDING_DIGEST_LENGTH.get(py)?)? { hash_algorithm .getattr(pyo3::intern!(py, "digest_size"))? .extract::() @@ -138,7 +138,7 @@ pub(crate) fn compute_signature_algorithm<'p>( // If this is RSA-PSS we need to compute the signature algorithm from the // parameters provided in rsa_padding. - if rsa_padding.is_instance(&types::PSS.get_bound(py)?)? { + if rsa_padding.is_instance(&types::PSS.get(py)?)? { let hash_alg_params = identify_alg_params_for_hash_type(hash_type)?; let hash_algorithm_id = common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -293,13 +293,13 @@ pub(crate) fn sign_data<'p>( private_key.call_method1(pyo3::intern!(py, "sign"), (data,))? } KeyType::Ec => { - let ecdsa = types::ECDSA.get_bound(py)?.call1((hash_algorithm,))?; + let ecdsa = types::ECDSA.get(py)?.call1((hash_algorithm,))?; private_key.call_method1(pyo3::intern!(py, "sign"), (data, ecdsa))? } KeyType::Rsa => { let mut padding = rsa_padding; if padding.is_none() { - padding = types::PKCS1V15.get_bound(py)?.call0()?; + padding = types::PKCS1V15.get(py)?.call0()?; } private_key.call_method1(pyo3::intern!(py, "sign"), (data, padding, hash_algorithm))? } @@ -358,15 +358,15 @@ pub(crate) fn identify_public_key_type( py: pyo3::Python<'_>, public_key: pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult { - if public_key.is_instance(&types::RSA_PUBLIC_KEY.get_bound(py)?)? { + if public_key.is_instance(&types::RSA_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Rsa) - } else if public_key.is_instance(&types::DSA_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::DSA_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Dsa) - } else if public_key.is_instance(&types::ELLIPTIC_CURVE_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::ELLIPTIC_CURVE_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ec) - } else if public_key.is_instance(&types::ED25519_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::ED25519_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ed25519) - } else if public_key.is_instance(&types::ED448_PUBLIC_KEY.get_bound(py)?)? { + } else if public_key.is_instance(&types::ED448_PUBLIC_KEY.get(py)?)? { Ok(KeyType::Ed448) } else { Err(pyo3::exceptions::PyTypeError::new_err( @@ -431,10 +431,7 @@ fn hash_oid_py_hash( oid: asn1::ObjectIdentifier, ) -> CryptographyResult> { match HASH_OIDS_TO_HASH.get(&oid) { - Some(alg_name) => Ok(types::HASHES_MODULE - .get_bound(py)? - .getattr(*alg_name)? - .call0()?), + Some(alg_name) => Ok(types::HASHES_MODULE.get(py)?.getattr(*alg_name)?.call0()?), None => Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(format!( "Signature algorithm OID: {} not recognized", @@ -448,7 +445,7 @@ pub(crate) fn identify_signature_hash_algorithm<'p>( py: pyo3::Python<'p>, signature_algorithm: &common::AlgorithmIdentifier<'_>, ) -> CryptographyResult> { - let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get_bound(py)?; + let sig_oids_to_hash = types::SIG_OIDS_TO_HASH.get(py)?; match &signature_algorithm.params { common::AlgorithmParameters::RsaPss(opt_pss) => { let pss = opt_pss.as_ref().ok_or_else(|| { @@ -491,8 +488,8 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( } let py_mask_gen_hash_alg = hash_oid_py_hash(py, pss.mask_gen_algorithm.params.oid().clone())?; - let py_mgf = types::MGF1.get_bound(py)?.call1((py_mask_gen_hash_alg,))?; - Ok(types::PSS.get_bound(py)?.call1((py_mgf, pss.salt_length))?) + let py_mgf = types::MGF1.get(py)?.call1((py_mask_gen_hash_alg,))?; + Ok(types::PSS.get(py)?.call1((py_mgf, pss.salt_length))?) } common::AlgorithmParameters::RsaWithSha1(_) | common::AlgorithmParameters::RsaWithSha1Alt(_) @@ -504,7 +501,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( | common::AlgorithmParameters::RsaWithSha3_256(_) | common::AlgorithmParameters::RsaWithSha3_384(_) | common::AlgorithmParameters::RsaWithSha3_512(_) => { - Ok(types::PKCS1V15.get_bound(py)?.call0()?) + Ok(types::PKCS1V15.get(py)?.call0()?) } common::AlgorithmParameters::EcDsaWithSha224(_) | common::AlgorithmParameters::EcDsaWithSha256(_) @@ -517,9 +514,7 @@ pub(crate) fn identify_signature_algorithm_parameters<'p>( let signature_hash_algorithm = identify_signature_hash_algorithm(py, signature_algorithm)?; - Ok(types::ECDSA - .get_bound(py)? - .call1((signature_hash_algorithm,))?) + Ok(types::ECDSA.get(py)?.call1((signature_hash_algorithm,))?) } _ => Ok(py.None().into_bound(py)), } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 570184cc1882..9b1db24a5790 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -374,14 +374,14 @@ fn build_subject_owner( ) -> pyo3::PyResult { let subject = subject.bind(py); - if subject.is_instance(&types::DNS_NAME.get_bound(py)?)? { + if subject.is_instance(&types::DNS_NAME.get(py)?)? { let value = subject .getattr(pyo3::intern!(py, "value"))? // TODO: switch this to borrowing the string (using Bound::to_str) once our // minimum Python version is 3.10 .extract::()?; Ok(SubjectOwner::DNSName(value)) - } else if subject.is_instance(&types::IP_ADDRESS.get_bound(py)?)? { + } else if subject.is_instance(&types::IP_ADDRESS.get(py)?)? { let value = subject .getattr(pyo3::intern!(py, "_packed"))? .call0()? From 77c8656cbad2df26bda9ede075a95a93b65e250e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 13 Apr 2024 00:14:07 +0000 Subject: [PATCH 450/868] Bump BoringSSL and/or OpenSSL in CI (#10805) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57bce58850cc..f8f19263872b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,10 +44,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bdb7b19c3cd336b9e44086f677a0e37402c4bf13"}} - # Latest commit on the OpenSSL master branch, as of Apr 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "8e5918fb8eb90289a0c89f6a4c6d623ecf49cf43"}} + # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} + # Latest commit on the OpenSSL master branch, as of Apr 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4188f24866f88b4269110ce86f9545edd44c846"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a70c92c01faf75a32abc0836fd525154d0583b9d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 12 Apr 2024 20:51:44 -0400 Subject: [PATCH 451/868] Fix lifetime error in `oid.rs` with `gil-refs` disabled (#10804) --- src/rust/src/oid.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 075b7fb9adbe..0932dbc7935c 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -42,11 +42,11 @@ impl ObjectIdentifier { } fn __repr__(slf: &pyo3::Bound<'_, Self>, py: pyo3::Python<'_>) -> pyo3::PyResult { - let name = Self::_name(slf.borrow(), py)?.extract::<&str>()?; + let name = Self::_name(slf.borrow(), py)?; Ok(format!( "", slf.get().oid, - name + name.extract::<&str>()? )) } From 3074b56d34f9b7f6dc6a096e5f2db9f2450dc380 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Apr 2024 17:08:09 +0000 Subject: [PATCH 452/868] Bump cc from 1.0.92 to 1.0.94 in /src/rust (#10809) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.92 to 1.0.94. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.92...1.0.94) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 176a323fe5d7..92e4d3674450 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.92" +version = "1.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2678b2e3449475e95b0aa6f9b506a28e61b3dc8996592b983695e8ebb58a8b41" +checksum = "17f6e324229dc011159fcc089755d1e2e216a90d43a7dea6853ca740b84f35e7" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index f22d8e4b07a0..405fb7dc4836 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.92" +cc = "1.0.94" From 6fd5d73e04d1fe32c2f6dd0f7110997bc408016b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Apr 2024 13:13:52 -0400 Subject: [PATCH 453/868] Bump setuptools from 69.2.0 to 69.5.0 in /.github/requirements (#10810) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.2.0 to 69.5.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.2.0...v69.5.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 70fe56dc3ca1..149873f7f462 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.2.0 \ - --hash=sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e \ - --hash=sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c +setuptools==69.5.0 \ + --hash=sha256:3b2dbd8f63dcc6b7c327d0243c2d7dc8c96cc507c016f09221f3787e6e528719 \ + --hash=sha256:8d881f842bfc0e29e93bc98a2e650e8845609adff4d2989ba6c748e67b09d5be # via # -r build-requirements.in # setuptools-rust From bdb2d8b48e43a7e52a54e3ad68eed5e96781a545 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Sat, 13 Apr 2024 21:51:25 +0200 Subject: [PATCH 454/868] Fix lifetime errors in `asn1.rs` with `gil-refs` disabled (#10778) * Fix lifetime errors in `asn1.rs` with `gil-refs` disabled * Fix docstring and remove unneeded KeepAlive * Address review comments * Update src/rust/src/x509/ocsp_req.rs Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- src/rust/Cargo.lock | 3 +++ src/rust/cryptography-keepalive/Cargo.toml | 1 + src/rust/cryptography-keepalive/src/lib.rs | 5 +++++ src/rust/src/asn1.rs | 9 ++++++--- src/rust/src/x509/certificate.rs | 3 ++- src/rust/src/x509/crl.rs | 5 +++-- src/rust/src/x509/extensions.rs | 13 ++++++++----- src/rust/src/x509/ocsp_req.rs | 4 +++- 8 files changed, 31 insertions(+), 12 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 92e4d3674450..59bc8f6545e5 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -70,6 +70,9 @@ dependencies = [ [[package]] name = "cryptography-keepalive" version = "0.1.0" +dependencies = [ + "pyo3", +] [[package]] name = "cryptography-key-parsing" diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 241369773f39..d37e8fa4fe9d 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -8,3 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] +pyo3 = { version = "0.21.1", features = ["abi3"] } diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index a33baba3c4bf..b367687912e2 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -4,6 +4,7 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +use pyo3::pybacked::PyBackedBytes; use std::cell::UnsafeCell; use std::ops::Deref; @@ -19,6 +20,10 @@ pub unsafe trait StableDeref: Deref {} // slice returned by `deref` remains valid. unsafe impl StableDeref for Vec {} +// SAFETY: `PyBackedBytes`'s data is on the heap and `bytes` objects in +// Python are immutable. +unsafe impl StableDeref for PyBackedBytes {} + #[allow(clippy::new_without_default)] impl KeepAlive { pub fn new() -> Self { diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index ba3eba7e235c..98f0190d6a6e 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -8,6 +8,7 @@ use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; use pyo3::prelude::PyAnyMethods; use pyo3::prelude::PyModuleMethods; +use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; use pyo3::ToPyObject; @@ -73,7 +74,7 @@ fn decode_dss_signature( pub(crate) fn py_uint_to_big_endian_bytes<'p>( py: pyo3::Python<'p>, v: pyo3::Bound<'p, pyo3::types::PyLong>, -) -> pyo3::PyResult<&'p [u8]> { +) -> pyo3::PyResult { let zero = (0).to_object(py); if v.lt(zero)? { return Err(pyo3::exceptions::PyValueError::new_err( @@ -124,9 +125,11 @@ fn encode_dss_signature<'p>( r: pyo3::Bound<'_, pyo3::types::PyLong>, s: pyo3::Bound<'_, pyo3::types::PyLong>, ) -> CryptographyResult> { + let r_bytes = py_uint_to_big_endian_bytes(py, r)?; + let s_bytes = py_uint_to_big_endian_bytes(py, s)?; let sig = DssSignature { - r: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, r)?).unwrap(), - s: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, s)?).unwrap(), + r: asn1::BigUint::new(&r_bytes).unwrap(), + s: asn1::BigUint::new(&s_bytes).unwrap(), }; let result = asn1::write_single(&sig)?; Ok(pyo3::types::PyBytes::new_bound(py, &result)) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 30be711a7760..388448133d71 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -918,12 +918,13 @@ fn create_x509_certificate( let py_not_before = builder.getattr(pyo3::intern!(py, "_not_valid_before"))?; let py_not_after = builder.getattr(pyo3::intern!(py, "_not_valid_after"))?; + let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; let tbs_cert = cryptography_x509::certificate::TbsCertificate { version: builder .getattr(pyo3::intern!(py, "_version"))? .getattr(pyo3::intern!(py, "value"))? .extract()?, - serial: asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(), + serial: asn1::BigInt::new(&serial_bytes).unwrap(), signature_alg: sigalg.clone(), issuer: x509::common::encode_name(py, &py_issuer_name)?, validity: cryptography_x509::certificate::Validity { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4decb291c20d..125f67792784 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -655,6 +655,7 @@ fn create_x509_crl( rsa_padding.to_owned(), )?; let mut revoked_certs = vec![]; + let ka = cryptography_keepalive::KeepAlive::new(); for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? .iter()? @@ -665,9 +666,9 @@ fn create_x509_crl( .extract()?; let py_revocation_date = py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date_utc"))?; + let serial_bytes = ka.add(py_uint_to_big_endian_bytes(py, serial_number)?); revoked_certs.push(crl::RevokedCertificate { - user_certificate: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, serial_number)?) - .unwrap(), + user_certificate: asn1::BigUint::new(serial_bytes).unwrap(), revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?, raw_crl_entry_extensions: x509::common::encode_extensions( py, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 94eb495bc7a0..929f17ce3575 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -51,10 +51,11 @@ pub(crate) fn encode_authority_key_identifier<'a>( } else { None }; + let serial_bytes; let authority_cert_serial_number = if let Some(authority_cert_serial_number) = aki.authority_cert_serial_number { - let serial_bytes = py_uint_to_big_endian_bytes(py, authority_cert_serial_number)?; - Some(asn1::BigUint::new(serial_bytes).unwrap()) + serial_bytes = py_uint_to_big_endian_bytes(py, authority_cert_serial_number)?; + Some(asn1::BigUint::new(&serial_bytes).unwrap()) } else { None }; @@ -215,6 +216,7 @@ fn encode_certificate_policies( ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let mut policy_informations = vec![]; + let ka = cryptography_keepalive::KeepAlive::new(); for py_policy_info in ext.iter()? { let py_policy_info = py_policy_info?; let py_policy_qualifiers = @@ -245,7 +247,8 @@ fn encode_certificate_policies( .getattr(pyo3::intern!(py, "notice_numbers"))? .iter()? { - let bytes = py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?; + let bytes = + ka.add(py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?); notice_numbers.push(asn1::BigUint::new(bytes).unwrap()); } @@ -454,7 +457,7 @@ pub(crate) fn encode_extension( .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( - &asn1::BigUint::new(bytes).unwrap(), + &asn1::BigUint::new(&bytes).unwrap(), )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { @@ -503,7 +506,7 @@ pub(crate) fn encode_extension( .clone(); let bytes = py_uint_to_big_endian_bytes(ext.py(), intval)?; Ok(Some(asn1::write_single( - &asn1::BigUint::new(bytes).unwrap(), + &asn1::BigUint::new(&bytes).unwrap(), )?)) } &oid::ISSUING_DISTRIBUTION_POINT_OID => { diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 7687f7af4317..6635259a2571 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -171,6 +171,7 @@ fn create_ocsp_request( builder: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; + let serial_number_bytes; // Declare outside the if-block so the lifetimes are right. let (py_cert, py_issuer, py_hash, issuer_name_hash, issuer_key_hash): ( @@ -188,7 +189,8 @@ fn create_ocsp_request( (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder .getattr(pyo3::intern!(py, "_request_hash"))? .extract()?; - let serial_number = asn1::BigInt::new(py_uint_to_big_endian_bytes(py, py_serial)?).unwrap(); + serial_number_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; + let serial_number = asn1::BigInt::new(&serial_number_bytes).unwrap(); ocsp::certid_new_from_hash( py, &issuer_name_hash, From b75945c9349bd34fda63520a5aab7ed3235fa2cf Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Sat, 13 Apr 2024 22:14:15 +0200 Subject: [PATCH 455/868] Fix lifetime errors in `extensions.rs` and `sign.rs` with `gil-refs` disabled (#10780) * Fix lifetime errors in `extensions.rs` with `gil-refs` disabled * Fix lifetime errors in `sign.rs` with `gil-refs` disabled --- src/rust/cryptography-keepalive/src/lib.rs | 6 ++++- src/rust/src/pkcs7.rs | 7 +++--- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/crl.rs | 2 +- src/rust/src/x509/csr.rs | 2 +- src/rust/src/x509/extensions.rs | 27 +++++++++++++--------- src/rust/src/x509/ocsp_resp.rs | 2 +- src/rust/src/x509/sign.rs | 3 ++- 8 files changed, 31 insertions(+), 20 deletions(-) diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index b367687912e2..6c45cf9e81ee 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -4,7 +4,7 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] -use pyo3::pybacked::PyBackedBytes; +use pyo3::pybacked::{PyBackedBytes, PyBackedStr}; use std::cell::UnsafeCell; use std::ops::Deref; @@ -24,6 +24,10 @@ unsafe impl StableDeref for Vec {} // Python are immutable. unsafe impl StableDeref for PyBackedBytes {} +// SAFETY: `PyBackedStr`'s data is on the heap and `str` objects in +// Python are immutable. +unsafe impl StableDeref for PyBackedStr {} + #[allow(clippy::new_without_default)] impl KeepAlive { pub fn new() -> Self { diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 8442587b407f..e0bb14f0f3c5 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -129,7 +129,8 @@ fn sign_and_serialize<'p>( .map(|p| p.raw.borrow_dependent()) .collect::>(); - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); for (cert, py_private_key, py_hash_alg, rsa_padding) in py_signers.iter() { let (authenticated_attrs, signature) = if options.contains(&types::PKCS7_NO_ATTRIBUTES.get(py)?)? { @@ -159,7 +160,7 @@ fn sign_and_serialize<'p>( }, ]; - let digest = ka.add(asn1::write_single(&x509::ocsp::hash_data( + let digest = ka_vec.add(asn1::write_single(&x509::ocsp::hash_data( py, py_hash_alg, &data_with_header, @@ -221,7 +222,7 @@ fn sign_and_serialize<'p>( py_hash_alg.clone(), rsa_padding.clone(), )?, - encrypted_digest: signature, + encrypted_digest: ka_bytes.add(signature), unauthenticated_attributes: None, }); } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 388448133d71..c8a2ac8b4d2f 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -953,7 +953,7 @@ fn create_x509_certificate( let data = asn1::write_single(&cryptography_x509::certificate::Certificate { tbs_cert, signature_alg: sigalg, - signature: asn1::BitString::new(signature, 0).unwrap(), + signature: asn1::BitString::new(&signature, 0).unwrap(), })?; load_der_x509_certificate( py, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 125f67792784..4484efee87bf 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -712,7 +712,7 @@ fn create_x509_crl( let data = asn1::write_single(&crl::CertificateRevocationList { tbs_cert_list, signature_algorithm: sigalg, - signature_value: asn1::BitString::new(signature, 0).unwrap(), + signature_value: asn1::BitString::new(&signature, 0).unwrap(), })?; load_der_x509_crl( py, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 789004a60bb9..1aab9d3a6b96 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -374,7 +374,7 @@ fn create_x509_csr( let data = asn1::write_single(&Csr { csr_info, signature_alg: sigalg, - signature: asn1::BitString::new(signature, 0).unwrap(), + signature: asn1::BitString::new(&signature, 0).unwrap(), })?; load_der_x509_csr( py, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 929f17ce3575..6d1137c34c56 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -9,6 +9,7 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; use pyo3::prelude::PyAnyMethods; +use pyo3::pybacked::PyBackedStr; fn encode_general_subtrees<'a>( py: pyo3::Python<'a>, @@ -216,7 +217,8 @@ fn encode_certificate_policies( ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let mut policy_informations = vec![]; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); for py_policy_info in ext.iter()? { let py_policy_info = py_policy_info?; let py_policy_qualifiers = @@ -226,7 +228,8 @@ fn encode_certificate_policies( for py_qualifier in py_policy_qualifiers.iter()? { let py_qualifier = py_qualifier?; let qualifier = if py_qualifier.is_instance_of::() { - let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) { + let py_qualifier_str = ka_str.add(py_qualifier.extract::()?); + let cps_uri = match asn1::IA5String::new(py_qualifier_str) { Some(s) => s, None => { return Err(pyo3::exceptions::PyValueError::new_err( @@ -247,18 +250,18 @@ fn encode_certificate_policies( .getattr(pyo3::intern!(py, "notice_numbers"))? .iter()? { - let bytes = - ka.add(py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?); + let bytes = ka_bytes + .add(py_uint_to_big_endian_bytes(ext.py(), py_num?.extract()?)?); notice_numbers.push(asn1::BigUint::new(bytes).unwrap()); } - + let py_notice_str = ka_str.add( + py_notice + .getattr(pyo3::intern!(py, "organization"))? + .extract::()?, + ); Some(extensions::NoticeReference { organization: extensions::DisplayText::Utf8String( - asn1::Utf8String::new( - py_notice - .getattr(pyo3::intern!(py, "organization"))? - .extract()?, - ), + asn1::Utf8String::new(py_notice_str), ), notice_numbers: common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(notice_numbers), @@ -270,8 +273,10 @@ fn encode_certificate_policies( let py_explicit_text = py_qualifier.getattr(pyo3::intern!(py, "explicit_text"))?; let explicit_text = if py_explicit_text.is_truthy()? { + let py_explicit_text_str = + ka_str.add(py_explicit_text.extract::()?); Some(extensions::DisplayText::Utf8String(asn1::Utf8String::new( - py_explicit_text.extract()?, + py_explicit_text_str, ))) } else { None diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e27c5d583afa..4ec133a8e038 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -754,7 +754,7 @@ fn create_ocsp_response( let basic_resp = ocsp_resp::BasicOCSPResponse { tbs_response_data, - signature: asn1::BitString::new(signature, 0).unwrap(), + signature: asn1::BitString::new(&signature, 0).unwrap(), signature_algorithm: sigalg, certs, }; diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index 9483a06e5034..b0acbfa39763 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -7,6 +7,7 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; use pyo3::prelude::PyAnyMethods; +use pyo3::pybacked::PyBackedBytes; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; @@ -285,7 +286,7 @@ pub(crate) fn sign_data<'p>( hash_algorithm: pyo3::Bound<'p, pyo3::PyAny>, rsa_padding: pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], -) -> pyo3::PyResult<&'p [u8]> { +) -> pyo3::PyResult { let key_type = identify_key_type(py, private_key.clone())?; let signature = match key_type { From f61fc109fdce384ffbd2cf89f57e874b7fc4698c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 14 Apr 2024 18:51:08 -0400 Subject: [PATCH 456/868] Fixed two lifetime errors in `common.rs` with `gil-refs` disabled (#10811) --- src/rust/src/x509/certificate.rs | 5 +++++ src/rust/src/x509/common.rs | 10 ++++------ src/rust/src/x509/crl.rs | 9 +++++++-- src/rust/src/x509/csr.rs | 5 +++++ src/rust/src/x509/ocsp_req.rs | 5 +++++ src/rust/src/x509/ocsp_resp.rs | 5 +++++ 6 files changed, 31 insertions(+), 8 deletions(-) diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index c8a2ac8b4d2f..0607eebaa656 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -918,6 +918,9 @@ fn create_x509_certificate( let py_not_before = builder.getattr(pyo3::intern!(py, "_not_valid_before"))?; let py_not_after = builder.getattr(pyo3::intern!(py, "_not_valid_after"))?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; let tbs_cert = cryptography_x509::certificate::TbsCertificate { version: builder @@ -937,6 +940,8 @@ fn create_x509_certificate( subject_unique_id: None, raw_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 6b115e81a1e6..17ff9693a305 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -410,6 +410,8 @@ pub(crate) fn encode_extensions< ) -> CryptographyResult>>, >( py: pyo3::Python<'p>, + ka_vec: &'p cryptography_keepalive::KeepAlive>, + ka_bytes: &'p cryptography_keepalive::KeepAlive, py_exts: &pyo3::Bound<'p, pyo3::PyAny>, encode_ext: F, ) -> pyo3::PyResult>> { @@ -424,20 +426,16 @@ pub(crate) fn encode_extensions< exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: ext_val - .getattr(pyo3::intern!(py, "value"))? - .extract::<&[u8]>()?, + extn_value: ka_bytes.add(ext_val.getattr(pyo3::intern!(py, "value"))?.extract()?), }); continue; } match encode_ext(py, &oid, &ext_val)? { Some(data) => { - // TODO: extra copy - let py_data = pyo3::types::PyBytes::new_bound(py, &data); exts.push(Extension { extn_id: oid, critical: py_ext.getattr(pyo3::intern!(py, "critical"))?.extract()?, - extn_value: py_data.extract()?, + extn_value: ka_vec.add(data), }); } None => { diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 4484efee87bf..b3e37e967de7 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -655,7 +655,8 @@ fn create_x509_crl( rsa_padding.to_owned(), )?; let mut revoked_certs = vec![]; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); for py_revoked_cert in builder .getattr(pyo3::intern!(py, "_revoked_certificates"))? .iter()? @@ -666,12 +667,14 @@ fn create_x509_crl( .extract()?; let py_revocation_date = py_revoked_cert.getattr(pyo3::intern!(py, "revocation_date_utc"))?; - let serial_bytes = ka.add(py_uint_to_big_endian_bytes(py, serial_number)?); + let serial_bytes = ka_bytes.add(py_uint_to_big_endian_bytes(py, serial_number)?); revoked_certs.push(crl::RevokedCertificate { user_certificate: asn1::BigUint::new(serial_bytes).unwrap(), revocation_date: x509::certificate::time_from_py(py, &py_revocation_date)?, raw_crl_entry_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &py_revoked_cert.getattr(pyo3::intern!(py, "extensions"))?, extensions::encode_extension, )?, @@ -696,6 +699,8 @@ fn create_x509_crl( }, raw_crl_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 1aab9d3a6b96..240f7f5d6dac 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -305,10 +305,15 @@ fn create_x509_csr( .call_method1(pyo3::intern!(py, "public_bytes"), (der, spki))? .extract::()?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let mut attrs = vec![]; let ext_bytes; if let Some(exts) = x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, x509::extensions::encode_extension, )? { diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 6635259a2571..218939dfca75 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -200,8 +200,13 @@ fn create_ocsp_request( )? }; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let extensions = x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 4ec133a8e038..e4038af1aec0 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -702,6 +702,9 @@ fn create_ocsp_response( ) }; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let tbs_response_data = ocsp_resp::ResponseData { version: 0, produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, @@ -711,6 +714,8 @@ fn create_ocsp_response( )), raw_response_extensions: x509::common::encode_extensions( py, + &ka_vec, + &ka_bytes, &builder.getattr(pyo3::intern!(py, "_extensions"))?, extensions::encode_extension, )?, From 0fb841d70ec9ad5c4c65039200f71358869cb741 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 14 Apr 2024 18:53:18 -0400 Subject: [PATCH 457/868] Fixed two lifetime errors in `common.rs` with `gil-refs` disabled (#10807) --- src/rust/cryptography-keepalive/src/lib.rs | 2 - src/rust/src/x509/certificate.rs | 7 ++- src/rust/src/x509/common.rs | 63 ++++++++++++---------- src/rust/src/x509/crl.rs | 4 +- src/rust/src/x509/csr.rs | 4 +- src/rust/src/x509/extensions.rs | 35 +++++++----- 6 files changed, 69 insertions(+), 46 deletions(-) diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index 6c45cf9e81ee..46e9f3260d67 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -19,11 +19,9 @@ pub unsafe trait StableDeref: Deref {} // SAFETY: `Vec`'s data is on the heap, so as long as it's not mutated, the // slice returned by `deref` remains valid. unsafe impl StableDeref for Vec {} - // SAFETY: `PyBackedBytes`'s data is on the heap and `bytes` objects in // Python are immutable. unsafe impl StableDeref for PyBackedBytes {} - // SAFETY: `PyBackedStr`'s data is on the heap and `str` objects in // Python are immutable. unsafe impl StableDeref for PyBackedStr {} diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 0607eebaa656..79f1e72732bf 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -922,6 +922,9 @@ fn create_x509_certificate( let ka_bytes = cryptography_keepalive::KeepAlive::new(); let serial_bytes = py_uint_to_big_endian_bytes(py, py_serial)?; + + let ka = cryptography_keepalive::KeepAlive::new(); + let tbs_cert = cryptography_x509::certificate::TbsCertificate { version: builder .getattr(pyo3::intern!(py, "_version"))? @@ -929,12 +932,12 @@ fn create_x509_certificate( .extract()?, serial: asn1::BigInt::new(&serial_bytes).unwrap(), signature_alg: sigalg.clone(), - issuer: x509::common::encode_name(py, &py_issuer_name)?, + issuer: x509::common::encode_name(py, &ka, &py_issuer_name)?, validity: cryptography_x509::certificate::Validity { not_before: time_from_py(py, &py_not_before)?, not_after: time_from_py(py, &py_not_after)?, }, - subject: x509::common::encode_name(py, &py_subject_name)?, + subject: x509::common::encode_name(py, &ka, &py_subject_name)?, spki: asn1::parse_single(&spki_bytes)?, issuer_unique_id: None, subject_unique_id: None, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 17ff9693a305..548c810a8db8 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -32,8 +32,9 @@ pub(crate) fn find_in_pem( } pub(crate) fn encode_name<'p>( - py: pyo3::Python<'p>, - py_name: &pyo3::Bound<'p, pyo3::PyAny>, + py: pyo3::Python<'_>, + ka: &'p cryptography_keepalive::KeepAlive, + py_name: &pyo3::Bound<'_, pyo3::PyAny>, ) -> pyo3::PyResult> { let mut rdns = vec![]; @@ -42,7 +43,7 @@ pub(crate) fn encode_name<'p>( let mut attrs = vec![]; for py_attr in py_rdn.iter()? { - attrs.push(encode_name_entry(py, &py_attr?)?); + attrs.push(encode_name_entry(py, ka, &py_attr?)?); } rdns.push(asn1::SetOfWriter::new(attrs)); } @@ -52,36 +53,38 @@ pub(crate) fn encode_name<'p>( } pub(crate) fn encode_name_entry<'p>( - py: pyo3::Python<'p>, - py_name_entry: &pyo3::Bound<'p, pyo3::PyAny>, + py: pyo3::Python<'_>, + ka: &'p cryptography_keepalive::KeepAlive, + py_name_entry: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { let attr_type = py_name_entry.getattr(pyo3::intern!(py, "_type"))?; let tag = attr_type .getattr(pyo3::intern!(py, "value"))? .extract::()?; - let value: &[u8] = if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get(py)?) { - let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get(py)?) { - "utf_16_be" - } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { - "utf_32_be" + let value: pyo3::pybacked::PyBackedBytes = + if !attr_type.is(&types::ASN1_TYPE_BIT_STRING.get(py)?) { + let encoding = if attr_type.is(&types::ASN1_TYPE_BMP_STRING.get(py)?) { + "utf_16_be" + } else if attr_type.is(&types::ASN1_TYPE_UNIVERSAL_STRING.get(py)?) { + "utf_32_be" + } else { + "utf8" + }; + py_name_entry + .getattr(pyo3::intern!(py, "value"))? + .call_method1(pyo3::intern!(py, "encode"), (encoding,))? + .extract()? } else { - "utf8" + py_name_entry + .getattr(pyo3::intern!(py, "value"))? + .extract()? }; - py_name_entry - .getattr(pyo3::intern!(py, "value"))? - .call_method1(pyo3::intern!(py, "encode"), (encoding,))? - .extract()? - } else { - py_name_entry - .getattr(pyo3::intern!(py, "value"))? - .extract()? - }; let py_oid = py_name_entry.getattr(pyo3::intern!(py, "oid"))?; let oid = py_oid_to_oid(py_oid)?; Ok(AttributeTypeValue { type_id: oid, - value: RawTlv::new(asn1::Tag::from_bytes(&[tag])?.0, value), + value: RawTlv::new(asn1::Tag::from_bytes(&[tag])?.0, ka.add(value)), }) } @@ -90,25 +93,28 @@ fn encode_name_bytes<'p>( py: pyo3::Python<'p>, py_name: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - let name = encode_name(py, py_name)?; + let ka = cryptography_keepalive::KeepAlive::new(); + let name = encode_name(py, &ka, py_name)?; let result = asn1::write_single(&name)?; Ok(pyo3::types::PyBytes::new_bound(py, &result)) } pub(crate) fn encode_general_names<'a>( - py: pyo3::Python<'a>, + py: pyo3::Python<'_>, + ka: &'a cryptography_keepalive::KeepAlive, py_gns: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { let mut gns = vec![]; for el in py_gns.iter()? { - let gn = encode_general_name(py, &el?)?; + let gn = encode_general_name(py, ka, &el?)?; gns.push(gn); } Ok(gns) } pub(crate) fn encode_general_name<'a>( - py: pyo3::Python<'a>, + py: pyo3::Python<'_>, + ka: &'a cryptography_keepalive::KeepAlive, gn: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result, CryptographyError> { let gn_type = gn.get_type(); @@ -123,7 +129,7 @@ pub(crate) fn encode_general_name<'a>( gn_value.extract::<&str>()?, ))) } else if gn_type.is(&types::DIRECTORY_NAME.get(py)?) { - let name = encode_name(py, &gn_value)?; + let name = encode_name(py, ka, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(&types::OTHER_NAME.get(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; @@ -159,12 +165,13 @@ pub(crate) fn encode_access_descriptions<'a>( py_ads: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { let mut ads = vec![]; + let ka = cryptography_keepalive::KeepAlive::new(); for py_ad in py_ads.iter()? { let py_ad = py_ad?; let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?; let access_method = py_oid_to_oid(py_oid)?; - let access_location = - encode_general_name(py, &py_ad.getattr(pyo3::intern!(py, "access_location"))?)?; + let py_access_location = py_ad.getattr(pyo3::intern!(py, "access_location"))?; + let access_location = encode_general_name(py, &ka, &py_access_location)?; ads.push(AccessDescription { access_method, access_location, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index b3e37e967de7..2d00c308de9a 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -681,13 +681,15 @@ fn create_x509_crl( }); } + let ka = cryptography_keepalive::KeepAlive::new(); + let py_issuer_name = builder.getattr(pyo3::intern!(py, "_issuer_name"))?; let py_this_update = builder.getattr(pyo3::intern!(py, "_last_update"))?; let py_next_update = builder.getattr(pyo3::intern!(py, "_next_update"))?; let tbs_cert_list = crl::TBSCertList { version: Some(1), signature: sigalg.clone(), - issuer: x509::common::encode_name(py, &py_issuer_name)?, + issuer: x509::common::encode_name(py, &ka, &py_issuer_name)?, this_update: x509::certificate::time_from_py(py, &py_this_update)?, next_update: Some(x509::certificate::time_from_py(py, &py_next_update)?), revoked_certificates: if revoked_certs.is_empty() { diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 240f7f5d6dac..03f49b5420b1 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -361,9 +361,11 @@ fn create_x509_csr( let py_subject_name = builder.getattr(pyo3::intern!(py, "_subject_name"))?; + let ka = cryptography_keepalive::KeepAlive::new(); + let csr_info = CertificationRequestInfo { version: 0, - subject: x509::common::encode_name(py, &py_subject_name)?, + subject: x509::common::encode_name(py, &ka, &py_subject_name)?, spki: asn1::parse_single(&spki_bytes)?, attributes: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(attrs)), }; diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 6d1137c34c56..ab5f6d06b847 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -12,7 +12,8 @@ use pyo3::prelude::PyAnyMethods; use pyo3::pybacked::PyBackedStr; fn encode_general_subtrees<'a>( - py: pyo3::Python<'a>, + py: pyo3::Python<'_>, + ka: &'a cryptography_keepalive::KeepAlive, subtrees: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { if subtrees.is_none() { @@ -20,7 +21,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, &name?)?; + let gn = x509::common::encode_general_name(py, ka, &name?)?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -44,8 +45,10 @@ pub(crate) fn encode_authority_key_identifier<'a>( authority_cert_serial_number: Option>, } let aki = py_aki.extract::>()?; + + let ka = cryptography_keepalive::KeepAlive::new(); let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, &authority_cert_issuer)?; + let gns = x509::common::encode_general_names(py, &ka, &authority_cert_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -79,12 +82,13 @@ pub(crate) fn encode_distribution_points<'p>( reasons: Option>, } + let ka = cryptography_keepalive::KeepAlive::new(); let mut dps = vec![]; for py_dp in py_dps.iter()? { let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, &py_crl_issuer)?; + let gns = x509::common::encode_general_names(py, &ka, &py_crl_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -92,14 +96,14 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, &py_full_name)?; + let gns = x509::common::encode_general_names(py, &ka, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - name_entries.push(x509::common::encode_name_entry(py, &py_name_entry?)?); + name_entries.push(x509::common::encode_name_entry(py, &ka, &py_name_entry?)?); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -313,6 +317,8 @@ fn encode_issuing_distribution_point( py: pyo3::Python<'_>, ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { + let ka = cryptography_keepalive::KeepAlive::new(); + let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? .is_truthy()? @@ -325,7 +331,7 @@ fn encode_issuing_distribution_point( }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), &py_full_name)?; + let gns = x509::common::encode_general_names(ext.py(), &ka, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -335,7 +341,8 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - name_entries.push(x509::common::encode_name_entry(ext.py(), &py_name_entry?)?); + let name_entry = x509::common::encode_name_entry(ext.py(), &ka, &py_name_entry?)?; + name_entries.push(name_entry); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -447,11 +454,13 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&pc)?)) } &oid::NAME_CONSTRAINTS_OID => { + let ka = cryptography_keepalive::KeepAlive::new(); + let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; let nc = extensions::NameConstraints { - permitted_subtrees: encode_general_subtrees(ext.py(), &permitted)?, - excluded_subtrees: encode_general_subtrees(ext.py(), &excluded)?, + permitted_subtrees: encode_general_subtrees(ext.py(), &ka, &permitted)?, + excluded_subtrees: encode_general_subtrees(ext.py(), &ka, &excluded)?, }; Ok(Some(asn1::write_single(&nc)?)) } @@ -466,7 +475,8 @@ pub(crate) fn encode_extension( )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let ka = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -496,7 +506,8 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let gns = x509::common::encode_general_names(ext.py(), ext)?; + let ka = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { From b48aabacb334e696d8448d6fcd7f03f19087fbb6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 07:02:24 -0400 Subject: [PATCH 458/868] Bump argcomplete from 3.2.3 to 3.3.0 (#10813) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.2.3 to 3.3.0. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.2.3...v3.3.0) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ccd015582b2c..d8981f7e7d19 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.2.3; python_version >= "3.8" +argcomplete==3.3.0; python_version >= "3.8" # via nox babel==2.14.0 # via sphinx From 34123efcc95ea4bb55a59472580316c48ade5fa5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 07:02:53 -0400 Subject: [PATCH 459/868] Bump setuptools from 69.5.0 to 69.5.1 in /.github/requirements (#10814) Bumps [setuptools](https://github.com/pypa/setuptools) from 69.5.0 to 69.5.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v69.5.0...v69.5.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 149873f7f462..1d3feb3e1960 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.5.0 \ - --hash=sha256:3b2dbd8f63dcc6b7c327d0243c2d7dc8c96cc507c016f09221f3787e6e528719 \ - --hash=sha256:8d881f842bfc0e29e93bc98a2e650e8845609adff4d2989ba6c748e67b09d5be +setuptools==69.5.1 \ + --hash=sha256:6c1fccdac05a97e598fb0ae3bbed5904ccb317337a51139dcd51453611bbb987 \ + --hash=sha256:c636ac361bc47580504644275c9ad802c50415c7522212252c033bd15f301f32 # via # -r build-requirements.in # setuptools-rust From b302955627a969533f8f19c36d07680306baede4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 07:03:08 -0400 Subject: [PATCH 460/868] Bump proc-macro2 from 1.0.79 to 1.0.80 in /src/rust (#10815) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.79 to 1.0.80. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.79...1.0.80) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 59bc8f6545e5..fa232467a975 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -277,9 +277,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.79" +version = "1.0.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e" +checksum = "a56dea16b0a29e94408b9aa5e2940a4eedbd128a1ba20e8f7ae60fd3d465af0e" dependencies = [ "unicode-ident", ] From e7a00232ec88eb4189994ae7943ac3e0b068602b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 13:11:41 -0400 Subject: [PATCH 461/868] Remove one call to `into_gil_ref` (#10816) --- src/rust/src/pkcs7.rs | 11 ++++------- src/rust/src/x509/ocsp.rs | 16 +++++++++------- src/rust/src/x509/ocsp_req.rs | 8 ++++---- src/rust/src/x509/ocsp_resp.rs | 16 +++++++++------- 4 files changed, 26 insertions(+), 25 deletions(-) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index e0bb14f0f3c5..88714e7b4994 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -11,7 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -160,15 +160,12 @@ fn sign_and_serialize<'p>( }, ]; - let digest = ka_vec.add(asn1::write_single(&x509::ocsp::hash_data( - py, - py_hash_alg, - &data_with_header, - )?)?); + let digest = x509::ocsp::hash_data(py, py_hash_alg, &data_with_header)?; + let digest_wrapped = ka_vec.add(asn1::write_single(&digest.as_bytes())?); authenticated_attrs.push(Attribute { type_id: PKCS7_MESSAGE_DIGEST_OID, values: common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new([ - asn1::parse_single(digest).unwrap(), + asn1::parse_single(digest_wrapped).unwrap(), ])), }); diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 64c6ee2a66bb..97b18bb20bae 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -74,13 +74,15 @@ pub(crate) static HASH_NAME_TO_ALGORITHM_IDENTIFIERS: Lazy< pub(crate) fn certid_new<'p>( py: pyo3::Python<'p>, + ka: &'p cryptography_keepalive::KeepAlive, cert: &'p Certificate, issuer: &'p Certificate, hash_algorithm: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { let issuer_der = asn1::write_single(&cert.raw.borrow_dependent().tbs_cert.issuer)?; - let issuer_name_hash = hash_data(py, hash_algorithm, &issuer_der)?; - let issuer_key_hash = hash_data( + let issuer_name_hash = + pyo3::pybacked::PyBackedBytes::from(hash_data(py, hash_algorithm, &issuer_der)?); + let issuer_key_hash = pyo3::pybacked::PyBackedBytes::from(hash_data( py, hash_algorithm, issuer @@ -90,15 +92,15 @@ pub(crate) fn certid_new<'p>( .spki .subject_public_key .as_bytes(), - )?; + )?); Ok(CertID { hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm .getattr(pyo3::intern!(py, "name"))? .extract::<&str>()?] .clone(), - issuer_name_hash, - issuer_key_hash, + issuer_name_hash: ka.add(issuer_name_hash), + issuer_key_hash: ka.add(issuer_key_hash), serial_number: cert.raw.borrow_dependent().tbs_cert.serial, }) } @@ -125,8 +127,8 @@ pub(crate) fn hash_data<'p>( py: pyo3::Python<'p>, py_hash_alg: &pyo3::Bound<'p, pyo3::PyAny>, data: &[u8], -) -> pyo3::PyResult<&'p [u8]> { +) -> pyo3::PyResult> { let mut h = Hash::new(py, py_hash_alg, None)?; h.update_bytes(data)?; - Ok(h.finalize(py)?.into_gil_ref().as_bytes()) + Ok(h.finalize(py)?) } diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index 218939dfca75..dd4e5f77eb4d 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -173,6 +173,9 @@ fn create_ocsp_request( let builder_request = builder.getattr(pyo3::intern!(py, "_request"))?; let serial_number_bytes; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + // Declare outside the if-block so the lifetimes are right. let (py_cert, py_issuer, py_hash, issuer_name_hash, issuer_key_hash): ( pyo3::PyRef<'_, x509::certificate::Certificate>, @@ -183,7 +186,7 @@ fn create_ocsp_request( ); let req_cert = if !builder_request.is_none() { (py_cert, py_issuer, py_hash) = builder_request.extract()?; - ocsp::certid_new(py, &py_cert, &py_issuer, &py_hash)? + ocsp::certid_new(py, &ka_bytes, &py_cert, &py_issuer, &py_hash)? } else { let py_serial: pyo3::Bound<'_, pyo3::types::PyLong>; (issuer_name_hash, issuer_key_hash, py_serial, py_hash) = builder @@ -200,9 +203,6 @@ fn create_ocsp_request( )? }; - let ka_vec = cryptography_keepalive::KeepAlive::new(); - let ka_bytes = cryptography_keepalive::KeepAlive::new(); - let extensions = x509::common::encode_extensions( py, &ka_vec, diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e4038af1aec0..e5718079bcae 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -669,8 +669,11 @@ fn create_ocsp_response( let py_this_update = py_single_resp.getattr(pyo3::intern!(py, "_this_update"))?; let this_update = asn1::GeneralizedTime::new(py_to_datetime(py, py_this_update)?)?; + let ka_vec = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let responses = vec![SingleResponse { - cert_id: ocsp::certid_new(py, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, + cert_id: ocsp::certid_new(py, &ka_bytes, &py_cert, &py_issuer, &py_cert_hash_algorithm)?, cert_status, next_update, this_update, @@ -678,9 +681,10 @@ fn create_ocsp_response( }]; borrowed_cert = responder_cert.borrow(); + let by_key_hash; let responder_id = if responder_encoding.is(&types::OCSP_RESPONDER_ENCODING_HASH.get(py)?) { let sha1 = types::SHA1.get(py)?.call0()?; - ocsp_resp::ResponderId::ByKey(ocsp::hash_data( + by_key_hash = ocsp::hash_data( py, &sha1, borrowed_cert @@ -690,7 +694,8 @@ fn create_ocsp_response( .spki .subject_public_key .as_bytes(), - )?) + )?; + ocsp_resp::ResponderId::ByKey(by_key_hash.as_bytes()) } else { ocsp_resp::ResponderId::ByName( borrowed_cert @@ -702,9 +707,6 @@ fn create_ocsp_response( ) }; - let ka_vec = cryptography_keepalive::KeepAlive::new(); - let ka_bytes = cryptography_keepalive::KeepAlive::new(); - let tbs_response_data = ocsp_resp::ResponseData { version: 0, produced_at: asn1::GeneralizedTime::new(x509::common::datetime_now(py)?)?, From fa4913e097db602eb73e06e936347206ea3dc9a0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 13:39:06 -0400 Subject: [PATCH 462/868] Remove the final call to `into_gil_ref` (#10819) --- src/rust/src/backend/dsa.rs | 6 ++++-- src/rust/src/backend/ec.rs | 6 ++++-- src/rust/src/backend/rsa.rs | 8 +++++--- src/rust/src/backend/utils.rs | 36 +++++++++++++++++++++++++---------- 4 files changed, 39 insertions(+), 17 deletions(-) diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 06143428c7e8..7615521c9cb4 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -77,7 +77,7 @@ impl DsaPrivateKey { let mut signer = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; signer.sign_init()?; let mut sig = vec![]; - signer.sign_to_vec(data, &mut sig)?; + signer.sign_to_vec(data.as_bytes(), &mut sig)?; Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } @@ -162,7 +162,9 @@ impl DsaPublicKey { let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); + let valid = verifier + .verify(data.as_bytes(), signature.as_bytes()) + .unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index ccba52857621..57f3fadac97c 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -311,7 +311,7 @@ impl ECPrivateKey { // easily known a priori (if `r` or `s` has a leading 0, the signature // will be a byte or two shorter than the maximum possible length). let mut sig = vec![]; - signer.sign_to_vec(data, &mut sig)?; + signer.sign_to_vec(data.as_bytes(), &mut sig)?; Ok(pyo3::types::PyBytes::new_bound(py, &sig)) } @@ -408,7 +408,9 @@ impl ECPublicKey { let mut verifier = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; verifier.verify_init()?; - let valid = verifier.verify(data, signature.as_bytes()).unwrap_or(false); + let valid = verifier + .verify(data.as_bytes(), signature.as_bytes()) + .unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 0cff56d1efba..448af2536ce3 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -296,9 +296,9 @@ impl RsaPrivateKey { })?; setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), true)?; - let length = ctx.sign(data, None)?; + let length = ctx.sign(data.as_bytes(), None)?; Ok(pyo3::types::PyBytes::new_bound_with(py, length, |b| { - let length = ctx.sign(data, Some(b)).map_err(|_| { + let length = ctx.sign(data.as_bytes(), Some(b)).map_err(|_| { pyo3::exceptions::PyValueError::new_err( "Digest or salt length too long for key size. Use a larger key or shorter salt length if you are specifying a PSS salt", ) @@ -434,7 +434,9 @@ impl RsaPublicKey { ctx.verify_init()?; setup_signature_ctx(py, &mut ctx, padding, &algorithm, self.pkey.size(), false)?; - let valid = ctx.verify(data, signature.as_bytes()).unwrap_or(false); + let valid = ctx + .verify(data.as_bytes(), signature.as_bytes()) + .unwrap_or(false); if !valid { return Err(CryptographyError::from( exceptions::InvalidSignature::new_err(()), diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index a583a71f196d..21b47a044a67 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -5,7 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; -use pyo3::prelude::PyAnyMethods; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods}; use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( @@ -354,23 +354,39 @@ pub(crate) fn pkey_public_bytes<'p>( )) } +pub(crate) enum BytesOrPyBytes<'a> { + Bytes(&'a [u8]), + PyBytes(pyo3::Bound<'a, pyo3::types::PyBytes>), +} + +impl BytesOrPyBytes<'_> { + pub(crate) fn as_bytes(&self) -> &[u8] { + match self { + BytesOrPyBytes::Bytes(v) => v, + BytesOrPyBytes::PyBytes(v) => v.as_bytes(), + } + } +} + pub(crate) fn calculate_digest_and_algorithm<'p>( py: pyo3::Python<'p>, - mut data: &'p [u8], + data: &'p [u8], algorithm: &pyo3::Bound<'p, pyo3::PyAny>, -) -> CryptographyResult<(&'p [u8], pyo3::Bound<'p, pyo3::PyAny>)> { - let mut algorithm_result = algorithm.clone(); - if algorithm.is_instance(&types::PREHASHED.get(py)?)? { - algorithm_result = algorithm.getattr("_algorithm")?; +) -> CryptographyResult<(BytesOrPyBytes<'p>, pyo3::Bound<'p, pyo3::PyAny>)> { + let (algorithm, data) = if algorithm.is_instance(&types::PREHASHED.get(py)?)? { + ( + algorithm.getattr("_algorithm")?, + BytesOrPyBytes::Bytes(data), + ) } else { // Potential optimization: rather than allocate a PyBytes in // `h.finalize()`, have a way to get the `DigestBytes` directly. let mut h = Hash::new(py, algorithm, None)?; h.update_bytes(data)?; - data = h.finalize(py)?.into_gil_ref().as_bytes(); - } + (algorithm.clone(), BytesOrPyBytes::PyBytes(h.finalize(py)?)) + }; - if data.len() != algorithm.getattr("digest_size")?.extract()? { + if data.as_bytes().len() != algorithm.getattr("digest_size")?.extract()? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "The provided data must be the same length as the hash algorithm's digest size.", @@ -378,7 +394,7 @@ pub(crate) fn calculate_digest_and_algorithm<'p>( )); } - Ok((data, algorithm_result)) + Ok((data, algorithm)) } pub(crate) enum PasswordCallbackStatus { From 2334fc0fe9f4055d402a221237fab1d6fd6ee871 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 14:39:20 -0400 Subject: [PATCH 463/868] Fix things for the removal of `gil-refs` on Python <3.10 (#10820) --- src/rust/src/backend/ec.rs | 2 +- src/rust/src/oid.rs | 2 +- src/rust/src/pkcs12.rs | 7 +++++-- src/rust/src/pkcs7.rs | 6 +++--- src/rust/src/x509/common.rs | 2 +- src/rust/src/x509/ocsp.rs | 6 +++--- src/rust/src/x509/sign.rs | 4 ++-- 7 files changed, 16 insertions(+), 13 deletions(-) diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 57f3fadac97c..237a57033dfe 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -45,7 +45,7 @@ fn curve_from_py_curve( } let py_curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?; - let nid = match py_curve_name.extract()? { + let nid = match &*py_curve_name.extract::()? { "secp192r1" => openssl::nid::Nid::X9_62_PRIME192V1, "secp224r1" => openssl::nid::Nid::SECP224R1, "secp256r1" => openssl::nid::Nid::X9_62_PRIME256V1, diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 0932dbc7935c..66aef8a882ab 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -46,7 +46,7 @@ impl ObjectIdentifier { Ok(format!( "", slf.get().oid, - name.extract::<&str>()? + name.extract::()? )) } diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 225b929864e4..ec2552425576 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -60,8 +60,11 @@ impl PKCS12Certificate { let py_friendly_name_repr; let friendly_name_repr = match &self.friendly_name { Some(v) => { - py_friendly_name_repr = v.bind(py).repr()?; - py_friendly_name_repr.extract()? + py_friendly_name_repr = v + .bind(py) + .repr()? + .extract::()?; + &*py_friendly_name_repr } None => "None", }; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 88714e7b4994..4cfa3067ac20 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -195,10 +195,10 @@ fn sign_and_serialize<'p>( ) }; - let digest_alg = x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[py_hash_alg + let digest_alg = x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS[&*py_hash_alg .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?] - .clone(); + .extract::()?] + .clone(); // Technically O(n^2), but no one will have that many signers. if !digest_algs.contains(&digest_alg) { digest_algs.push(digest_alg.clone()); diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 548c810a8db8..896788a0c079 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -340,7 +340,7 @@ fn create_ip_network( let net = format!( "{}/{}", base.getattr(pyo3::intern!(py, "exploded"))? - .extract::<&str>()?, + .extract::()?, prefix? ); let addr = types::IPADDRESS_IPNETWORK.get(py)?.call1((net,))?; diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 97b18bb20bae..4588c41aef39 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -95,10 +95,10 @@ pub(crate) fn certid_new<'p>( )?); Ok(CertID { - hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[hash_algorithm + hash_algorithm: HASH_NAME_TO_ALGORITHM_IDENTIFIERS[&*hash_algorithm .getattr(pyo3::intern!(py, "name"))? - .extract::<&str>()?] - .clone(), + .extract::()?] + .clone(), issuer_name_hash: ka.add(issuer_name_hash), issuer_key_hash: ka.add(issuer_key_hash), serial_number: cert.raw.borrow_dependent().tbs_cert.serial, diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index b0acbfa39763..f8068c9835dc 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -85,9 +85,9 @@ fn identify_hash_type( )); } - match hash_algorithm + match &*hash_algorithm .getattr(pyo3::intern!(py, "name"))? - .extract()? + .extract::()? { "sha224" => Ok(HashType::Sha224), "sha256" => Ok(HashType::Sha256), From 194570150d1d83c8b3e30dff4f2bf38c7fbecff8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 14:52:15 -0400 Subject: [PATCH 464/868] Finish removal of `gil-refs` feature from pyo3 (#10812) --- src/rust/Cargo.toml | 2 +- src/rust/src/x509/common.rs | 30 +++++++++--------- src/rust/src/x509/extensions.rs | 55 ++++++++++++++++++++++----------- 3 files changed, 54 insertions(+), 33 deletions(-) diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index a9229587b1ef..8fafedd8e136 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.65.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.21.1", features = ["abi3", "gil-refs"] } +pyo3 = { version = "0.21.1", features = ["abi3"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 896788a0c079..820bf91b69c6 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -101,12 +101,13 @@ fn encode_name_bytes<'p>( pub(crate) fn encode_general_names<'a>( py: pyo3::Python<'_>, - ka: &'a cryptography_keepalive::KeepAlive, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, py_gns: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { let mut gns = vec![]; for el in py_gns.iter()? { - let gn = encode_general_name(py, ka, &el?)?; + let gn = encode_general_name(py, ka_bytes, ka_str, &el?)?; gns.push(gn); } Ok(gns) @@ -114,7 +115,8 @@ pub(crate) fn encode_general_names<'a>( pub(crate) fn encode_general_name<'a>( py: pyo3::Python<'_>, - ka: &'a cryptography_keepalive::KeepAlive, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, gn: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result, CryptographyError> { let gn_type = gn.get_type(); @@ -122,20 +124,20 @@ pub(crate) fn encode_general_name<'a>( if gn_type.is(&types::DNS_NAME.get(py)?) { Ok(GeneralName::DNSName(UnvalidatedIA5String( - gn_value.extract::<&str>()?, + ka_str.add(gn_value.extract()?), ))) } else if gn_type.is(&types::RFC822_NAME.get(py)?) { Ok(GeneralName::RFC822Name(UnvalidatedIA5String( - gn_value.extract::<&str>()?, + ka_str.add(gn_value.extract()?), ))) } else if gn_type.is(&types::DIRECTORY_NAME.get(py)?) { - let name = encode_name(py, ka, &gn_value)?; + let name = encode_name(py, ka_bytes, &gn_value)?; Ok(GeneralName::DirectoryName(name)) } else if gn_type.is(&types::OTHER_NAME.get(py)?) { let py_oid = gn.getattr(pyo3::intern!(py, "type_id"))?; Ok(GeneralName::OtherName(OtherName { type_id: py_oid_to_oid(py_oid)?, - value: asn1::parse_single(gn_value.extract::<&[u8]>()?).map_err(|e| { + value: asn1::parse_single(ka_bytes.add(gn_value.extract()?)).map_err(|e| { pyo3::exceptions::PyValueError::new_err(format!( "OtherName value must be valid DER: {e:?}" )) @@ -143,13 +145,12 @@ pub(crate) fn encode_general_name<'a>( })) } else if gn_type.is(&types::UNIFORM_RESOURCE_IDENTIFIER.get(py)?) { Ok(GeneralName::UniformResourceIdentifier( - UnvalidatedIA5String(gn_value.extract::<&str>()?), + UnvalidatedIA5String(ka_str.add(gn_value.extract()?)), )) } else if gn_type.is(&types::IP_ADDRESS.get(py)?) { - Ok(GeneralName::IPAddress( - gn.call_method0(pyo3::intern!(py, "_packed"))? - .extract::<&[u8]>()?, - )) + Ok(GeneralName::IPAddress(ka_bytes.add( + gn.call_method0(pyo3::intern!(py, "_packed"))?.extract()?, + ))) } else if gn_type.is(&types::REGISTERED_ID.get(py)?) { let oid = py_oid_to_oid(gn_value)?; Ok(GeneralName::RegisteredID(oid)) @@ -165,13 +166,14 @@ pub(crate) fn encode_access_descriptions<'a>( py_ads: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { let mut ads = vec![]; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); for py_ad in py_ads.iter()? { let py_ad = py_ad?; let py_oid = py_ad.getattr(pyo3::intern!(py, "access_method"))?; let access_method = py_oid_to_oid(py_oid)?; let py_access_location = py_ad.getattr(pyo3::intern!(py, "access_location"))?; - let access_location = encode_general_name(py, &ka, &py_access_location)?; + let access_location = encode_general_name(py, &ka_bytes, &ka_str, &py_access_location)?; ads.push(AccessDescription { access_method, access_location, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index ab5f6d06b847..2e9f3d174eca 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -13,7 +13,8 @@ use pyo3::pybacked::PyBackedStr; fn encode_general_subtrees<'a>( py: pyo3::Python<'_>, - ka: &'a cryptography_keepalive::KeepAlive, + ka_bytes: &'a cryptography_keepalive::KeepAlive, + ka_str: &'a cryptography_keepalive::KeepAlive, subtrees: &pyo3::Bound<'a, pyo3::PyAny>, ) -> Result>, CryptographyError> { if subtrees.is_none() { @@ -21,7 +22,7 @@ fn encode_general_subtrees<'a>( } else { let mut subtree_seq = vec![]; for name in subtrees.iter()? { - let gn = x509::common::encode_general_name(py, ka, &name?)?; + let gn = x509::common::encode_general_name(py, ka_bytes, ka_str, &name?)?; subtree_seq.push(extensions::GeneralSubtree { base: gn, minimum: 0, @@ -46,9 +47,11 @@ pub(crate) fn encode_authority_key_identifier<'a>( } let aki = py_aki.extract::>()?; - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let authority_cert_issuer = if let Some(authority_cert_issuer) = aki.authority_cert_issuer { - let gns = x509::common::encode_general_names(py, &ka, &authority_cert_issuer)?; + let gns = + x509::common::encode_general_names(py, &ka_bytes, &ka_str, &authority_cert_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -82,13 +85,14 @@ pub(crate) fn encode_distribution_points<'p>( reasons: Option>, } - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let mut dps = vec![]; for py_dp in py_dps.iter()? { let py_dp = py_dp?.extract::>()?; let crl_issuer = if let Some(py_crl_issuer) = py_dp.crl_issuer { - let gns = x509::common::encode_general_names(py, &ka, &py_crl_issuer)?; + let gns = x509::common::encode_general_names(py, &ka_bytes, &ka_str, &py_crl_issuer)?; Some(common::Asn1ReadableOrWritable::new_write( asn1::SequenceOfWriter::new(gns), )) @@ -96,14 +100,15 @@ pub(crate) fn encode_distribution_points<'p>( None }; let distribution_point = if let Some(py_full_name) = py_dp.full_name { - let gns = x509::common::encode_general_names(py, &ka, &py_full_name)?; + let gns = x509::common::encode_general_names(py, &ka_bytes, &ka_str, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) } else if let Some(py_relative_name) = py_dp.relative_name { let mut name_entries = vec![]; for py_name_entry in py_relative_name.iter()? { - name_entries.push(x509::common::encode_name_entry(py, &ka, &py_name_entry?)?); + let ne = x509::common::encode_name_entry(py, &ka_bytes, &py_name_entry?)?; + name_entries.push(ne); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( common::Asn1ReadableOrWritable::new_write(asn1::SetOfWriter::new(name_entries)), @@ -317,7 +322,8 @@ fn encode_issuing_distribution_point( py: pyo3::Python<'_>, ext: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let only_some_reasons = if ext .getattr(pyo3::intern!(py, "only_some_reasons"))? @@ -331,7 +337,7 @@ fn encode_issuing_distribution_point( }; let distribution_point = if ext.getattr(pyo3::intern!(py, "full_name"))?.is_truthy()? { let py_full_name = ext.getattr(pyo3::intern!(py, "full_name"))?; - let gns = x509::common::encode_general_names(ext.py(), &ka, &py_full_name)?; + let gns = x509::common::encode_general_names(ext.py(), &ka_bytes, &ka_str, &py_full_name)?; Some(extensions::DistributionPointName::FullName( common::Asn1ReadableOrWritable::new_write(asn1::SequenceOfWriter::new(gns)), )) @@ -341,7 +347,7 @@ fn encode_issuing_distribution_point( { let mut name_entries = vec![]; for py_name_entry in ext.getattr(pyo3::intern!(py, "relative_name"))?.iter()? { - let name_entry = x509::common::encode_name_entry(ext.py(), &ka, &py_name_entry?)?; + let name_entry = x509::common::encode_name_entry(ext.py(), &ka_bytes, &py_name_entry?)?; name_entries.push(name_entry); } Some(extensions::DistributionPointName::NameRelativeToCRLIssuer( @@ -454,13 +460,24 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&pc)?)) } &oid::NAME_CONSTRAINTS_OID => { - let ka = cryptography_keepalive::KeepAlive::new(); + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); let permitted = ext.getattr(pyo3::intern!(py, "permitted_subtrees"))?; let excluded = ext.getattr(pyo3::intern!(py, "excluded_subtrees"))?; let nc = extensions::NameConstraints { - permitted_subtrees: encode_general_subtrees(ext.py(), &ka, &permitted)?, - excluded_subtrees: encode_general_subtrees(ext.py(), &ka, &excluded)?, + permitted_subtrees: encode_general_subtrees( + ext.py(), + &ka_bytes, + &ka_str, + &permitted, + )?, + excluded_subtrees: encode_general_subtrees( + ext.py(), + &ka_bytes, + &ka_str, + &excluded, + )?, }; Ok(Some(asn1::write_single(&nc)?)) } @@ -475,8 +492,9 @@ pub(crate) fn encode_extension( )?)) } &oid::ISSUER_ALTERNATIVE_NAME_OID | &oid::SUBJECT_ALTERNATIVE_NAME_OID => { - let ka = cryptography_keepalive::KeepAlive::new(); - let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka_bytes, &ka_str, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::AUTHORITY_KEY_IDENTIFIER_OID => { @@ -506,8 +524,9 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::Enumerated::new(value))?)) } &oid::CERTIFICATE_ISSUER_OID => { - let ka = cryptography_keepalive::KeepAlive::new(); - let gns = x509::common::encode_general_names(ext.py(), &ka, ext)?; + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + let ka_str = cryptography_keepalive::KeepAlive::new(); + let gns = x509::common::encode_general_names(ext.py(), &ka_bytes, &ka_str, ext)?; Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { From ce03d928e0ece36c6f9a898117fa36377b0b1c91 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Apr 2024 15:37:49 -0400 Subject: [PATCH 465/868] Consistently use `wrap_pyfunction_bound` (#10821) --- src/rust/src/backend/ciphers.rs | 10 +++++----- src/rust/src/backend/rsa.rs | 2 +- src/rust/src/pkcs12.rs | 7 +++++-- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 9fe9550b34c9..bfcd91096b3b 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -559,12 +559,12 @@ pub(crate) fn create_module( py: pyo3::Python<'_>, ) -> pyo3::PyResult> { let m = pyo3::prelude::PyModule::new_bound(py, "ciphers")?; - m.add_function(pyo3::wrap_pyfunction!(create_encryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(create_decryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(cipher_supported, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(create_encryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(create_decryption_ctx, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(cipher_supported, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(_advance, &m)?)?; - m.add_function(pyo3::wrap_pyfunction!(_advance_aad, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(_advance, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(_advance_aad, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 448af2536ce3..20b61c718ff0 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -817,7 +817,7 @@ pub(crate) fn create_module( py: pyo3::Python<'_>, ) -> pyo3::PyResult> { let m = pyo3::prelude::PyModule::new_bound(py, "rsa")?; - m.add_function(pyo3::wrap_pyfunction!(generate_private_key, &m)?)?; + m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index ec2552425576..51116c52557e 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -318,8 +318,11 @@ pub(crate) fn create_submodule( ) -> pyo3::PyResult> { let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs12")?; - submod.add_function(pyo3::wrap_pyfunction!(load_key_and_certificates, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction!(load_pkcs12, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + load_key_and_certificates, + &submod + )?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!(load_pkcs12, &submod)?)?; submod.add_class::()?; From 4ad307c5f5dc282cc28c1f2b0c5d5b3cb3be15e6 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 00:13:48 +0000 Subject: [PATCH 466/868] Bump BoringSSL and/or OpenSSL in CI (#10822) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8f19263872b..50431840a02a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,8 +46,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} - # Latest commit on the OpenSSL master branch, as of Apr 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4188f24866f88b4269110ce86f9545edd44c846"}} + # Latest commit on the OpenSSL master branch, as of Apr 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bd73e1e62c4103e0faffb79cb3d34a2a92a95439"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b2c893d9cb5ce0cf0a42a30509aef048d123f61f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 00:58:47 +0000 Subject: [PATCH 467/868] Bump x509-limbo and/or wycheproof in CI (#10823) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c7d18e3acb39..c383fd9d02fc 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 10, 2024. - ref: "7861a8249dcce920d887e6e27adc9657c1be8319" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 16, 2024. + ref: "de8f18fe4f00b67b3a3d1e50a1ef4ec6ff817ed2" # x509-limbo-ref From f3213354c70da0b96a75c737f1f998e0371a106c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 02:19:59 +0000 Subject: [PATCH 468/868] Bump nox from 2024.3.2 to 2024.4.15 (#10824) Bumps [nox](https://github.com/wntrblm/nox) from 2024.3.2 to 2024.4.15. - [Release notes](https://github.com/wntrblm/nox/releases) - [Changelog](https://github.com/wntrblm/nox/blob/main/CHANGELOG.md) - [Commits](https://github.com/wntrblm/nox/compare/2024.03.02...2024.04.15) --- updated-dependencies: - dependency-name: nox dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d8981f7e7d19..cf251904bb54 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -58,7 +58,7 @@ mypy-extensions==1.0.0 # via mypy nh3==0.2.17 # via readme-renderer -nox==2024.3.2 +nox==2024.4.15 # via cryptography (pyproject.toml) packaging==24.0 # via From a2354879d7c68f117770fb5a9cdcfef98873d6fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 02:23:20 +0000 Subject: [PATCH 469/868] Bump syn from 2.0.58 to 2.0.59 in /src/rust (#10825) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.58 to 2.0.59. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.58...2.0.59) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fa232467a975..5d3128cf7bc0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -385,9 +385,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.58" +version = "2.0.59" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687" +checksum = "4a6531ffc7b071655e4ce2e04bd464c4830bb585a61cabb96cf808f05172615a" dependencies = [ "proc-macro2", "quote", From 48751c89c1ef95eab79ddb2aa4d7b043abe4ab65 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 06:41:43 -0400 Subject: [PATCH 470/868] Bump pyo3 from 0.21.1 to 0.21.2 in /src/rust (#10827) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.21.1 to 0.21.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.21.2/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.21.1...v0.21.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 5d3128cf7bc0..b5419a3642f6 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -286,9 +286,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7a8b1990bd018761768d5e608a13df8bd1ac5f678456e0f301bb93e5f3ea16b" +checksum = "a5e00b96a521718e08e03b1a622f01c8a8deb50719335de3f60b3b3950f069d8" dependencies = [ "cfg-if", "indoc", @@ -304,9 +304,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "650dca34d463b6cdbdb02b1d71bfd6eb6b6816afc708faebb3bac1380ff4aef7" +checksum = "7883df5835fafdad87c0d888b266c8ec0f4c9ca48a5bed6bbb592e8dedee1b50" dependencies = [ "once_cell", "target-lexicon", @@ -314,9 +314,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09a7da8fc04a8a2084909b59f29e1b8474decac98b951d77b80b26dc45f046ad" +checksum = "01be5843dc60b916ab4dad1dca6d20b9b4e6ddc8e15f50c47fe6d85f1fb97403" dependencies = [ "libc", "pyo3-build-config", @@ -324,9 +324,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b8a199fce11ebb28e3569387228836ea98110e43a804a530a9fd83ade36d513" +checksum = "77b34069fc0682e11b31dbd10321cbf94808394c56fd996796ce45217dfac53c" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -336,9 +336,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93fbbfd7eb553d10036513cb122b888dcd362a945a00b06c165f2ab480d4cc3b" +checksum = "08260721f32db5e1a5beae69a55553f56b99bd0e1c3e6e0a5e8851a9d0f5a85c" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 8fafedd8e136..c3a006aff3e6 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -10,7 +10,7 @@ rust-version = "1.65.0" [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.21.1", features = ["abi3"] } +pyo3 = { version = "0.21.2", features = ["abi3"] } asn1 = { version = "0.16.1", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 405fb7dc4836..0cdf9d949082 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.21.1", features = ["abi3"] } +pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index d37e8fa4fe9d..c3a1c24e912d 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -pyo3 = { version = "0.21.1", features = ["abi3"] } +pyo3 = { version = "0.21.2", features = ["abi3"] } From 3130e8d5c0891b40a69fde5b22cfad36cc2f9616 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 08:13:48 -0400 Subject: [PATCH 471/868] Drop explicit OpenSSL 1.1.1, rely on distros (#10828) Distro is the only reason we care about 1.1.1 at this point, it's EOL from upstream --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50431840a02a..a73a60763d59 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,7 +32,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} From 126c144aeece8de9b9715932371d2cf220452ad4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 16 Apr 2024 07:23:40 -0500 Subject: [PATCH 472/868] Update testing docs (#10829) --- docs/installation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/installation.rst b/docs/installation.rst index c97dfaeab41c..2d74b158c61d 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -31,10 +31,10 @@ We test compiling with ``clang`` as well as ``gcc`` and use the following OpenSSL releases in addition to distribution provided releases from the above supported platforms: -* ``OpenSSL 1.1.1-latest`` * ``OpenSSL 3.0-latest`` * ``OpenSSL 3.1-latest`` * ``OpenSSL 3.2-latest`` +* ``OpenSSL 3.3-latest`` We also test against the latest commit of BoringSSL as well as versions of LibreSSL that are receiving security support at the time of a given From 29494e96ccfd54bbd4a2e9ab77a9c2d2a29d2626 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 08:28:54 -0400 Subject: [PATCH 473/868] Add testing with Ubuntu 24.04 in advance of its release (#10830) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a73a60763d59..dad2c1c050d5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,6 +157,7 @@ jobs: - {IMAGE: "sid", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-focal", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-jammy", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} + - {IMAGE: "ubuntu-noble", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "ubuntu-rolling", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "fedora", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "alpine", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} From 368e3505d583a358c4c52f43d19ed861493a8e5d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 09:40:29 -0400 Subject: [PATCH 474/868] Document that we test with ubuntu 24.04 (#10831) --- docs/installation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/installation.rst b/docs/installation.rst index 2d74b158c61d..979ae344332a 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -20,7 +20,7 @@ operating systems. * x86-64 CentOS 9 Stream * x86-64 Fedora (latest) * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma -* x86-64 Ubuntu 20.04, 22.04, rolling +* x86-64 Ubuntu 20.04, 22.04, 24.04, rolling * ARM64 Ubuntu 22.04 * x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and Sid (unstable) From c48f2be91ff0240af4a62086381ec2d479bc9400 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 18:17:25 -0400 Subject: [PATCH 475/868] Allow triggering benchmark job to compare against a different base (#10832) --- .github/workflows/benchmark.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 91de604df56f..3508b40bace5 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -5,6 +5,11 @@ on: - '.github/workflows/benchmark.yml' - 'src/**' - 'tests/**' + workflow_dispatch: + inputs: + base_commit: + description: The base commit to compare against + permissions: contents: read @@ -31,7 +36,7 @@ jobs: with: repository: "pyca/cryptography" path: "cryptography-base" - ref: "${{ github.base_ref }}" + ref: "${{ github.event.inputs.version || github.base_ref }}" - name: Clone test vectors timeout-minutes: 2 uses: ./cryptography-base/.github/actions/fetch-vectors From 3297ff9a728190668bdfd3d1a13cfe797e8d46e9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Apr 2024 18:24:43 -0400 Subject: [PATCH 476/868] fix typo in benchmark.yml (#10833) --- .github/workflows/benchmark.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 3508b40bace5..b731d9188e1c 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -36,7 +36,7 @@ jobs: with: repository: "pyca/cryptography" path: "cryptography-base" - ref: "${{ github.event.inputs.version || github.base_ref }}" + ref: "${{ github.event.inputs.base_commit || github.base_ref }}" - name: Clone test vectors timeout-minutes: 2 uses: ./cryptography-base/.github/actions/fetch-vectors From 6ea3663381466acdfde45f0ce2fe28cd92c39b69 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 20:25:55 -0400 Subject: [PATCH 477/868] Bump BoringSSL and/or OpenSSL in CI (#10834) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dad2c1c050d5..d3650608393a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} - # Latest commit on the OpenSSL master branch, as of Apr 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "bd73e1e62c4103e0faffb79cb3d34a2a92a95439"}} + # Latest commit on the OpenSSL master branch, as of Apr 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c062403abd71550057b3647b01cc8af4cc2fc18c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ff79c37f07b32b6a285a7c2c19f3b38c0e9f97cc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 00:52:37 +0000 Subject: [PATCH 478/868] Bump x509-limbo and/or wycheproof in CI (#10835) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c383fd9d02fc..ee4c29fa9d19 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 16, 2024. - ref: "de8f18fe4f00b67b3a3d1e50a1ef4ec6ff817ed2" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 17, 2024. + ref: "77e23f751aae6c914a906eface407ffd9762111a" # x509-limbo-ref From 782517b7df2da6fd06b36ad095464901f6401eba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:37:01 +0000 Subject: [PATCH 479/868] Bump virtualenv from 20.25.1 to 20.25.2 (#10837) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.1 to 20.25.2. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.1...20.25.2) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cf251904bb54..435032cca9ec 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.1 +virtualenv==20.25.2 # via nox # The following packages are considered to be unsafe in a requirements file: From bde2876a431253d53db9913dcb228ebb40f17f45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:39:26 +0000 Subject: [PATCH 480/868] Bump sphinx from 7.2.6 to 7.3.5 (#10838) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.2.6 to 7.3.5. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.2.6...v7.3.5) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 435032cca9ec..ca8591dea974 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.3.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.2.6 +sphinx==7.3.5 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From c1aadae92e40183a6ab7824e2a4ec466fe8d2c0c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 11:06:09 +0000 Subject: [PATCH 481/868] Bump proc-macro2 from 1.0.80 to 1.0.81 in /src/rust (#10840) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.80 to 1.0.81. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.80...1.0.81) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index b5419a3642f6..57fbe1f0d435 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -277,9 +277,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.80" +version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a56dea16b0a29e94408b9aa5e2940a4eedbd128a1ba20e8f7ae60fd3d465af0e" +checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba" dependencies = [ "unicode-ident", ] From 7bd2f635ca3552d054b7205f75bd35e4caefd00b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:42:00 -0600 Subject: [PATCH 482/868] Bump backports-tarfile from 1.0.0 to 1.1.0 in /.github/requirements (#10839) * Bump backports-tarfile from 1.0.0 to 1.1.0 in /.github/requirements Bumps [backports-tarfile](https://github.com/jaraco/backports.tarfile) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/jaraco/backports.tarfile/releases) - [Changelog](https://github.com/jaraco/backports.tarfile/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/backports.tarfile/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: backports-tarfile dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 28107d1f36bb..b1247f45be04 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -12,9 +12,9 @@ appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 # via sigstore -backports-tarfile==1.0.0 \ - --hash=sha256:2688f159c21afd56a07b75f01306f9f52c79aebcc5f4a117fb8fbb4445352c75 \ - --hash=sha256:bcd36290d9684beb524d3fe74f4a2db056824c47746583f090b8e55daf0776e4 +backports-tarfile==1.1.0 \ + --hash=sha256:91d59138ea401ee2a95e8b839c1e2f51f3e9ca76bdba8b6a29f8d773564686a8 \ + --hash=sha256:b2f4df351db942d094db94588bbf2c6938697a5f190f44c934acc697da56008b # via jaraco-context betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ From d4c3058e9cd4077d980edce1fa12ccf0a055035e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 20:23:41 +0000 Subject: [PATCH 483/868] Bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 (#10842) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.3 to 6.0.4. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c55203cfde3e5c11a452d352b4393e68b85b4533...9153d834b60caba6d51c9b9510b087acf9f33f83) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index c496f81f3d15..50e3a35a8ab8 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 + uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index fb3f532f5e85..a3e3ff51f608 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 + uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From 2f315bac4d2bed807369646389b21a9e5d6cb943 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 20:24:22 +0000 Subject: [PATCH 484/868] Bump syn from 2.0.59 to 2.0.60 in /src/rust (#10843) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.59 to 2.0.60. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.59...2.0.60) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 57fbe1f0d435..aff8763bc601 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -385,9 +385,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.59" +version = "2.0.60" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a6531ffc7b071655e4ce2e04bd464c4830bb585a61cabb96cf808f05172615a" +checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3" dependencies = [ "proc-macro2", "quote", From d4f58e52191a78ef879c8686c075aa3457803aee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Apr 2024 20:31:38 +0000 Subject: [PATCH 485/868] Bump virtualenv from 20.25.2 to 20.25.3 (#10844) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.2 to 20.25.3. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.2...20.25.3) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ca8591dea974..e8edcd9d9fbc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.2 +virtualenv==20.25.3 # via nox # The following packages are considered to be unsafe in a requirements file: From 7e1b6e854a9e4ae69d43dacc1f02330813094864 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 00:35:10 +0000 Subject: [PATCH 486/868] Bump BoringSSL and/or OpenSSL in CI (#10846) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d3650608393a..183194242c82 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 13, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "1c6e10495e4f69cf9e5fd4e363d580ff1fdb1a96"}} - # Latest commit on the OpenSSL master branch, as of Apr 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c062403abd71550057b3647b01cc8af4cc2fc18c"}} + # Latest commit on the BoringSSL master branch, as of Apr 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f374e1af18c25700923985f6613417847e8f6ab1"}} + # Latest commit on the OpenSSL master branch, as of Apr 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e1fd043ad7fa865a8ef9160c892b49a098d23c71"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 56cd2a2cfa9cfe698e1d4c7d6538b8fa4857f040 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 06:19:20 -0400 Subject: [PATCH 487/868] Bump sphinx from 7.3.5 to 7.3.6 (#10847) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.3.5 to 7.3.6. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.3.5...v7.3.6) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e8edcd9d9fbc..546d05971bd8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.3.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.3.5 +sphinx==7.3.6 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From cc7101372a7388a8a43417bce7580a8062c37fed Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 18 Apr 2024 20:52:17 -0400 Subject: [PATCH 488/868] Bump BoringSSL and/or OpenSSL in CI (#10849) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 183194242c82..8a0abbd0db7f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "f374e1af18c25700923985f6613417847e8f6ab1"}} - # Latest commit on the OpenSSL master branch, as of Apr 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e1fd043ad7fa865a8ef9160c892b49a098d23c71"}} + # Latest commit on the BoringSSL master branch, as of Apr 19, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0aa300b9ba9d66b914793ad18c5b469163e58905"}} + # Latest commit on the OpenSSL master branch, as of Apr 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4e3c1e6206251c59855362d6d2edab4621c31dec"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 80f31c4a63bbb03a269b00d4be433ffa740ba40c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:48:50 -0400 Subject: [PATCH 489/868] Bump ruff from 0.3.7 to 0.4.0 (#10850) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.3.7 to 0.4.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.3.7...v0.4.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 546d05971bd8..30c36ad9c654 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.3.7 +ruff==0.4.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From db0f93460a708e4b1810aa29829c89886212de51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:49:28 -0400 Subject: [PATCH 490/868] Bump sphinx from 7.3.6 to 7.3.7 (#10851) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.3.6 to 7.3.7. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.3.6...v7.3.7) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 30c36ad9c654..0ea359e91126 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.4.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.3.6 +sphinx==7.3.7 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From f8076daf75b045c7136477b0b8aed8103ef52f34 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:50:19 -0400 Subject: [PATCH 491/868] Bump exceptiongroup from 1.2.0 to 1.2.1 (#10852) Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.2.0 to 1.2.1. - [Release notes](https://github.com/agronholm/exceptiongroup/releases) - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.2.0...1.2.1) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0ea359e91126..bc89f2044108 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -36,7 +36,7 @@ docutils==0.20.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.2.0 +exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist From 8c3445cf703a5a1069e33fb89102f67b8a848ad5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:51:15 -0400 Subject: [PATCH 492/868] Bump actions/upload-artifact in /.github/actions/upload-coverage (#10854) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.1 to 4.3.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/5d5d22a31266ced268874388b861e4b58bb5c2f3...1746f4ab65b179e0ea60a494b83293b640dd5bba) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 720cf904f821..4a331fd659d0 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From 885865ec2c43a892a124766f6ad05dde6eca43d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Apr 2024 06:30:30 -0700 Subject: [PATCH 493/868] Bump jaraco-functools from 4.0.0 to 4.0.1 in /.github/requirements (#10853) * Bump jaraco-functools from 4.0.0 to 4.0.1 in /.github/requirements Bumps [jaraco-functools](https://github.com/jaraco/jaraco.functools) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/jaraco/jaraco.functools/releases) - [Changelog](https://github.com/jaraco/jaraco.functools/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/jaraco.functools/compare/v4.0.0...v4.0.1) --- updated-dependencies: - dependency-name: jaraco-functools dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b1247f45be04..87c6eeed2f95 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -258,9 +258,9 @@ jaraco-context==5.3.0 \ --hash=sha256:3e16388f7da43d384a1a7cd3452e72e14732ac9fe459678773a3608a812bf266 \ --hash=sha256:c2f67165ce1f9be20f32f650f25d8edfc1646a8aeee48ae06fb35f90763576d2 # via keyring -jaraco-functools==4.0.0 \ - --hash=sha256:c279cb24c93d694ef7270f970d499cab4d3813f4e08273f95398651a634f0925 \ - --hash=sha256:daf276ddf234bea897ef14f43c4e1bf9eefeac7b7a82a4dd69228ac20acff68d +jaraco-functools==4.0.1 \ + --hash=sha256:3b24ccb921d6b593bdceb56ce14799204f473976e2a9d4b15b04d0f2c2326664 \ + --hash=sha256:d33fa765374c0611b52f8b3a795f8900869aa88c84769d4d1746cd68fb28c3e8 # via keyring jeepney==0.8.0 \ --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ From 7c1b5121d0a905d85b27c2f7a43438ef0b098feb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:29:23 +0000 Subject: [PATCH 494/868] Bump BoringSSL and/or OpenSSL in CI (#10858) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a0abbd0db7f..0607c648f9b8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 19, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0aa300b9ba9d66b914793ad18c5b469163e58905"}} - # Latest commit on the OpenSSL master branch, as of Apr 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4e3c1e6206251c59855362d6d2edab4621c31dec"}} + # Latest commit on the OpenSSL master branch, as of Apr 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6594baf6457c64f6fce3ec60cb2617f75d98d159"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 3a23052240677366d9e5296ebf53868eb9ef1e68 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:31:47 +0000 Subject: [PATCH 495/868] Bump ruff from 0.4.0 to 0.4.1 (#10862) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.0 to 0.4.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.0...v0.4.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bc89f2044108..ba106e064cde 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.0 +ruff==0.4.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 67c33213785ed5df2b098f6a8376408e03d34b33 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:33:51 +0000 Subject: [PATCH 496/868] Bump actions/checkout in /.github/actions/fetch-vectors (#10859) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...1d96c772d19495a3b5c517cd2bc0cb401ea0529f) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index ee4c29fa9d19..f66fd9c98a8b 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From ad2427d43170a6df9774059eb6abf96fe3ff408a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Apr 2024 14:34:23 +0000 Subject: [PATCH 497/868] Bump cc from 1.0.94 to 1.0.95 in /src/rust (#10861) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.94 to 1.0.95. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.94...1.0.95) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index aff8763bc601..8dee9516b660 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -48,9 +48,9 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.94" +version = "1.0.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17f6e324229dc011159fcc089755d1e2e216a90d43a7dea6853ca740b84f35e7" +checksum = "d32a725bc159af97c3e629873bb9f88fb8cf8a4867175f76dc987815ea07c83b" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 0cdf9d949082..34d16fb493a6 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.94" +cc = "1.0.95" From 83d90df3df4b3e858119348d06ffffd3c4cbd706 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Sun, 21 Apr 2024 21:09:12 +0200 Subject: [PATCH 498/868] Add timezone-aware API variant for `x509.InvalidityDate.invalidity_date` (#10848) --- CHANGELOG.rst | 3 +++ docs/x509/reference.rst | 8 ++++++++ src/cryptography/x509/extensions.py | 7 +++++++ src/rust/src/x509/extensions.rs | 2 +- tests/x509/test_x509_ext.py | 20 ++++++++++++++++++++ 5 files changed, 39 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8a97f7d7da1a..e7153b215514 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -41,6 +41,9 @@ Changelog :attr:`~cryptography.x509.CertificateSigningRequest.public_key_algorithm_oid` to determine the :class:`~cryptography.hazmat._oid.PublicKeyAlgorithmOID` Object Identifier of the public key found inside the certificate. +* Added :attr:`~cryptography.x509.InvalidityDate.invalidity_date_utc`, a + timezone-aware alternative to the naïve ``datetime`` attribute + :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. .. _v42-0-5: diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 0d0db19fdee4..6aa0f6667ba2 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -3148,6 +3148,14 @@ These extensions are only valid within a :class:`RevokedCertificate` object. :type: :class:`datetime.datetime` + .. attribute:: invalidity_date_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + The invalidity date in UTC as a timezone-aware datetime object. + OCSP Extensions ~~~~~~~~~~~~~~~ diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 1842a9e2b0c6..5e7486a594ed 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -1788,6 +1788,13 @@ def __hash__(self) -> int: def invalidity_date(self) -> datetime.datetime: return self._invalidity_date + @property + def invalidity_date_utc(self) -> datetime.datetime: + if self._invalidity_date.tzinfo is None: + return self._invalidity_date.replace(tzinfo=datetime.timezone.utc) + else: + return self._invalidity_date.astimezone(tz=datetime.timezone.utc) + def public_bytes(self) -> bytes: return rust_x509.encode_extension_value(self) diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index 2e9f3d174eca..bb8e9a55cb95 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -530,7 +530,7 @@ pub(crate) fn encode_extension( Ok(Some(asn1::write_single(&asn1::SequenceOfWriter::new(gns))?)) } &oid::INVALIDITY_DATE_OID => { - let py_dt = ext.getattr(pyo3::intern!(py, "invalidity_date"))?; + let py_dt = ext.getattr(pyo3::intern!(py, "invalidity_date_utc"))?; let dt = x509::py_to_datetime(py, py_dt)?; Ok(Some(asn1::write_single(&asn1::GeneralizedTime::new(dt)?)?)) } diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 491271ade526..44e8299046dc 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -444,6 +444,26 @@ def test_public_bytes(self): ext = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1)) assert ext.public_bytes() == b"\x18\x0f20150101010100Z" + def test_timezone_aware_api(self): + naive_date = datetime.datetime(2015, 1, 1, 1, 1) + ext_naive = x509.InvalidityDate(invalidity_date=naive_date) + assert ext_naive.invalidity_date_utc == datetime.datetime( + 2015, 1, 1, 1, 1, tzinfo=datetime.timezone.utc + ) + + tz_aware_date = datetime.datetime( + 2015, + 1, + 1, + 1, + 1, + tzinfo=datetime.timezone(datetime.timedelta(hours=-8)), + ) + ext_aware = x509.InvalidityDate(invalidity_date=tz_aware_date) + assert ext_aware.invalidity_date_utc == datetime.datetime( + 2015, 1, 1, 9, 1, tzinfo=datetime.timezone.utc + ) + class TestNoticeReference: def test_notice_numbers_not_all_int(self): From d5e1321ad50f2f7897f8293ecd98f5a5f1544e6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 08:39:39 -0400 Subject: [PATCH 499/868] Bump pluggy from 1.4.0 to 1.5.0 (#10866) Bumps [pluggy](https://github.com/pytest-dev/pluggy) from 1.4.0 to 1.5.0. - [Changelog](https://github.com/pytest-dev/pluggy/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pluggy/compare/1.4.0...1.5.0) --- updated-dependencies: - dependency-name: pluggy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ba106e064cde..d2654466890a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -70,7 +70,7 @@ pathspec==0.12.1 # via check-sdist platformdirs==4.2.0; python_version >= "3.8" # via virtualenv -pluggy==1.4.0; python_version >= "3.8" +pluggy==1.5.0; python_version >= "3.8" # via pytest pretend==1.0.9 # via cryptography (pyproject.toml) From 7b3b882775b02b773b151316a0cd2b62fe252542 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 00:16:33 +0000 Subject: [PATCH 500/868] Bump BoringSSL and/or OpenSSL in CI (#10867) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0607c648f9b8..18607325fe08 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 19, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0aa300b9ba9d66b914793ad18c5b469163e58905"}} - # Latest commit on the OpenSSL master branch, as of Apr 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6594baf6457c64f6fce3ec60cb2617f75d98d159"}} + # Latest commit on the BoringSSL master branch, as of Apr 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d8d1c6a2d034df2a62bcf75604a4824f0e20e19e"}} + # Latest commit on the OpenSSL master branch, as of Apr 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "98161274636dca12e3bfafab7d2d2ac28f4d7c30"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 85f444a722ab46079aff332939990d1e002c5471 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 21:50:10 -0400 Subject: [PATCH 501/868] Bump x509-limbo and/or wycheproof in CI (#10868) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index f66fd9c98a8b..2f49f2db3127 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 17, 2024. - ref: "77e23f751aae6c914a906eface407ffd9762111a" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 23, 2024. + ref: "b372833b8ce29da36ced2aec91e46bd157008a7d" # x509-limbo-ref From fa381af5c92fac06495a211bd67f41a4d32ec213 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 09:38:00 -0400 Subject: [PATCH 502/868] Bump actions/upload-artifact in /.github/actions/upload-coverage (#10871) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.2 to 4.3.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/1746f4ab65b179e0ea60a494b83293b640dd5bba...65462800fd760344b1a7b4382951275a0abb4808) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 4a331fd659d0..227cac821f33 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From ecc9ef8377ddd92d74d7713aab2989937c5ba7cf Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 21:02:29 -0400 Subject: [PATCH 503/868] Bump BoringSSL and/or OpenSSL in CI (#10874) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18607325fe08..65fc5511c821 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d8d1c6a2d034df2a62bcf75604a4824f0e20e19e"}} - # Latest commit on the OpenSSL master branch, as of Apr 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "98161274636dca12e3bfafab7d2d2ac28f4d7c30"}} + # Latest commit on the BoringSSL master branch, as of Apr 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54821d806d574dd8f2869a8c7f5725b65a67af42"}} + # Latest commit on the OpenSSL master branch, as of Apr 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "264ff64b9443e60c7c93af0ced2b22fdf622d179"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b915cc7b9e86c7e66d5ea3211161bc8b93edc30e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 20:25:32 -0700 Subject: [PATCH 504/868] Bump backports-tarfile from 1.1.0 to 1.1.1 in /.github/requirements (#10872) * Bump backports-tarfile from 1.1.0 to 1.1.1 in /.github/requirements Bumps [backports-tarfile](https://github.com/jaraco/backports.tarfile) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/jaraco/backports.tarfile/releases) - [Changelog](https://github.com/jaraco/backports.tarfile/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/backports.tarfile/compare/v1.1.0...v1.1.1) --- updated-dependencies: - dependency-name: backports-tarfile dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 87c6eeed2f95..695a394d49f6 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -12,9 +12,9 @@ appdirs==1.4.4 \ --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 # via sigstore -backports-tarfile==1.1.0 \ - --hash=sha256:91d59138ea401ee2a95e8b839c1e2f51f3e9ca76bdba8b6a29f8d773564686a8 \ - --hash=sha256:b2f4df351db942d094db94588bbf2c6938697a5f190f44c934acc697da56008b +backports-tarfile==1.1.1 \ + --hash=sha256:73e0179647803d3726d82e76089d01d8549ceca9bace469953fcb4d97cf2d417 \ + --hash=sha256:9c2ef9696cb73374f7164e17fc761389393ca76777036f5aad42e8b93fcd8009 # via jaraco-context betterproto==2.0.0b6 \ --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ From ed1f1f00e19c943dd6fee3f0709cace0d014566d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 03:35:42 +0000 Subject: [PATCH 505/868] Bump platformdirs from 4.2.0 to 4.2.1 (#10875) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.2.0 to 4.2.1. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.2.0...4.2.1) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d2654466890a..b1708aeefec7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ packaging==24.0 # sphinx pathspec==0.12.1 # via check-sdist -platformdirs==4.2.0; python_version >= "3.8" +platformdirs==4.2.1; python_version >= "3.8" # via virtualenv pluggy==1.5.0; python_version >= "3.8" # via pytest From f159765f83bc61343e0208a764c3cb1f4ad7084c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 03:58:38 +0000 Subject: [PATCH 506/868] Bump virtualenv from 20.25.3 to 20.26.0 (#10878) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.25.3 to 20.26.0. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.25.3...20.26.0) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b1708aeefec7..6a6d8576e941 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.25.3 +virtualenv==20.26.0 # via nox # The following packages are considered to be unsafe in a requirements file: From 41ca4109076236a562b3e0ddeb523e1d3745935b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 04:04:15 +0000 Subject: [PATCH 507/868] Bump coverage from 7.4.4 to 7.5.0 (#10879) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.4.4 to 7.5.0. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.4...7.5.0) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6a6d8576e941..546703b8930f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.4.4; python_version >= "3.8" +coverage==7.5.0; python_version >= "3.8" # via # coverage # pytest-cov From 645931ca6e615d1e7212055d99644b77725e2b53 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 00:15:00 +0000 Subject: [PATCH 508/868] Bump BoringSSL and/or OpenSSL in CI (#10882) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65fc5511c821..c3e3dc282152 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 24, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54821d806d574dd8f2869a8c7f5725b65a67af42"}} - # Latest commit on the OpenSSL master branch, as of Apr 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "264ff64b9443e60c7c93af0ced2b22fdf622d179"}} + # Latest commit on the OpenSSL master branch, as of Apr 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c81b7b059f614a6c43ad6a6907b1a740b783fbfd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 85815cac668ad975f079aa14f0f420043b8218da Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 07:11:36 -0400 Subject: [PATCH 509/868] Bump actions/checkout in /.github/actions/fetch-vectors (#10888) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.3 to 4.1.4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/1d96c772d19495a3b5c517cd2bc0cb401ea0529f...0ad4b8fadaa221de15dcec353f45205ec38ea70b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 2f49f2db3127..390bff761eb2 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From 246b1df2a5575166bc231b4586bfae97d8835b3f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 11:12:07 +0000 Subject: [PATCH 510/868] Bump mypy from 1.9.0 to 1.10.0 (#10883) Bumps [mypy](https://github.com/python/mypy) from 1.9.0 to 1.10.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 546703b8930f..93f60289b6dc 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.3 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.9.0 +mypy==1.10.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From 2018f689cc9041a9986a33b82451c8dc9bad48a4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 11:18:37 +0000 Subject: [PATCH 511/868] Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#10886) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.4 to 6.0.5. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/9153d834b60caba6d51c9b9510b087acf9f33f83...6d6857d36972b65feb161a90e484f2984215f83e) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 50e3a35a8ab8..63c5fbe6e7cc 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 + uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index a3e3ff51f608..9b48b09eedfd 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4 + uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From daca5c3e926b511d31a23d797f15b97627e0169f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 25 Apr 2024 18:12:36 -0400 Subject: [PATCH 512/868] Handle errors on failing to import cffi module properly (#10890) --- src/rust/cryptography-cffi/src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rust/cryptography-cffi/src/lib.rs b/src/rust/cryptography-cffi/src/lib.rs index 17d63c44c43f..b927fae370ac 100644 --- a/src/rust/cryptography-cffi/src/lib.rs +++ b/src/rust/cryptography-cffi/src/lib.rs @@ -26,7 +26,7 @@ pub fn create_module( // SAFETY: `PyInit__openssl` returns an owned reference. let openssl_mod = unsafe { let ptr = PyInit__openssl(); - pyo3::Py::from_owned_ptr(py, ptr).bind(py).clone() + pyo3::Py::from_owned_ptr_or_err(py, ptr)?.bind(py).clone() }; Ok(openssl_mod) From c65975377eb22d52ec58ad600f12fe0108048718 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 25 Apr 2024 18:51:24 -0400 Subject: [PATCH 513/868] fix for upcoming ruff lint (#10891) --- tests/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/utils.py b/tests/utils.py index c1aa34ef4d30..3a8a768cf115 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -620,7 +620,7 @@ def load_kasvs_ecdh_vectors(vector_data): if len(parm) == 2: names = parm[1].strip().split() for n in names: - tags.append("[%s]" % n) + tags.append(f"[{n}]") break # Sets Metadata From 7905cce3e425b5105fec20e83089f8096c8a1d1e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:00:51 -0700 Subject: [PATCH 514/868] Bump docutils from 0.21.1 to 0.21.2 in /.github/requirements (#10877) * Bump docutils from 0.21.1 to 0.21.2 in /.github/requirements Bumps [docutils](https://docutils.sourceforge.io) from 0.21.1 to 0.21.2. --- updated-dependencies: - dependency-name: docutils dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 695a394d49f6..9da1adf5e7e5 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -211,9 +211,9 @@ dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc # via email-validator -docutils==0.21.1 \ - --hash=sha256:14c8d34a55b46c88f9f714adb29cefbdd69fb82f3fef825e59c5faab935390d8 \ - --hash=sha256:65249d8a5345bc95e0f40f280ba63c98eb24de35c6c8f5b662e3e8948adea83f +docutils==0.21.2 \ + --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ + --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 # via readme-renderer email-validator==2.1.1 \ --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ From dc657ba865d0d280230c8323387efbce611a3d91 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:01:36 -0700 Subject: [PATCH 515/868] Bump id from 1.3.0 to 1.4.0 in /.github/requirements (#10887) * Bump id from 1.3.0 to 1.4.0 in /.github/requirements Bumps [id](https://github.com/di/id) from 1.3.0 to 1.4.0. - [Release notes](https://github.com/di/id/releases) - [Changelog](https://github.com/di/id/blob/main/CHANGELOG.md) - [Commits](https://github.com/di/id/compare/v1.3.0...v1.4.0) --- updated-dependencies: - dependency-name: id dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 9da1adf5e7e5..34634da4b077 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -234,9 +234,9 @@ hyperframe==6.0.1 \ --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 # via h2 -id==1.3.0 \ - --hash=sha256:c5dbb6048a469466054f065e92dba9b202a57d718cf12a0f24a082d0df988e18 \ - --hash=sha256:da320bc6d6e612a2c16364ca95bb905e87c74332d4fc9b34850a26c304790694 +id==1.4.0 \ + --hash=sha256:23c06772e8bd3e3a44ee3f167868bf5a8e385b0c1e2cc707ad36eb7486b4765b \ + --hash=sha256:a0391117c98fa9851ebd2b22df0dc6fd6aacbd89a4ec95c173f1311ca9bb7329 # via sigstore idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ From 2c9a484ee759572931f0b983676a07c4f0bb2b84 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 00:14:52 +0000 Subject: [PATCH 516/868] Bump BoringSSL and/or OpenSSL in CI (#10892) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c3e3dc282152..a5c56aae2827 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "54821d806d574dd8f2869a8c7f5725b65a67af42"}} - # Latest commit on the OpenSSL master branch, as of Apr 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c81b7b059f614a6c43ad6a6907b1a740b783fbfd"}} + # Latest commit on the BoringSSL master branch, as of Apr 26, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9eab28fb27dc90e0913bb82c62cfc49741bc494c"}} + # Latest commit on the OpenSSL master branch, as of Apr 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15d6114d99d93468876697b62d543b0e2efd45d5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 5b3dd286057435e4fdd1b8c408b1e76a1bdf8627 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 02:42:23 +0000 Subject: [PATCH 517/868] Bump parking_lot from 0.12.1 to 0.12.2 in /src/rust (#10893) Bumps [parking_lot](https://github.com/Amanieu/parking_lot) from 0.12.1 to 0.12.2. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/0.12.1...0.12.2) --- updated-dependencies: - dependency-name: parking_lot dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 8dee9516b660..31f49252337d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -233,9 +233,9 @@ dependencies = [ [[package]] name = "parking_lot" -version = "0.12.1" +version = "0.12.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" +checksum = "7e4af0ca4f6caed20e900d564c242b8e5d4903fdacf31d3daf527b66fe6f42fb" dependencies = [ "lock_api", "parking_lot_core", From ff35c1a840edf0609778687d87ac270402b5dd1c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 02:57:53 +0000 Subject: [PATCH 518/868] Bump ruff from 0.4.1 to 0.4.2 (#10895) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.1 to 0.4.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.1...v0.4.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 93f60289b6dc..028036766da7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.1 +ruff==0.4.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From cbb9193560d13ea2a30eb99ca9cfbb913a21631a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 03:01:29 +0000 Subject: [PATCH 519/868] Bump parking_lot_core from 0.9.9 to 0.9.10 in /src/rust (#10896) Bumps [parking_lot_core](https://github.com/Amanieu/parking_lot) from 0.9.9 to 0.9.10. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/core-0.9.9...core-0.9.10) --- updated-dependencies: - dependency-name: parking_lot_core dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 57 +++++++++++++++++++++++---------------------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 31f49252337d..05eddd2f97d8 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -34,12 +34,6 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" -[[package]] -name = "bitflags" -version = "1.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" - [[package]] name = "bitflags" version = "2.4.2" @@ -199,7 +193,7 @@ version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ - "bitflags 2.4.2", + "bitflags", "cfg-if", "foreign-types", "libc", @@ -243,9 +237,9 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.9" +version = "0.9.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" +checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", @@ -358,11 +352,11 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.4.1" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +checksum = "469052894dcb553421e483e4209ee581a45100d31b4018de03e5a7ad86374a7e" dependencies = [ - "bitflags 1.3.2", + "bitflags", ] [[package]] @@ -420,13 +414,14 @@ checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" [[package]] name = "windows-targets" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c" +checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", "windows_i686_gnu", + "windows_i686_gnullvm", "windows_i686_msvc", "windows_x86_64_gnu", "windows_x86_64_gnullvm", @@ -435,42 +430,48 @@ dependencies = [ [[package]] name = "windows_aarch64_gnullvm" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" +checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" [[package]] name = "windows_aarch64_msvc" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" +checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" [[package]] name = "windows_i686_gnu" -version = "0.48.5" +version = "0.52.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" [[package]] name = "windows_i686_msvc" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" +checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" [[package]] name = "windows_x86_64_gnu" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" [[package]] name = "windows_x86_64_gnullvm" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" +checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" [[package]] name = "windows_x86_64_msvc" -version = "0.48.5" +version = "0.52.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" +checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" From c11c3d2a7f2a037b020895d812453900b182207d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 23:04:45 -0400 Subject: [PATCH 520/868] Bump lock_api from 0.4.11 to 0.4.12 in /src/rust (#10894) Bumps [lock_api](https://github.com/Amanieu/parking_lot) from 0.4.11 to 0.4.12. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/lock_api-0.4.11...lock_api-0.4.12) --- updated-dependencies: - dependency-name: lock_api dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 05eddd2f97d8..c92e518b8a5c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -164,9 +164,9 @@ checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] name = "lock_api" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" +checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" dependencies = [ "autocfg", "scopeguard", From 0b2b5f9df3d074bb36a8e6d216d321968b57afd2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Apr 2024 03:15:15 +0000 Subject: [PATCH 521/868] Bump bitflags from 2.4.2 to 2.5.0 in /src/rust (#10898) Bumps [bitflags](https://github.com/bitflags/bitflags) from 2.4.2 to 2.5.0. - [Release notes](https://github.com/bitflags/bitflags/releases) - [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md) - [Commits](https://github.com/bitflags/bitflags/compare/2.4.2...2.5.0) --- updated-dependencies: - dependency-name: bitflags dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index c92e518b8a5c..010ebe1b4ff0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -36,9 +36,9 @@ checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" [[package]] name = "bitflags" -version = "2.4.2" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" +checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" From 07642cfe48aa0940be9ad7ef77dd27b1cc48d8d5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 25 Apr 2024 23:32:32 -0400 Subject: [PATCH 522/868] Test on rolling for arm64 (#10897) * Test on rolling for arm64 * Update installation.rst --- .github/workflows/ci.yml | 2 +- docs/installation.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a5c56aae2827..b1333e53dcc8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -164,7 +164,7 @@ jobs: - {IMAGE: "centos-stream9", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "centos-stream9-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "ubuntu-jammy:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} + - {IMAGE: "ubuntu-rolling:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} - {IMAGE: "alpine:aarch64", NOXSESSION: "tests", RUNNER: [self-hosted, Linux, ARM64]} timeout-minutes: 15 env: diff --git a/docs/installation.rst b/docs/installation.rst index 979ae344332a..cc6e32beafe4 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -21,7 +21,7 @@ operating systems. * x86-64 Fedora (latest) * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma * x86-64 Ubuntu 20.04, 22.04, 24.04, rolling -* ARM64 Ubuntu 22.04 +* ARM64 Ubuntu rolling * x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and Sid (unstable) * x86-64 and ARM64 Alpine (latest) From 56fcdb3ac4a574aadf61a7338d010751333d00eb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 27 Apr 2024 00:15:04 +0000 Subject: [PATCH 523/868] Bump BoringSSL and/or OpenSSL in CI (#10900) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1333e53dcc8..f4227d1451d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 26, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9eab28fb27dc90e0913bb82c62cfc49741bc494c"}} - # Latest commit on the OpenSSL master branch, as of Apr 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "15d6114d99d93468876697b62d543b0e2efd45d5"}} + # Latest commit on the BoringSSL master branch, as of Apr 27, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d69e8b46184b6fd844a4a92b4a6f4347d08ee439"}} + # Latest commit on the OpenSSL master branch, as of Apr 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "933f57dfe21657f7aba8f13e0cdb3b02dd64fcc3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 66cf834fadae8d1353c5322014b4d3a64361b36b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 28 Apr 2024 12:44:04 -0400 Subject: [PATCH 524/868] Begin migrating PKCS#12 serialization to Rust (#10616) For now, only handle unencrypted cert-only PKCS#12. --- .../hazmat/bindings/_rust/pkcs12.pyi | 5 + .../hazmat/primitives/serialization/pkcs12.py | 5 + src/rust/cryptography-x509/src/common.rs | 19 ++ src/rust/cryptography-x509/src/pkcs12.rs | 37 ++-- src/rust/cryptography-x509/src/pkcs7.rs | 2 +- src/rust/src/pkcs12.rs | 169 +++++++++++++++++- src/rust/src/types.rs | 2 + tests/hazmat/primitives/test_pkcs12.py | 3 - 8 files changed, 216 insertions(+), 26 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index 109ae4fce5d8..76dd0194c40a 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -33,3 +33,8 @@ def load_pkcs12( password: bytes | None, backend: typing.Any = None, ) -> PKCS12KeyAndCertificates: ... +def serialize_key_and_certificates( + name: bytes | None, + cert: x509.Certificate | None, + cas: typing.Iterable[x509.Certificate | PKCS12Certificate] | None, +) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 8ed5f1e0872b..0d37145eb943 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -167,6 +167,11 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") + if key is None and isinstance( + encryption_algorithm, serialization.NoEncryption + ): + return rust_pkcs12.serialize_key_and_certificates(name, cert, cas) + from cryptography.hazmat.backends.openssl.backend import backend return backend.serialize_key_and_certificates_to_pkcs12( diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 77cebc30464e..9eea5ff7bca8 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -414,6 +414,25 @@ impl<'a> asn1::SimpleAsn1Writable for UnvalidatedVisibleString<'a> { } } +/// A BMPString ASN.1 element, where it is stored as a UTF-8 string in memory. +pub struct Utf8StoredBMPString<'a>(pub &'a str); + +impl<'a> Utf8StoredBMPString<'a> { + pub fn new(s: &'a str) -> Self { + Utf8StoredBMPString(s) + } +} + +impl<'a> asn1::SimpleAsn1Writable for Utf8StoredBMPString<'a> { + const TAG: asn1::Tag = asn1::BMPString::TAG; + fn write_data(&self, writer: &mut asn1::WriteBuf) -> asn1::WriteResult { + for ch in self.0.encode_utf16() { + writer.push_slice(&ch.to_be_bytes())?; + } + Ok(()) + } +} + #[derive(Clone)] pub struct WithTlv<'a, T> { tlv: asn1::Tlv<'a>, diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index 328961fce053..4fea62179846 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -2,6 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::common::Utf8StoredBMPString; use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); @@ -9,60 +10,60 @@ pub const KEY_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct Pfx<'a> { pub version: u8, pub auth_safe: pkcs7::ContentInfo<'a>, pub mac_data: Option>, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct MacData<'a> { pub mac: pkcs7::DigestInfo<'a>, pub salt: &'a [u8], - // #[default(1u64)] + #[default(1u64)] pub iterations: u64, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct SafeBag<'a> { pub _bag_id: asn1::DefinedByMarker, - // #[defined_by(_bag_id)] + #[defined_by(_bag_id)] pub bag_value: asn1::Explicit, 0>, - // pub attributes: Option>>, + pub attributes: Option, Vec>>>, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct Attribute<'a> { pub _attr_id: asn1::DefinedByMarker, - // #[defined_by(_attr_id)] + #[defined_by(_attr_id)] pub attr_values: AttributeSet<'a>, } -// #[derive(asn1::Asn1DefinedByWrite)] +#[derive(asn1::Asn1DefinedByWrite)] pub enum AttributeSet<'a> { - // #[defined_by(FRIENDLY_NAME_OID)] - FriendlyName(asn1::SetOfWriter<'a, asn1::BMPString<'a>>), + #[defined_by(FRIENDLY_NAME_OID)] + FriendlyName(asn1::SetOfWriter<'a, Utf8StoredBMPString<'a>, [Utf8StoredBMPString<'a>; 1]>), } -// #[derive(asn1::Asn1DefinedByWrite)] +#[derive(asn1::Asn1DefinedByWrite)] pub enum BagValue<'a> { - // #[defined_by(CERT_BAG_OID)] + #[defined_by(CERT_BAG_OID)] CertBag(CertBag<'a>), - // #[defined_by(KEY_BAG_OID)] + #[defined_by(KEY_BAG_OID)] KeyBag(asn1::Tlv<'a>), } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct CertBag<'a> { pub _cert_id: asn1::DefinedByMarker, - // #[defined_by(_cert_id)] + #[defined_by(_cert_id)] pub cert_value: asn1::Explicit, 0>, } -// #[derive(asn1::Asn1DefinedByWrite)] +#[derive(asn1::Asn1DefinedByWrite)] pub enum CertType<'a> { - // #[defined_by(X509_CERTIFICATE_OID)] + #[defined_by(X509_CERTIFICATE_OID)] X509(asn1::OctetStringEncoded>), } diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index e1581a0e069a..9df323696ac3 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -59,7 +59,7 @@ pub struct IssuerAndSerialNumber<'a> { pub serial_number: asn1::BigInt<'a>, } -// #[derive(asn1::Asn1Write)] +#[derive(asn1::Asn1Write)] pub struct DigestInfo<'a> { pub algorithm: common::AlgorithmIdentifier<'a>, pub digest: &'a [u8], diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 51116c52557e..1b1b6ceb9f28 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -2,12 +2,13 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::backend::keys; +use crate::backend::{hashes, hmac, keys}; use crate::buf::CffiBuf; use crate::error::CryptographyResult; use crate::x509::certificate::Certificate; use crate::{types, x509}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use cryptography_x509::common::Utf8StoredBMPString; +use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -80,9 +81,8 @@ impl PKCS12Certificate { const KDF_ENCRYPTION_KEY_ID: u8 = 1; #[allow(dead_code)] const KDF_IV_ID: u8 = 2; -#[allow(dead_code)] const KDF_MAC_KEY_ID: u8 = 3; -#[allow(dead_code)] + fn pkcs12_kdf( pass: &[u8], salt: &[u8], @@ -183,6 +183,163 @@ fn pkcs12_kdf( Ok(result) } +fn friendly_name_attributes( + friendly_name: Option<&[u8]>, +) -> CryptographyResult< + Option< + asn1::SetOfWriter< + '_, + cryptography_x509::pkcs12::Attribute<'_>, + Vec>, + >, + >, +> { + if let Some(name) = friendly_name { + let name_str = std::str::from_utf8(name).map_err(|_| { + pyo3::exceptions::PyValueError::new_err("friendly_name must be valid UTF-8") + })?; + + Ok(Some(asn1::SetOfWriter::new(vec![ + cryptography_x509::pkcs12::Attribute { + _attr_id: asn1::DefinedByMarker::marker(), + attr_values: cryptography_x509::pkcs12::AttributeSet::FriendlyName( + asn1::SetOfWriter::new([Utf8StoredBMPString::new(name_str)]), + ), + }, + ]))) + } else { + Ok(None) + } +} + +fn cert_to_bag<'a>( + cert: &'a Certificate, + friendly_name: Option<&'a [u8]>, +) -> CryptographyResult> { + Ok(cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::CertBag( + cryptography_x509::pkcs12::CertBag { + _cert_id: asn1::DefinedByMarker::marker(), + cert_value: asn1::Explicit::new(cryptography_x509::pkcs12::CertType::X509( + asn1::OctetStringEncoded::new(cert.raw.borrow_dependent().clone()), + )), + }, + )), + attributes: friendly_name_attributes(friendly_name)?, + }) +} + +fn decode_encryption_algorithm( + py: pyo3::Python<'_>, +) -> CryptographyResult<(&[u8], pyo3::Bound<'_, pyo3::PyAny>, u64)> { + let default_hmac_alg = types::SHA256.get(py)?.call0()?; + let default_hmac_kdf_iter = 2048; + + Ok((b"", default_hmac_alg, default_hmac_kdf_iter)) +} + +#[derive(pyo3::FromPyObject)] +enum CertificateOrPKCS12Certificate { + Certificate(pyo3::Py), + PKCS12Certificate(pyo3::Py), +} + +#[pyo3::prelude::pyfunction] +#[pyo3(signature = (name, cert, cas))] +fn serialize_key_and_certificates<'p>( + py: pyo3::Python<'p>, + name: Option<&[u8]>, + cert: Option<&Certificate>, + cas: Option>, +) -> CryptographyResult> { + let (password, mac_algorithm, mac_kdf_iter) = decode_encryption_algorithm(py)?; + + let mut auth_safe_contents = vec![]; + let cert_bag_contents; + let mut ca_certs = vec![]; + assert!(cert.is_some() || cas.is_some()); + { + let mut cert_bags = vec![]; + + if let Some(cert) = cert { + cert_bags.push(cert_to_bag(cert, name)?); + } + + if let Some(cas) = cas { + for cert in cas.iter()? { + ca_certs.push(cert?.extract::()?); + } + + for cert in &ca_certs { + let bag = match cert { + CertificateOrPKCS12Certificate::Certificate(c) => cert_to_bag(c.get(), None)?, + CertificateOrPKCS12Certificate::PKCS12Certificate(c) => cert_to_bag( + c.get().certificate.get(), + c.get().friendly_name.as_ref().map(|v| v.as_bytes(py)), + )?, + }; + cert_bags.push(bag); + } + } + + cert_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new(cert_bags))?; + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &cert_bag_contents, + ))), + }); + } + let auth_safe_content = asn1::write_single(&asn1::SequenceOfWriter::new(auth_safe_contents))?; + + let salt = types::OS_URANDOM + .get(py)? + .call1((8,))? + .extract::()?; + let mac_algorithm_md = hashes::message_digest_from_algorithm(py, &mac_algorithm)?; + let mac_key = pkcs12_kdf( + password, + &salt, + KDF_MAC_KEY_ID, + mac_kdf_iter, + mac_algorithm_md.size(), + mac_algorithm_md, + )?; + let mac_digest = { + let mut h = hmac::Hmac::new_bytes(py, &mac_key, &mac_algorithm)?; + h.update_bytes(&auth_safe_content)?; + h.finalize(py)? + }; + let mac_algorithm_identifier = crate::x509::ocsp::HASH_NAME_TO_ALGORITHM_IDENTIFIERS + [&*mac_algorithm + .getattr(pyo3::intern!(py, "name"))? + .extract::()?] + .clone(); + + let p12 = cryptography_x509::pkcs12::Pfx { + version: 3, + auth_safe: cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &auth_safe_content, + ))), + }, + mac_data: Some(cryptography_x509::pkcs12::MacData { + mac: cryptography_x509::pkcs7::DigestInfo { + algorithm: mac_algorithm_identifier, + digest: mac_digest.as_bytes(), + }, + salt: &salt, + iterations: mac_kdf_iter, + }), + }; + Ok(pyo3::types::PyBytes::new_bound( + py, + &asn1::write_single(&p12)?, + )) +} + fn decode_p12( data: CffiBuf<'_>, password: Option>, @@ -323,6 +480,10 @@ pub(crate) fn create_submodule( &submod )?)?; submod.add_function(pyo3::wrap_pyfunction_bound!(load_pkcs12, &submod)?)?; + submod.add_function(pyo3::wrap_pyfunction_bound!( + serialize_key_and_certificates, + &submod + )?)?; submod.add_class::()?; diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index d60c50ea6960..3b21ec1f1ad3 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -345,6 +345,8 @@ pub static EXTENDABLE_OUTPUT_FUNCTION: LazyPyImport = LazyPyImport::new( ); pub static SHA1: LazyPyImport = LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["SHA1"]); +pub static SHA256: LazyPyImport = + LazyPyImport::new("cryptography.hazmat.primitives.hashes", &["SHA256"]); pub static PREHASHED: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.asymmetric.utils", diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 9217e4eca5f2..3230718c4120 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -544,9 +544,6 @@ def test_generate_cert_only_none_cas(self, backend): assert parsed_more_certs == [cert] def test_invalid_utf8_friendly_name(self, backend): - if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: - pytest.skip("Temporarily doesn't work on LibreSSL") - cert, _ = _load_ca(backend) with pytest.raises(ValueError): serialize_key_and_certificates( From 46db48e54cfdef50596e0cc003e43d2dddf04493 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 11:32:12 +0000 Subject: [PATCH 525/868] Bump pytest from 8.1.1 to 8.2.0 (#10903) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.1.1 to 8.2.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.1.1...8.2.0) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 028036766da7..4440df9fb998 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.17.2 # sphinx pyproject-hooks==1.0.0 # via build -pytest==8.1.1; python_version >= "3.8" +pytest==8.2.0; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 091bae8cbd9ec18406ed3b054452d8217fa2a941 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 11:32:52 +0000 Subject: [PATCH 526/868] Bump pyproject-hooks from 1.0.0 to 1.1.0 (#10904) Bumps [pyproject-hooks](https://github.com/pypa/pyproject-hooks) from 1.0.0 to 1.1.0. - [Changelog](https://github.com/pypa/pyproject-hooks/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/pyproject-hooks/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: pyproject-hooks dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4440df9fb998..7dcf5295dfda 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -84,7 +84,7 @@ pygments==2.17.2 # via # readme-renderer # sphinx -pyproject-hooks==1.0.0 +pyproject-hooks==1.1.0 # via build pytest==8.2.0; python_version >= "3.8" # via From 8e7a10487c5db87d61156455367691a2137e34ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 05:50:21 -0700 Subject: [PATCH 527/868] Bump pytest-xdist from 3.5.0 to 3.6.1 (#10905) * Bump pytest-xdist from 3.5.0 to 3.6.1 Bumps [pytest-xdist](https://github.com/pytest-dev/pytest-xdist) from 3.5.0 to 3.6.1. - [Release notes](https://github.com/pytest-dev/pytest-xdist/releases) - [Changelog](https://github.com/pytest-dev/pytest-xdist/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-xdist/compare/v3.5.0...v3.6.1) --- updated-dependencies: - dependency-name: pytest-xdist dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 7dcf5295dfda..cd9556013ac4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -99,7 +99,7 @@ pytest-cov==5.0.0; python_version >= "3.8" # via cryptography (pyproject.toml) pytest-randomly==3.15.0 # via cryptography (pyproject.toml) -pytest-xdist==3.5.0 +pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) readme-renderer==43.0 # via cryptography (pyproject.toml) From 13fbef6d520f728660d63cc039be745333b24574 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 05:50:44 -0700 Subject: [PATCH 528/868] Bump keyring from 25.1.0 to 25.2.0 in /.github/requirements (#10906) * Bump keyring from 25.1.0 to 25.2.0 in /.github/requirements Bumps [keyring](https://github.com/jaraco/keyring) from 25.1.0 to 25.2.0. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v25.1.0...v25.2.0) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update publish-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 34634da4b077..5076db558de1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -268,9 +268,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==25.1.0 \ - --hash=sha256:26fc12e6a329d61d24aa47b22a7c5c3f35753df7d8f2860973cf94f4e1fb3427 \ - --hash=sha256:7230ea690525133f6ad536a9b5def74a4bd52642abe594761028fc044d7c7893 +keyring==25.2.0 \ + --hash=sha256:19f17d40335444aab84b19a0d16a77ec0758a9c384e3446ae2ed8bd6d53b67a5 \ + --hash=sha256:7045f367268ce42dba44745050164b431e46f6e92f99ef2937dfadaef368d8cf # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From d5a3984a9a4f80d547a18ff06180864ff39ab9b5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 29 Apr 2024 11:04:56 -0400 Subject: [PATCH 529/868] Added additional PKCS#12 tests (#10902) --- tests/hazmat/primitives/test_pkcs12.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 3230718c4120..5b97121b2c1e 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -419,12 +419,20 @@ def test_generate_cas_friendly_names(self, backend): assert cas[1].certificate == cert3 assert cas[1].friendly_name is None - def test_generate_cas_friendly_names_no_key(self, backend): + @pytest.mark.parametrize( + ("encryption_algorithm", "password"), + [ + (serialization.BestAvailableEncryption(b"password"), b"password"), + (serialization.NoEncryption(), None), + ], + ) + def test_generate_cas_friendly_names_no_key( + self, backend, encryption_algorithm, password + ): cert2 = _load_cert( backend, os.path.join("x509", "custom", "dsa_selfsigned_ca.pem") ) cert3 = _load_cert(backend, os.path.join("x509", "letsencryptx3.pem")) - encryption = serialization.NoEncryption() p12 = serialize_key_and_certificates( None, None, @@ -433,10 +441,10 @@ def test_generate_cas_friendly_names_no_key(self, backend): PKCS12Certificate(cert2, b"cert2"), PKCS12Certificate(cert3, None), ], - encryption, + encryption_algorithm, ) - p12_cert = load_pkcs12(p12, None, backend) + p12_cert = load_pkcs12(p12, password, backend) cas = p12_cert.additional_certs assert cas[0].certificate == cert2 assert cas[0].friendly_name == b"cert2" From c46cc3ec5372289d5d0fee742244d3ddcf274f58 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 22:44:14 +0000 Subject: [PATCH 530/868] Bump libc from 0.2.153 to 0.2.154 in /src/rust (#10907) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.153 to 0.2.154. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.153...0.2.154) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 010ebe1b4ff0..59ffe141ab1a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -158,9 +158,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.153" +version = "0.2.154" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" +checksum = "ae743338b92ff9146ce83992f766a31066a91a8c84a45e0e9f21e7cf6de6d346" [[package]] name = "lock_api" From 5f50167f81695d6c0ab5e289c647e2afe9634993 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 22:45:51 +0000 Subject: [PATCH 531/868] Bump virtualenv from 20.26.0 to 20.26.1 (#10908) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.0 to 20.26.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.0...20.26.1) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index cd9556013ac4..d8d8347bb92a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.26.0 +virtualenv==20.26.1 # via nox # The following packages are considered to be unsafe in a requirements file: From 8e33035d0e4ff6595094562775407794d8b89b8b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 22:46:10 +0000 Subject: [PATCH 532/868] Bump filelock from 3.13.4 to 3.14.0 (#10909) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.13.4 to 3.14.0. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.13.4...3.14.0) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d8d8347bb92a..f448ab641f04 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.13.4; python_version >= "3.8" +filelock==3.14.0; python_version >= "3.8" # via virtualenv idna==3.7 # via requests From 071d9942397861d30d9d32edba261fe05c8aa76f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Apr 2024 00:15:24 +0000 Subject: [PATCH 533/868] Bump BoringSSL and/or OpenSSL in CI (#10910) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f4227d1451d8..5313d5190cca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 27, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d69e8b46184b6fd844a4a92b4a6f4347d08ee439"}} - # Latest commit on the OpenSSL master branch, as of Apr 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "933f57dfe21657f7aba8f13e0cdb3b02dd64fcc3"}} + # Latest commit on the BoringSSL master branch, as of Apr 30, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2db0eb3f96a5756298dcd7f9319e56a98585bd10"}} + # Latest commit on the OpenSSL master branch, as of Apr 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6a4a714045415be6720f4165c4d70a0ff229a26a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d796f447b4f5259ceae7186ab9f77ae9f609e063 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 30 Apr 2024 00:29:28 +0000 Subject: [PATCH 534/868] Bump x509-limbo and/or wycheproof in CI (#10911) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 390bff761eb2..c5ab5577bdfb 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 23, 2024. - ref: "b372833b8ce29da36ced2aec91e46bd157008a7d" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Apr 30, 2024. + ref: "4b12b2196d770bb0f7c312c51a1bfbda13d49a57" # x509-limbo-ref From 302372be4f82e9615baca05e824484f532448d19 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 30 Apr 2024 10:17:14 -0400 Subject: [PATCH 535/868] Fixes for ruff in preview mode (#10912) --- src/cryptography/__about__.py | 2 +- src/cryptography/__init__.py | 2 +- .../bindings/_rust/openssl/__init__.pyi | 12 +- .../hazmat/primitives/ciphers/__init__.py | 8 +- .../hazmat/primitives/ciphers/aead.py | 2 +- src/cryptography/hazmat/primitives/hashes.py | 24 ++-- .../primitives/serialization/__init__.py | 30 ++-- .../hazmat/primitives/serialization/pkcs12.py | 2 +- .../hazmat/primitives/serialization/ssh.py | 4 +- src/cryptography/x509/__init__.py | 134 +++++++++--------- src/cryptography/x509/verification.py | 8 +- 11 files changed, 114 insertions(+), 114 deletions(-) diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 5d65d977a08a..0087b1720f0e 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -5,9 +5,9 @@ from __future__ import annotations __all__ = [ - "__version__", "__author__", "__copyright__", + "__version__", ] __version__ = "43.0.0.dev1" diff --git a/src/cryptography/__init__.py b/src/cryptography/__init__.py index 86b9a25726d1..d374f752dfd5 100644 --- a/src/cryptography/__init__.py +++ b/src/cryptography/__init__.py @@ -7,7 +7,7 @@ from cryptography.__about__ import __author__, __copyright__, __version__ __all__ = [ - "__version__", "__author__", "__copyright__", + "__version__", ] diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index e4e742bdfedf..1e66d3331030 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -24,23 +24,23 @@ from cryptography.hazmat.bindings._rust.openssl import ( ) __all__ = [ - "openssl_version", - "openssl_version_text", - "raise_openssl_error", "aead", "ciphers", "cmac", "dh", "dsa", "ec", + "ed448", + "ed25519", "hashes", "hmac", "kdf", "keys", - "ed448", - "ed25519", - "rsa", + "openssl_version", + "openssl_version_text", "poly1305", + "raise_openssl_error", + "rsa", "x448", "x25519", ] diff --git a/src/cryptography/hazmat/primitives/ciphers/__init__.py b/src/cryptography/hazmat/primitives/ciphers/__init__.py index cc88fbf2c4c3..10c15d0f5cb3 100644 --- a/src/cryptography/hazmat/primitives/ciphers/__init__.py +++ b/src/cryptography/hazmat/primitives/ciphers/__init__.py @@ -17,11 +17,11 @@ ) __all__ = [ - "Cipher", - "CipherAlgorithm", - "BlockCipherAlgorithm", - "CipherContext", "AEADCipherContext", "AEADDecryptionContext", "AEADEncryptionContext", + "BlockCipherAlgorithm", + "Cipher", + "CipherAlgorithm", + "CipherContext", ] diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index f82a05685e02..c8a582d7844d 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -7,12 +7,12 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl __all__ = [ - "ChaCha20Poly1305", "AESCCM", "AESGCM", "AESGCMSIV", "AESOCB3", "AESSIV", + "ChaCha20Poly1305", ] AESGCM = rust_openssl.aead.AESGCM diff --git a/src/cryptography/hazmat/primitives/hashes.py b/src/cryptography/hazmat/primitives/hashes.py index c5be0c8eadc0..b819e399287e 100644 --- a/src/cryptography/hazmat/primitives/hashes.py +++ b/src/cryptography/hazmat/primitives/hashes.py @@ -9,27 +9,27 @@ from cryptography.hazmat.bindings._rust import openssl as rust_openssl __all__ = [ - "HashAlgorithm", - "HashContext", - "Hash", - "ExtendableOutputFunction", + "MD5", "SHA1", - "SHA512_224", - "SHA512_256", - "SHA224", - "SHA256", - "SHA384", - "SHA512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512", + "SHA224", + "SHA256", + "SHA384", + "SHA512", + "SHA512_224", + "SHA512_256", "SHAKE128", "SHAKE256", - "MD5", + "SM3", "BLAKE2b", "BLAKE2s", - "SM3", + "ExtendableOutputFunction", + "Hash", + "HashAlgorithm", + "HashContext", ] diff --git a/src/cryptography/hazmat/primitives/serialization/__init__.py b/src/cryptography/hazmat/primitives/serialization/__init__.py index b6c9a5cdc520..07b2264b9a51 100644 --- a/src/cryptography/hazmat/primitives/serialization/__init__.py +++ b/src/cryptography/hazmat/primitives/serialization/__init__.py @@ -36,6 +36,21 @@ ) __all__ = [ + "BestAvailableEncryption", + "Encoding", + "KeySerializationEncryption", + "NoEncryption", + "ParameterFormat", + "PrivateFormat", + "PublicFormat", + "SSHCertPrivateKeyTypes", + "SSHCertPublicKeyTypes", + "SSHCertificate", + "SSHCertificateBuilder", + "SSHCertificateType", + "SSHPrivateKeyTypes", + "SSHPublicKeyTypes", + "_KeySerializationEncryption", "load_der_parameters", "load_der_private_key", "load_der_public_key", @@ -45,19 +60,4 @@ "load_ssh_private_key", "load_ssh_public_identity", "load_ssh_public_key", - "Encoding", - "PrivateFormat", - "PublicFormat", - "ParameterFormat", - "KeySerializationEncryption", - "BestAvailableEncryption", - "NoEncryption", - "_KeySerializationEncryption", - "SSHCertificateBuilder", - "SSHCertificate", - "SSHCertificateType", - "SSHCertPublicKeyTypes", - "SSHCertPrivateKeyTypes", - "SSHPrivateKeyTypes", - "SSHPublicKeyTypes", ] diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 0d37145eb943..17e03fbbe15c 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -21,9 +21,9 @@ __all__ = [ "PBES", - "PKCS12PrivateKeyTypes", "PKCS12Certificate", "PKCS12KeyAndCertificates", + "PKCS12PrivateKeyTypes", "load_key_and_certificates", "load_pkcs12", "serialize_key_and_certificates", diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index fc9fbf42584f..51cddab47377 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -603,7 +603,7 @@ def load_public( ) -> tuple[ed25519.Ed25519PublicKey, memoryview]: """Make Ed25519 public key from data.""" public_key, data = _lookup_kformat(_SSH_ED25519).load_public(data) - application, data = load_application(data) + _, data = load_application(data) return public_key, data @@ -622,7 +622,7 @@ def load_public( ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: """Make Ed25519 public key from data.""" public_key, data = _lookup_kformat(_ECDSA_NISTP256).load_public(data) - application, data = load_application(data) + _, data = load_application(data) return public_key, data diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index e73e527fc4a0..26c6444c511f 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -171,89 +171,89 @@ OID_OCSP = AuthorityInformationAccessOID.OCSP __all__ = [ - "certificate_transparency", - "verification", - "load_pem_x509_certificate", - "load_pem_x509_certificates", - "load_der_x509_certificate", - "load_pem_x509_csr", - "load_der_x509_csr", - "load_pem_x509_crl", - "load_der_x509_crl", - "random_serial_number", - "verification", + "OID_CA_ISSUERS", + "OID_OCSP", + "AccessDescription", "Attribute", "AttributeNotFound", "Attributes", - "InvalidVersion", + "AuthorityInformationAccess", + "AuthorityKeyIdentifier", + "BasicConstraints", + "CRLDistributionPoints", + "CRLNumber", + "CRLReason", + "Certificate", + "CertificateBuilder", + "CertificateIssuer", + "CertificatePolicies", + "CertificateRevocationList", + "CertificateRevocationListBuilder", + "CertificateSigningRequest", + "CertificateSigningRequestBuilder", + "DNSName", "DeltaCRLIndicator", + "DirectoryName", + "DistributionPoint", "DuplicateExtension", + "ExtendedKeyUsage", + "Extension", "ExtensionNotFound", - "UnsupportedGeneralNameType", - "NameAttribute", - "Name", - "RelativeDistinguishedName", - "ObjectIdentifier", "ExtensionType", "Extensions", - "Extension", - "ExtendedKeyUsage", "FreshestCRL", + "GeneralName", + "GeneralNames", + "IPAddress", + "InhibitAnyPolicy", + "InvalidVersion", + "InvalidityDate", + "IssuerAlternativeName", "IssuingDistributionPoint", - "TLSFeature", - "TLSFeatureType", + "KeyUsage", + "MSCertificateTemplate", + "Name", + "NameAttribute", + "NameConstraints", + "NameOID", + "NoticeReference", "OCSPAcceptableResponses", "OCSPNoCheck", - "BasicConstraints", - "CRLNumber", - "KeyUsage", - "AuthorityInformationAccess", - "SubjectInformationAccess", - "AccessDescription", - "CertificatePolicies", + "OCSPNonce", + "ObjectIdentifier", + "OtherName", + "PolicyConstraints", "PolicyInformation", - "UserNotice", - "NoticeReference", - "SubjectKeyIdentifier", - "NameConstraints", - "CRLDistributionPoints", - "DistributionPoint", - "ReasonFlags", - "InhibitAnyPolicy", - "SubjectAlternativeName", - "IssuerAlternativeName", - "AuthorityKeyIdentifier", - "GeneralNames", - "GeneralName", + "PrecertPoison", + "PrecertificateSignedCertificateTimestamps", + "PublicKeyAlgorithmOID", "RFC822Name", - "DNSName", - "UniformResourceIdentifier", + "ReasonFlags", "RegisteredID", - "DirectoryName", - "IPAddress", - "OtherName", - "Certificate", - "CertificateRevocationList", - "CertificateRevocationListBuilder", - "CertificateSigningRequest", + "RelativeDistinguishedName", "RevokedCertificate", "RevokedCertificateBuilder", - "CertificateSigningRequestBuilder", - "CertificateBuilder", - "Version", - "OID_CA_ISSUERS", - "OID_OCSP", - "CertificateIssuer", - "CRLReason", - "InvalidityDate", - "UnrecognizedExtension", - "PolicyConstraints", - "PrecertificateSignedCertificateTimestamps", - "PrecertPoison", - "OCSPNonce", - "PublicKeyAlgorithmOID", - "SignedCertificateTimestamps", "SignatureAlgorithmOID", - "NameOID", - "MSCertificateTemplate", + "SignedCertificateTimestamps", + "SubjectAlternativeName", + "SubjectInformationAccess", + "SubjectKeyIdentifier", + "TLSFeature", + "TLSFeatureType", + "UniformResourceIdentifier", + "UnrecognizedExtension", + "UnsupportedGeneralNameType", + "UserNotice", + "Version", + "certificate_transparency", + "load_der_x509_certificate", + "load_der_x509_crl", + "load_der_x509_csr", + "load_pem_x509_certificate", + "load_pem_x509_certificates", + "load_pem_x509_crl", + "load_pem_x509_csr", + "random_serial_number", + "verification", + "verification", ] diff --git a/src/cryptography/x509/verification.py b/src/cryptography/x509/verification.py index 191705e8352b..b83650681237 100644 --- a/src/cryptography/x509/verification.py +++ b/src/cryptography/x509/verification.py @@ -10,13 +10,13 @@ from cryptography.x509.general_name import DNSName, IPAddress __all__ = [ - "Store", - "Subject", - "VerifiedClient", "ClientVerifier", - "ServerVerifier", "PolicyBuilder", + "ServerVerifier", + "Store", + "Subject", "VerificationError", + "VerifiedClient", ] Store = rust_x509.Store From ec4be85c8901faf310eebb02ff1ce9b0f4251852 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 1 May 2024 00:21:35 +0000 Subject: [PATCH 536/868] Bump BoringSSL and/or OpenSSL in CI (#10913) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5313d5190cca..28204d64c1f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Apr 30, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2db0eb3f96a5756298dcd7f9319e56a98585bd10"}} - # Latest commit on the OpenSSL master branch, as of Apr 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6a4a714045415be6720f4165c4d70a0ff229a26a"}} + # Latest commit on the OpenSSL master branch, as of May 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "af75373eeab6040aba243dd7629fb6f8244f2f5d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 05d44a8d9d8eedf4d1278cdff67ddc32b2af45c0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 May 2024 11:15:08 +0000 Subject: [PATCH 537/868] Bump base64 from 0.22.0 to 0.22.1 in /src/rust (#10914) Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.22.0 to 0.22.1. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.22.0...v0.22.1) --- updated-dependencies: - dependency-name: base64 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 59ffe141ab1a..1048af74dad3 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -30,9 +30,9 @@ checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" [[package]] name = "base64" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" +checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "bitflags" From b4ca965b0f8186b95e7c3f1389205628a0cf2502 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 2 May 2024 00:55:41 -0400 Subject: [PATCH 538/868] Ensure curves are supported in determinisic ECDSA tests (#10917) * Ensure curves are supported in determinisic ECDSA tests * x25519/x448 isnt fips anymore i guess --- .../hazmat/backends/openssl/backend.py | 12 ++--------- tests/hazmat/primitives/test_ec.py | 20 +++++++++++++++++++ tests/utils.py | 1 + 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 42ec1a2c9519..d00d1e4b072a 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -325,20 +325,12 @@ def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 def x25519_supported(self) -> bool: - # Beginning with OpenSSL 3.2.0, X25519 is considered FIPS. - if ( - self._fips_enabled - and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER - ): + if self._fips_enabled: return False return True def x448_supported(self) -> bool: - # Beginning with OpenSSL 3.2.0, X448 is considered FIPS. - if ( - self._fips_enabled - and not rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER - ): + if self._fips_enabled: return False return ( not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index b0e29b3803e6..08178c232466 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -535,6 +535,23 @@ def test_deterministic_nonce(self, backend, subtests): "SHA384": hashes.SHA384(), "SHA512": hashes.SHA512(), } + curves = { + "B-163": ec.SECT163R2(), + "B-233": ec.SECT233R1(), + "B-283": ec.SECT283R1(), + "B-409": ec.SECT409R1(), + "B-571": ec.SECT571R1(), + "K-163": ec.SECT163K1(), + "K-233": ec.SECT233K1(), + "K-283": ec.SECT283K1(), + "K-409": ec.SECT409K1(), + "K-571": ec.SECT571K1(), + "P-192": ec.SECP192R1(), + "P-224": ec.SECP224R1(), + "P-256": ec.SECP256R1(), + "P-384": ec.SECP384R1(), + "P-521": ec.SECP521R1(), + } vectors = load_vectors_from_file( os.path.join( "asymmetric", "ECDSA", "RFC6979", "evppkey_ecdsa_rfc6979.txt" @@ -547,6 +564,9 @@ def test_deterministic_nonce(self, backend, subtests): input = bytes(vector["input"], "utf-8") output = bytes.fromhex(vector["output"]) key = bytes("\n".join(vector["key"]), "utf-8") + curve = curves[vector["key_name"].split("_")[0]] + _skip_curve_unsupported(backend, curve) + if "digest_sign" in vector: algorithm = vector["digest_sign"] hash_algorithm = supported_hash_algorithms[algorithm] diff --git a/tests/utils.py b/tests/utils.py index 3a8a768cf115..b9734a6dc5ac 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -734,6 +734,7 @@ def load_rfc6979_vectors(vector_data): key_name = line.split("=")[1].strip() assert key_name in keys data["key"] = keys[key_name] + data["key_name"] = key_name elif line.startswith("NonceType = "): nonce_type = line.split("=")[1].strip() data["deterministic_nonce"] = nonce_type == "deterministic" From 30722682e60f3a337b2751d158a8e262e2d63d14 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 11:01:04 +0000 Subject: [PATCH 539/868] Bump BoringSSL and/or OpenSSL in CI (#10916) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 28204d64c1f5..b54636424373 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Apr 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2db0eb3f96a5756298dcd7f9319e56a98585bd10"}} - # Latest commit on the OpenSSL master branch, as of May 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "af75373eeab6040aba243dd7629fb6f8244f2f5d"}} + # Latest commit on the BoringSSL master branch, as of May 02, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "783ae722ed307a3b3782cd253fd4ffb387f38767"}} + # Latest commit on the OpenSSL master branch, as of May 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a380ae85be287045b1eaa64d23942101a426c080"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 7a5d7e6df83e1dee7eca48ec3cd5a0011322c356 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 11:02:57 +0000 Subject: [PATCH 540/868] Bump cc from 1.0.95 to 1.0.96 in /src/rust (#10915) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.95 to 1.0.96. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.95...1.0.96) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1048af74dad3..048fe7ee095b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.95" +version = "1.0.96" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d32a725bc159af97c3e629873bb9f88fb8cf8a4867175f76dc987815ea07c83b" +checksum = "065a29261d53ba54260972629f9ca6bffa69bac13cd1fed61420f7fa68b9f8bd" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 34d16fb493a6..41783da0d891 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.95" +cc = "1.0.96" From 8fff982138b5b82bbc94e3182a088564414b6b78 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 00:17:04 +0000 Subject: [PATCH 541/868] Bump BoringSSL and/or OpenSSL in CI (#10920) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b54636424373..72639afa13f2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 02, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "783ae722ed307a3b3782cd253fd4ffb387f38767"}} - # Latest commit on the OpenSSL master branch, as of May 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a380ae85be287045b1eaa64d23942101a426c080"}} + # Latest commit on the BoringSSL master branch, as of May 03, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d2e3212de29bac1ceed33ca8ab8bbff3f41a2459"}} + # Latest commit on the OpenSSL master branch, as of May 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "067fbc01b9e867b31c71091d62f0f9012dc9e41a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 00491bef0da413246a5a55d47018dcc1506aeb35 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 3 May 2024 16:19:12 -0400 Subject: [PATCH 542/868] Consolidate dependabot configuration with multi-directory (#10921) --- .github/dependabot.yml | 43 ++++++++---------------------------------- 1 file changed, 8 insertions(+), 35 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 225922bd21a6..1678833c2a9b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,29 +1,11 @@ version: 2 updates: - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - time: "06:00" - timezone: "America/New_York" - open-pull-requests-limit: 1024 - - - package-ecosystem: "github-actions" - directory: "/.github/actions/cache/" - schedule: - interval: "daily" - time: "06:00" - timezone: "America/New_York" - open-pull-requests-limit: 1024 - - package-ecosystem: "github-actions" - directory: "/.github/actions/upload-coverage/" - schedule: - interval: "daily" - time: "06:00" - timezone: "America/New_York" - open-pull-requests-limit: 1024 - - package-ecosystem: "github-actions" - directory: "/.github/actions/fetch-vectors/" + directories: + - "/" + - "/.github/actions/cache/" + - "/.github/actions/upload-coverage/" + - "/.github/actions/fetch-vectors/" schedule: interval: "daily" time: "06:00" @@ -42,18 +24,9 @@ updates: open-pull-requests-limit: 1024 - package-ecosystem: pip - directory: "/" - schedule: - interval: daily - time: "06:00" - timezone: "America/New_York" - allow: - # Also update indirect dependencies - - dependency-type: all - open-pull-requests-limit: 1024 - - - package-ecosystem: pip - directory: "/.github/requirements/" + directories: + - "/" + - "/.github/requirements/" schedule: interval: daily time: "06:00" From 192c69aff76bd9e77cb7aef7f9378394b1495c54 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 20:36:33 +0000 Subject: [PATCH 543/868] Bump autocfg from 1.2.0 to 1.3.0 in /src/rust (#10926) Bumps [autocfg](https://github.com/cuviper/autocfg) from 1.2.0 to 1.3.0. - [Commits](https://github.com/cuviper/autocfg/commits) --- updated-dependencies: - dependency-name: autocfg dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 048fe7ee095b..f3cb40009983 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -24,9 +24,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.2.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1fdabc7756949593fe60f30ec81974b613357de856987752631dea1e3394c80" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "base64" From d06bb7089a84889b3cd8f9ae84748e95afb455b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 20:39:12 +0000 Subject: [PATCH 544/868] Bump self_cell from 1.0.3 to 1.0.4 in /src/rust (#10927) Bumps [self_cell](https://github.com/Voultapher/self_cell) from 1.0.3 to 1.0.4. - [Release notes](https://github.com/Voultapher/self_cell/releases) - [Commits](https://github.com/Voultapher/self_cell/compare/v1.0.3...v1.0.4) --- updated-dependencies: - dependency-name: self_cell dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f3cb40009983..1a0583fd051f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -367,9 +367,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "self_cell" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "58bf37232d3bb9a2c4e641ca2a11d83b5062066f88df7fed36c28772046d65ba" +checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "smallvec" From 39aee4f8b7bd14fd44542cb84dd45d75a86026cd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 4 May 2024 01:09:25 +0000 Subject: [PATCH 545/868] Bump BoringSSL and/or OpenSSL in CI (#10928) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72639afa13f2..9df593888083 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 03, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d2e3212de29bac1ceed33ca8ab8bbff3f41a2459"}} + # Latest commit on the BoringSSL master branch, as of May 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} # Latest commit on the OpenSSL master branch, as of May 03, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "067fbc01b9e867b31c71091d62f0f9012dc9e41a"}} # Builds with various Rust versions. Includes MSRV and next From 95131abed8f3cf0a45ed8b8ff948a36926c6c6b3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 May 2024 11:38:10 -0400 Subject: [PATCH 546/868] forward port 42.0.6 changelog (#10930) --- CHANGELOG.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index e7153b215514..c78e05bb3249 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -45,6 +45,13 @@ Changelog timezone-aware alternative to the naïve ``datetime`` attribute :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. +.. _v42-0-6: + +42.0.6 - 2024-05-04 +~~~~~~~~~~~~~~~~~~~ + +* Fixed compilation when using LibreSSL 3.9.1. + .. _v42-0-5: 42.0.5 - 2024-02-23 From 49711bab0a6e511b0e5ae0814185fd17d5696abe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 May 2024 11:34:26 -0400 Subject: [PATCH 547/868] Fix build with Rust nightly (#10936) --- src/rust/build.rs | 6 ++++++ src/rust/cryptography-cffi/build.rs | 2 ++ src/rust/cryptography-key-parsing/build.rs | 3 +++ src/rust/cryptography-openssl/build.rs | 5 +++++ 4 files changed, 16 insertions(+) diff --git a/src/rust/build.rs b/src/rust/build.rs index d4dca24c4566..5abe0ce3e536 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -6,6 +6,12 @@ use std::env; #[allow(clippy::unusual_byte_groupings)] fn main() { + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OSSLCONF, values(\"OPENSSL_NO_IDEA\", \"OPENSSL_NO_CAST\", \"OPENSSL_NO_BF\", \"OPENSSL_NO_CAMELLIA\", \"OPENSSL_NO_SEED\", \"OPENSSL_NO_SM4\"))"); + if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 13eae0f49df4..8a2c968e2b68 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -7,6 +7,8 @@ use std::path::Path; use std::process::Command; fn main() { + println!("cargo:rustc-check-cfg=cfg(python_implementation, values(\"CPython\", \"PyPy\"))"); + let target = env::var("TARGET").unwrap(); let openssl_static = env::var("OPENSSL_STATIC") .map(|x| x == "1") diff --git a/src/rust/cryptography-key-parsing/build.rs b/src/rust/cryptography-key-parsing/build.rs index cd318b35ff35..15f34f38b4dd 100644 --- a/src/rust/cryptography-key-parsing/build.rs +++ b/src/rust/cryptography-key-parsing/build.rs @@ -5,6 +5,9 @@ use std::env; fn main() { + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); + if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() { println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL"); } diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index 87e1fa528b22..00e1df1326d1 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs @@ -6,6 +6,11 @@ use std::env; #[allow(clippy::unusual_byte_groupings)] fn main() { + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_LIBRESSL)"); + println!("cargo:rustc-check-cfg=cfg(CRYPTOGRAPHY_IS_BORINGSSL)"); + if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); From 43e905b5254176ebecb1e33a318abd24e9c6367b Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 5 May 2024 18:04:32 +0200 Subject: [PATCH 548/868] Use raw string for literal backslashes (#10934) --- src/_cffi_src/openssl/cryptography.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 11afbdc182f0..fc23960613b0 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -4,7 +4,7 @@ from __future__ import annotations -INCLUDES = """ +INCLUDES = r""" /* define our OpenSSL API compatibility level to 1.1.0. Any symbols older than that will raise an error during compilation. */ #define OPENSSL_API_COMPAT 0x10100000L From 9321740c2aaab4e07d7c028cef014dc410424047 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 5 May 2024 18:11:26 +0200 Subject: [PATCH 549/868] Apply ruff/flake8-implicit-str-concat rule ISC001 (#10932) ISC001 Implicitly concatenated string literals on one line This rule is currently disabled because it conflicts with the formatter: https://github.com/astral-sh/ruff/issues/8272 --- src/cryptography/hazmat/primitives/kdf/kbkdf.py | 2 +- src/cryptography/x509/base.py | 10 +++++----- tests/test_utils.py | 8 ++++---- tests/x509/test_ocsp.py | 4 ++-- tests/x509/test_x509_ext.py | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py index 2f41db9260ec..9ae817d4e6ae 100644 --- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py @@ -75,7 +75,7 @@ def __init__( if (label or context) and fixed: raise ValueError( - "When supplying fixed data, " "label and context are ignored." + "When supplying fixed data, label and context are ignored." ) if rlen is None or not self._valid_byte_length(rlen): diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index c035cbb70b4b..6ed41e6694c6 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -869,7 +869,7 @@ def serial_number(self, number: int) -> CertificateBuilder: # zero. if number.bit_length() >= 160: # As defined in RFC 5280 raise ValueError( - "The serial number should not be more than 159 " "bits." + "The serial number should not be more than 159 bits." ) return CertificateBuilder( self._issuer_name, @@ -1047,7 +1047,7 @@ def last_update( last_update = _convert_to_naive_utc_time(last_update) if last_update < _EARLIEST_UTC_TIME: raise ValueError( - "The last update date must be on or after" " 1950 January 1." + "The last update date must be on or after 1950 January 1." ) if self._next_update is not None and last_update > self._next_update: raise ValueError( @@ -1071,7 +1071,7 @@ def next_update( next_update = _convert_to_naive_utc_time(next_update) if next_update < _EARLIEST_UTC_TIME: raise ValueError( - "The last update date must be on or after" " 1950 January 1." + "The last update date must be on or after 1950 January 1." ) if self._last_update is not None and next_update < self._last_update: raise ValueError( @@ -1172,7 +1172,7 @@ def serial_number(self, number: int) -> RevokedCertificateBuilder: # zero. if number.bit_length() >= 160: # As defined in RFC 5280 raise ValueError( - "The serial number should not be more than 159 " "bits." + "The serial number should not be more than 159 bits." ) return RevokedCertificateBuilder( number, self._revocation_date, self._extensions @@ -1188,7 +1188,7 @@ def revocation_date( time = _convert_to_naive_utc_time(time) if time < _EARLIEST_UTC_TIME: raise ValueError( - "The revocation date must be on or after" " 1950 January 1." + "The revocation date must be on or after 1950 January 1." ) return RevokedCertificateBuilder( self._serial_number, time, self._extensions diff --git a/tests/test_utils.py b/tests/test_utils.py index 9f6e271500cc..191cc913a472 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -2721,7 +2721,7 @@ def test_load_fips_ecdsa_key_pair_vectors(): { "curve": "sect233k1", "d": int( - "1da7422b50e3ff051f2aaaed10acea6cbf6110c517da2f4e" "aca8b5b87", + "1da7422b50e3ff051f2aaaed10acea6cbf6110c517da2f4eaca8b5b87", 16, ), "x": int( @@ -2738,7 +2738,7 @@ def test_load_fips_ecdsa_key_pair_vectors(): { "curve": "sect233k1", "d": int( - "530951158f7b1586978c196603c12d25607d2cb0557efadb" "23cd0ce8", + "530951158f7b1586978c196603c12d25607d2cb0557efadb23cd0ce8", 16, ), "x": int( @@ -3776,7 +3776,7 @@ def test_load_kasvs_ecdh_vectors(): ), }, "Z": int( - "b1259ceedfb663d9515089cf727e7024fb3d86cbcec611b4" "ba0b4ab6", + "b1259ceedfb663d9515089cf727e7024fb3d86cbcec611b4ba0b4ab6", 16, ), "curve": "secp224r1", @@ -4015,7 +4015,7 @@ def test_load_kasvs_ecdh_kdf_vectors(): 16, ), "Z": int( - "43f23b2c760d686fc99cc008b63aea92f866e224265af60d" "2d8ae540", + "43f23b2c760d686fc99cc008b63aea92f866e224265af60d2d8ae540", 16, ), "DKM": int("ad65fa2d12541c3a21f3cd223efb", 16), diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 335694c7f9a9..8f5948bc171b 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -79,10 +79,10 @@ def test_load_request(self): ocsp.load_der_ocsp_request, ) assert req.issuer_name_hash == ( - b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96" b"\xc7mmLpQ\x9e`\xa7\xbd" + b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd" ) assert req.issuer_key_hash == ( - b"yu\xbb\x84:\xcb,\xdez\t\xbe1" b"\x1bC\xbc\x1c*MSX" + b"yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX" ) assert isinstance(req.hash_algorithm, hashes.SHA1) assert req.serial_number == int( diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 44e8299046dc..d11225fb3077 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -2520,7 +2520,7 @@ def test_uri(self, backend): assert ext is not None uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier) assert uri == [ - "gopher://xn--80ato2c.cryptography:70/path?q=s#hel" "lo", + "gopher://xn--80ato2c.cryptography:70/path?q=s#hello", "http://someregulardomain.com", ] From 1ce23d008ac445116649a0af4769885d3f522571 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Sun, 5 May 2024 18:12:27 +0200 Subject: [PATCH 550/868] Fix more misspellings (#10933) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix more misspellings * Apply codespell suggestion: implementor → implementer This is not exactly a misspelling, but: * From Garner's Modern English Usage (4 ed.) Although the variant spelling ✳implementor predominated for much of the late 20th century, today implementer is considered standard. * The Google Ngram Viewer shows a ratio of almost 10:1 in 2019. --- docs/glossary.rst | 2 +- docs/spelling_wordlist.txt | 1 - src/rust/cryptography-keepalive/src/lib.rs | 2 +- src/rust/src/backend/cipher_registry.rs | 2 +- 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/glossary.rst b/docs/glossary.rst index 86718cc0d675..3c2272a4da7c 100644 --- a/docs/glossary.rst +++ b/docs/glossary.rst @@ -94,7 +94,7 @@ Glossary A bytes-like object contains binary data and supports the `buffer protocol`_. This includes ``bytes``, ``bytearray``, and ``memoryview`` objects. It is :term:`unsafe` to pass a mutable object - (e.g., a ``bytearray`` or other implementor of the buffer protocol) + (e.g., a ``bytearray`` or other implementer of the buffer protocol) and to `mutate it concurrently`_ with the operation it has been provided for. diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 9be4a107a70d..e7e9afd1cbaf 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -62,7 +62,6 @@ hazmat Homebrew hostname hostnames -implementor incrementing indistinguishability initialisms diff --git a/src/rust/cryptography-keepalive/src/lib.rs b/src/rust/cryptography-keepalive/src/lib.rs index 46e9f3260d67..9542f9efc24c 100644 --- a/src/rust/cryptography-keepalive/src/lib.rs +++ b/src/rust/cryptography-keepalive/src/lib.rs @@ -13,7 +13,7 @@ pub struct KeepAlive { } /// # Safety -/// Implementors of this trait must ensure that the value returned by +/// Implementers of this trait must ensure that the value returned by /// `deref()` must remain valid, even if `self` is moved. pub unsafe trait StableDeref: Deref {} // SAFETY: `Vec`'s data is on the heap, so as long as it's not mutated, the diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 40ae826014b4..fb829c093731 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -262,7 +262,7 @@ fn get_cipher_registry( m.add(&chacha20, none_type.as_any(), None, Cipher::chacha20())?; // Don't register legacy ciphers if they're unavailable. In theory - // this should't be necessary but OpenSSL 3 will return an EVP_CIPHER + // this shouldn't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? From a140fc334742dcbc1190fb5b92ad0354629f22ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 May 2024 13:20:27 -0400 Subject: [PATCH 551/868] Switch from sigstore to github's attestations (#10931) --- .github/requirements/publish-requirements.in | 1 - .github/requirements/publish-requirements.txt | 257 ------------------ .github/workflows/pypi-publish.yml | 12 +- 3 files changed, 7 insertions(+), 263 deletions(-) diff --git a/.github/requirements/publish-requirements.in b/.github/requirements/publish-requirements.in index dd98b8990e7b..1b92e685d4ab 100644 --- a/.github/requirements/publish-requirements.in +++ b/.github/requirements/publish-requirements.in @@ -1,6 +1,5 @@ twine requests -sigstore # WARN: changing the requirements here DOES NOT update the dependencies used for publishing at the github workflow, as the process used publish-requirements.txt # To update publish-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes publish-requirements.in \ No newline at end of file diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5076db558de1..e951e6874d72 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -4,22 +4,10 @@ # # pip-compile --generate-hashes publish-requirements.in # -annotated-types==0.6.0 \ - --hash=sha256:0641064de18ba7a25dee8f96403ebc39113d0cb953a01429249d5c7564666a43 \ - --hash=sha256:563339e807e53ffd9c267e99fc6d9ea23eb8443c08f112651963e24e22f84a5d - # via pydantic -appdirs==1.4.4 \ - --hash=sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41 \ - --hash=sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128 - # via sigstore backports-tarfile==1.1.1 \ --hash=sha256:73e0179647803d3726d82e76089d01d8549ceca9bace469953fcb4d97cf2d417 \ --hash=sha256:9c2ef9696cb73374f7164e17fc761389393ca76777036f5aad42e8b93fcd8009 # via jaraco-context -betterproto==2.0.0b6 \ - --hash=sha256:720ae92697000f6fcf049c69267d957f0871654c8b0d7458906607685daee784 \ - --hash=sha256:a0839ec165d110a69d0d116f4d0e2bec8d186af4db826257931f0831dab73fcf - # via sigstore-protobuf-specs certifi==2024.2.2 \ --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ --hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1 @@ -204,9 +192,7 @@ cryptography==42.0.5 \ --hash=sha256:f12764b8fffc7a123f641d7d049d382b73f96a34117e0b637b80643169cec8ac \ --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 # via - # pyopenssl # secretstorage - # sigstore dnspython==2.6.1 \ --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc @@ -215,17 +201,6 @@ docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 # via readme-renderer -email-validator==2.1.1 \ - --hash=sha256:200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84 \ - --hash=sha256:97d882d174e2a65732fb43bfce81a3a834cbc1bde8bf419e30ef5ea976370a05 - # via pydantic -grpclib==0.4.7 \ - --hash=sha256:2988ef57c02b22b7a2e8e961792c41ccf97efc2ace91ae7a5b0de03c363823c3 - # via betterproto -h2==4.1.0 \ - --hash=sha256:03a46bcf682256c95b5fd9e9a99c1323584c3eec6440d379b9903d709476bc6d \ - --hash=sha256:a83aca08fbe7aacb79fec788c9c0bac936343560ed9ec18b82a13a12c28d2abb - # via grpclib hpack==4.0.0 \ --hash=sha256:84a076fad3dc9a9f8063ccb8041ef100867b1878b25ef0ee63847a5d53818a6c \ --hash=sha256:fc41de0c63e687ebffde81187a948221294896f6bdc0ae2312708df339430095 @@ -234,10 +209,6 @@ hyperframe==6.0.1 \ --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 # via h2 -id==1.4.0 \ - --hash=sha256:23c06772e8bd3e3a44ee3f167868bf5a8e385b0c1e2cc707ad36eb7486b4765b \ - --hash=sha256:a0391117c98fa9851ebd2b22df0dc6fd6aacbd89a4ec95c173f1311ca9bb7329 - # via sigstore idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 @@ -286,98 +257,6 @@ more-itertools==10.2.0 \ # via # jaraco-classes # jaraco-functools -multidict==6.0.5 \ - --hash=sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556 \ - --hash=sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c \ - --hash=sha256:04bde7a7b3de05732a4eb39c94574db1ec99abb56162d6c520ad26f83267de29 \ - --hash=sha256:04da1bb8c8dbadf2a18a452639771951c662c5ad03aefe4884775454be322c9b \ - --hash=sha256:09a892e4a9fb47331da06948690ae38eaa2426de97b4ccbfafbdcbe5c8f37ff8 \ - --hash=sha256:0d63c74e3d7ab26de115c49bffc92cc77ed23395303d496eae515d4204a625e7 \ - --hash=sha256:107c0cdefe028703fb5dafe640a409cb146d44a6ae201e55b35a4af8e95457dd \ - --hash=sha256:141b43360bfd3bdd75f15ed811850763555a251e38b2405967f8e25fb43f7d40 \ - --hash=sha256:14c2976aa9038c2629efa2c148022ed5eb4cb939e15ec7aace7ca932f48f9ba6 \ - --hash=sha256:19fe01cea168585ba0f678cad6f58133db2aa14eccaf22f88e4a6dccadfad8b3 \ - --hash=sha256:1d147090048129ce3c453f0292e7697d333db95e52616b3793922945804a433c \ - --hash=sha256:1d9ea7a7e779d7a3561aade7d596649fbecfa5c08a7674b11b423783217933f9 \ - --hash=sha256:215ed703caf15f578dca76ee6f6b21b7603791ae090fbf1ef9d865571039ade5 \ - --hash=sha256:21fd81c4ebdb4f214161be351eb5bcf385426bf023041da2fd9e60681f3cebae \ - --hash=sha256:220dd781e3f7af2c2c1053da9fa96d9cf3072ca58f057f4c5adaaa1cab8fc442 \ - --hash=sha256:228b644ae063c10e7f324ab1ab6b548bdf6f8b47f3ec234fef1093bc2735e5f9 \ - --hash=sha256:29bfeb0dff5cb5fdab2023a7a9947b3b4af63e9c47cae2a10ad58394b517fddc \ - --hash=sha256:2f4848aa3baa109e6ab81fe2006c77ed4d3cd1e0ac2c1fbddb7b1277c168788c \ - --hash=sha256:2faa5ae9376faba05f630d7e5e6be05be22913782b927b19d12b8145968a85ea \ - --hash=sha256:2ffc42c922dbfddb4a4c3b438eb056828719f07608af27d163191cb3e3aa6cc5 \ - --hash=sha256:37b15024f864916b4951adb95d3a80c9431299080341ab9544ed148091b53f50 \ - --hash=sha256:3cc2ad10255f903656017363cd59436f2111443a76f996584d1077e43ee51182 \ - --hash=sha256:3d25f19500588cbc47dc19081d78131c32637c25804df8414463ec908631e453 \ - --hash=sha256:403c0911cd5d5791605808b942c88a8155c2592e05332d2bf78f18697a5fa15e \ - --hash=sha256:411bf8515f3be9813d06004cac41ccf7d1cd46dfe233705933dd163b60e37600 \ - --hash=sha256:425bf820055005bfc8aa9a0b99ccb52cc2f4070153e34b701acc98d201693733 \ - --hash=sha256:435a0984199d81ca178b9ae2c26ec3d49692d20ee29bc4c11a2a8d4514c67eda \ - --hash=sha256:4a6a4f196f08c58c59e0b8ef8ec441d12aee4125a7d4f4fef000ccb22f8d7241 \ - --hash=sha256:4cc0ef8b962ac7a5e62b9e826bd0cd5040e7d401bc45a6835910ed699037a461 \ - --hash=sha256:51d035609b86722963404f711db441cf7134f1889107fb171a970c9701f92e1e \ - --hash=sha256:53689bb4e102200a4fafa9de9c7c3c212ab40a7ab2c8e474491914d2305f187e \ - --hash=sha256:55205d03e8a598cfc688c71ca8ea5f66447164efff8869517f175ea632c7cb7b \ - --hash=sha256:5c0631926c4f58e9a5ccce555ad7747d9a9f8b10619621f22f9635f069f6233e \ - --hash=sha256:5cb241881eefd96b46f89b1a056187ea8e9ba14ab88ba632e68d7a2ecb7aadf7 \ - --hash=sha256:60d698e8179a42ec85172d12f50b1668254628425a6bd611aba022257cac1386 \ - --hash=sha256:612d1156111ae11d14afaf3a0669ebf6c170dbb735e510a7438ffe2369a847fd \ - --hash=sha256:6214c5a5571802c33f80e6c84713b2c79e024995b9c5897f794b43e714daeec9 \ - --hash=sha256:6939c95381e003f54cd4c5516740faba40cf5ad3eeff460c3ad1d3e0ea2549bf \ - --hash=sha256:69db76c09796b313331bb7048229e3bee7928eb62bab5e071e9f7fcc4879caee \ - --hash=sha256:6bf7a982604375a8d49b6cc1b781c1747f243d91b81035a9b43a2126c04766f5 \ - --hash=sha256:766c8f7511df26d9f11cd3a8be623e59cca73d44643abab3f8c8c07620524e4a \ - --hash=sha256:76c0de87358b192de7ea9649beb392f107dcad9ad27276324c24c91774ca5271 \ - --hash=sha256:76f067f5121dcecf0d63a67f29080b26c43c71a98b10c701b0677e4a065fbd54 \ - --hash=sha256:7901c05ead4b3fb75113fb1dd33eb1253c6d3ee37ce93305acd9d38e0b5f21a4 \ - --hash=sha256:79660376075cfd4b2c80f295528aa6beb2058fd289f4c9252f986751a4cd0496 \ - --hash=sha256:79a6d2ba910adb2cbafc95dad936f8b9386e77c84c35bc0add315b856d7c3abb \ - --hash=sha256:7afcdd1fc07befad18ec4523a782cde4e93e0a2bf71239894b8d61ee578c1319 \ - --hash=sha256:7be7047bd08accdb7487737631d25735c9a04327911de89ff1b26b81745bd4e3 \ - --hash=sha256:7c6390cf87ff6234643428991b7359b5f59cc15155695deb4eda5c777d2b880f \ - --hash=sha256:7df704ca8cf4a073334e0427ae2345323613e4df18cc224f647f251e5e75a527 \ - --hash=sha256:85f67aed7bb647f93e7520633d8f51d3cbc6ab96957c71272b286b2f30dc70ed \ - --hash=sha256:896ebdcf62683551312c30e20614305f53125750803b614e9e6ce74a96232604 \ - --hash=sha256:92d16a3e275e38293623ebf639c471d3e03bb20b8ebb845237e0d3664914caef \ - --hash=sha256:99f60d34c048c5c2fabc766108c103612344c46e35d4ed9ae0673d33c8fb26e8 \ - --hash=sha256:9fe7b0653ba3d9d65cbe7698cca585bf0f8c83dbbcc710db9c90f478e175f2d5 \ - --hash=sha256:a3145cb08d8625b2d3fee1b2d596a8766352979c9bffe5d7833e0503d0f0b5e5 \ - --hash=sha256:aeaf541ddbad8311a87dd695ed9642401131ea39ad7bc8cf3ef3967fd093b626 \ - --hash=sha256:b55358304d7a73d7bdf5de62494aaf70bd33015831ffd98bc498b433dfe5b10c \ - --hash=sha256:b82cc8ace10ab5bd93235dfaab2021c70637005e1ac787031f4d1da63d493c1d \ - --hash=sha256:c0868d64af83169e4d4152ec612637a543f7a336e4a307b119e98042e852ad9c \ - --hash=sha256:c1c1496e73051918fcd4f58ff2e0f2f3066d1c76a0c6aeffd9b45d53243702cc \ - --hash=sha256:c9bf56195c6bbd293340ea82eafd0071cb3d450c703d2c93afb89f93b8386ccc \ - --hash=sha256:cbebcd5bcaf1eaf302617c114aa67569dd3f090dd0ce8ba9e35e9985b41ac35b \ - --hash=sha256:cd6c8fca38178e12c00418de737aef1261576bd1b6e8c6134d3e729a4e858b38 \ - --hash=sha256:ceb3b7e6a0135e092de86110c5a74e46bda4bd4fbfeeb3a3bcec79c0f861e450 \ - --hash=sha256:cf590b134eb70629e350691ecca88eac3e3b8b3c86992042fb82e3cb1830d5e1 \ - --hash=sha256:d3eb1ceec286eba8220c26f3b0096cf189aea7057b6e7b7a2e60ed36b373b77f \ - --hash=sha256:d65f25da8e248202bd47445cec78e0025c0fe7582b23ec69c3b27a640dd7a8e3 \ - --hash=sha256:d6f6d4f185481c9669b9447bf9d9cf3b95a0e9df9d169bbc17e363b7d5487755 \ - --hash=sha256:d84a5c3a5f7ce6db1f999fb9438f686bc2e09d38143f2d93d8406ed2dd6b9226 \ - --hash=sha256:d946b0a9eb8aaa590df1fe082cee553ceab173e6cb5b03239716338629c50c7a \ - --hash=sha256:dce1c6912ab9ff5f179eaf6efe7365c1f425ed690b03341911bf4939ef2f3046 \ - --hash=sha256:de170c7b4fe6859beb8926e84f7d7d6c693dfe8e27372ce3b76f01c46e489fcf \ - --hash=sha256:e02021f87a5b6932fa6ce916ca004c4d441509d33bbdbeca70d05dff5e9d2479 \ - --hash=sha256:e030047e85cbcedbfc073f71836d62dd5dadfbe7531cae27789ff66bc551bd5e \ - --hash=sha256:e0e79d91e71b9867c73323a3444724d496c037e578a0e1755ae159ba14f4f3d1 \ - --hash=sha256:e4428b29611e989719874670fd152b6625500ad6c686d464e99f5aaeeaca175a \ - --hash=sha256:e4972624066095e52b569e02b5ca97dbd7a7ddd4294bf4e7247d52635630dd83 \ - --hash=sha256:e7be68734bd8c9a513f2b0cfd508802d6609da068f40dc57d4e3494cefc92929 \ - --hash=sha256:e8e94e6912639a02ce173341ff62cc1201232ab86b8a8fcc05572741a5dc7d93 \ - --hash=sha256:ea1456df2a27c73ce51120fa2f519f1bea2f4a03a917f4a43c8707cf4cbbae1a \ - --hash=sha256:ebd8d160f91a764652d3e51ce0d2956b38efe37c9231cd82cfc0bed2e40b581c \ - --hash=sha256:eca2e9d0cc5a889850e9bbd68e98314ada174ff6ccd1129500103df7a94a7a44 \ - --hash=sha256:edd08e6f2f1a390bf137080507e44ccc086353c8e98c657e666c017718561b89 \ - --hash=sha256:f285e862d2f153a70586579c15c44656f888806ed0e5b56b64489afe4a2dbfba \ - --hash=sha256:f2a1dee728b52b33eebff5072817176c172050d44d67befd681609b4746e1c2e \ - --hash=sha256:f7e301075edaf50500f0b341543c41194d8df3ae5caf4702f2095f3ca73dd8da \ - --hash=sha256:fb616be3538599e797a2017cccca78e354c767165e8858ab5116813146041a24 \ - --hash=sha256:fce28b3c8a81b6b36dfac9feb1de115bab619b3c13905b419ec71d03a3fc1423 \ - --hash=sha256:fe5d7785250541f7f5019ab9cba2c71169dc7d74d0f45253f8313f436458a4ef - # via grpclib nh3==0.2.17 \ --hash=sha256:0316c25b76289cf23be6b66c77d3608a4fdf537b35426280032f432f14291b9a \ --hash=sha256:1a814dd7bba1cb0aba5bcb9bebcc88fd801b63e21e2450ae6c52d3b3336bc911 \ @@ -404,112 +283,12 @@ pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -pydantic[email]==2.6.4 \ - --hash=sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6 \ - --hash=sha256:cc46fce86607580867bdc3361ad462bab9c222ef042d3da86f2fb333e1d916c5 - # via - # id - # sigstore - # sigstore-rekor-types -pydantic-core==2.16.3 \ - --hash=sha256:00ee1c97b5364b84cb0bd82e9bbf645d5e2871fb8c58059d158412fee2d33d8a \ - --hash=sha256:0d32576b1de5a30d9a97f300cc6a3f4694c428d956adbc7e6e2f9cad279e45ed \ - --hash=sha256:0df446663464884297c793874573549229f9eca73b59360878f382a0fc085979 \ - --hash=sha256:0f56ae86b60ea987ae8bcd6654a887238fd53d1384f9b222ac457070b7ac4cff \ - --hash=sha256:13dcc4802961b5f843a9385fc821a0b0135e8c07fc3d9949fd49627c1a5e6ae5 \ - --hash=sha256:162e498303d2b1c036b957a1278fa0899d02b2842f1ff901b6395104c5554a45 \ - --hash=sha256:1b662180108c55dfbf1280d865b2d116633d436cfc0bba82323554873967b340 \ - --hash=sha256:1cac689f80a3abab2d3c0048b29eea5751114054f032a941a32de4c852c59cad \ - --hash=sha256:21b888c973e4f26b7a96491c0965a8a312e13be108022ee510248fe379a5fa23 \ - --hash=sha256:287073c66748f624be4cef893ef9174e3eb88fe0b8a78dc22e88eca4bc357ca6 \ - --hash=sha256:2a1ef6a36fdbf71538142ed604ad19b82f67b05749512e47f247a6ddd06afdc7 \ - --hash=sha256:2a72fb9963cba4cd5793854fd12f4cfee731e86df140f59ff52a49b3552db241 \ - --hash=sha256:2acca2be4bb2f2147ada8cac612f8a98fc09f41c89f87add7256ad27332c2fda \ - --hash=sha256:2f583bd01bbfbff4eaee0868e6fc607efdfcc2b03c1c766b06a707abbc856187 \ - --hash=sha256:33809aebac276089b78db106ee692bdc9044710e26f24a9a2eaa35a0f9fa70ba \ - --hash=sha256:36fa178aacbc277bc6b62a2c3da95226520da4f4e9e206fdf076484363895d2c \ - --hash=sha256:4204e773b4b408062960e65468d5346bdfe139247ee5f1ca2a378983e11388a2 \ - --hash=sha256:4384a8f68ddb31a0b0c3deae88765f5868a1b9148939c3f4121233314ad5532c \ - --hash=sha256:456855f57b413f077dff513a5a28ed838dbbb15082ba00f80750377eed23d132 \ - --hash=sha256:49d5d58abd4b83fb8ce763be7794d09b2f50f10aa65c0f0c1696c677edeb7cbf \ - --hash=sha256:4ac6b4ce1e7283d715c4b729d8f9dab9627586dafce81d9eaa009dd7f25dd972 \ - --hash=sha256:4df8a199d9f6afc5ae9a65f8f95ee52cae389a8c6b20163762bde0426275b7db \ - --hash=sha256:500960cb3a0543a724a81ba859da816e8cf01b0e6aaeedf2c3775d12ee49cade \ - --hash=sha256:519ae0312616026bf4cedc0fe459e982734f3ca82ee8c7246c19b650b60a5ee4 \ - --hash=sha256:578114bc803a4c1ff9946d977c221e4376620a46cf78da267d946397dc9514a8 \ - --hash=sha256:5c5cbc703168d1b7a838668998308018a2718c2130595e8e190220238addc96f \ - --hash=sha256:6162f8d2dc27ba21027f261e4fa26f8bcb3cf9784b7f9499466a311ac284b5b9 \ - --hash=sha256:704d35ecc7e9c31d48926150afada60401c55efa3b46cd1ded5a01bdffaf1d48 \ - --hash=sha256:716b542728d4c742353448765aa7cdaa519a7b82f9564130e2b3f6766018c9ec \ - --hash=sha256:72282ad4892a9fb2da25defeac8c2e84352c108705c972db82ab121d15f14e6d \ - --hash=sha256:7233d65d9d651242a68801159763d09e9ec96e8a158dbf118dc090cd77a104c9 \ - --hash=sha256:732da3243e1b8d3eab8c6ae23ae6a58548849d2e4a4e03a1924c8ddf71a387cb \ - --hash=sha256:75b81e678d1c1ede0785c7f46690621e4c6e63ccd9192af1f0bd9d504bbb6bf4 \ - --hash=sha256:75f76ee558751746d6a38f89d60b6228fa174e5172d143886af0f85aa306fd89 \ - --hash=sha256:7ee8d5f878dccb6d499ba4d30d757111847b6849ae07acdd1205fffa1fc1253c \ - --hash=sha256:7f752826b5b8361193df55afcdf8ca6a57d0232653494ba473630a83ba50d8c9 \ - --hash=sha256:86b3d0033580bd6bbe07590152007275bd7af95f98eaa5bd36f3da219dcd93da \ - --hash=sha256:8d62da299c6ecb04df729e4b5c52dc0d53f4f8430b4492b93aa8de1f541c4aac \ - --hash=sha256:8e47755d8152c1ab5b55928ab422a76e2e7b22b5ed8e90a7d584268dd49e9c6b \ - --hash=sha256:9091632a25b8b87b9a605ec0e61f241c456e9248bfdcf7abdf344fdb169c81cf \ - --hash=sha256:936e5db01dd49476fa8f4383c259b8b1303d5dd5fb34c97de194560698cc2c5e \ - --hash=sha256:99b6add4c0b39a513d323d3b93bc173dac663c27b99860dd5bf491b240d26137 \ - --hash=sha256:9c865a7ee6f93783bd5d781af5a4c43dadc37053a5b42f7d18dc019f8c9d2bd1 \ - --hash=sha256:a425479ee40ff021f8216c9d07a6a3b54b31c8267c6e17aa88b70d7ebd0e5e5b \ - --hash=sha256:a4b2bf78342c40b3dc830880106f54328928ff03e357935ad26c7128bbd66ce8 \ - --hash=sha256:a6b1bb0827f56654b4437955555dc3aeeebeddc47c2d7ed575477f082622c49e \ - --hash=sha256:aaf09e615a0bf98d406657e0008e4a8701b11481840be7d31755dc9f97c44053 \ - --hash=sha256:b1f6f5938d63c6139860f044e2538baeee6f0b251a1816e7adb6cbce106a1f01 \ - --hash=sha256:b29eeb887aa931c2fcef5aa515d9d176d25006794610c264ddc114c053bf96fe \ - --hash=sha256:b3992a322a5617ded0a9f23fd06dbc1e4bd7cf39bc4ccf344b10f80af58beacd \ - --hash=sha256:b5b6079cc452a7c53dd378c6f881ac528246b3ac9aae0f8eef98498a75657805 \ - --hash=sha256:b60cc1a081f80a2105a59385b92d82278b15d80ebb3adb200542ae165cd7d183 \ - --hash=sha256:b926dd38db1519ed3043a4de50214e0d600d404099c3392f098a7f9d75029ff8 \ - --hash=sha256:bd87f48924f360e5d1c5f770d6155ce0e7d83f7b4e10c2f9ec001c73cf475c99 \ - --hash=sha256:bda1ee3e08252b8d41fa5537413ffdddd58fa73107171a126d3b9ff001b9b820 \ - --hash=sha256:be0ec334369316fa73448cc8c982c01e5d2a81c95969d58b8f6e272884df0074 \ - --hash=sha256:c6119dc90483a5cb50a1306adb8d52c66e447da88ea44f323e0ae1a5fcb14256 \ - --hash=sha256:c9803edf8e29bd825f43481f19c37f50d2b01899448273b3a7758441b512acf8 \ - --hash=sha256:c9bd22a2a639e26171068f8ebb5400ce2c1bc7d17959f60a3b753ae13c632975 \ - --hash=sha256:cbcc558401de90a746d02ef330c528f2e668c83350f045833543cd57ecead1ad \ - --hash=sha256:cf6204fe865da605285c34cf1172879d0314ff267b1c35ff59de7154f35fdc2e \ - --hash=sha256:d33dd21f572545649f90c38c227cc8631268ba25c460b5569abebdd0ec5974ca \ - --hash=sha256:d89ca19cdd0dd5f31606a9329e309d4fcbb3df860960acec32630297d61820df \ - --hash=sha256:d8f99b147ff3fcf6b3cc60cb0c39ea443884d5559a30b1481e92495f2310ff2b \ - --hash=sha256:d937653a696465677ed583124b94a4b2d79f5e30b2c46115a68e482c6a591c8a \ - --hash=sha256:dcca5d2bf65c6fb591fff92da03f94cd4f315972f97c21975398bd4bd046854a \ - --hash=sha256:ded1c35f15c9dea16ead9bffcde9bb5c7c031bff076355dc58dcb1cb436c4721 \ - --hash=sha256:e3e70c94a0c3841e6aa831edab1619ad5c511199be94d0c11ba75fe06efe107a \ - --hash=sha256:e56f8186d6210ac7ece503193ec84104da7ceb98f68ce18c07282fcc2452e76f \ - --hash=sha256:e7774b570e61cb998490c5235740d475413a1f6de823169b4cf94e2fe9e9f6b2 \ - --hash=sha256:e7c6ed0dc9d8e65f24f5824291550139fe6f37fac03788d4580da0d33bc00c97 \ - --hash=sha256:ec08be75bb268473677edb83ba71e7e74b43c008e4a7b1907c6d57e940bf34b6 \ - --hash=sha256:ecdf6bf5f578615f2e985a5e1f6572e23aa632c4bd1dc67f8f406d445ac115ed \ - --hash=sha256:ed25e1835c00a332cb10c683cd39da96a719ab1dfc08427d476bce41b92531fc \ - --hash=sha256:f4cb85f693044e0f71f394ff76c98ddc1bc0953e48c061725e540396d5c8a2e1 \ - --hash=sha256:f53aace168a2a10582e570b7736cc5bef12cae9cf21775e3eafac597e8551fbe \ - --hash=sha256:f651dd19363c632f4abe3480a7c87a9773be27cfe1341aef06e8759599454120 \ - --hash=sha256:fc4ad7f7ee1a13d9cb49d8198cd7d7e3aa93e425f371a68235f784e99741561f \ - --hash=sha256:fee427241c2d9fb7192b658190f9f5fd6dfe41e02f3c1489d2ec1e6a5ab1e04a - # via pydantic pygments==2.17.2 \ --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ --hash=sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367 # via # readme-renderer # rich -pyjwt==2.8.0 \ - --hash=sha256:57e28d156e3d5c10088e0c68abb90bfac3df82b40a71bd0daa20c65ccd5c23de \ - --hash=sha256:59127c392cc44c2da5bb3192169a91f429924e17aff6534d70fdc02ab3e04320 - # via sigstore -pyopenssl==24.1.0 \ - --hash=sha256:17ed5be5936449c5418d1cd269a1a9e9081bc54c17aed272b45856a3d3dc86ad \ - --hash=sha256:cabed4bfaa5df9f1a16c0ef64a0cb65318b5cd077a7eda7d6970131ca2f41a6f - # via sigstore -python-dateutil==2.9.0.post0 \ - --hash=sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3 \ - --hash=sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427 - # via betterproto readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 @@ -519,10 +298,7 @@ requests==2.31.0 \ --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1 # via # -r publish-requirements.in - # id # requests-toolbelt - # sigstore - # tuf # twine requests-toolbelt==1.0.0 \ --hash=sha256:7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6 \ @@ -536,48 +312,15 @@ rich==13.7.1 \ --hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222 \ --hash=sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432 # via - # sigstore # twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -securesystemslib==0.31.0 \ - --hash=sha256:549d70f7be6460252d016f03edc5ec0128fee56af55d2b863a5db14541ddbf18 \ - --hash=sha256:c1594afbcd5db198ec90c487e1720154afb71743d9f4bccf3dfda84de650c478 - # via - # sigstore - # tuf -sigstore==2.1.5 \ - --hash=sha256:7771153c5ac5a51d6556481f4680dfb602cb5c32c94fe56f87ff1801b8a8f243 \ - --hash=sha256:86d3ba41135004818c20d09d120140d59d4bd535a092690ff46478047bb8df5b - # via -r publish-requirements.in -sigstore-protobuf-specs==0.3.1 \ - --hash=sha256:c40b61975b957ae906eb29a5bc7040ec015b68b6b46005cc5805e629493e8dec \ - --hash=sha256:ea6d7325af70019b6639e0fd16ef6f78511645d46dd3f9876fb008641d80a125 - # via sigstore -sigstore-rekor-types==0.0.11 \ - --hash=sha256:791a696eccd5d07c933cc11d46dea22983efedaf5f1068734263ce0f25695bba \ - --hash=sha256:b63b4dc6dd70a3f69b236575146a18c357a3743172a03e8ceb18bbc25ef2563b - # via sigstore -six==1.16.0 \ - --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ - --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 - # via python-dateutil -tuf==3.1.1 \ - --hash=sha256:73b3c89a0acdfe90434bba3118c90c584ef1c56bc0c4565852e917408b774130 \ - --hash=sha256:d6441d11bc9a928cb82cf571519bb99e70ed3ea6fd5a52ce116a8e121023f7ef - # via sigstore twine==5.0.0 \ --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 # via -r publish-requirements.in -typing-extensions==4.11.0 \ - --hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \ - --hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a - # via - # pydantic - # pydantic-core urllib3==2.2.1 \ --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19 diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 90e3ad79608f..62fcc4bcd468 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -30,6 +30,7 @@ jobs: if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.event == 'push' && github.event.workflow_run.conclusion == 'success') permissions: id-token: "write" + attestations: "write" steps: - run: echo "$EVENT_CONTEXT" env: @@ -89,9 +90,10 @@ jobs: - run: twine upload --skip-existing $(find dist/ -type f -name 'cryptography*') - # Do not perform sigstore signatures for things for TestPyPI. This is - # because there's nothing that would prevent a malicious PyPI from - # serving a signed TestPyPI asset in place of a release intended for - # PyPI. - - run: sigstore sign $(find dist/ -type f -name 'cryptography*') + # Do not perform attestation for things for TestPyPI. This is because + # there's nothing that would prevent a malicious PyPI from serving a + # signed TestPyPI asset in place of a release intended for PyPI. + - uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From e519e6b5a6457e5974b843bbdaba7e17267e01f6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 May 2024 13:36:53 -0400 Subject: [PATCH 552/868] trim a few more deps from publish-requirements.txt (#10937) --- .github/requirements/publish-requirements.txt | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e951e6874d72..f142d90bfeb1 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -193,27 +193,14 @@ cryptography==42.0.5 \ --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 # via # secretstorage -dnspython==2.6.1 \ - --hash=sha256:5ef3b9680161f6fa89daf8ad451b5f1a33b18ae8a1c6778cdf4b43f08c0a6e50 \ - --hash=sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc - # via email-validator docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 # via readme-renderer -hpack==4.0.0 \ - --hash=sha256:84a076fad3dc9a9f8063ccb8041ef100867b1878b25ef0ee63847a5d53818a6c \ - --hash=sha256:fc41de0c63e687ebffde81187a948221294896f6bdc0ae2312708df339430095 - # via h2 -hyperframe==6.0.1 \ - --hash=sha256:0ec6bafd80d8ad2195c4f03aacba3a8265e57bc4cff261e802bf39970ed02a15 \ - --hash=sha256:ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914 - # via h2 idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via - # email-validator # requests importlib-metadata==7.1.0 \ --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ From 4d796867daf67a8c249eaf768d7b371c65a19fcb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 14:03:45 -0400 Subject: [PATCH 553/868] Bump ruff from 0.4.2 to 0.4.3 (#10941) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.2 to 0.4.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.2...v0.4.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f448ab641f04..d05f9dc9c337 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.2 +ruff==0.4.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 617d82242415447f5e80caa2ebc29f46c58d9d93 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 14:05:28 -0400 Subject: [PATCH 554/868] Bump babel from 2.14.0 to 2.15.0 (#10940) Bumps [babel](https://github.com/python-babel/babel) from 2.14.0 to 2.15.0. - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](https://github.com/python-babel/babel/compare/v2.14.0...v2.15.0) --- updated-dependencies: - dependency-name: babel dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d05f9dc9c337..315047435fa8 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -9,7 +9,7 @@ alabaster==0.7.16 # via sphinx argcomplete==3.3.0; python_version >= "3.8" # via nox -babel==2.14.0 +babel==2.15.0 # via sphinx build==1.2.1 # via From 7694ff08a9a1401c64873568162271a90f70b437 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 14:06:20 -0400 Subject: [PATCH 555/868] Bump coverage from 7.5.0 to 7.5.1 (#10939) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.0 to 7.5.1. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.0...7.5.1) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 315047435fa8..959d7d3d0217 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.0; python_version >= "3.8" +coverage==7.5.1; python_version >= "3.8" # via # coverage # pytest-cov From b22aa88d3a169682896bdd9e963a5c63b98a79b1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 18:16:35 +0000 Subject: [PATCH 556/868] Bump pygments from 2.17.2 to 2.18.0 (#10938) Bumps [pygments](https://github.com/pygments/pygments) from 2.17.2 to 2.18.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.17.2...2.18.0) --- updated-dependencies: - dependency-name: pygments dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 959d7d3d0217..69039d31c576 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -80,7 +80,7 @@ pyenchant==3.2.2 # via # cryptography (pyproject.toml) # sphinxcontrib-spelling -pygments==2.17.2 +pygments==2.18.0 # via # readme-renderer # sphinx From 9e3043504aa0289d1b41a66760746c3b6d0b78bc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 18:22:29 +0000 Subject: [PATCH 557/868] Bump cryptography from 42.0.5 to 42.0.6 in /.github/requirements (#10942) Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.5 to 42.0.6. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.5...42.0.6) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 75 +++++++++---------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index f142d90bfeb1..e8d42e5e086a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -158,41 +158,40 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.5 \ - --hash=sha256:0270572b8bd2c833c3981724b8ee9747b3ec96f699a9665470018594301439ee \ - --hash=sha256:111a0d8553afcf8eb02a4fea6ca4f59d48ddb34497aa8706a6cf536f1a5ec576 \ - --hash=sha256:16a48c23a62a2f4a285699dba2e4ff2d1cff3115b9df052cdd976a18856d8e3d \ - --hash=sha256:1b95b98b0d2af784078fa69f637135e3c317091b615cd0905f8b8a087e86fa30 \ - --hash=sha256:1f71c10d1e88467126f0efd484bd44bca5e14c664ec2ede64c32f20875c0d413 \ - --hash=sha256:2424ff4c4ac7f6b8177b53c17ed5d8fa74ae5955656867f5a8affaca36a27abb \ - --hash=sha256:2bce03af1ce5a5567ab89bd90d11e7bbdff56b8af3acbbec1faded8f44cb06da \ - --hash=sha256:329906dcc7b20ff3cad13c069a78124ed8247adcac44b10bea1130e36caae0b4 \ - --hash=sha256:37dd623507659e08be98eec89323469e8c7b4c1407c85112634ae3dbdb926fdd \ - --hash=sha256:3eaafe47ec0d0ffcc9349e1708be2aaea4c6dd4978d76bf6eb0cb2c13636c6fc \ - --hash=sha256:5e6275c09d2badf57aea3afa80d975444f4be8d3bc58f7f80d2a484c6f9485c8 \ - --hash=sha256:6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1 \ - --hash=sha256:7367d7b2eca6513681127ebad53b2582911d1736dc2ffc19f2c3ae49997496bc \ - --hash=sha256:7cde5f38e614f55e28d831754e8a3bacf9ace5d1566235e39d91b35502d6936e \ - --hash=sha256:9481ffe3cf013b71b2428b905c4f7a9a4f76ec03065b05ff499bb5682a8d9ad8 \ - --hash=sha256:98d8dc6d012b82287f2c3d26ce1d2dd130ec200c8679b6213b3c73c08b2b7940 \ - --hash=sha256:a011a644f6d7d03736214d38832e030d8268bcff4a41f728e6030325fea3e400 \ - --hash=sha256:a2913c5375154b6ef2e91c10b5720ea6e21007412f6437504ffea2109b5a33d7 \ - --hash=sha256:a30596bae9403a342c978fb47d9b0ee277699fa53bbafad14706af51fe543d16 \ - --hash=sha256:b03c2ae5d2f0fc05f9a2c0c997e1bc18c8229f392234e8a0194f202169ccd278 \ - --hash=sha256:b6cd2203306b63e41acdf39aa93b86fb566049aeb6dc489b70e34bcd07adca74 \ - --hash=sha256:b7ffe927ee6531c78f81aa17e684e2ff617daeba7f189f911065b2ea2d526dec \ - --hash=sha256:b8cac287fafc4ad485b8a9b67d0ee80c66bf3574f655d3b97ef2e1082360faf1 \ - --hash=sha256:ba334e6e4b1d92442b75ddacc615c5476d4ad55cc29b15d590cc6b86efa487e2 \ - --hash=sha256:ba3e4a42397c25b7ff88cdec6e2a16c2be18720f317506ee25210f6d31925f9c \ - --hash=sha256:c41fb5e6a5fe9ebcd58ca3abfeb51dffb5d83d6775405305bfa8715b76521922 \ - --hash=sha256:cd2030f6650c089aeb304cf093f3244d34745ce0cfcc39f20c6fbfe030102e2a \ - --hash=sha256:cd65d75953847815962c84a4654a84850b2bb4aed3f26fadcc1c13892e1e29f6 \ - --hash=sha256:e4985a790f921508f36f81831817cbc03b102d643b5fcb81cd33df3fa291a1a1 \ - --hash=sha256:e807b3188f9eb0eaa7bbb579b462c5ace579f1cedb28107ce8b48a9f7ad3679e \ - --hash=sha256:f12764b8fffc7a123f641d7d049d382b73f96a34117e0b637b80643169cec8ac \ - --hash=sha256:f8837fe1d6ac4a8052a9a8ddab256bc006242696f03368a4009be7ee3075cdb7 - # via - # secretstorage +cryptography==42.0.6 \ + --hash=sha256:00c0faa5b021457848d031ecff041262211cc1e2bce5f6e6e6c8108018f6b44a \ + --hash=sha256:073104df012fc815eed976cd7d0a386c8725d0d0947cf9c37f6c36a6c20feb1b \ + --hash=sha256:076c92b08dd1ab88108bc84545187e10d3693a9299c593f98c4ea195a0b0ead7 \ + --hash=sha256:089aeb297ff89615934b22c7631448598495ffd775b7d540a55cfee35a677bf4 \ + --hash=sha256:3b750279f3e7715df6f68050707a0cee7cbe81ba2eeb2f21d081bd205885ffed \ + --hash=sha256:43e521f21c2458038d72e8cdfd4d4d9f1d00906a7b6636c4272e35f650d1699b \ + --hash=sha256:4bdb39ecbf05626e4bfa1efd773bb10346af297af14fb3f4c7cb91a1d2f34a46 \ + --hash=sha256:5967e3632f42b0c0f9dc2c9da88c79eabdda317860b246d1fbbde4a8bbbc3b44 \ + --hash=sha256:65d529c31bd65d54ce6b926a01e1b66eacf770b7e87c0622516a840e400ec732 \ + --hash=sha256:6981acac509cc9415344cb5bfea8130096ea6ebcc917e75503143a1e9e829160 \ + --hash=sha256:81dbe47e28b703bc4711ac74a64ef8b758a0cf056ce81d08e39116ab4bc126fa \ + --hash=sha256:8b90c57b3cd6128e0863b894ce77bd36fcb5f430bf2377bc3678c2f56e232316 \ + --hash=sha256:9184aff0856261ecb566a3eb26a05dfe13a292c85ce5c59b04e4aa09e5814187 \ + --hash=sha256:945a43ebf036dd4b43ebfbbd6b0f2db29ad3d39df824fb77476ca5777a9dde33 \ + --hash=sha256:97eeacae9aa526ddafe68b9202a535f581e21d78f16688a84c8dcc063618e121 \ + --hash=sha256:9f1a3bc2747166b0643b00e0b56cd9b661afc9d5ff963acaac7a9c7b2b1ef638 \ + --hash=sha256:9ff75b88a4d273c06d968ad535e6cb6a039dd32db54fe36f05ed62ac3ef64a44 \ + --hash=sha256:aeb6f56b004e898df5530fa873e598ec78eb338ba35f6fa1449970800b1d97c2 \ + --hash=sha256:b16b90605c62bcb3aa7755d62cf5e746828cfc3f965a65211849e00c46f8348d \ + --hash=sha256:b99831397fdc6e6e0aa088b060c278c6e635d25c0d4d14bdf045bf81792fda0a \ + --hash=sha256:bc954251edcd8a952eeaec8ae989fec7fe48109ab343138d537b7ea5bb41071a \ + --hash=sha256:c05230d8aaaa6b8ab3ab41394dc06eb3d916131df1c9dcb4c94e8f041f704b74 \ + --hash=sha256:d16a310c770cc49908c500c2ceb011f2840674101a587d39fa3ea828915b7e83 \ + --hash=sha256:d93080d2b01b292e7ee4d247bf93ed802b0100f5baa3fa5fd6d374716fa480d4 \ + --hash=sha256:e1f5f15c5ddadf6ee4d1d624a2ae940f14bd74536230b0056ccb28bb6248e42a \ + --hash=sha256:e3442601d276bd9e961d618b799761b4e5d892f938e8a4fe1efbe2752be90455 \ + --hash=sha256:e85f433230add2aa26b66d018e21134000067d210c9c68ef7544ba65fc52e3eb \ + --hash=sha256:eecca86813c6a923cabff284b82ff4d73d9e91241dc176250192c3a9b9902a54 \ + --hash=sha256:f1e933b238978ccfa77b1fee0a297b3c04983f4cb84ae1c33b0ea4ae08266cc9 \ + --hash=sha256:f4cece02478d73dacd52be57a521d168af64ae03d2a567c0c4eb6f189c3b9d79 \ + --hash=sha256:f567a82b7c2b99257cca2a1c902c1b129787278ff67148f188784245c7ed5495 \ + --hash=sha256:f987a244dfb0333fbd74a691c36000a2569eaf7c7cc2ac838f85f59f0588ddc9 + # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ --hash=sha256:dafca5b9e384f0e419294eb4d2ff9fa826435bf15f15b7bd45723e8ad76811b2 @@ -200,8 +199,7 @@ docutils==0.21.2 \ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 - # via - # requests + # via requests importlib-metadata==7.1.0 \ --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ --hash=sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2 @@ -298,8 +296,7 @@ rfc3986==2.0.0 \ rich==13.7.1 \ --hash=sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222 \ --hash=sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432 - # via - # twine + # via twine secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 From 115719d2d1fdc717e1e7302829a7588e9055b1ca Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 00:19:28 +0000 Subject: [PATCH 558/868] Bump BoringSSL and/or OpenSSL in CI (#10943) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9df593888083..8dec8d62990e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} - # Latest commit on the OpenSSL master branch, as of May 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "067fbc01b9e867b31c71091d62f0f9012dc9e41a"}} + # Latest commit on the OpenSSL master branch, as of May 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fedbfff42d790c7b7824351c35b4823c75da6417"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 9c2fdaa919d8c8adbe4724b5dea550b33f8cb0b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 11:13:35 +0000 Subject: [PATCH 559/868] Bump jinja2 from 3.1.3 to 3.1.4 (#10946) Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.3...3.1.4) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 69039d31c576..267e87cfa6dd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -48,7 +48,7 @@ imagesize==1.4.1 # via sphinx iniconfig==2.0.0 # via pytest -jinja2==3.1.3 +jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 From 611e408ba6ca3161f45d5920a9c942708aecc3bd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 11:15:33 +0000 Subject: [PATCH 560/868] Bump cc from 1.0.96 to 1.0.97 in /src/rust (#10945) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.96 to 1.0.97. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.96...1.0.97) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 1a0583fd051f..a561aaefb76e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.96" +version = "1.0.97" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "065a29261d53ba54260972629f9ca6bffa69bac13cd1fed61420f7fa68b9f8bd" +checksum = "099a5357d84c4c61eb35fc8eafa9a79a902c2f76911e5747ced4e032edd8d9b4" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 41783da0d891..75ebabb72847 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.96" +cc = "1.0.97" From f1ab35bd702ceeaf6e02b13f37f9a1f3d77eaa3c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 07:21:56 -0400 Subject: [PATCH 561/868] Bump pygments from 2.17.2 to 2.18.0 in /.github/requirements (#10947) Bumps [pygments](https://github.com/pygments/pygments) from 2.17.2 to 2.18.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](https://github.com/pygments/pygments/compare/2.17.2...2.18.0) --- updated-dependencies: - dependency-name: pygments dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e8d42e5e086a..cbeb323ddf6e 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -268,9 +268,9 @@ pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -pygments==2.17.2 \ - --hash=sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c \ - --hash=sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367 +pygments==2.18.0 \ + --hash=sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199 \ + --hash=sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a # via # readme-renderer # rich From 26e7d9e042fdec8cd60a0edb44ea37992a008575 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 6 May 2024 10:00:13 -0700 Subject: [PATCH 562/868] forward port 42.0.7 changelog (#10950) --- CHANGELOG.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c78e05bb3249..600da955f8e7 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -45,6 +45,16 @@ Changelog timezone-aware alternative to the naïve ``datetime`` attribute :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. +.. _v42-0-7: + +42.0.7 - 2024-05-06 +~~~~~~~~~~~~~~~~~~~ + +* Restored Windows 7 compatibility for our pre-built wheels. Note that we do + not test on Windows 7 and wheels for our next release will not support it. + Microsoft no longer provides support for Windows 7 and users are encouraged + to upgrade. + .. _v42-0-6: 42.0.6 - 2024-05-04 From 34c17bfc983d6b21c1b5c773bd453e6999d59315 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 15:49:07 -0400 Subject: [PATCH 563/868] Bump actions/attest-build-provenance from 1.0.0 to 1.1.0 (#10951) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/897ed5eab6ed058a474202017ada7f40bfa52940...f8d5ea8082b0d9f5ab855907be308fbd7eefb155) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 62fcc4bcd468..4d1436f79170 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + - uses: actions/attest-build-provenance@f8d5ea8082b0d9f5ab855907be308fbd7eefb155 # v1.1.0 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From da1b66ade61f14f75649d6dbfdc4b7a74fcbf01a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 16:03:06 -0400 Subject: [PATCH 564/868] Bump cryptography from 42.0.6 to 42.0.7 in /.github/requirements (#10953) Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.6 to 42.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.6...42.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index cbeb323ddf6e..64e29237ce54 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -158,39 +158,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.6 \ - --hash=sha256:00c0faa5b021457848d031ecff041262211cc1e2bce5f6e6e6c8108018f6b44a \ - --hash=sha256:073104df012fc815eed976cd7d0a386c8725d0d0947cf9c37f6c36a6c20feb1b \ - --hash=sha256:076c92b08dd1ab88108bc84545187e10d3693a9299c593f98c4ea195a0b0ead7 \ - --hash=sha256:089aeb297ff89615934b22c7631448598495ffd775b7d540a55cfee35a677bf4 \ - --hash=sha256:3b750279f3e7715df6f68050707a0cee7cbe81ba2eeb2f21d081bd205885ffed \ - --hash=sha256:43e521f21c2458038d72e8cdfd4d4d9f1d00906a7b6636c4272e35f650d1699b \ - --hash=sha256:4bdb39ecbf05626e4bfa1efd773bb10346af297af14fb3f4c7cb91a1d2f34a46 \ - --hash=sha256:5967e3632f42b0c0f9dc2c9da88c79eabdda317860b246d1fbbde4a8bbbc3b44 \ - --hash=sha256:65d529c31bd65d54ce6b926a01e1b66eacf770b7e87c0622516a840e400ec732 \ - --hash=sha256:6981acac509cc9415344cb5bfea8130096ea6ebcc917e75503143a1e9e829160 \ - --hash=sha256:81dbe47e28b703bc4711ac74a64ef8b758a0cf056ce81d08e39116ab4bc126fa \ - --hash=sha256:8b90c57b3cd6128e0863b894ce77bd36fcb5f430bf2377bc3678c2f56e232316 \ - --hash=sha256:9184aff0856261ecb566a3eb26a05dfe13a292c85ce5c59b04e4aa09e5814187 \ - --hash=sha256:945a43ebf036dd4b43ebfbbd6b0f2db29ad3d39df824fb77476ca5777a9dde33 \ - --hash=sha256:97eeacae9aa526ddafe68b9202a535f581e21d78f16688a84c8dcc063618e121 \ - --hash=sha256:9f1a3bc2747166b0643b00e0b56cd9b661afc9d5ff963acaac7a9c7b2b1ef638 \ - --hash=sha256:9ff75b88a4d273c06d968ad535e6cb6a039dd32db54fe36f05ed62ac3ef64a44 \ - --hash=sha256:aeb6f56b004e898df5530fa873e598ec78eb338ba35f6fa1449970800b1d97c2 \ - --hash=sha256:b16b90605c62bcb3aa7755d62cf5e746828cfc3f965a65211849e00c46f8348d \ - --hash=sha256:b99831397fdc6e6e0aa088b060c278c6e635d25c0d4d14bdf045bf81792fda0a \ - --hash=sha256:bc954251edcd8a952eeaec8ae989fec7fe48109ab343138d537b7ea5bb41071a \ - --hash=sha256:c05230d8aaaa6b8ab3ab41394dc06eb3d916131df1c9dcb4c94e8f041f704b74 \ - --hash=sha256:d16a310c770cc49908c500c2ceb011f2840674101a587d39fa3ea828915b7e83 \ - --hash=sha256:d93080d2b01b292e7ee4d247bf93ed802b0100f5baa3fa5fd6d374716fa480d4 \ - --hash=sha256:e1f5f15c5ddadf6ee4d1d624a2ae940f14bd74536230b0056ccb28bb6248e42a \ - --hash=sha256:e3442601d276bd9e961d618b799761b4e5d892f938e8a4fe1efbe2752be90455 \ - --hash=sha256:e85f433230add2aa26b66d018e21134000067d210c9c68ef7544ba65fc52e3eb \ - --hash=sha256:eecca86813c6a923cabff284b82ff4d73d9e91241dc176250192c3a9b9902a54 \ - --hash=sha256:f1e933b238978ccfa77b1fee0a297b3c04983f4cb84ae1c33b0ea4ae08266cc9 \ - --hash=sha256:f4cece02478d73dacd52be57a521d168af64ae03d2a567c0c4eb6f189c3b9d79 \ - --hash=sha256:f567a82b7c2b99257cca2a1c902c1b129787278ff67148f188784245c7ed5495 \ - --hash=sha256:f987a244dfb0333fbd74a691c36000a2569eaf7c7cc2ac838f85f59f0588ddc9 +cryptography==42.0.7 \ + --hash=sha256:02c0eee2d7133bdbbc5e24441258d5d2244beb31da5ed19fbb80315f4bbbff55 \ + --hash=sha256:0d563795db98b4cd57742a78a288cdbdc9daedac29f2239793071fe114f13785 \ + --hash=sha256:16268d46086bb8ad5bf0a2b5544d8a9ed87a0e33f5e77dd3c3301e63d941a83b \ + --hash=sha256:1a58839984d9cb34c855197043eaae2c187d930ca6d644612843b4fe8513c886 \ + --hash=sha256:2954fccea107026512b15afb4aa664a5640cd0af630e2ee3962f2602693f0c82 \ + --hash=sha256:2e47577f9b18723fa294b0ea9a17d5e53a227867a0a4904a1a076d1646d45ca1 \ + --hash=sha256:31adb7d06fe4383226c3e963471f6837742889b3c4caa55aac20ad951bc8ffda \ + --hash=sha256:3577d029bc3f4827dd5bf8bf7710cac13527b470bbf1820a3f394adb38ed7d5f \ + --hash=sha256:36017400817987670037fbb0324d71489b6ead6231c9604f8fc1f7d008087c68 \ + --hash=sha256:362e7197754c231797ec45ee081f3088a27a47c6c01eff2ac83f60f85a50fe60 \ + --hash=sha256:3de9a45d3b2b7d8088c3fbf1ed4395dfeff79d07842217b38df14ef09ce1d8d7 \ + --hash=sha256:4f698edacf9c9e0371112792558d2f705b5645076cc0aaae02f816a0171770fd \ + --hash=sha256:5482e789294854c28237bba77c4c83be698be740e31a3ae5e879ee5444166582 \ + --hash=sha256:5e44507bf8d14b36b8389b226665d597bc0f18ea035d75b4e53c7b1ea84583cc \ + --hash=sha256:779245e13b9a6638df14641d029add5dc17edbef6ec915688f3acb9e720a5858 \ + --hash=sha256:789caea816c6704f63f6241a519bfa347f72fbd67ba28d04636b7c6b7da94b0b \ + --hash=sha256:7f8b25fa616d8b846aef64b15c606bb0828dbc35faf90566eb139aa9cff67af2 \ + --hash=sha256:8cb8ce7c3347fcf9446f201dc30e2d5a3c898d009126010cbd1f443f28b52678 \ + --hash=sha256:93a3209f6bb2b33e725ed08ee0991b92976dfdcf4e8b38646540674fc7508e13 \ + --hash=sha256:a3a5ac8b56fe37f3125e5b72b61dcde43283e5370827f5233893d461b7360cd4 \ + --hash=sha256:a47787a5e3649008a1102d3df55424e86606c9bae6fb77ac59afe06d234605f8 \ + --hash=sha256:a79165431551042cc9d1d90e6145d5d0d3ab0f2d66326c201d9b0e7f5bf43604 \ + --hash=sha256:a987f840718078212fdf4504d0fd4c6effe34a7e4740378e59d47696e8dfb477 \ + --hash=sha256:a9bc127cdc4ecf87a5ea22a2556cab6c7eda2923f84e4f3cc588e8470ce4e42e \ + --hash=sha256:bd13b5e9b543532453de08bcdc3cc7cebec6f9883e886fd20a92f26940fd3e7a \ + --hash=sha256:c65f96dad14f8528a447414125e1fc8feb2ad5a272b8f68477abbcc1ea7d94b9 \ + --hash=sha256:d8e3098721b84392ee45af2dd554c947c32cc52f862b6a3ae982dbb90f577f14 \ + --hash=sha256:e6b79d0adb01aae87e8a44c2b64bc3f3fe59515280e00fb6d57a7267a2583cda \ + --hash=sha256:e6b8f1881dac458c34778d0a424ae5769de30544fc678eac51c1c8bb2183e9da \ + --hash=sha256:e9b2a6309f14c0497f348d08a065d52f3020656f675819fc405fb63bbcd26562 \ + --hash=sha256:ecbfbc00bf55888edda9868a4cf927205de8499e7fabe6c050322298382953f2 \ + --hash=sha256:efd0bf5205240182e0f13bcaea41be4fdf5c22c5129fc7ced4a0282ac86998c9 # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ From 54725c1120114e47cb552ef9f324d50908f43bac Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 00:16:47 +0000 Subject: [PATCH 565/868] Bump BoringSSL and/or OpenSSL in CI (#10954) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8dec8d62990e..abdbb1f6e925 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} - # Latest commit on the OpenSSL master branch, as of May 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fedbfff42d790c7b7824351c35b4823c75da6417"}} + # Latest commit on the OpenSSL master branch, as of May 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1c4f9684696bad3a602b388a414f2051f0365b3d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 0a044fd23e04a5fb7d88f19d9b7a63e29cf7bc87 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 18:53:28 -0700 Subject: [PATCH 566/868] Bump x509-limbo and/or wycheproof in CI (#10955) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index c5ab5577bdfb..0ce8ea05913c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Apr 30, 2024. - ref: "4b12b2196d770bb0f7c312c51a1bfbda13d49a57" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 07, 2024. + ref: "64ef92fe6f3655776e1381b6d2fe5a455dae41df" # x509-limbo-ref From 9a2babd2f96794410733495a9a2fe647fe71733a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 07:19:18 -0400 Subject: [PATCH 567/868] Bump proc-macro2 from 1.0.81 to 1.0.82 in /src/rust (#10956) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.81 to 1.0.82. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.81...1.0.82) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a561aaefb76e..60dfea8255cb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.81" +version = "1.0.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba" +checksum = "8ad3d49ab951a01fbaafe34f2ec74122942fe18a3f9814c3268f1bb72042131b" dependencies = [ "unicode-ident", ] From 4434939c372245a02f9ec4539b7eeadba6f24d1c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 11:22:00 +0000 Subject: [PATCH 568/868] Bump syn from 2.0.60 to 2.0.61 in /src/rust (#10957) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.60 to 2.0.61. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.60...2.0.61) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 60dfea8255cb..bc07f4a0b0d0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.60" +version = "2.0.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3" +checksum = "c993ed8ccba56ae856363b1845da7266a7cb78e1d146c8a32d54b45a8b831fc9" dependencies = [ "proc-macro2", "quote", From 233ca1c05c48071698fe89a5cb1c4c9ac3d037fd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 21:37:50 -0400 Subject: [PATCH 569/868] Bump BoringSSL and/or OpenSSL in CI (#10959) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index abdbb1f6e925..4f23174581d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "3e89a7e8db8139db356b892ca9993172346c80cf"}} - # Latest commit on the OpenSSL master branch, as of May 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1c4f9684696bad3a602b388a414f2051f0365b3d"}} + # Latest commit on the BoringSSL master branch, as of May 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ab7c1482bf4cdc91c87bc512aaf68ffb18975ec"}} + # Latest commit on the OpenSSL master branch, as of May 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "deaa83af700113c99835a1db7d45d33baba05bd3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f03d2df1160b8c26275a32364956675b791d9b17 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 21:38:11 -0400 Subject: [PATCH 570/868] Bump x509-limbo and/or wycheproof in CI (#10960) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 0ce8ea05913c..5a71365209ab 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 07, 2024. - ref: "64ef92fe6f3655776e1381b6d2fe5a455dae41df" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 08, 2024. + ref: "57a33f504fec127823985c8d394beaca77920e4d" # x509-limbo-ref From 8a9709e8c15068f742646264a88d7c5def6f66af Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 9 May 2024 00:15:41 +0000 Subject: [PATCH 571/868] Bump BoringSSL and/or OpenSSL in CI (#10963) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f23174581d8..c8729ac5a87a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "6ab7c1482bf4cdc91c87bc512aaf68ffb18975ec"}} - # Latest commit on the OpenSSL master branch, as of May 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "deaa83af700113c99835a1db7d45d33baba05bd3"}} + # Latest commit on the BoringSSL master branch, as of May 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8e6aa7f39f4357a6ad15944884f72db8d25b9dff"}} + # Latest commit on the OpenSSL master branch, as of May 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6ce48f5b8ad4d8d748ea87d2490cbed08db9936"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From acc3226faabfad4ce1036722b88871171bd03439 Mon Sep 17 00:00:00 2001 From: Marti Raudsepp Date: Thu, 9 May 2024 16:54:49 +0300 Subject: [PATCH 572/868] Support empty string in `Name.from_rfc4514_string()` (#10964) Empty string is a valid result from RFC4514 serialization, and should parse successfully. According to https://datatracker.ietf.org/doc/html/rfc4514#section-2.1 > If the RDNSequence is an empty sequence, the result is the empty or zero-length string. --- CHANGELOG.rst | 2 ++ src/cryptography/x509/name.py | 4 ++++ tests/x509/test_name.py | 1 + tests/x509/test_x509.py | 3 +++ 4 files changed, 10 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 600da955f8e7..524262e120bf 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -44,6 +44,8 @@ Changelog * Added :attr:`~cryptography.x509.InvalidityDate.invalidity_date_utc`, a timezone-aware alternative to the naïve ``datetime`` attribute :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. +* Added support for parsing empty DN string in + :meth:`~cryptography.x509.Name.from_rfc4514_string`. .. _v42-0-7: diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 1edfc2b4f598..451338a3a930 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -414,6 +414,10 @@ def parse(self) -> Name: we parse it, we need to reverse again to get the RDNs on the correct order. """ + + if not self._has_data(): + return Name([]) + rdns = [self._parse_rdn()] while self._has_data(): diff --git a/tests/x509/test_name.py b/tests/x509/test_name.py index 4c9ccc3b791c..a1ceffce6556 100644 --- a/tests/x509/test_name.py +++ b/tests/x509/test_name.py @@ -159,6 +159,7 @@ def test_valid(self, subtests): "2.5.4.10=abc", Name([NameAttribute(NameOID.ORGANIZATION_NAME, "abc")]), ), + ("", Name([])), ]: with subtests.test(): result = Name.from_rfc4514_string(value) diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 40686e4eb7c2..29e611d72901 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5885,6 +5885,9 @@ def test_distinguished_name_custom_attrs(self): {NameOID.COMMON_NAME: "CommonName", NameOID.EMAIL_ADDRESS: "E"} ) == ("CommonName=Santa Claus,E=santa@north.pole") + def test_empty_name(self): + assert x509.Name([]).rfc4514_string() == "" + def test_empty_value(self): na = x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "") assert na.rfc4514_string() == r"ST=" From 75b1de3bbb0ae7d8977f161696ba4ead4c82f88a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 00:16:13 +0000 Subject: [PATCH 573/868] Bump BoringSSL and/or OpenSSL in CI (#10965) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c8729ac5a87a..58d3e48bfd8f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8e6aa7f39f4357a6ad15944884f72db8d25b9dff"}} - # Latest commit on the OpenSSL master branch, as of May 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6ce48f5b8ad4d8d748ea87d2490cbed08db9936"}} + # Latest commit on the BoringSSL master branch, as of May 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "4d50a595b49a2e7b7017060a4d402c4ee9fe28a2"}} + # Latest commit on the OpenSSL master branch, as of May 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d3184110196b690d314424ac55404278d98eda32"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8a37c1c6d064cebba10fe86281b2719d5144e77a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 07:34:00 -0400 Subject: [PATCH 574/868] Bump ruff from 0.4.3 to 0.4.4 (#10966) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.3 to 0.4.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.3...v0.4.4) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 267e87cfa6dd..3071970a0d73 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.31.0 # via sphinx -ruff==0.4.3 +ruff==0.4.4 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 0e5de8607f354cf8371fe1083c2a28124b2e8d02 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 11 May 2024 00:17:08 +0000 Subject: [PATCH 575/868] Bump BoringSSL and/or OpenSSL in CI (#10967) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58d3e48bfd8f..1faaae0c64f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "4d50a595b49a2e7b7017060a4d402c4ee9fe28a2"}} - # Latest commit on the OpenSSL master branch, as of May 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d3184110196b690d314424ac55404278d98eda32"}} + # Latest commit on the BoringSSL master branch, as of May 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03d1b7c544851d9f44df1e9ff21839742e08c819"}} + # Latest commit on the OpenSSL master branch, as of May 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "87314d24c4f025df1ebf47dc527cc8a96bef354a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2077a54146e8c2ee6e2128ab02384752e43d6681 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 12 May 2024 00:16:46 +0000 Subject: [PATCH 576/868] Bump BoringSSL and/or OpenSSL in CI (#10968) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1faaae0c64f3..5f207b12312f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03d1b7c544851d9f44df1e9ff21839742e08c819"}} + # Latest commit on the BoringSSL master branch, as of May 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} # Latest commit on the OpenSSL master branch, as of May 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "87314d24c4f025df1ebf47dc527cc8a96bef354a"}} # Builds with various Rust versions. Includes MSRV and next From 17d0bcf5345df768b34f2429d24d3fc5346295d0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 12 May 2024 23:05:32 -0400 Subject: [PATCH 577/868] remove a comment that barely makes sense (#10971) --- .readthedocs.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.readthedocs.yml b/.readthedocs.yml index 8a37ec36404d..7ef04db29181 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -11,7 +11,6 @@ formats: - pdf build: - # readdocs master now includes a rust toolchain os: "ubuntu-22.04" tools: python: "3.11" From 3954d93c5d410cbbbf2e48de94be39cf3c96968d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 12 May 2024 23:07:08 -0400 Subject: [PATCH 578/868] libressl 3.9.2 (#10970) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5f207b12312f..363c54ddbf4c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,7 +41,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 12, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} From cd7a4d0683043880b979634168546cd0a30790d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 07:15:14 -0400 Subject: [PATCH 579/868] Bump syn from 2.0.61 to 2.0.63 in /src/rust (#10973) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.61 to 2.0.63. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.61...2.0.63) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bc07f4a0b0d0..656c1ba058f2 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.61" +version = "2.0.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c993ed8ccba56ae856363b1845da7266a7cb78e1d146c8a32d54b45a8b831fc9" +checksum = "bf5be731623ca1a1fb7d8be6f261a3be6d3e2337b8a1f97be944d020c8fcb704" dependencies = [ "proc-macro2", "quote", From ea71c070d275e7f9dbeddadbe3121701cc8d5c95 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 11:18:40 +0000 Subject: [PATCH 580/868] Bump actions/attest-build-provenance from 1.1.0 to 1.1.1 (#10972) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/f8d5ea8082b0d9f5ab855907be308fbd7eefb155...951c0c5f8e375ad4efad33405ab77f7ded2358e4) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 4d1436f79170..54cb62784a75 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@f8d5ea8082b0d9f5ab855907be308fbd7eefb155 # v1.1.0 + - uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 34095d0f472d560a7f0227f0c1e9d69902e5ee0e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 20:53:09 -0400 Subject: [PATCH 581/868] Bump x509-limbo and/or wycheproof in CI (#10975) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 5a71365209ab..4535120cf3c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 08, 2024. - ref: "57a33f504fec127823985c8d394beaca77920e4d" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 14, 2024. + ref: "b8282def2c03640ecdd62759c5466bb1d27b9641" # x509-limbo-ref From 1167f0c03d1b43dadddc920229e44a7870f65ebc Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 20:53:21 -0400 Subject: [PATCH 582/868] Bump BoringSSL and/or OpenSSL in CI (#10974) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 363c54ddbf4c..f5626a6e5561 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of May 12, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} - # Latest commit on the OpenSSL master branch, as of May 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "87314d24c4f025df1ebf47dc527cc8a96bef354a"}} + # Latest commit on the OpenSSL master branch, as of May 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fa338aa7cd1e893679c3e1c47465dcb11f90abfb"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f7108871a0029b0828dd9bd7dcf57f40c284c7b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 18:51:44 -0400 Subject: [PATCH 583/868] Bump virtualenv from 20.26.1 to 20.26.2 (#10977) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.1 to 20.26.2. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.1...20.26.2) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3071970a0d73..88f303a0175c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.11.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests -virtualenv==20.26.1 +virtualenv==20.26.2 # via nox # The following packages are considered to be unsafe in a requirements file: From 3d6ab4dc35e970b8d91319154fc9bf6c99817f4e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 18:52:06 -0400 Subject: [PATCH 584/868] Bump keyring from 25.2.0 to 25.2.1 in /.github/requirements (#10978) Bumps [keyring](https://github.com/jaraco/keyring) from 25.2.0 to 25.2.1. - [Release notes](https://github.com/jaraco/keyring/releases) - [Changelog](https://github.com/jaraco/keyring/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/keyring/compare/v25.2.0...v25.2.1) --- updated-dependencies: - dependency-name: keyring dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 64e29237ce54..ee9ad52829d4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -224,9 +224,9 @@ jeepney==0.8.0 \ # via # keyring # secretstorage -keyring==25.2.0 \ - --hash=sha256:19f17d40335444aab84b19a0d16a77ec0758a9c384e3446ae2ed8bd6d53b67a5 \ - --hash=sha256:7045f367268ce42dba44745050164b431e46f6e92f99ef2937dfadaef368d8cf +keyring==25.2.1 \ + --hash=sha256:2458681cdefc0dbc0b7eb6cf75d0b98e59f9ad9b2d4edd319d18f68bdca95e50 \ + --hash=sha256:daaffd42dbda25ddafb1ad5fec4024e5bbcfe424597ca1ca452b299861e49f1b # via twine markdown-it-py==3.0.0 \ --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ From e8ea275aa8f696438dffe180ed3760f3a0404034 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 20:24:27 -0400 Subject: [PATCH 585/868] Bump BoringSSL and/or OpenSSL in CI (#10979) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f5626a6e5561..12861cd46df5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b6bca9c6dde177f641137d2991aa677997c54c67"}} - # Latest commit on the OpenSSL master branch, as of May 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fa338aa7cd1e893679c3e1c47465dcb11f90abfb"}} + # Latest commit on the BoringSSL master branch, as of May 15, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b8912d713cb82a748bbe63f28f28b17632c70964"}} + # Latest commit on the OpenSSL master branch, as of May 15, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6e469808501f52c7e8f8679d6c3290cf1c258b3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From df45ea2fc4a8934f75eb51fd5a64f79154d947db Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 20:33:12 -0400 Subject: [PATCH 586/868] Bump x509-limbo and/or wycheproof in CI (#10980) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 4535120cf3c8..79c7a27cce07 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 14, 2024. - ref: "b8282def2c03640ecdd62759c5466bb1d27b9641" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 15, 2024. + ref: "fed2bc2b3901c737cb125f62d571a613d502916c" # x509-limbo-ref From 45f2ce8dbbf2170a3d89a6be3c99c916eabd8616 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 07:03:49 -0400 Subject: [PATCH 587/868] Bump platformdirs from 4.2.1 to 4.2.2 (#10982) Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.2.1 to 4.2.2. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](https://github.com/platformdirs/platformdirs/compare/4.2.1...4.2.2) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 88f303a0175c..f408bfb405d9 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -68,7 +68,7 @@ packaging==24.0 # sphinx pathspec==0.12.1 # via check-sdist -platformdirs==4.2.1; python_version >= "3.8" +platformdirs==4.2.2; python_version >= "3.8" # via virtualenv pluggy==1.5.0; python_version >= "3.8" # via pytest From f082cb135cf6b8935459d853e536604c603562d3 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 20:24:39 -0400 Subject: [PATCH 588/868] Bump BoringSSL and/or OpenSSL in CI (#10983) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12861cd46df5..725feea0823c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 15, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b8912d713cb82a748bbe63f28f28b17632c70964"}} - # Latest commit on the OpenSSL master branch, as of May 15, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6e469808501f52c7e8f8679d6c3290cf1c258b3"}} + # Latest commit on the BoringSSL master branch, as of May 16, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0355048ce0302fdeb4744dae4b8a156a38496150"}} + # Latest commit on the OpenSSL master branch, as of May 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a6afe2b29a7b77956ef888653849f8cc38e39106"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e862b71c2c7b3f884eae12ab05a247a14e96cae1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 16 May 2024 13:59:24 +0200 Subject: [PATCH 589/868] use statically linked nodejs in manylinux builders (#10986) * use statically linked nodejs in manylinux builders * word ordering * guessing, need sleep * make mac/win work too --- .github/workflows/wheel-builder.yml | 33 +++++++++++++++++------------ 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 18579f6c60fc..3dbae90b96ca 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -52,7 +52,11 @@ jobs: manylinux: needs: [sdist] runs-on: ${{ matrix.MANYLINUX.RUNNER }} - container: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }} + container: + image: ghcr.io/pyca/${{ matrix.MANYLINUX.CONTAINER }} + volumes: + - /staticnodehost:/staticnodecontainer:rw,rshared + - /staticnodehost:/__e/node20:ro,rshared strategy: fail-fast: false matrix: @@ -102,6 +106,9 @@ jobs: MANYLINUX: { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64]} name: "${{ matrix.PYTHON.VERSION }} for ${{ matrix.MANYLINUX.NAME }}" steps: + - name: Ridiculous-er workaround for static node20 + run: | + cp -R /staticnode/* /staticnodecontainer/ - name: Ridiculous alpine workaround for actions support on arm64 run: | # This modifies /etc/os-release so the JS actions @@ -112,7 +119,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -124,7 +131,7 @@ jobs: - name: Install Python dependencies run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: cryptography-sdist - run: mkdir tmpwheelhouse @@ -153,7 +160,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ @@ -212,7 +219,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -250,7 +257,7 @@ jobs: - name: Install Python dependencies run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: cryptography-sdist - run: mkdir wheelhouse @@ -278,7 +285,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -306,7 +313,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -315,7 +322,7 @@ jobs: ${{ env.BUILD_REQUIREMENTS_PATH }} sparse-checkout-cone-mode: false - - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: cryptography-sdist @@ -360,7 +367,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ From bada526017f9bf31cb3c3d8eab8c3b9dacf0cd81 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:19:49 -0400 Subject: [PATCH 590/868] Bump zipp from 3.18.1 to 3.18.2 in /.github/requirements (#10985) Bumps [zipp](https://github.com/jaraco/zipp) from 3.18.1 to 3.18.2. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.18.1...v3.18.2) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ee9ad52829d4..18bcc3eb4f18 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.18.1 \ - --hash=sha256:206f5a15f2af3dbaee80769fb7dc6f249695e940acca08dfb2a4769fe61e538b \ - --hash=sha256:2884ed22e7d8961de1c9a05142eb69a247f120291bc0206a00a7642f09b5b715 +zipp==3.18.2 \ + --hash=sha256:6278d9ddbcfb1f1089a88fde84481528b07b0e10474e09dcfe53dad4069fa059 \ + --hash=sha256:dce197b859eb796242b0622af1b8beb0a722d52aa2f57133ead08edd5bf5374e # via importlib-metadata From 34c8808112322f103e673c16697b70d51adbcacd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:28:34 -0400 Subject: [PATCH 591/868] Bump actions/upload-artifact from 3.1.3 to 4.3.3 (#10922) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.3 to 4.3.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3.1.3...65462800fd760344b1a7b4382951275a0abb4808) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 725feea0823c..6da76d9ddc97 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -475,14 +475,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: _html-rust-report path: rust-coverage From 3529e6196f1f431d6fb0adac06d1a6cf964c7379 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:28:49 -0400 Subject: [PATCH 592/868] Bump actions/checkout from 3.6.0 to 4.1.5 (#10952) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.6.0...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index b731d9188e1c..70ffe107a071 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 63c5fbe6e7cc..b88d1f789ea6 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6da76d9ddc97..531f841356b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,7 +54,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -179,7 +179,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -230,7 +230,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -294,7 +294,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -368,7 +368,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false @@ -412,7 +412,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index b06da096537f..ec684fbe053c 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 54cb62784a75..7277c5abfe41 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -39,7 +39,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 9b48b09eedfd..af42930dbdeb 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From aed6fefbe614881f7ddb396c93209c62b9acce48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 May 2024 08:29:49 -0400 Subject: [PATCH 593/868] Bump actions/download-artifact from 3.0.2 to 4.1.7 (#10924) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.2 to 4.1.7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v3.0.2...65a9edc5881444af0b9093a5e628f2fe47ea3b2e) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 531f841356b4..06509cb526d7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -432,7 +432,7 @@ jobs: if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: coverage-data-* merge-multiple: true From 38852224f455af1915a628542b930ad11d2a884c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 00:18:09 +0000 Subject: [PATCH 594/868] Bump BoringSSL and/or OpenSSL in CI (#10987) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 06509cb526d7..d120106f76c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 16, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "0355048ce0302fdeb4744dae4b8a156a38496150"}} - # Latest commit on the OpenSSL master branch, as of May 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a6afe2b29a7b77956ef888653849f8cc38e39106"}} + # Latest commit on the BoringSSL master branch, as of May 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5f9cb8feec2234952f6999af941ac48555710"}} + # Latest commit on the OpenSSL master branch, as of May 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "85ccbab216da245cf9a6503dd327072f21950d9b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 92696eceab23a87e90ca7c82161a9874540e796b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:05:23 -0400 Subject: [PATCH 595/868] Bump twine from 5.0.0 to 5.1.0 in /.github/requirements (#10992) Bumps [twine](https://github.com/pypa/twine) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/pypa/twine/releases) - [Changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/twine/compare/5.0.0...5.1.0) --- updated-dependencies: - dependency-name: twine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 18bcc3eb4f18..205e63929cc3 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -301,9 +301,9 @@ secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -twine==5.0.0 \ - --hash=sha256:89b0cc7d370a4b66421cc6102f269aa910fe0f1861c124f573cf2ddedbc10cf4 \ - --hash=sha256:a262933de0b484c53408f9edae2e7821c1c45a3314ff2df9bdd343aa7ab8edc0 +twine==5.1.0 \ + --hash=sha256:4d74770c88c4fcaf8134d2a6a9d863e40f08255ff7d8e2acb3cbbd57d25f6e9d \ + --hash=sha256:fe1d814395bfe50cfbe27783cb74efe93abeac3f66deaeb6c8390e4e92bacb43 # via -r publish-requirements.in urllib3==2.2.1 \ --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ From bc29d67490523be0fb8792bf677ff5c1e72e19a0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:05:40 -0400 Subject: [PATCH 596/868] Bump actions/checkout from 4.1.5 to 4.1.6 (#10991) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/44c2b7a8a4ea60a981eaca3cf939b5f4305c123b...a5ac7e51b41094c92402da3b24376905380afc29) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- .github/workflows/x509-limbo-version-bump.yml | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 70ffe107a071..83f0fd24e59a 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index b88d1f789ea6..84d260c3cc32 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d120106f76c4..15fc938c1cf4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,7 +54,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -179,7 +179,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -230,7 +230,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -294,7 +294,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -368,7 +368,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false @@ -412,7 +412,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index ec684fbe053c..cb6261e988f8 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 7277c5abfe41..63b9313e38be 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -39,7 +39,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 3dbae90b96ca..b69a7a94a312 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -119,7 +119,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -219,7 +219,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -313,7 +313,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index af42930dbdeb..424dae0c46b5 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From cddacf3f97421da99e2c5a2c612f70c27d21424b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:06:00 -0400 Subject: [PATCH 597/868] Bump actions/attest-build-provenance from 1.1.1 to 1.1.2 (#10990) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.1.1 to 1.1.2. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/951c0c5f8e375ad4efad33405ab77f7ded2358e4...173725a1209d09b31f9d30a3890cf2757ebbff0d) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 63b9313e38be..77524b95cdf0 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1 + - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 844c4099d7b0d6e7b4cf03c2a9140e3efc1afdd2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 07:06:28 -0400 Subject: [PATCH 598/868] Bump syn from 2.0.63 to 2.0.64 in /src/rust (#10989) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.63 to 2.0.64. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.63...2.0.64) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 656c1ba058f2..9a96e96544ac 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.63" +version = "2.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf5be731623ca1a1fb7d8be6f261a3be6d3e2337b8a1f97be944d020c8fcb704" +checksum = "7ad3dee41f36859875573074334c200d1add8e4a87bb37113ebd31d926b7b11f" dependencies = [ "proc-macro2", "quote", From 0b2a62f77db6ad1c2d9297ec3c4569aea4712a43 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 17 May 2024 21:12:06 -0400 Subject: [PATCH 599/868] Bump BoringSSL and/or OpenSSL in CI (#10993) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 15fc938c1cf4..377912a5387a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "2fb5f9cb8feec2234952f6999af941ac48555710"}} - # Latest commit on the OpenSSL master branch, as of May 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "85ccbab216da245cf9a6503dd327072f21950d9b"}} + # Latest commit on the BoringSSL master branch, as of May 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba62c812f01fb379f49f94a08a2d1282ce46e678"}} + # Latest commit on the OpenSSL master branch, as of May 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 83a74a8a49508b312771e8329a626af4c1607b69 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 18 May 2024 18:31:23 +0000 Subject: [PATCH 600/868] Bump actions/checkout in /.github/actions/fetch-vectors (#10994) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...a5ac7e51b41094c92402da3b24376905380afc29) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 79c7a27cce07..cfd5d62dd7b2 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From 0885eb3038c2efc96ddcc9bce28f653f7ed72121 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 18 May 2024 18:32:58 +0000 Subject: [PATCH 601/868] Bump libc from 0.2.154 to 0.2.155 in /src/rust (#10995) Bumps [libc](https://github.com/rust-lang/libc) from 0.2.154 to 0.2.155. - [Release notes](https://github.com/rust-lang/libc/releases) - [Commits](https://github.com/rust-lang/libc/compare/0.2.154...0.2.155) --- updated-dependencies: - dependency-name: libc dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9a96e96544ac..fc2501a58051 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -158,9 +158,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "libc" -version = "0.2.154" +version = "0.2.155" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae743338b92ff9146ce83992f766a31066a91a8c84a45e0e9f21e7cf6de6d346" +checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" [[package]] name = "lock_api" From 80467e70ff87fd4e61a25c44d7ce5deaa3bef499 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 19 May 2024 17:50:29 +0000 Subject: [PATCH 602/868] Bump cc from 1.0.97 to 1.0.98 in /src/rust (#10997) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.97 to 1.0.98. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.97...1.0.98) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fc2501a58051..716834fcb2dd 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.97" +version = "1.0.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "099a5357d84c4c61eb35fc8eafa9a79a902c2f76911e5747ced4e032edd8d9b4" +checksum = "41c270e7540d725e65ac7f1b212ac8ce349719624d7bcff99f8e2e488e8cf03f" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 75ebabb72847..1d1e059d4e73 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.97" +cc = "1.0.98" From 3becd183df8b3ef18da252d20e5657776f9fa464 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 11:25:02 +0000 Subject: [PATCH 603/868] Bump syn from 2.0.64 to 2.0.65 in /src/rust (#10998) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.64 to 2.0.65. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.64...2.0.65) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 716834fcb2dd..6c115698b298 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.64" +version = "2.0.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ad3dee41f36859875573074334c200d1add8e4a87bb37113ebd31d926b7b11f" +checksum = "d2863d96a84c6439701d7a38f9de935ec562c8832cc55d1dde0f513b52fad106" dependencies = [ "proc-macro2", "quote", From 52f6487d7b62a89412fdf1bb32ddc517f864ef3c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 11:25:20 +0000 Subject: [PATCH 604/868] Bump proc-macro2 from 1.0.82 to 1.0.83 in /src/rust (#10999) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.82 to 1.0.83. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.82...1.0.83) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6c115698b298..4eb8d766431f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.82" +version = "1.0.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ad3d49ab951a01fbaafe34f2ec74122942fe18a3f9814c3268f1bb72042131b" +checksum = "0b33eb56c327dec362a9e55b3ad14f9d2f0904fb5a5b03b513ab5465399e9f43" dependencies = [ "unicode-ident", ] From fa34f9b62e8a44e274cc3bba6e3e537674bcc305 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 11:25:50 +0000 Subject: [PATCH 605/868] Bump pytest from 8.2.0 to 8.2.1 (#11000) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.2.0 to 8.2.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.2.0...8.2.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f408bfb405d9..6b544b7f8d67 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.18.0 # sphinx pyproject-hooks==1.1.0 # via build -pytest==8.2.0; python_version >= "3.8" +pytest==8.2.1; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From 8642d4e7db432a2bda4b57336a406370715ae0d8 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 21 May 2024 00:15:06 +0000 Subject: [PATCH 606/868] Bump BoringSSL and/or OpenSSL in CI (#11001) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 377912a5387a..48d17989fe86 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "ba62c812f01fb379f49f94a08a2d1282ce46e678"}} + # Latest commit on the BoringSSL master branch, as of May 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "58745d61afe244a37941d391f5dec3ab08f5cf2c"}} # Latest commit on the OpenSSL master branch, as of May 18, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}} # Builds with various Rust versions. Includes MSRV and next From 6e66965a1fa65a81efc9c6a3222738d0b855a764 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 May 2024 21:09:49 -0400 Subject: [PATCH 607/868] --- (#11002) updated-dependencies: - dependency-name: requests dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6b544b7f8d67..bd9f4bf692e6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) readme-renderer==43.0 # via cryptography (pyproject.toml) -requests==2.31.0 +requests==2.32.0 # via sphinx ruff==0.4.4 # via cryptography (pyproject.toml) From 7229c02e63c6715f60b19058abe2a1f2b23e683f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 May 2024 11:05:16 +0000 Subject: [PATCH 608/868] --- (#11003) updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bd9f4bf692e6..d49cc1fa0f27 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) readme-renderer==43.0 # via cryptography (pyproject.toml) -requests==2.32.0 +requests==2.32.1 # via sphinx ruff==0.4.4 # via cryptography (pyproject.toml) From 55ab336921f59ea3cb4a00f06022e900dd8185df Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 00:04:49 +0000 Subject: [PATCH 609/868] --- (#11004) updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d49cc1fa0f27..f832649c94b6 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) readme-renderer==43.0 # via cryptography (pyproject.toml) -requests==2.32.1 +requests==2.32.2 # via sphinx ruff==0.4.4 # via cryptography (pyproject.toml) From 6eb66960a05da2ac4aef1f4eaca9abfa5e5558fe Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 00:14:22 +0000 Subject: [PATCH 610/868] Bump BoringSSL and/or OpenSSL in CI (#11006) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48d17989fe86..fc3f61c658ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "58745d61afe244a37941d391f5dec3ab08f5cf2c"}} + # Latest commit on the BoringSSL master branch, as of May 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfcab2aa518899ce71e7ffbc23bb22c4ef51858f"}} # Latest commit on the OpenSSL master branch, as of May 18, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}} # Builds with various Rust versions. Includes MSRV and next From f9ee70a1556bc834f0b31edf533ad0a055e85c7f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 May 2024 20:16:59 -0400 Subject: [PATCH 611/868] --- (#11005) updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 1d3feb3e1960..6474acf80afd 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==69.5.1 \ - --hash=sha256:6c1fccdac05a97e598fb0ae3bbed5904ccb317337a51139dcd51453611bbb987 \ - --hash=sha256:c636ac361bc47580504644275c9ad802c50415c7522212252c033bd15f301f32 +setuptools==70.0.0 \ + --hash=sha256:54faa7f2e8d2d11bcd2c07bed282eef1046b5c080d1c32add737d7b5817b1ad4 \ + --hash=sha256:f211a66637b8fa059bb28183da127d4e86396c991a942b028c6650d4319c3fd0 # via # -r build-requirements.in # setuptools-rust From 2dca2003b87b0d02d65feb65331fc9c12ceb219a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 00:29:42 +0000 Subject: [PATCH 612/868] Bump x509-limbo and/or wycheproof in CI (#11007) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index cfd5d62dd7b2..1cb4b84f45a1 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 15, 2024. - ref: "fed2bc2b3901c737cb125f62d571a613d502916c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 22, 2024. + ref: "713f7425c115d360111ddfe1cb35348a804cc3b8" # x509-limbo-ref From ef03fd949572c3551cfc2cf2bdd1f7513971bc2c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 07:35:34 -0400 Subject: [PATCH 613/868] --- (#11010) updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 205e63929cc3..d4b74ff445a0 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -278,9 +278,9 @@ readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 # via twine -requests==2.31.0 \ - --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \ - --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1 +requests==2.32.2 \ + --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \ + --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c # via # -r publish-requirements.in # requests-toolbelt From 6ebed7589db5be40e153ac44bd19ffa107488183 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 22 May 2024 07:45:07 -0400 Subject: [PATCH 614/868] Stop building x86-64 macOS wheels, only build universal2 (#11011) The original motivation for building both universal and x86-64 wheels was for metrics. I can now report that universal2 are about 99% of the wheel downloads for 42.0.5 --- .github/workflows/wheel-builder.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index b69a7a94a312..cb99a4ee5351 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -196,16 +196,6 @@ jobs: # This will change in the future as we change the base Python we # build against _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - - VERSION: '3.11' - ABI_VERSION: 'cp37' - DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' - BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' - DEPLOYMENT_TARGET: '10.12' - # We continue to build a non-universal2 for a bit to see metrics on - # download counts (this is a proxy for pip version since universal2 - # requires a 21.x pip) - ARCHFLAGS: '-arch x86_64' - _PYTHON_HOST_PLATFORM: 'macosx-10.9-x86_64' - VERSION: 'pypy-3.9' BIN_PATH: 'pypy3' DEPLOYMENT_TARGET: '10.12' From 760bc828245220b7d4f4cacf2dac5a1f50f9cb7b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 22 May 2024 09:26:30 -0400 Subject: [PATCH 615/868] Stop building musllinux 1.1 wheels, only build 1.2 (#11012) Over 96% of our musl downloads are 1.2. The last version of alpine linux that shipped 1.1 was alpine 3.12, which has been EOL for 2 years. --- .github/workflows/wheel-builder.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index cb99a4ee5351..0f16ae6be96f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -68,24 +68,13 @@ jobs: MANYLINUX: - { NAME: "manylinux2014_x86_64", CONTAINER: "cryptography-manylinux2014:x86_64", RUNNER: "ubuntu-latest" } - { NAME: "manylinux_2_28_x86_64", CONTAINER: "cryptography-manylinux_2_28:x86_64", RUNNER: "ubuntu-latest"} - - { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - { NAME: "manylinux2014_aarch64", CONTAINER: "cryptography-manylinux2014_aarch64", RUNNER: [self-hosted, Linux, ARM64] } - { NAME: "manylinux_2_28_aarch64", CONTAINER: "cryptography-manylinux_2_28:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - { NAME: "musllinux_1_2_aarch64", CONTAINER: "cryptography-musllinux_1_2:aarch64", RUNNER: [self-hosted, Linux, ARM64]} exclude: # There are no readily available musllinux PyPy distributions - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_x86_64", CONTAINER: "cryptography-musllinux_1_1:x86_64", RUNNER: "ubuntu-latest"} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - PYTHON: { VERSION: "pp310-pypy310_pp73" } - MANYLINUX: { NAME: "musllinux_1_1_aarch64", CONTAINER: "cryptography-musllinux_1_1:aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - PYTHON: { VERSION: "pp39-pypy39_pp73" } MANYLINUX: { NAME: "musllinux_1_2_x86_64", CONTAINER: "cryptography-musllinux_1_2:x86_64", RUNNER: "ubuntu-latest"} - PYTHON: { VERSION: "pp310-pypy310_pp73" } From 916ddfc2990ca339b95da158c16ec40f2ac191f7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 23 May 2024 00:16:04 +0000 Subject: [PATCH 616/868] Bump BoringSSL and/or OpenSSL in CI (#11013) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fc3f61c658ac..a9577a9bd0e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfcab2aa518899ce71e7ffbc23bb22c4ef51858f"}} - # Latest commit on the OpenSSL master branch, as of May 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "45f5d51b72a262bf85c4461fbded91485ce6b9da"}} + # Latest commit on the BoringSSL master branch, as of May 23, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d7278cebad5b8eda0901246f2215344cffece4f4"}} + # Latest commit on the OpenSSL master branch, as of May 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9e084f139c53ce133e66aba2f523c680141c0e6"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f914ccfe992156ba99d9b01d1f39dfe3634398b0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 21:16:11 -0400 Subject: [PATCH 617/868] Bump x509-limbo and/or wycheproof in CI (#11014) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 1cb4b84f45a1..671b966a3833 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 22, 2024. - ref: "713f7425c115d360111ddfe1cb35348a804cc3b8" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of May 23, 2024. + ref: "d879dc2a91836aebe9f558f4cc5bf183e3d19552" # x509-limbo-ref From 63ab0d402ce2ff9a1877174927ddec26b0141312 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 May 2024 06:50:36 -0400 Subject: [PATCH 618/868] Bump ruff from 0.4.4 to 0.4.5 (#11015) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.4 to 0.4.5. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.4...v0.4.5) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index f832649c94b6..9a85d944b6db 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.2 # via sphinx -ruff==0.4.4 +ruff==0.4.5 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 5c1aab37f149eb8891837abc9641a64139cf65c1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 00:21:57 +0000 Subject: [PATCH 619/868] Bump BoringSSL and/or OpenSSL in CI (#11016) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9577a9bd0e8..e343d4beb693 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 23, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d7278cebad5b8eda0901246f2215344cffece4f4"}} + # Latest commit on the BoringSSL master branch, as of May 24, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03982b4cfadca0e650b384c9539b2fdb5f8aa012"}} # Latest commit on the OpenSSL master branch, as of May 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9e084f139c53ce133e66aba2f523c680141c0e6"}} # Builds with various Rust versions. Includes MSRV and next From b15b9013dc25cdad83ca19d654c4f12d394e9058 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 24 May 2024 00:37:51 -0400 Subject: [PATCH 620/868] Remove various pointless to_object calls (#11017) --- src/rust/src/asn1.rs | 3 +-- src/rust/src/backend/ec.rs | 4 +--- src/rust/src/x509/certificate.rs | 14 +++++--------- src/rust/src/x509/common.rs | 21 ++++++++------------- 4 files changed, 15 insertions(+), 27 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 98f0190d6a6e..07fcf72c46c2 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -75,8 +75,7 @@ pub(crate) fn py_uint_to_big_endian_bytes<'p>( py: pyo3::Python<'p>, v: pyo3::Bound<'p, pyo3::types::PyLong>, ) -> pyo3::PyResult { - let zero = (0).to_object(py); - if v.lt(zero)? { + if v.lt(0)? { return Err(pyo3::exceptions::PyValueError::new_err( "Negative integers are not supported", )); diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 237a57033dfe..d808a275eb06 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -6,7 +6,6 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyModuleMethods}; -use pyo3::ToPyObject; use crate::backend::utils; use crate::buf::CffiBuf; @@ -482,8 +481,7 @@ fn public_key_from_numbers( numbers: &EllipticCurvePublicNumbers, curve: &openssl::ec::EcGroupRef, ) -> CryptographyResult> { - let zero = (0).to_object(py); - if numbers.x.bind(py).lt(&zero)? || numbers.y.bind(py).lt(&zero)? { + if numbers.x.bind(py).lt(0)? || numbers.y.bind(py).lt(0)? { return Err(CryptographyError::from( pyo3::exceptions::PyValueError::new_err( "Invalid EC key. Both x and y must be non-negative.", diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 79f1e72732bf..88eb15e637d1 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -527,7 +527,7 @@ fn parse_user_notice( let org = parse_display_text(py, data.organization)?; let numbers = pyo3::types::PyList::empty_bound(py); for num in data.notice_numbers.unwrap_read().clone() { - numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?.to_object(py))?; + numbers.append(big_byte_slice_to_py_int(py, num.as_bytes())?)?; } types::NOTICE_REFERENCE .get(py)? @@ -580,7 +580,7 @@ fn parse_cp( let cp = ext.value::>>()?; let certificate_policies = pyo3::types::PyList::empty_bound(py); for policyinfo in cp { - let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?.to_object(py); + let pi_oid = oid_to_py_oid(py, &policyinfo.policy_identifier)?; let py_pqis = match policyinfo.policy_qualifiers { Some(policy_qualifiers) => { parse_policy_qualifiers(py, policy_qualifiers.unwrap_read())? @@ -589,8 +589,7 @@ fn parse_cp( }; let pi = types::POLICY_INFORMATION .get(py)? - .call1((pi_oid, py_pqis))? - .to_object(py); + .call1((pi_oid, py_pqis))?; certificate_policies.append(pi)?; } Ok(certificate_policies.to_object(py)) @@ -722,10 +721,7 @@ pub(crate) fn parse_access_descriptions( for access in parsed.unwrap_read().clone() { let py_oid = oid_to_py_oid(py, &access.access_method)?.to_object(py); let gn = x509::parse_general_name(py, access.access_location)?; - let ad = types::ACCESS_DESCRIPTION - .get(py)? - .call1((py_oid, gn))? - .to_object(py); + let ad = types::ACCESS_DESCRIPTION.get(py)?.call1((py_oid, gn))?; ads.append(ad)?; } Ok(ads.to_object(py)) @@ -755,7 +751,7 @@ pub fn parse_cert_ext<'p>( let features = pyo3::types::PyList::empty_bound(py); for feature in ext.value::>()? { - let py_feature = tls_feature_type_to_enum.get_item(feature.to_object(py))?; + let py_feature = tls_feature_type_to_enum.get_item(feature)?; features.append(py_feature)?; } Ok(Some(types::TLS_FEATURE.get(py)?.call1((features,))?)) diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 820bf91b69c6..89baee082673 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -198,17 +198,12 @@ fn parse_name_attribute( py: pyo3::Python<'_>, attribute: AttributeTypeValue<'_>, ) -> Result { - let oid = oid_to_py_oid(py, &attribute.type_id)?.to_object(py); - let tag_val = attribute - .value - .tag() - .as_u8() - .ok_or_else(|| { - CryptographyError::from(pyo3::exceptions::PyValueError::new_err( - "Long-form tags are not supported in NameAttribute values", - )) - })? - .to_object(py); + let oid = oid_to_py_oid(py, &attribute.type_id)?; + let tag_val = attribute.value.tag().as_u8().ok_or_else(|| { + CryptographyError::from(pyo3::exceptions::PyValueError::new_err( + "Long-form tags are not supported in NameAttribute values", + )) + })?; let py_tag = types::ASN1_TYPE_TO_ENUM.get(py)?.get_item(tag_val)?; let py_data = match attribute.value.tag().as_u8() { // BitString tag value @@ -257,7 +252,7 @@ pub(crate) fn parse_general_name( ) -> Result { let py_gn = match gn { GeneralName::OtherName(data) => { - let oid = oid_to_py_oid(py, &data.type_id)?.to_object(py); + let oid = oid_to_py_oid(py, &data.type_id)?; types::OTHER_NAME .get(py)? .call1((oid, data.value.full_data()))? @@ -293,7 +288,7 @@ pub(crate) fn parse_general_name( } } GeneralName::RegisteredID(data) => { - let oid = oid_to_py_oid(py, &data)?.to_object(py); + let oid = oid_to_py_oid(py, &data)?; types::REGISTERED_ID.get(py)?.call1((oid,))?.to_object(py) } _ => { From 8da12c89d8ba8d1442181b408c75339cf43dc14a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 13:37:28 +0300 Subject: [PATCH 621/868] Bump syn from 2.0.65 to 2.0.66 in /src/rust (#11018) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.65 to 2.0.66. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.65...2.0.66) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4eb8d766431f..6098d7e1d606 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.65" +version = "2.0.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2863d96a84c6439701d7a38f9de935ec562c8832cc55d1dde0f513b52fad106" +checksum = "c42f3f41a2de00b01c0aaad383c5a45241efc8b2d1eda5661812fda5f3cdcff5" dependencies = [ "proc-macro2", "quote", From 6a95dbbb358f2942c283b996c112f9c833dca319 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 07:15:38 -0400 Subject: [PATCH 622/868] Bump typing-extensions from 4.11.0 to 4.12.0 (#11019) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.11.0 to 4.12.0. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.11.0...4.12.0) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9a85d944b6db..0d20b76fa087 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.11.0; python_version >= "3.8" +typing-extensions==4.12.0; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 8d41b3227b09068d088e8e2668f6249ca68150f1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 20:49:01 -0400 Subject: [PATCH 623/868] Bump BoringSSL and/or OpenSSL in CI (#11020) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e343d4beb693..662299f022f1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 24, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "03982b4cfadca0e650b384c9539b2fdb5f8aa012"}} - # Latest commit on the OpenSSL master branch, as of May 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b9e084f139c53ce133e66aba2f523c680141c0e6"}} + # Latest commit on the BoringSSL master branch, as of May 25, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "afd52e91dfed27ab7193be040f067900947b14ac"}} + # Latest commit on the OpenSSL master branch, as of May 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "05faa4ffee7f20fcee129f77d153f2dcc609bdc8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 84c489db9a4576379ad61d6dc022d6c8a2eb6a0b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 25 May 2024 12:48:43 +0000 Subject: [PATCH 624/868] Bump parking_lot from 0.12.2 to 0.12.3 in /src/rust (#11021) Bumps [parking_lot](https://github.com/Amanieu/parking_lot) from 0.12.2 to 0.12.3. - [Changelog](https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md) - [Commits](https://github.com/Amanieu/parking_lot/compare/0.12.2...0.12.3) --- updated-dependencies: - dependency-name: parking_lot dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 6098d7e1d606..2ebf6fda979e 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -227,9 +227,9 @@ dependencies = [ [[package]] name = "parking_lot" -version = "0.12.2" +version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e4af0ca4f6caed20e900d564c242b8e5d4903fdacf31d3daf527b66fe6f42fb" +checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" dependencies = [ "lock_api", "parking_lot_core", From 0e003c58ea4247f9599072cebeb5d7d28c207560 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 May 2024 00:10:47 +0000 Subject: [PATCH 625/868] Bump proc-macro2 from 1.0.83 to 1.0.84 in /src/rust (#11024) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.83 to 1.0.84. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.83...1.0.84) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 2ebf6fda979e..03d6df0e2415 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.83" +version = "1.0.84" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b33eb56c327dec362a9e55b3ad14f9d2f0904fb5a5b03b513ab5465399e9f43" +checksum = "ec96c6a92621310b51366f1e28d05ef11489516e93be030060e5fc12024a49d6" dependencies = [ "unicode-ident", ] From 3d4f58c5f5016a98f6855f301914c2c0e18f1383 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 May 2024 11:16:53 +0000 Subject: [PATCH 626/868] Bump coverage from 7.5.1 to 7.5.2 (#11028) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.1 to 7.5.2. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.1...7.5.2) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 0d20b76fa087..959f26831fbd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.1; python_version >= "3.8" +coverage==7.5.2; python_version >= "3.8" # via # coverage # pytest-cov From a7444220875afd1ff7e83e3adb5366ba6853c2ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 May 2024 11:19:26 +0000 Subject: [PATCH 627/868] Bump zipp from 3.18.2 to 3.19.0 in /.github/requirements (#11029) Bumps [zipp](https://github.com/jaraco/zipp) from 3.18.2 to 3.19.0. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.18.2...v3.19.0) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index d4b74ff445a0..df9c95e55004 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.18.2 \ - --hash=sha256:6278d9ddbcfb1f1089a88fde84481528b07b0e10474e09dcfe53dad4069fa059 \ - --hash=sha256:dce197b859eb796242b0622af1b8beb0a722d52aa2f57133ead08edd5bf5374e +zipp==3.19.0 \ + --hash=sha256:952df858fb3164426c976d9338d3961e8e8b3758e2e059e0f754b8c4262625ee \ + --hash=sha256:96dc6ad62f1441bcaccef23b274ec471518daf4fbbc580341204936a5a3dddec # via importlib-metadata From 5dc620daa44a084e5b0d025c9472abec6047487f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 27 May 2024 16:00:44 +0300 Subject: [PATCH 628/868] document creating a CA hierarchy: root -> int -> ee (#11031) * document creating a CA hierarchy: root -> int -> ee * fix things --- docs/x509/tutorial.rst | 192 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index 45729f28ce15..a71ed1e64f79 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst @@ -150,6 +150,198 @@ Then we generate the certificate itself: And now we have a private key and certificate that can be used for local testing. +Creating a CA hierarchy +----------------------- + +When building your own root hierarchy you need to generate a CA and then +issue certificates (typically intermediates) using it. This example shows +how to generate a root CA, a signing intermediate, and issues a leaf +certificate off that intermediate. X.509 is a complex specification so +this example will require adaptation (typically different extensions) +for specific operating environments. + +Note that this example does not add CRL distribution point or OCSP AIA +extensions, nor does it save the key/certs to persistent storage. + +.. doctest:: + + >>> import datetime + >>> from cryptography.hazmat.primitives.asymmetric import ec + >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.x509.oid import NameOID + >>> from cryptography import x509 + >>> # Generate our key + >>> root_key = ec.generate_private_key(ec.SECP256R1()) + >>> subject = issuer = x509.Name([ + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... x509.NameAttribute(NameOID.COMMON_NAME, "PyCA Docs Root CA"), + ... ]) + >>> root_cert = x509.CertificateBuilder().subject_name( + ... subject + ... ).issuer_name( + ... issuer + ... ).public_key( + ... root_key.public_key() + ... ).serial_number( + ... x509.random_serial_number() + ... ).not_valid_before( + ... datetime.datetime.now(datetime.timezone.utc) + ... ).not_valid_after( + ... # Our certificate will be valid for ~10 years + ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365*10) + ... ).add_extension( + ... x509.BasicConstraints(ca=True, path_length=None), + ... critical=True, + ... ).add_extension( + ... x509.KeyUsage( + ... digital_signature=True, + ... content_commitment=False, + ... key_encipherment=False, + ... data_encipherment=False, + ... key_agreement=False, + ... key_cert_sign=True, + ... crl_sign=True, + ... encipher_only=False, + ... decipher_only=False, + ... ), + ... critical=True, + ... ).add_extension( + ... x509.SubjectKeyIdentifier.from_public_key(root_key.public_key()), + ... critical=False, + ... ).sign(root_key, hashes.SHA256()) + +With a root certificate created we now want to create our intermediate. + +.. doctest:: + + >>> # Generate our intermediate key + >>> int_key = ec.generate_private_key(ec.SECP256R1()) + >>> subject = x509.Name([ + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... x509.NameAttribute(NameOID.COMMON_NAME, "PyCA Docs Intermediate CA"), + ... ]) + >>> int_cert = x509.CertificateBuilder().subject_name( + ... subject + ... ).issuer_name( + ... root_cert.subject + ... ).public_key( + ... int_key.public_key() + ... ).serial_number( + ... x509.random_serial_number() + ... ).not_valid_before( + ... datetime.datetime.now(datetime.timezone.utc) + ... ).not_valid_after( + ... # Our intermediate will be valid for ~3 years + ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365*3) + ... ).add_extension( + ... # Allow no further intermediates (path length 0) + ... x509.BasicConstraints(ca=True, path_length=0), + ... critical=True, + ... ).add_extension( + ... x509.KeyUsage( + ... digital_signature=True, + ... content_commitment=False, + ... key_encipherment=False, + ... data_encipherment=False, + ... key_agreement=False, + ... key_cert_sign=True, + ... crl_sign=True, + ... encipher_only=False, + ... decipher_only=False, + ... ), + ... critical=True, + ... ).add_extension( + ... x509.SubjectKeyIdentifier.from_public_key(int_key.public_key()), + ... critical=False, + ... ).add_extension( + ... x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + ... root_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ... ), + ... critical=False, + ... ).sign(root_key, hashes.SHA256()) + +Now we can issue an end entity certificate off this chain. + +.. doctest:: + + >>> ee_key = ec.generate_private_key(ec.SECP256R1()) + >>> subject = x509.Name([ + ... x509.NameAttribute(NameOID.COUNTRY_NAME, "US"), + ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"), + ... x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"), + ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"), + ... ]) + >>> ee_cert = x509.CertificateBuilder().subject_name( + ... subject + ... ).issuer_name( + ... int_cert.subject + ... ).public_key( + ... ee_key.public_key() + ... ).serial_number( + ... x509.random_serial_number() + ... ).not_valid_before( + ... datetime.datetime.now(datetime.timezone.utc) + ... ).not_valid_after( + ... # Our cert will be valid for 10 days + ... datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10) + ... ).add_extension( + ... x509.SubjectAlternativeName([ + ... # Describe what sites we want this certificate for. + ... x509.DNSName("cryptography.io"), + ... x509.DNSName("www.cryptography.io"), + ... ]), + ... critical=False, + ... ).add_extension( + ... x509.BasicConstraints(ca=False, path_length=None), + ... critical=True, + ... ).add_extension( + ... x509.KeyUsage( + ... digital_signature=True, + ... content_commitment=False, + ... key_encipherment=True, + ... data_encipherment=False, + ... key_agreement=False, + ... key_cert_sign=False, + ... crl_sign=True, + ... encipher_only=False, + ... decipher_only=False, + ... ), + ... critical=True, + ... ).add_extension( + ... x509.ExtendedKeyUsage([ + ... x509.ExtendedKeyUsageOID.CLIENT_AUTH, + ... x509.ExtendedKeyUsageOID.SERVER_AUTH, + ... ]), + ... critical=False, + ... ).add_extension( + ... x509.SubjectKeyIdentifier.from_public_key(ee_key.public_key()), + ... critical=False, + ... ).add_extension( + ... x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + ... int_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value + ... ), + ... critical=False, + ... ).sign(int_key, hashes.SHA256()) + +And finally we use the verification APIs to validate the chain. + +.. doctest:: + + >>> from cryptography.x509 import DNSName + >>> from cryptography.x509.verification import PolicyBuilder, Store + >>> store = Store([root_cert]) + >>> builder = PolicyBuilder().store(store) + >>> verifier = builder.build_server_verifier(DNSName("cryptography.io")) + >>> chain = verifier.verify(ee_cert, [int_cert]) + >>> len(chain) + 3 + Determining Certificate or Certificate Signing Request Key Type --------------------------------------------------------------- From 7f515fc43cbd59c0b55cea3f0aa90cb00de972e1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 27 May 2024 16:09:56 +0300 Subject: [PATCH 629/868] re-add branch we dropped in the past (#11030) * re-add branch we dropped in the past * add the test * test all key types * Update src/rust/src/backend/utils.rs Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- src/rust/src/backend/utils.rs | 7 +++++++ tests/hazmat/primitives/test_ec.py | 18 ++++++++++++++++++ tests/hazmat/primitives/test_rsa.py | 15 +++++++++++++++ 3 files changed, 40 insertions(+) diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 21b47a044a67..264ccf67053b 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -145,6 +145,13 @@ pub(crate) fn pkey_private_bytes<'p>( } if format.is(&types::PRIVATE_FORMAT_TRADITIONAL_OPENSSL.get(py)?) { + if cryptography_openssl::fips::is_enabled() && !password.is_empty() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Encrypted traditional OpenSSL format is not supported in FIPS mode", + ), + )); + } if let Ok(rsa) = pkey.rsa() { if encoding.is(&types::ENCODING_PEM.get(py)?) { let pem_bytes = if password.is_empty() { diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 08178c232466..d33fd104cd53 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -773,6 +773,24 @@ def test_private_bytes_encrypted_pem(self, backend, fmt, password): priv_num = key.private_numbers() assert loaded_priv_num == priv_num + @pytest.mark.supported( + only_if=lambda backend: backend._fips_enabled, + skip_message="Requires FIPS", + ) + def test_traditional_serialization_fips(self, backend): + key_bytes = load_vectors_from_file( + os.path.join("asymmetric", "PKCS8", "ec_private_key.pem"), + lambda pemfile: pemfile.read().encode(), + ) + key = serialization.load_pem_private_key(key_bytes, None, backend) + assert isinstance(key, ec.EllipticCurvePrivateKey) + with pytest.raises(ValueError): + key.private_bytes( + serialization.Encoding.PEM, + serialization.PrivateFormat.TraditionalOpenSSL, + serialization.BestAvailableEncryption(b"password"), + ) + @pytest.mark.parametrize( ("encoding", "fmt"), [ diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 3ce55b48c10c..ddd1dad5c41f 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -2432,6 +2432,21 @@ def test_private_bytes_encrypted_pem( priv_num = key.private_numbers() assert loaded_priv_num == priv_num + @pytest.mark.supported( + only_if=lambda backend: backend._fips_enabled, + skip_message="Requires FIPS", + ) + def test_traditional_serialization_fips( + self, rsa_key_2048: rsa.RSAPrivateKey, backend + ): + key = rsa_key_2048 + with pytest.raises(ValueError): + key.private_bytes( + serialization.Encoding.PEM, + serialization.PrivateFormat.TraditionalOpenSSL, + serialization.BestAvailableEncryption(b"password"), + ) + @pytest.mark.parametrize( ("encoding", "fmt"), [ From 97e7d54ecd6b3f51c226eaf54507dedd0478b325 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 00:16:22 +0000 Subject: [PATCH 630/868] Bump BoringSSL and/or OpenSSL in CI (#11032) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 662299f022f1..67c394c3e82f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 25, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "afd52e91dfed27ab7193be040f067900947b14ac"}} - # Latest commit on the OpenSSL master branch, as of May 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "05faa4ffee7f20fcee129f77d153f2dcc609bdc8"}} + # Latest commit on the BoringSSL master branch, as of May 29, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e09fcf8302f75dc50afcfe40f0d59a92b40a3c2e"}} + # Latest commit on the OpenSSL master branch, as of May 29, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36ba419286843bcaeb497b3451540ab7587cf9d2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 00588efa0c56283e848a3aa1131a6dce4c5dc638 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 02:59:27 +0000 Subject: [PATCH 631/868] Bump ruff from 0.4.5 to 0.4.6 (#11033) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.5 to 0.4.6. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.5...v0.4.6) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 959f26831fbd..a739015a4a8c 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.2 # via sphinx -ruff==0.4.5 +ruff==0.4.6 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From da5d6e73d82e6a3acb682399e7049ca6f0af9eaa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 May 2024 03:00:02 +0000 Subject: [PATCH 632/868] Bump coverage from 7.5.2 to 7.5.3 (#11034) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.2 to 7.5.3. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.2...7.5.3) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a739015a4a8c..27e66e3aec3f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.2; python_version >= "3.8" +coverage==7.5.3; python_version >= "3.8" # via # coverage # pytest-cov From 34f394b6811371da8fec4260062492148f46be5e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 23:04:54 -0400 Subject: [PATCH 633/868] Bump backports-tarfile from 1.1.1 to 1.2.0 in /.github/requirements (#11035) Bumps [backports-tarfile](https://github.com/jaraco/backports.tarfile) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/jaraco/backports.tarfile/releases) - [Changelog](https://github.com/jaraco/backports.tarfile/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/backports.tarfile/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: backports-tarfile dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index df9c95e55004..23b7a6e46721 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -4,9 +4,9 @@ # # pip-compile --generate-hashes publish-requirements.in # -backports-tarfile==1.1.1 \ - --hash=sha256:73e0179647803d3726d82e76089d01d8549ceca9bace469953fcb4d97cf2d417 \ - --hash=sha256:9c2ef9696cb73374f7164e17fc761389393ca76777036f5aad42e8b93fcd8009 +backports-tarfile==1.2.0 \ + --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ + --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context certifi==2024.2.2 \ --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ From fac1188ea8e27cce98d6d555cc2a5a00aaaa1e42 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 00:18:08 +0000 Subject: [PATCH 634/868] Bump BoringSSL and/or OpenSSL in CI (#11039) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67c394c3e82f..519439a5de1a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 29, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e09fcf8302f75dc50afcfe40f0d59a92b40a3c2e"}} - # Latest commit on the OpenSSL master branch, as of May 29, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36ba419286843bcaeb497b3451540ab7587cf9d2"}} + # Latest commit on the BoringSSL master branch, as of May 30, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9540c0452343e684f94515288880b6b35655f792"}} + # Latest commit on the OpenSSL master branch, as of May 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6b307d860832d3a76be20a693b92a71c83a3055"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From fdfc524dd8c94a65d75a7033eb96ee992b7bd6ab Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 29 May 2024 22:18:36 -0400 Subject: [PATCH 635/868] Fixes #11037 -- work around RFC 4055's inane notions of DER (#11038) --- .../src/policy/mod.rs | 6 +++--- src/rust/cryptography-x509/src/common.rs | 13 +++++++++++-- src/rust/src/x509/sign.rs | 2 +- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 22f5a13dc0aa..5616a83a8ceb 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -97,7 +97,7 @@ static RSASSA_PSS_SHA256: Lazy> = Lazy::new(|| Algorithm hash_algorithm: PSS_SHA256_HASH_ALG, mask_gen_algorithm: PSS_SHA256_MASK_GEN_ALG, salt_length: 32, - _trailer_field: 1, + _trailer_field: None, }))), }); @@ -108,7 +108,7 @@ static RSASSA_PSS_SHA384: Lazy> = Lazy::new(|| Algorithm hash_algorithm: PSS_SHA384_HASH_ALG, mask_gen_algorithm: PSS_SHA384_MASK_GEN_ALG, salt_length: 48, - _trailer_field: 1, + _trailer_field: None, }))), }); @@ -119,7 +119,7 @@ static RSASSA_PSS_SHA512: Lazy> = Lazy::new(|| Algorithm hash_algorithm: PSS_SHA512_HASH_ALG, mask_gen_algorithm: PSS_SHA512_MASK_GEN_ALG, salt_length: 64, - _trailer_field: 1, + _trailer_field: None, }))), }); diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 9eea5ff7bca8..fa7e3ec77098 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -367,9 +367,18 @@ pub struct RsaPssParameters<'a> { #[explicit(2)] #[default(20u16)] pub salt_length: u16, + // While the RFC describes this field as `DEFAULT 1`, it also states that + // parsers must accept this field being encoded with a value of 1, in + // conflict with DER's requirement that field DEFAULT values not be + // encoded. Thus we just treat this as an optional field. + // + // Users of this struct should supply `None` to indicate the DEFAULT value + // of 1, or `Some` to indicate a different value. Note that if you supply + // `Some(1)` this will result in encoding a violation of the DER rules, + // thus this should never be done except to round-trip an existing + // structure. #[explicit(3)] - #[default(1u8)] - pub _trailer_field: u8, + pub _trailer_field: Option, } // https://datatracker.ietf.org/doc/html/rfc3279#section-2.3.2 diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index f8068c9835dc..a97627cd215e 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -163,7 +163,7 @@ pub(crate) fn compute_signature_algorithm<'p>( params: mgf_alg, }, salt_length, - _trailer_field: 1, + _trailer_field: None, }))); return Ok(common::AlgorithmIdentifier { From 300f48352b774827b52ba3d14819fa1876d9c2e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 11:22:29 +0000 Subject: [PATCH 636/868] Bump requests from 2.32.2 to 2.32.3 (#11040) Bumps [requests](https://github.com/psf/requests) from 2.32.2 to 2.32.3. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.32.2...v2.32.3) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 27e66e3aec3f..891e51475b79 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -103,7 +103,7 @@ pytest-xdist==3.6.1; python_version >= "3.8" # via cryptography (pyproject.toml) readme-renderer==43.0 # via cryptography (pyproject.toml) -requests==2.32.2 +requests==2.32.3 # via sphinx ruff==0.4.6 # via cryptography (pyproject.toml) From ee4b371eeb6819fc8c6a8233afd8904d33dbb479 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 19:38:22 -0700 Subject: [PATCH 637/868] Bump BoringSSL and/or OpenSSL in CI (#11041) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 519439a5de1a..5b93e6ab4a7b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 30, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9540c0452343e684f94515288880b6b35655f792"}} - # Latest commit on the OpenSSL master branch, as of May 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f6b307d860832d3a76be20a693b92a71c83a3055"}} + # Latest commit on the BoringSSL master branch, as of May 31, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "261579f08b2f8aa7959670df1e928c1c305a632c"}} + # Latest commit on the OpenSSL master branch, as of May 31, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9fcf57b45985336b04579dd317d0dc990a9c062b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 5cefe95cb74b2a38c1fd2836c5d4dbe60ad2f738 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 31 May 2024 14:43:09 +0200 Subject: [PATCH 638/868] Bump requests from 2.32.2 to 2.32.3 in /.github/requirements (#11043) Bumps [requests](https://github.com/psf/requests) from 2.32.2 to 2.32.3. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.32.2...v2.32.3) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 23b7a6e46721..e6eeabbb09ec 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -278,9 +278,9 @@ readme-renderer==43.0 \ --hash=sha256:1818dd28140813509eeed8d62687f7cd4f7bad90d4db586001c5dc09d4fde311 \ --hash=sha256:19db308d86ecd60e5affa3b2a98f017af384678c63c88e5d4556a380e674f3f9 # via twine -requests==2.32.2 \ - --hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \ - --hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c +requests==2.32.3 \ + --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ + --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 # via # -r publish-requirements.in # requests-toolbelt From bac21b3fbfe3ff5d70e3a103cfedf7d05bc32187 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 31 May 2024 07:19:00 -0700 Subject: [PATCH 639/868] Migrate PKCS#12 serialization with keys to Rust (#10901) --- .../hazmat/backends/openssl/backend.py | 10 +---- .../hazmat/bindings/_rust/pkcs12.pyi | 2 + .../hazmat/primitives/serialization/pkcs12.py | 6 +-- src/rust/src/pkcs12.rs | 37 +++++++++++++++++-- 4 files changed, 39 insertions(+), 16 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d00d1e4b072a..0da03896974f 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -398,14 +398,8 @@ def serialize_key_and_certificates_to_pkcs12( if name is not None: utils._check_bytes("name", name) - if isinstance(encryption_algorithm, serialization.NoEncryption): - nid_cert = -1 - nid_key = -1 - pkcs12_iter = 0 - # mac_iter of 0 uses OpenSSL's default value - mac_iter = 0 - mac_alg = self._ffi.NULL - elif isinstance( + assert not isinstance(encryption_algorithm, serialization.NoEncryption) + if isinstance( encryption_algorithm, serialization.BestAvailableEncryption ): # PKCS12 encryption is hopeless trash and can never be fixed. diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index 76dd0194c40a..dcb3fca8cf1b 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -8,6 +8,7 @@ from cryptography import x509 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes from cryptography.hazmat.primitives.serialization.pkcs12 import ( PKCS12KeyAndCertificates, + PKCS12PrivateKeyTypes, ) class PKCS12Certificate: @@ -35,6 +36,7 @@ def load_pkcs12( ) -> PKCS12KeyAndCertificates: ... def serialize_key_and_certificates( name: bytes | None, + key: PKCS12PrivateKeyTypes | None, cert: x509.Certificate | None, cas: typing.Iterable[x509.Certificate | PKCS12Certificate] | None, ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 17e03fbbe15c..2294b54322f9 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -167,10 +167,8 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") - if key is None and isinstance( - encryption_algorithm, serialization.NoEncryption - ): - return rust_pkcs12.serialize_key_and_certificates(name, cert, cas) + if isinstance(encryption_algorithm, serialization.NoEncryption): + return rust_pkcs12.serialize_key_and_certificates(name, key, cert, cas) from cryptography.hazmat.backends.openssl.backend import backend diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 1b1b6ceb9f28..919c40c2ad19 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -246,20 +246,20 @@ enum CertificateOrPKCS12Certificate { } #[pyo3::prelude::pyfunction] -#[pyo3(signature = (name, cert, cas))] +#[pyo3(signature = (name, key, cert, cas))] fn serialize_key_and_certificates<'p>( py: pyo3::Python<'p>, name: Option<&[u8]>, + key: Option>, cert: Option<&Certificate>, cas: Option>, ) -> CryptographyResult> { let (password, mac_algorithm, mac_kdf_iter) = decode_encryption_algorithm(py)?; let mut auth_safe_contents = vec![]; - let cert_bag_contents; + let (cert_bag_contents, key_bag_contents); let mut ca_certs = vec![]; - assert!(cert.is_some() || cas.is_some()); - { + if cert.is_some() || cas.is_some() { let mut cert_bags = vec![]; if let Some(cert) = cert { @@ -291,6 +291,35 @@ fn serialize_key_and_certificates<'p>( ))), }); } + + if let Some(key) = key { + let der = types::ENCODING_DER.get(py)?; + let pkcs8 = types::PRIVATE_FORMAT_PKCS8.get(py)?; + let no_encryption = types::NO_ENCRYPTION.get(py)?.call0()?; + + let pkcs8_bytes = key + .call_method1( + pyo3::intern!(py, "private_bytes"), + (der, pkcs8, no_encryption), + )? + .extract::()?; + let pkcs8_tlv = asn1::parse_single(&pkcs8_bytes)?; + + let key_bag = cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::KeyBag(pkcs8_tlv)), + attributes: friendly_name_attributes(name)?, + }; + + key_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new([key_bag]))?; + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &key_bag_contents, + ))), + }); + } + let auth_safe_content = asn1::write_single(&asn1::SequenceOfWriter::new(auth_safe_contents))?; let salt = types::OS_URANDOM From 5fbb323a1050b8f37a6348072b1b0c15be6cbd63 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 31 May 2024 22:19:25 -0400 Subject: [PATCH 640/868] Bump BoringSSL and/or OpenSSL in CI (#11044) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5b93e6ab4a7b..8a650b899ab2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of May 31, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "261579f08b2f8aa7959670df1e928c1c305a632c"}} - # Latest commit on the OpenSSL master branch, as of May 31, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "9fcf57b45985336b04579dd317d0dc990a9c062b"}} + # Latest commit on the BoringSSL master branch, as of Jun 01, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c8100f0f0d05c5185d58113e12a867ae0771a6c9"}} + # Latest commit on the OpenSSL master branch, as of Jun 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0285160ffa3b8c2b5491222243042593808298c4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From b154a1bdf14069d13d3b085157b7807a4fd8d7d6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Jun 2024 09:15:45 -0700 Subject: [PATCH 641/868] Added OID for PKCS7 encrypted data (#11047) --- src/rust/cryptography-x509/src/pkcs7.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index 9df323696ac3..bd553cb89def 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -6,6 +6,7 @@ use crate::{certificate, common, csr, name}; pub const PKCS7_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 1); pub const PKCS7_SIGNED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 2); +pub const PKCS7_ENCRYPTED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 6); #[derive(asn1::Asn1Write)] pub struct ContentInfo<'a> { From 654be3419721a4db02150255bbe58654aa64a912 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 1 Jun 2024 09:32:58 -0700 Subject: [PATCH 642/868] Fix a few typos (#11048) --- src/rust/cryptography-x509/src/extensions.rs | 4 ++-- src/rust/src/x509/certificate.rs | 2 +- src/rust/src/x509/ocsp_resp.rs | 10 +++++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index 1a1e13484272..f674b965144c 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -253,7 +253,7 @@ impl KeyUsage<'_> { self.0.has_bit_set(0) } - pub fn content_comitment(&self) -> bool { + pub fn content_commitment(&self) -> bool { self.0.has_bit_set(1) } @@ -364,7 +364,7 @@ mod tests { let ku: KeyUsage<'_> = asn1::parse_single(&asn1).unwrap(); assert!(!ku.is_zeroed()); assert!(ku.digital_signature()); - assert!(ku.content_comitment()); + assert!(ku.content_commitment()); assert!(ku.key_encipherment()); assert!(ku.data_encipherment()); assert!(ku.key_agreement()); diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 88eb15e637d1..0ac0e4d8e0ff 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -777,7 +777,7 @@ pub fn parse_cert_ext<'p>( Ok(Some(types::KEY_USAGE.get(py)?.call1(( kus.digital_signature(), - kus.content_comitment(), + kus.content_commitment(), kus.key_encipherment(), kus.data_encipherment(), kus.key_agreement(), diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e5718079bcae..e9af29054466 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -46,7 +46,7 @@ fn load_der_ocsp_response( )) } }, - MALFORMED_REQUEST_RESPOSNE + MALFORMED_REQUEST_RESPONSE | INTERNAL_ERROR_RESPONSE | TRY_LATER_RESPONSE | SIG_REQUIRED_RESPONSE @@ -92,7 +92,7 @@ impl OCSPResponse { } const SUCCESSFUL_RESPONSE: u32 = 0; -const MALFORMED_REQUEST_RESPOSNE: u32 = 1; +const MALFORMED_REQUEST_RESPONSE: u32 = 1; const INTERNAL_ERROR_RESPONSE: u32 = 2; const TRY_LATER_RESPONSE: u32 = 3; // 4 is unused @@ -131,7 +131,7 @@ impl OCSPResponse { let status = self.raw.borrow_dependent().response_status.value(); let attr = if status == SUCCESSFUL_RESPONSE { "SUCCESSFUL" - } else if status == MALFORMED_REQUEST_RESPOSNE { + } else if status == MALFORMED_REQUEST_RESPONSE { "MALFORMED_REQUEST" } else if status == INTERNAL_ERROR_RESPONSE { "INTERNAL_ERROR" @@ -203,14 +203,14 @@ impl OCSPResponse { match hash_alg { Ok(data) => Ok(data), Err(_) => { - let exc_messsage = format!( + let exc_message = format!( "Signature algorithm OID: {} not recognized", self.requires_successful_response()? .signature_algorithm .oid() ); Err(CryptographyError::from( - exceptions::UnsupportedAlgorithm::new_err(exc_messsage), + exceptions::UnsupportedAlgorithm::new_err(exc_message), )) } } From 8844b2781db29e54cc314b2857220c9352e16947 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 02:56:47 +0000 Subject: [PATCH 643/868] Bump certifi from 2024.2.2 to 2024.6.2 (#11049) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.2.2 to 2024.6.2. - [Commits](https://github.com/certifi/python-certifi/compare/2024.02.02...2024.06.02) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 891e51475b79..11135dd04507 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ build==1.2.1 # via # check-sdist # cryptography (pyproject.toml) -certifi==2024.2.2 +certifi==2024.6.2 # via requests charset-normalizer==3.3.2 # via requests From b06aaa1689f66636d4a83fbad7e5475584167e9f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 02:57:04 +0000 Subject: [PATCH 644/868] Bump typing-extensions from 4.12.0 to 4.12.1 (#11050) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.12.0 to 4.12.1. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.12.0...4.12.1) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 11135dd04507..965940a44de5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.12.0; python_version >= "3.8" +typing-extensions==4.12.1; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 940bb658adc3c2da434a1a9570ae73d6e011fce3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 03:01:23 +0000 Subject: [PATCH 645/868] Bump ruff from 0.4.6 to 0.4.7 (#11051) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.6 to 0.4.7. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.6...v0.4.7) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 965940a44de5..b70e9ae52c8f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.6 +ruff==0.4.7 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 46a2c210818de202347a983d6df59042a0d8da80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 1 Jun 2024 23:02:08 -0400 Subject: [PATCH 646/868] Bump zipp from 3.19.0 to 3.19.1 in /.github/requirements (#11052) Bumps [zipp](https://github.com/jaraco/zipp) from 3.19.0 to 3.19.1. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.19.0...v3.19.1) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e6eeabbb09ec..5f6974c8076f 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.19.0 \ - --hash=sha256:952df858fb3164426c976d9338d3961e8e8b3758e2e059e0f754b8c4262625ee \ - --hash=sha256:96dc6ad62f1441bcaccef23b274ec471518daf4fbbc580341204936a5a3dddec +zipp==3.19.1 \ + --hash=sha256:2828e64edb5386ea6a52e7ba7cdb17bb30a73a858f5eb6eb93d8d36f5ea26091 \ + --hash=sha256:35427f6d5594f4acf82d25541438348c26736fa9b3afa2754bcd63cdb99d8e8f # via importlib-metadata From 88541546d182e8e27d279e94384115d600d87d31 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 1 Jun 2024 23:07:08 -0400 Subject: [PATCH 647/868] Bump pkginfo from 1.10.0 to 1.11.0 in /.github/requirements (#11053) Bumps [pkginfo](https://code.launchpad.net/~tseaver/pkginfo/trunk) from 1.10.0 to 1.11.0. --- updated-dependencies: - dependency-name: pkginfo dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 5f6974c8076f..b1a8064b0dd8 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -260,9 +260,9 @@ nh3==0.2.17 \ --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer -pkginfo==1.10.0 \ - --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ - --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 +pkginfo==1.11.0 \ + --hash=sha256:6d4998d1cd42c297af72cc0eab5f5bab1d356fb8a55b828fa914173f8bc1ba05 \ + --hash=sha256:dba885aa82e31e80d615119874384923f4e011c2a39b0c4b7104359e36cb7087 # via twine pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From b6623ea110142845a7e91fad06e39f47549eb121 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 13:16:10 +0000 Subject: [PATCH 648/868] Bump proc-macro2 from 1.0.84 to 1.0.85 in /src/rust (#11055) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.84 to 1.0.85. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.84...1.0.85) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 03d6df0e2415..f3d6193e9e34 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.84" +version = "1.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec96c6a92621310b51366f1e28d05ef11489516e93be030060e5fc12024a49d6" +checksum = "22244ce15aa966053a896d1accb3a6e68469b97c7f33f284b99f0d576879fc23" dependencies = [ "unicode-ident", ] From 49de9e9491d2aab3f8dc2ccb8ed8118b559d3d14 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:23:45 -0400 Subject: [PATCH 649/868] Bump certifi from 2024.2.2 to 2024.6.2 in /.github/requirements (#11056) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.2.2 to 2024.6.2. - [Commits](https://github.com/certifi/python-certifi/compare/2024.02.02...2024.06.02) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b1a8064b0dd8..bf14501bfc6e 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -8,9 +8,9 @@ backports-tarfile==1.2.0 \ --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context -certifi==2024.2.2 \ - --hash=sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f \ - --hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1 +certifi==2024.6.2 \ + --hash=sha256:3cd43f1c6fa7dedc5899d69d3ad0398fd018ad1a17fba83ddaf78aa46c747516 \ + --hash=sha256:ddc6c8ce995e6987e7faf5e3f1b02b302836a0e5d98ece18392cb1a36c72ad56 # via requests cffi==1.16.0 \ --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ From 4bd89e4ace7bf57855fdb16a461d90a2572dd276 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 19:21:43 +0000 Subject: [PATCH 650/868] Bump asn1 from 0.16.1 to 0.16.2 in /src/rust (#11057) Bumps [asn1](https://github.com/alex/rust-asn1) from 0.16.1 to 0.16.2. - [Commits](https://github.com/alex/rust-asn1/compare/0.16.1...0.16.2) --- updated-dependencies: - dependency-name: asn1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 8 ++++---- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-x509-verification/Cargo.toml | 2 +- src/rust/cryptography-x509/Cargo.toml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index f3d6193e9e34..14bba00dc40b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "asn1" -version = "0.16.1" +version = "0.16.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "889adc8fd6c1344619926529e605cccad1f832b3a2a5a3fe6d7c8557c8f05368" +checksum = "532ceda058281b62096b2add4ab00ab3a453d30dee28b8890f62461a0109ebbd" dependencies = [ "asn1_derive", ] [[package]] name = "asn1_derive" -version = "0.16.1" +version = "0.16.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2271cec9b830009b9c3b9e21767083c553f51f996b690c476c27f541199aa99" +checksum = "56e6076d38cc17cc22b0f65f31170a2ee1975e6b07f0012893aefd86ce19c987" dependencies = [ "proc-macro2", "quote", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index c3a006aff3e6..9f49dc9c6e92 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -11,7 +11,7 @@ rust-version = "1.65.0" once_cell = "1" cfg-if = "1" pyo3 = { version = "0.21.2", features = ["abi3"] } -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } cryptography-key-parsing = { path = "cryptography-key-parsing" } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 2b2313453269..9d4e5d00fbdf 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" openssl = "0.10.64" openssl-sys = "0.9.102" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 2ffa8e3d273e..086332bd4529 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -8,7 +8,7 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } cryptography-x509 = { path = "../cryptography-x509" } cryptography-key-parsing = { path = "../cryptography-key-parsing" } once_cell = "1" diff --git a/src/rust/cryptography-x509/Cargo.toml b/src/rust/cryptography-x509/Cargo.toml index 2332756b2275..8da775c34647 100644 --- a/src/rust/cryptography-x509/Cargo.toml +++ b/src/rust/cryptography-x509/Cargo.toml @@ -8,4 +8,4 @@ publish = false rust-version = "1.65.0" [dependencies] -asn1 = { version = "0.16.1", default-features = false } +asn1 = { version = "0.16.2", default-features = false } From 9fc01fdbadcfe3e19a63ba51003b07c3d314dc33 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Jun 2024 19:22:08 +0000 Subject: [PATCH 651/868] Bump asn1_derive from 0.16.1 to 0.16.2 in /src/rust (#11058) Bumps [asn1_derive](https://github.com/alex/rust-asn1) from 0.16.1 to 0.16.2. - [Commits](https://github.com/alex/rust-asn1/compare/0.16.1...0.16.2) --- updated-dependencies: - dependency-name: asn1_derive dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> From 78c9fcbac6814f42d30538db71abe44357ebb908 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 2 Jun 2024 23:30:50 -0400 Subject: [PATCH 652/868] Added several OIDs that are used in PBESv2 encoding (#11046) --- src/rust/cryptography-x509/src/oid.rs | 10 ++++++++++ src/rust/src/pkcs7.rs | 10 +++------- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index bf5d0ba29689..85fb543e6e85 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs @@ -147,3 +147,13 @@ pub const EKU_OCSP_SIGNING_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, pub const EKU_ANY_KEY_USAGE_OID: asn1::ObjectIdentifier = asn1::oid!(2, 5, 29, 37, 0); pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 4, 1, 11129, 2, 4, 4); + +pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13); +pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12); + +pub const AES_256_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 42); +pub const AES_192_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 22); +pub const AES_128_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 2); + +pub const HMAC_WITH_SHA1_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 2, 7); +pub const HMAC_WITH_SHA256_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 2, 9); diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 4cfa3067ac20..c2dcbc94974f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -27,10 +27,6 @@ const PKCS7_MESSAGE_DIGEST_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 1 const PKCS7_SIGNING_TIME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 5); const PKCS7_SMIME_CAP_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 15); -const AES_256_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 42); -const AES_192_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 22); -const AES_128_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 2); - static OIDS_TO_MIC_NAME: Lazy> = Lazy::new(|| { let mut h = HashMap::new(); h.insert(&oid::SHA224_OID, "sha-224"); @@ -105,9 +101,9 @@ fn sign_and_serialize<'p>( // Subset of values OpenSSL provides: // https://github.com/openssl/openssl/blob/667a8501f0b6e5705fd611d5bb3ca24848b07154/crypto/pkcs7/pk7_smime.c#L150 // removing all the ones that are bad cryptography - &asn1::SequenceOfWriter::new([AES_256_CBC_OID]), - &asn1::SequenceOfWriter::new([AES_192_CBC_OID]), - &asn1::SequenceOfWriter::new([AES_128_CBC_OID]), + &asn1::SequenceOfWriter::new([oid::AES_256_CBC_OID]), + &asn1::SequenceOfWriter::new([oid::AES_192_CBC_OID]), + &asn1::SequenceOfWriter::new([oid::AES_128_CBC_OID]), ]))?; #[allow(clippy::type_complexity)] From 99de528c1229363f4435eac25f54abac4ba65072 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 08:08:11 -0400 Subject: [PATCH 653/868] fixes #11062 -- register OCSP implementations with interfaces (#11063) --- .../hazmat/bindings/_rust/ocsp.pyi | 25 +++++++++--------- src/cryptography/x509/ocsp.py | 4 +++ src/rust/src/x509/ocsp_req.rs | 2 ++ src/rust/src/x509/ocsp_resp.rs | 26 ++++++++++--------- tests/x509/test_ocsp.py | 2 ++ 5 files changed, 34 insertions(+), 25 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index b15628f8d46b..29c4372bcfb5 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi @@ -4,20 +4,19 @@ from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes -from cryptography.x509.ocsp import ( - OCSPRequest, - OCSPRequestBuilder, - OCSPResponse, - OCSPResponseBuilder, - OCSPResponseStatus, -) +from cryptography.x509 import ocsp -def load_der_ocsp_request(data: bytes) -> OCSPRequest: ... -def load_der_ocsp_response(data: bytes) -> OCSPResponse: ... -def create_ocsp_request(builder: OCSPRequestBuilder) -> OCSPRequest: ... +class OCSPRequest: ... +class OCSPResponse: ... + +def load_der_ocsp_request(data: bytes) -> ocsp.OCSPRequest: ... +def load_der_ocsp_response(data: bytes) -> ocsp.OCSPResponse: ... +def create_ocsp_request( + builder: ocsp.OCSPRequestBuilder, +) -> ocsp.OCSPRequest: ... def create_ocsp_response( - status: OCSPResponseStatus, - builder: OCSPResponseBuilder | None, + status: ocsp.OCSPResponseStatus, + builder: ocsp.OCSPResponseBuilder | None, private_key: PrivateKeyTypes | None, hash_algorithm: hashes.HashAlgorithm | None, -) -> OCSPResponse: ... +) -> ocsp.OCSPResponse: ... diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 9751ceaf9655..ec2f2dab9e11 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -402,6 +402,10 @@ def public_bytes(self, encoding: serialization.Encoding) -> bytes: """ +OCSPRequest.register(ocsp.OCSPRequest) +OCSPResponse.register(ocsp.OCSPResponse) + + class OCSPRequestBuilder: def __init__( self, diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index dd4e5f77eb4d..a411904b2588 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -235,5 +235,7 @@ pub(crate) fn add_to_module( module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; + module.add_class::()?; + Ok(()) } diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e9af29054466..99cbe582ab98 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -778,18 +778,6 @@ fn create_ocsp_response( load_der_ocsp_response(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - load_der_ocsp_response, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; - - Ok(()) -} - type RawOCSPResponseIterator<'a> = asn1::SequenceOf<'a, SingleResponse<'a>>; self_cell::self_cell!( @@ -919,3 +907,17 @@ impl OCSPSingleResponse { singleresp_py_next_update(single_resp, py) } } + +pub(crate) fn add_to_module( + module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, +) -> pyo3::PyResult<()> { + module.add_function(pyo3::wrap_pyfunction_bound!( + load_der_ocsp_response, + module + )?)?; + module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; + + module.add_class::()?; + + Ok(()) +} diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 8f5948bc171b..31e04f6d75ed 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -78,6 +78,7 @@ def test_load_request(self): os.path.join("x509", "ocsp", "req-sha1.der"), ocsp.load_der_ocsp_request, ) + assert isinstance(req, ocsp.OCSPRequest) assert req.issuer_name_hash == ( b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd" ) @@ -1120,6 +1121,7 @@ def test_load_response(self): os.path.join("x509", "letsencryptx3.pem"), x509.load_pem_x509_certificate, ) + assert isinstance(resp, ocsp.OCSPResponse) assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL assert ( resp.signature_algorithm_oid From 064a463eae1a67d4a4fcdc5305fc115c98f207f9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 08:23:51 -0400 Subject: [PATCH 654/868] added tests for PKCS12Certificate with encryption builder (#11060) --- tests/hazmat/primitives/test_pkcs12.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 5b97121b2c1e..8397750ec264 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -423,6 +423,12 @@ def test_generate_cas_friendly_names(self, backend): ("encryption_algorithm", "password"), [ (serialization.BestAvailableEncryption(b"password"), b"password"), + ( + serialization.PrivateFormat.PKCS12.encryption_builder().build( + b"not a password" + ), + b"not a password", + ), (serialization.NoEncryption(), None), ], ) From 4184b80ab6385b7987d047b8f4948f2a2f32c705 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 08:28:15 -0400 Subject: [PATCH 655/868] Added shrouded key bag oid (#11061) --- src/rust/cryptography-x509/src/pkcs12.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index 4fea62179846..dce1c41726eb 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -7,6 +7,8 @@ use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); pub const KEY_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 1); +pub const SHROUDED_KEY_BAG_OID: asn1::ObjectIdentifier = + asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 2); pub const X509_CERTIFICATE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 22, 1); pub const FRIENDLY_NAME_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 9, 20); From fe1f9f48039197637e5e4ec1bb42bda856f53796 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 08:46:21 -0400 Subject: [PATCH 656/868] Pass encryption algorithm to Rust in PKCS#12 (#11064) Extracted from #11059 --- .../hazmat/bindings/_rust/pkcs12.pyi | 4 +++ .../hazmat/primitives/serialization/pkcs12.py | 4 ++- src/rust/src/pkcs12.rs | 26 ++++++++++++++----- 3 files changed, 26 insertions(+), 8 deletions(-) diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi index dcb3fca8cf1b..40514c4623d5 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs12.pyi @@ -6,6 +6,9 @@ import typing from cryptography import x509 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes +from cryptography.hazmat.primitives.serialization import ( + KeySerializationEncryption, +) from cryptography.hazmat.primitives.serialization.pkcs12 import ( PKCS12KeyAndCertificates, PKCS12PrivateKeyTypes, @@ -39,4 +42,5 @@ def serialize_key_and_certificates( key: PKCS12PrivateKeyTypes | None, cert: x509.Certificate | None, cas: typing.Iterable[x509.Certificate | PKCS12Certificate] | None, + encryption_algorithm: KeySerializationEncryption, ) -> bytes: ... diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 2294b54322f9..d1fc460d7296 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -168,7 +168,9 @@ def serialize_key_and_certificates( raise ValueError("You must supply at least one of key, cert, or cas") if isinstance(encryption_algorithm, serialization.NoEncryption): - return rust_pkcs12.serialize_key_and_certificates(name, key, cert, cas) + return rust_pkcs12.serialize_key_and_certificates( + name, key, cert, cas, encryption_algorithm + ) from cryptography.hazmat.backends.openssl.backend import backend diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 919c40c2ad19..4663b91c4e8a 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -230,13 +230,23 @@ fn cert_to_bag<'a>( }) } -fn decode_encryption_algorithm( - py: pyo3::Python<'_>, -) -> CryptographyResult<(&[u8], pyo3::Bound<'_, pyo3::PyAny>, u64)> { +fn decode_encryption_algorithm<'a>( + py: pyo3::Python<'a>, + encryption_algorithm: pyo3::Bound<'a, pyo3::PyAny>, +) -> CryptographyResult<( + pyo3::pybacked::PyBackedBytes, + pyo3::Bound<'a, pyo3::PyAny>, + u64, +)> { let default_hmac_alg = types::SHA256.get(py)?.call0()?; let default_hmac_kdf_iter = 2048; - Ok((b"", default_hmac_alg, default_hmac_kdf_iter)) + assert!(encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)?); + Ok(( + pyo3::types::PyBytes::new_bound(py, b"").extract()?, + default_hmac_alg, + default_hmac_kdf_iter, + )) } #[derive(pyo3::FromPyObject)] @@ -246,15 +256,17 @@ enum CertificateOrPKCS12Certificate { } #[pyo3::prelude::pyfunction] -#[pyo3(signature = (name, key, cert, cas))] +#[pyo3(signature = (name, key, cert, cas, encryption_algorithm))] fn serialize_key_and_certificates<'p>( py: pyo3::Python<'p>, name: Option<&[u8]>, key: Option>, cert: Option<&Certificate>, cas: Option>, + encryption_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (password, mac_algorithm, mac_kdf_iter) = decode_encryption_algorithm(py)?; + let (password, mac_algorithm, mac_kdf_iter) = + decode_encryption_algorithm(py, encryption_algorithm)?; let mut auth_safe_contents = vec![]; let (cert_bag_contents, key_bag_contents); @@ -328,7 +340,7 @@ fn serialize_key_and_certificates<'p>( .extract::()?; let mac_algorithm_md = hashes::message_digest_from_algorithm(py, &mac_algorithm)?; let mac_key = pkcs12_kdf( - password, + &password, &salt, KDF_MAC_KEY_ID, mac_kdf_iter, From 0419242d00a1ffbbf7ea0ee0135a9a3e60ef2298 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 09:32:07 -0400 Subject: [PATCH 657/868] Added a few new AlgorithmParameter types (#11065) split out from #11059 --- src/rust/cryptography-x509/src/common.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index fa7e3ec77098..84608c870123 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -125,6 +125,14 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::DH_KEY_AGREEMENT_OID)] DhKeyAgreement(BasicDHParams<'a>), + #[defined_by(oid::HMAC_WITH_SHA1_OID)] + HmacWithSha1(asn1::Null), + #[defined_by(oid::HMAC_WITH_SHA256_OID)] + HmacWithSha256(asn1::Null), + + #[defined_by(oid::AES_256_CBC_OID)] + Aes256Cbc([u8; 16]), + #[default] Other(asn1::ObjectIdentifier, Option>), } From d54d67353b5384bee303024cbc55b1392a87ee6d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 3 Jun 2024 09:32:28 -0400 Subject: [PATCH 658/868] Register OCSPSingleResponse implementation with interface (#11066) --- src/cryptography/hazmat/bindings/_rust/ocsp.pyi | 1 + src/cryptography/x509/ocsp.py | 1 + src/rust/src/x509/ocsp_resp.rs | 1 + tests/x509/test_ocsp.py | 1 + 4 files changed, 4 insertions(+) diff --git a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi index 29c4372bcfb5..5e02145d86a5 100644 --- a/src/cryptography/hazmat/bindings/_rust/ocsp.pyi +++ b/src/cryptography/hazmat/bindings/_rust/ocsp.pyi @@ -8,6 +8,7 @@ from cryptography.x509 import ocsp class OCSPRequest: ... class OCSPResponse: ... +class OCSPSingleResponse: ... def load_der_ocsp_request(data: bytes) -> ocsp.OCSPRequest: ... def load_der_ocsp_response(data: bytes) -> ocsp.OCSPResponse: ... diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index ec2f2dab9e11..9b2adc8601cc 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -404,6 +404,7 @@ def public_bytes(self, encoding: serialization.Encoding) -> bytes: OCSPRequest.register(ocsp.OCSPRequest) OCSPResponse.register(ocsp.OCSPResponse) +OCSPSingleResponse.register(ocsp.OCSPSingleResponse) class OCSPRequestBuilder: diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 99cbe582ab98..3233d0b4d9a1 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -918,6 +918,7 @@ pub(crate) fn add_to_module( module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; module.add_class::()?; + module.add_class::()?; Ok(()) } diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 31e04f6d75ed..1d155bb97029 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -1179,6 +1179,7 @@ def test_load_multi_valued_response(self): with pytest.raises(ValueError): resp.serial_number + assert isinstance(next(resp.responses), ocsp.OCSPSingleResponse) assert len(list(resp.responses)) == 20 def test_multi_valued_responses(self): From e2b5c513aa90a127d6e86d7c2b77d1b4251e035d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Jun 2024 06:59:09 -0400 Subject: [PATCH 659/868] Bump dawidd6/action-download-artifact from 3.1.4 to 5 (#11069) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 3.1.4 to 5. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/09f2f74827fd3a8607589e5ad7f9398816f540fe...deb3bb83256a78589fef6a7b942e5f2573ad7c13) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a650b899ab2..d7beaa8f0c38 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -255,7 +255,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 77524b95cdf0..281e17d43044 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -48,7 +48,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 0f16ae6be96f..97f5dc0879ec 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -218,7 +218,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3.1.4 + - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 with: repo: pyca/infra workflow: build-windows-openssl.yml From 73526a338c04959f5c47e008ee296f1a6acaa0d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Jun 2024 06:59:34 -0400 Subject: [PATCH 660/868] Bump actions/attest-build-provenance from 1.1.2 to 1.2.0 (#11068) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/173725a1209d09b31f9d30a3890cf2757ebbff0d...49df96e17e918a15956db358890b08e61c704919) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 281e17d43044..29f678a4369c 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 + - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 98c63e3fd912bff9f3bcde377a315cd1dee7b38b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 4 Jun 2024 09:16:33 -0700 Subject: [PATCH 661/868] update openssl in CI (#11071) --- .github/workflows/ci.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d7beaa8f0c38..8902cb9a9bb7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,17 +29,17 @@ jobs: PYTHON: - {VERSION: "3.12", NOXSESSION: "flake"} - {VERSION: "3.12", NOXSESSION: "rust"} - - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.13"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.5"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1"}} - - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.0"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.5"}} - - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.14"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.6"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2"}} + - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.3.1"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.2", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.6"}} + - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.2"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} From 16da190cac22722c96ca3714d57351c02c56d265 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 4 Jun 2024 14:02:41 -0700 Subject: [PATCH 662/868] port 42.0.8 changelog (#11073) * port 42.0.8 changelog * Update build_openssl.sh --- .github/workflows/build_openssl.sh | 4 ++-- CHANGELOG.rst | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_openssl.sh b/.github/workflows/build_openssl.sh index abdd09cf3e55..9b4cd2a29782 100755 --- a/.github/workflows/build_openssl.sh +++ b/.github/workflows/build_openssl.sh @@ -20,7 +20,7 @@ if [[ "${TYPE}" == "openssl" ]]; then pushd openssl git checkout "${VERSION}" else - curl -O "https://www.openssl.org/source/openssl-${VERSION}.tar.gz" + curl -LO "https://www.openssl.org/source/openssl-${VERSION}.tar.gz" tar zxf "openssl-${VERSION}.tar.gz" pushd "openssl-${VERSION}" fi @@ -57,7 +57,7 @@ if [[ "${TYPE}" == "openssl" ]]; then fi popd elif [[ "${TYPE}" == "libressl" ]]; then - curl -O "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" + curl -LO "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${VERSION}.tar.gz" tar zxf "libressl-${VERSION}.tar.gz" pushd "libressl-${VERSION}" cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}" diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 524262e120bf..d543896aed28 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -47,6 +47,13 @@ Changelog * Added support for parsing empty DN string in :meth:`~cryptography.x509.Name.from_rfc4514_string`. +.. _v42-0-8: + +42.0.8 - 2024-06-04 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.2. + .. _v42-0-7: 42.0.7 - 2024-05-06 From 007c28fd60a8a4c5ba2453e11190908fa94c6cf4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 00:17:43 +0000 Subject: [PATCH 663/868] Bump BoringSSL and/or OpenSSL in CI (#11074) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8902cb9a9bb7..0ce50283f95d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 01, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c8100f0f0d05c5185d58113e12a867ae0771a6c9"}} - # Latest commit on the OpenSSL master branch, as of Jun 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0285160ffa3b8c2b5491222243042593808298c4"}} + # Latest commit on the BoringSSL master branch, as of Jun 05, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fb1c75caf8ba5d45a0f2c52facd36e4ad9289549"}} + # Latest commit on the OpenSSL master branch, as of Jun 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0e2567d7293d3204de66acca0ed55bda4f0c0768"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From acf51227246d8a6d2ef6ca5de322b2833fcf4668 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 07:02:59 -0400 Subject: [PATCH 664/868] Bump pytest from 8.2.1 to 8.2.2 (#11075) Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.2.1 to 8.2.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.2.1...8.2.2) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b70e9ae52c8f..a11c924c2fd5 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -86,7 +86,7 @@ pygments==2.18.0 # sphinx pyproject-hooks==1.1.0 # via build -pytest==8.2.1; python_version >= "3.8" +pytest==8.2.2; python_version >= "3.8" # via # cryptography (pyproject.toml) # pytest-benchmark From f4753533b4f199545a1661e4c05290c9eab99888 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 07:03:29 -0400 Subject: [PATCH 665/868] Bump zipp from 3.19.1 to 3.19.2 in /.github/requirements (#11076) Bumps [zipp](https://github.com/jaraco/zipp) from 3.19.1 to 3.19.2. - [Release notes](https://github.com/jaraco/zipp/releases) - [Changelog](https://github.com/jaraco/zipp/blob/main/NEWS.rst) - [Commits](https://github.com/jaraco/zipp/compare/v3.19.1...v3.19.2) --- updated-dependencies: - dependency-name: zipp dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index bf14501bfc6e..3a07eaa4b224 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -311,7 +311,7 @@ urllib3==2.2.1 \ # via # requests # twine -zipp==3.19.1 \ - --hash=sha256:2828e64edb5386ea6a52e7ba7cdb17bb30a73a858f5eb6eb93d8d36f5ea26091 \ - --hash=sha256:35427f6d5594f4acf82d25541438348c26736fa9b3afa2754bcd63cdb99d8e8f +zipp==3.19.2 \ + --hash=sha256:bf1dcf6450f873a13e952a29504887c89e6de7506209e5b1bcc3460135d4de19 \ + --hash=sha256:f091755f667055f2d02b32c53771a7a6c8b47e1fdbc4b72a8b9072b3eef8015c # via importlib-metadata From 21f129af73b1e3e5a9452891ce46cba1a8c9025b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 07:29:35 -0400 Subject: [PATCH 666/868] Bump cryptography from 42.0.7 to 42.0.8 in /.github/requirements (#11077) Bumps [cryptography](https://github.com/pyca/cryptography) from 42.0.7 to 42.0.8. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/42.0.7...42.0.8) --- updated-dependencies: - dependency-name: cryptography dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 3a07eaa4b224..7ad866adab4a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -158,39 +158,39 @@ charset-normalizer==3.3.2 \ --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 # via requests -cryptography==42.0.7 \ - --hash=sha256:02c0eee2d7133bdbbc5e24441258d5d2244beb31da5ed19fbb80315f4bbbff55 \ - --hash=sha256:0d563795db98b4cd57742a78a288cdbdc9daedac29f2239793071fe114f13785 \ - --hash=sha256:16268d46086bb8ad5bf0a2b5544d8a9ed87a0e33f5e77dd3c3301e63d941a83b \ - --hash=sha256:1a58839984d9cb34c855197043eaae2c187d930ca6d644612843b4fe8513c886 \ - --hash=sha256:2954fccea107026512b15afb4aa664a5640cd0af630e2ee3962f2602693f0c82 \ - --hash=sha256:2e47577f9b18723fa294b0ea9a17d5e53a227867a0a4904a1a076d1646d45ca1 \ - --hash=sha256:31adb7d06fe4383226c3e963471f6837742889b3c4caa55aac20ad951bc8ffda \ - --hash=sha256:3577d029bc3f4827dd5bf8bf7710cac13527b470bbf1820a3f394adb38ed7d5f \ - --hash=sha256:36017400817987670037fbb0324d71489b6ead6231c9604f8fc1f7d008087c68 \ - --hash=sha256:362e7197754c231797ec45ee081f3088a27a47c6c01eff2ac83f60f85a50fe60 \ - --hash=sha256:3de9a45d3b2b7d8088c3fbf1ed4395dfeff79d07842217b38df14ef09ce1d8d7 \ - --hash=sha256:4f698edacf9c9e0371112792558d2f705b5645076cc0aaae02f816a0171770fd \ - --hash=sha256:5482e789294854c28237bba77c4c83be698be740e31a3ae5e879ee5444166582 \ - --hash=sha256:5e44507bf8d14b36b8389b226665d597bc0f18ea035d75b4e53c7b1ea84583cc \ - --hash=sha256:779245e13b9a6638df14641d029add5dc17edbef6ec915688f3acb9e720a5858 \ - --hash=sha256:789caea816c6704f63f6241a519bfa347f72fbd67ba28d04636b7c6b7da94b0b \ - --hash=sha256:7f8b25fa616d8b846aef64b15c606bb0828dbc35faf90566eb139aa9cff67af2 \ - --hash=sha256:8cb8ce7c3347fcf9446f201dc30e2d5a3c898d009126010cbd1f443f28b52678 \ - --hash=sha256:93a3209f6bb2b33e725ed08ee0991b92976dfdcf4e8b38646540674fc7508e13 \ - --hash=sha256:a3a5ac8b56fe37f3125e5b72b61dcde43283e5370827f5233893d461b7360cd4 \ - --hash=sha256:a47787a5e3649008a1102d3df55424e86606c9bae6fb77ac59afe06d234605f8 \ - --hash=sha256:a79165431551042cc9d1d90e6145d5d0d3ab0f2d66326c201d9b0e7f5bf43604 \ - --hash=sha256:a987f840718078212fdf4504d0fd4c6effe34a7e4740378e59d47696e8dfb477 \ - --hash=sha256:a9bc127cdc4ecf87a5ea22a2556cab6c7eda2923f84e4f3cc588e8470ce4e42e \ - --hash=sha256:bd13b5e9b543532453de08bcdc3cc7cebec6f9883e886fd20a92f26940fd3e7a \ - --hash=sha256:c65f96dad14f8528a447414125e1fc8feb2ad5a272b8f68477abbcc1ea7d94b9 \ - --hash=sha256:d8e3098721b84392ee45af2dd554c947c32cc52f862b6a3ae982dbb90f577f14 \ - --hash=sha256:e6b79d0adb01aae87e8a44c2b64bc3f3fe59515280e00fb6d57a7267a2583cda \ - --hash=sha256:e6b8f1881dac458c34778d0a424ae5769de30544fc678eac51c1c8bb2183e9da \ - --hash=sha256:e9b2a6309f14c0497f348d08a065d52f3020656f675819fc405fb63bbcd26562 \ - --hash=sha256:ecbfbc00bf55888edda9868a4cf927205de8499e7fabe6c050322298382953f2 \ - --hash=sha256:efd0bf5205240182e0f13bcaea41be4fdf5c22c5129fc7ced4a0282ac86998c9 +cryptography==42.0.8 \ + --hash=sha256:013629ae70b40af70c9a7a5db40abe5d9054e6f4380e50ce769947b73bf3caad \ + --hash=sha256:2346b911eb349ab547076f47f2e035fc8ff2c02380a7cbbf8d87114fa0f1c583 \ + --hash=sha256:2f66d9cd9147ee495a8374a45ca445819f8929a3efcd2e3df6428e46c3cbb10b \ + --hash=sha256:2f88d197e66c65be5e42cd72e5c18afbfae3f741742070e3019ac8f4ac57262c \ + --hash=sha256:31f721658a29331f895a5a54e7e82075554ccfb8b163a18719d342f5ffe5ecb1 \ + --hash=sha256:343728aac38decfdeecf55ecab3264b015be68fc2816ca800db649607aeee648 \ + --hash=sha256:5226d5d21ab681f432a9c1cf8b658c0cb02533eece706b155e5fbd8a0cdd3949 \ + --hash=sha256:57080dee41209e556a9a4ce60d229244f7a66ef52750f813bfbe18959770cfba \ + --hash=sha256:5a94eccb2a81a309806027e1670a358b99b8fe8bfe9f8d329f27d72c094dde8c \ + --hash=sha256:6b7c4f03ce01afd3b76cf69a5455caa9cfa3de8c8f493e0d3ab7d20611c8dae9 \ + --hash=sha256:7016f837e15b0a1c119d27ecd89b3515f01f90a8615ed5e9427e30d9cdbfed3d \ + --hash=sha256:81884c4d096c272f00aeb1f11cf62ccd39763581645b0812e99a91505fa48e0c \ + --hash=sha256:81d8a521705787afe7a18d5bfb47ea9d9cc068206270aad0b96a725022e18d2e \ + --hash=sha256:8d09d05439ce7baa8e9e95b07ec5b6c886f548deb7e0f69ef25f64b3bce842f2 \ + --hash=sha256:961e61cefdcb06e0c6d7e3a1b22ebe8b996eb2bf50614e89384be54c48c6b63d \ + --hash=sha256:9c0c1716c8447ee7dbf08d6db2e5c41c688544c61074b54fc4564196f55c25a7 \ + --hash=sha256:a0608251135d0e03111152e41f0cc2392d1e74e35703960d4190b2e0f4ca9c70 \ + --hash=sha256:a0c5b2b0585b6af82d7e385f55a8bc568abff8923af147ee3c07bd8b42cda8b2 \ + --hash=sha256:ad803773e9df0b92e0a817d22fd8a3675493f690b96130a5e24f1b8fabbea9c7 \ + --hash=sha256:b297f90c5723d04bcc8265fc2a0f86d4ea2e0f7ab4b6994459548d3a6b992a14 \ + --hash=sha256:ba4f0a211697362e89ad822e667d8d340b4d8d55fae72cdd619389fb5912eefe \ + --hash=sha256:c4783183f7cb757b73b2ae9aed6599b96338eb957233c58ca8f49a49cc32fd5e \ + --hash=sha256:c9bb2ae11bfbab395bdd072985abde58ea9860ed84e59dbc0463a5d0159f5b71 \ + --hash=sha256:cafb92b2bc622cd1aa6a1dce4b93307792633f4c5fe1f46c6b97cf67073ec961 \ + --hash=sha256:d45b940883a03e19e944456a558b67a41160e367a719833c53de6911cabba2b7 \ + --hash=sha256:dc0fdf6787f37b1c6b08e6dfc892d9d068b5bdb671198c72072828b80bd5fe4c \ + --hash=sha256:dea567d1b0e8bc5764b9443858b673b734100c2871dc93163f58c46a97a83d28 \ + --hash=sha256:dec9b018df185f08483f294cae6ccac29e7a6e0678996587363dc352dc65c842 \ + --hash=sha256:e3ec3672626e1b9e55afd0df6d774ff0e953452886e06e0f1eb7eb0c832e8902 \ + --hash=sha256:e599b53fd95357d92304510fb7bda8523ed1f79ca98dce2f43c115950aa78801 \ + --hash=sha256:fa76fbb7596cc5839320000cdd5d0955313696d9511debab7ee7278fc8b5c84a \ + --hash=sha256:fff12c88a672ab9c9c1cf7b0c80e3ad9e2ebd9d828d955c126be4fd3e5578c9e # via secretstorage docutils==0.21.2 \ --hash=sha256:3a6b18732edf182daa3cd12775bbb338cf5691468f91eeeb109deff6ebfa986f \ From 2d4241870d1cd41707dbd777ed81581bd8b8dabe Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 5 Jun 2024 20:28:35 -0400 Subject: [PATCH 667/868] Bump BoringSSL and/or OpenSSL in CI (#11078) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0ce50283f95d..18cba060801d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 05, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "fb1c75caf8ba5d45a0f2c52facd36e4ad9289549"}} - # Latest commit on the OpenSSL master branch, as of Jun 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "0e2567d7293d3204de66acca0ed55bda4f0c0768"}} + # Latest commit on the BoringSSL master branch, as of Jun 06, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c1d9ac02514a138129872a036e3f8a1074dcb8bd"}} + # Latest commit on the OpenSSL master branch, as of Jun 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5bbdbce856c7ca132e039a24a315618484874c81"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 22802f855adaa449c76f30d9a9a5449c0d7f91b1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 00:31:12 +0000 Subject: [PATCH 668/868] Bump x509-limbo and/or wycheproof in CI (#11079) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 671b966a3833..ef19150b79e7 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of May 23, 2024. - ref: "d879dc2a91836aebe9f558f4cc5bf183e3d19552" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jun 06, 2024. + ref: "b29820ae7ebe3280d2efcaae7d77222dc8101967" # x509-limbo-ref From 3b333d5b537297062a07b4702ba9385c6346324d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 07:11:15 -0400 Subject: [PATCH 669/868] Bump ruff from 0.4.7 to 0.4.8 (#11081) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.7 to 0.4.8. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.7...v0.4.8) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a11c924c2fd5..df8e8926b040 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.7 +ruff==0.4.8 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 749d2638368e2365a9243a5adda8d3e228cf86c2 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 7 Jun 2024 00:16:24 +0000 Subject: [PATCH 670/868] Bump BoringSSL and/or OpenSSL in CI (#11082) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18cba060801d..d57796b47954 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 06, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c1d9ac02514a138129872a036e3f8a1074dcb8bd"}} - # Latest commit on the OpenSSL master branch, as of Jun 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5bbdbce856c7ca132e039a24a315618484874c81"}} + # Latest commit on the BoringSSL master branch, as of Jun 07, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dec5989b793c56ad4dd32173bd2d8595ca78b398"}} + # Latest commit on the OpenSSL master branch, as of Jun 07, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "417dad1e370b19f94682d1006cb54d10ac90b8ec"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 5c44374056f7f07318153a1685d3980785d1bbc9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 7 Jun 2024 11:43:28 +0000 Subject: [PATCH 671/868] Bump cc from 1.0.98 to 1.0.99 in /src/rust (#11084) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.98 to 1.0.99. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.98...1.0.99) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 14bba00dc40b..4cac2c7fc3e3 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.98" +version = "1.0.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "41c270e7540d725e65ac7f1b212ac8ce349719624d7bcff99f8e2e488e8cf03f" +checksum = "96c51067fd44124faa7f870b4b1c969379ad32b2ba805aa959430ceaa384f695" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 1d1e059d4e73..b0794661054f 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -12,4 +12,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.98" +cc = "1.0.99" From 1f02723e70b356a1efd0f303d6cb44f79a272210 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 8 Jun 2024 00:17:33 +0000 Subject: [PATCH 672/868] Bump BoringSSL and/or OpenSSL in CI (#11086) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d57796b47954..37d6cd7ad3a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 07, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "dec5989b793c56ad4dd32173bd2d8595ca78b398"}} - # Latest commit on the OpenSSL master branch, as of Jun 07, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "417dad1e370b19f94682d1006cb54d10ac90b8ec"}} + # Latest commit on the BoringSSL master branch, as of Jun 08, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29223ac349c144a4d0babc281644c0410dd1e313"}} + # Latest commit on the OpenSSL master branch, as of Jun 08, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4700c0b237c05315e3bf14fc416abcbdfe51ff2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 77f880246c1532a796fb146b13cfee7f54a5ce84 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 7 Jun 2024 17:33:27 -0700 Subject: [PATCH 673/868] Bump x509-limbo and/or wycheproof in CI (#11087) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index ef19150b79e7..cd53f58cc4c8 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jun 06, 2024. - ref: "b29820ae7ebe3280d2efcaae7d77222dc8101967" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jun 08, 2024. + ref: "8b32fa5893b1ebb30f7bb085ed39318177563e99" # x509-limbo-ref From f3b0e165f00c061f2151da23cd3973d5cd0d2e01 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 8 Jun 2024 10:52:13 -0400 Subject: [PATCH 674/868] Added a benchmark for fernet (#11088) This tests many different primitives --- tests/bench/test_fernet.py | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/bench/test_fernet.py diff --git a/tests/bench/test_fernet.py b/tests/bench/test_fernet.py new file mode 100644 index 000000000000..c550aa78920c --- /dev/null +++ b/tests/bench/test_fernet.py @@ -0,0 +1,10 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from cryptography import fernet + + +def test_fernet_encrypt(benchmark): + f = fernet.Fernet(fernet.Fernet.generate_key()) + benchmark(f.encrypt, b"\x00" * 256) From 5e99c52bb2087022bae7194b95aff20ebf6df948 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 8 Jun 2024 20:25:55 -0400 Subject: [PATCH 675/868] Bump BoringSSL and/or OpenSSL in CI (#11090) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 37d6cd7ad3a6..4e5457fe8f51 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 08, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "29223ac349c144a4d0babc281644c0410dd1e313"}} + # Latest commit on the BoringSSL master branch, as of Jun 09, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "56fb43a204e57af68e00f4561c108a7004381aa3"}} # Latest commit on the OpenSSL master branch, as of Jun 08, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4700c0b237c05315e3bf14fc416abcbdfe51ff2"}} # Builds with various Rust versions. Includes MSRV and next From c27084e34736a6db491f06909f183a9b1153ad2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 07:18:54 -0400 Subject: [PATCH 676/868] Bump typing-extensions from 4.12.1 to 4.12.2 (#11091) Bumps [typing-extensions](https://github.com/python/typing_extensions) from 4.12.1 to 4.12.2. - [Release notes](https://github.com/python/typing_extensions/releases) - [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md) - [Commits](https://github.com/python/typing_extensions/compare/4.12.1...4.12.2) --- updated-dependencies: - dependency-name: typing-extensions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index df8e8926b040..ad9451795c16 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -146,7 +146,7 @@ tomli==2.0.1 # mypy # pyproject-hooks # pytest -typing-extensions==4.12.1; python_version >= "3.8" +typing-extensions==4.12.2; python_version >= "3.8" # via mypy urllib3==2.2.1 # via requests From 2a12c65219af5b116e98846f7362ee0473c54363 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 07:29:02 -0400 Subject: [PATCH 677/868] Bump pkginfo from 1.11.0 to 1.11.1 in /.github/requirements (#11093) Bumps [pkginfo](https://code.launchpad.net/~tseaver/pkginfo/trunk) from 1.11.0 to 1.11.1. --- updated-dependencies: - dependency-name: pkginfo dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 7ad866adab4a..e4d52c8b1801 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -260,9 +260,9 @@ nh3==0.2.17 \ --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer -pkginfo==1.11.0 \ - --hash=sha256:6d4998d1cd42c297af72cc0eab5f5bab1d356fb8a55b828fa914173f8bc1ba05 \ - --hash=sha256:dba885aa82e31e80d615119874384923f4e011c2a39b0c4b7104359e36cb7087 +pkginfo==1.11.1 \ + --hash=sha256:2e0dca1cf4c8e39644eed32408ea9966ee15e0d324c62ba899a393b3c6b467aa \ + --hash=sha256:bfa76a714fdfc18a045fcd684dbfc3816b603d9d075febef17cb6582bea29573 # via twine pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ From 92b8aff88dd44601c071d02837e5f9576debe064 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 06:51:58 -0500 Subject: [PATCH 678/868] Bump packaging from 24.0 to 24.1 (#11092) * Bump packaging from 24.0 to 24.1 Bumps [packaging](https://github.com/pypa/packaging) from 24.0 to 24.1. - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/24.0...24.1) --- updated-dependencies: - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Update ci-constraints-requirements.txt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Gaynor --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ad9451795c16..9a92c2b44218 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -60,7 +60,7 @@ nh3==0.2.17 # via readme-renderer nox==2024.4.15 # via cryptography (pyproject.toml) -packaging==24.0 +packaging==24.1; python_version >= "3.8" # via # build # nox From da45641e462cae84ea21aae936a8b280f339b664 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 10 Jun 2024 12:22:36 -0400 Subject: [PATCH 679/868] Convert `PKCS7PaddingContext` to Rust (#11089) --- docs/hazmat/primitives/padding.rst | 10 +--- .../hazmat/bindings/_rust/__init__.pyi | 7 +++ src/cryptography/hazmat/primitives/padding.py | 31 ++---------- src/rust/src/buf.rs | 10 ++-- src/rust/src/lib.rs | 1 + src/rust/src/padding.rs | 49 +++++++++++++++++++ tests/hazmat/primitives/test_padding.py | 4 +- 7 files changed, 73 insertions(+), 39 deletions(-) diff --git a/docs/hazmat/primitives/padding.rst b/docs/hazmat/primitives/padding.rst index ecd70e6d5084..a1be2abf968f 100644 --- a/docs/hazmat/primitives/padding.rst +++ b/docs/hazmat/primitives/padding.rst @@ -24,16 +24,13 @@ multiple of the block size. >>> from cryptography.hazmat.primitives import padding >>> padder = padding.PKCS7(128).padder() >>> padded_data = padder.update(b"11111111111111112222222222") - >>> padded_data - b'1111111111111111' >>> padded_data += padder.finalize() >>> padded_data b'11111111111111112222222222\x06\x06\x06\x06\x06\x06' >>> unpadder = padding.PKCS7(128).unpadder() >>> data = unpadder.update(padded_data) + >>> data += unpadder.finalize() >>> data - b'1111111111111111' - >>> data + unpadder.finalize() b'11111111111111112222222222' :param block_size: The size of the block in :term:`bits` that the data is @@ -67,16 +64,13 @@ multiple of the block size. >>> padder = padding.ANSIX923(128).padder() >>> padded_data = padder.update(b"11111111111111112222222222") - >>> padded_data - b'1111111111111111' >>> padded_data += padder.finalize() >>> padded_data b'11111111111111112222222222\x00\x00\x00\x00\x00\x06' >>> unpadder = padding.ANSIX923(128).unpadder() >>> data = unpadder.update(padded_data) + >>> data += unpadder.finalize() >>> data - b'1111111111111111' - >>> data + unpadder.finalize() b'11111111111111112222222222' :param block_size: The size of the block in :term:`bits` that the data is diff --git a/src/cryptography/hazmat/bindings/_rust/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/__init__.pyi index 18a6fb87b628..c0ea0a5405ca 100644 --- a/src/cryptography/hazmat/bindings/_rust/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/__init__.pyi @@ -4,9 +4,16 @@ import typing +from cryptography.hazmat.primitives import padding + def check_pkcs7_padding(data: bytes) -> bool: ... def check_ansix923_padding(data: bytes) -> bool: ... +class PKCS7PaddingContext(padding.PaddingContext): + def __init__(self, block_size: int) -> None: ... + def update(self, data: bytes) -> bytes: ... + def finalize(self) -> bytes: ... + class ObjectIdentifier: def __init__(self, val: str) -> None: ... @property diff --git a/src/cryptography/hazmat/primitives/padding.py b/src/cryptography/hazmat/primitives/padding.py index baceaf381880..d1ca775f33d0 100644 --- a/src/cryptography/hazmat/primitives/padding.py +++ b/src/cryptography/hazmat/primitives/padding.py @@ -10,6 +10,7 @@ from cryptography import utils from cryptography.exceptions import AlreadyFinalized from cryptography.hazmat.bindings._rust import ( + PKCS7PaddingContext, check_ansix923_padding, check_pkcs7_padding, ) @@ -111,37 +112,12 @@ def __init__(self, block_size: int): self.block_size = block_size def padder(self) -> PaddingContext: - return _PKCS7PaddingContext(self.block_size) + return PKCS7PaddingContext(self.block_size) def unpadder(self) -> PaddingContext: return _PKCS7UnpaddingContext(self.block_size) -class _PKCS7PaddingContext(PaddingContext): - _buffer: bytes | None - - def __init__(self, block_size: int): - self.block_size = block_size - # TODO: more copies than necessary, we should use zero-buffer (#193) - self._buffer = b"" - - def update(self, data: bytes) -> bytes: - self._buffer, result = _byte_padding_update( - self._buffer, data, self.block_size - ) - return result - - def _padding(self, size: int) -> bytes: - return bytes([size]) * size - - def finalize(self) -> bytes: - result = _byte_padding_pad( - self._buffer, self.block_size, self._padding - ) - self._buffer = None - return result - - class _PKCS7UnpaddingContext(PaddingContext): _buffer: bytes | None @@ -164,6 +140,9 @@ def finalize(self) -> bytes: return result +PaddingContext.register(PKCS7PaddingContext) + + class ANSIX923: def __init__(self, block_size: int): _byte_padding_check(block_size) diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index e07793257496..ff9ca0c3d7e5 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -8,7 +8,7 @@ use pyo3::types::IntoPyDict; use std::slice; pub(crate) struct CffiBuf<'p> { - _pyobj: pyo3::Bound<'p, pyo3::PyAny>, + pyobj: pyo3::Bound<'p, pyo3::PyAny>, _bufobj: pyo3::Bound<'p, pyo3::PyAny>, buf: &'p [u8], } @@ -34,10 +34,14 @@ fn _extract_buffer_length<'p>( Ok((bufobj, ptrval)) } -impl CffiBuf<'_> { +impl<'a> CffiBuf<'a> { pub(crate) fn as_bytes(&self) -> &[u8] { self.buf } + + pub(crate) fn into_pyobj(self) -> pyo3::Bound<'a, pyo3::PyAny> { + self.pyobj + } } impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { @@ -59,7 +63,7 @@ impl<'a> pyo3::conversion::FromPyObject<'a> for CffiBuf<'a> { }; Ok(CffiBuf { - _pyobj: pyobj.clone(), + pyobj: pyobj.clone(), _bufobj: bufobj, buf, }) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index ac076e667f4e..da929fee603f 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -100,6 +100,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> py padding::check_ansix923_padding, m )?)?; + m.add_class::()?; m.add_class::()?; m.add_submodule(&asn1::create_submodule(py)?)?; diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index 523fe85a5718..c4396c26f258 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs @@ -2,6 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +use crate::buf::CffiBuf; +use crate::error::{CryptographyError, CryptographyResult}; +use crate::exceptions; + /// Returns the value of the input with the most-significant-bit copied to all /// of the bits. fn duplicate_msb_to_all(a: u8) -> u8 { @@ -63,6 +67,51 @@ pub(crate) fn check_ansix923_padding(data: &[u8]) -> bool { (mismatch & 1) == 0 } +#[pyo3::prelude::pyclass] +pub(crate) struct PKCS7PaddingContext { + block_size: usize, + length_seen: Option, +} + +#[pyo3::prelude::pymethods] +impl PKCS7PaddingContext { + #[new] + fn new(block_size: usize) -> PKCS7PaddingContext { + PKCS7PaddingContext { + block_size: block_size / 8, + length_seen: Some(0), + } + } + + fn update<'a>(&mut self, buf: CffiBuf<'a>) -> CryptographyResult> { + match self.length_seen.as_mut() { + Some(v) => { + *v += buf.as_bytes().len(); + Ok(buf.into_pyobj()) + } + None => Err(CryptographyError::from( + exceptions::AlreadyFinalized::new_err("Context was already finalized."), + )), + } + } + + fn finalize<'p>( + &mut self, + py: pyo3::Python<'p>, + ) -> CryptographyResult> { + match self.length_seen.take() { + Some(v) => { + let pad_size = self.block_size - (v % self.block_size); + let pad = vec![pad_size as u8; pad_size]; + Ok(pyo3::types::PyBytes::new_bound(py, &pad)) + } + None => Err(CryptographyError::from( + exceptions::AlreadyFinalized::new_err("Context was already finalized."), + )), + } + } +} + #[cfg(test)] mod tests { use super::constant_time_lt; diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py index 2e20363f6f75..0ab1125f5bfb 100644 --- a/tests/hazmat/primitives/test_padding.py +++ b/tests/hazmat/primitives/test_padding.py @@ -47,9 +47,9 @@ def __str__(self): str(mybytes()) padder = padding.PKCS7(128).padder() - padder.update(mybytes(b"abc")) + data = padder.update(mybytes(b"abc")) + padder.finalize() unpadder = padding.PKCS7(128).unpadder() - unpadder.update(mybytes(padder.finalize())) + unpadder.update(mybytes(data)) assert unpadder.finalize() == b"abc" @pytest.mark.parametrize( From 4df6c01ac3c6243f04e6d10433f689191f7aec4d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 00:15:41 +0000 Subject: [PATCH 680/868] Bump BoringSSL and/or OpenSSL in CI (#11094) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4e5457fe8f51..076425e8bdd4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 09, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "56fb43a204e57af68e00f4561c108a7004381aa3"}} - # Latest commit on the OpenSSL master branch, as of Jun 08, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d4700c0b237c05315e3bf14fc416abcbdfe51ff2"}} + # Latest commit on the BoringSSL master branch, as of Jun 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a220a6024f66c123019b5c080f6bd8bcaf75448c"}} + # Latest commit on the OpenSSL master branch, as of Jun 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 71976f6f7806ad7a7ebfcd3bce32d843df5a2303 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 00:30:44 +0000 Subject: [PATCH 681/868] Bump x509-limbo and/or wycheproof in CI (#11095) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index cd53f58cc4c8..7a12ecdd7875 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jun 08, 2024. - ref: "8b32fa5893b1ebb30f7bb085ed39318177563e99" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jun 11, 2024. + ref: "257adafb03cd4023e6f273a0337444982d344eda" # x509-limbo-ref From 372ca87896becd029daa86ac0d758380ebfef083 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jun 2024 07:07:52 -0400 Subject: [PATCH 682/868] Bump more-itertools from 10.2.0 to 10.3.0 in /.github/requirements (#11096) Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 10.2.0 to 10.3.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v10.2.0...v10.3.0) --- updated-dependencies: - dependency-name: more-itertools dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index e4d52c8b1801..b6c5b7baaf1d 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -236,9 +236,9 @@ mdurl==0.1.2 \ --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba # via markdown-it-py -more-itertools==10.2.0 \ - --hash=sha256:686b06abe565edfab151cb8fd385a05651e1fdf8f0a14191e4439283421f8684 \ - --hash=sha256:8fccb480c43d3e99a00087634c06dd02b0d50fbf088b380de5a41a015ec239e1 +more-itertools==10.3.0 \ + --hash=sha256:e5d93ef411224fbcef366a6e8ddc4c5781bc6359d43412a65dd5964e46111463 \ + --hash=sha256:ea6a02e24a9161e51faad17a8782b92a0df82c12c1c8886fec7f0c3fa1a1b320 # via # jaraco-classes # jaraco-functools From 3720c39e59e1954a1bcd3ca8578244d527cefeb7 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 12 Jun 2024 00:16:25 +0000 Subject: [PATCH 683/868] Bump BoringSSL and/or OpenSSL in CI (#11098) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 076425e8bdd4..195d7fe4a6d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "a220a6024f66c123019b5c080f6bd8bcaf75448c"}} + # Latest commit on the BoringSSL master branch, as of Jun 12, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "962432c687f67f8df1aa6e3dd364fbc88fea4ed8"}} # Latest commit on the OpenSSL master branch, as of Jun 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}} # Builds with various Rust versions. Includes MSRV and next From ae5d3a2c068868b6e824a5eec0c455d32da8aa1a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 00:15:30 +0000 Subject: [PATCH 684/868] Bump BoringSSL and/or OpenSSL in CI (#11100) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 195d7fe4a6d0..f8dfb609afc5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,8 +43,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 12, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "962432c687f67f8df1aa6e3dd364fbc88fea4ed8"}} + # Latest commit on the BoringSSL master branch, as of Jun 13, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cac8a6b38c1cbd45c77aee108411d588da006fe"}} # Latest commit on the OpenSSL master branch, as of Jun 11, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}} # Builds with various Rust versions. Includes MSRV and next From f44f5ffd72891e1aa0be995639254829cd8bb35f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 07:03:20 -0400 Subject: [PATCH 685/868] Bump filelock from 3.14.0 to 3.15.1 (#11101) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.14.0 to 3.15.1. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.14.0...3.15.1) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 9a92c2b44218..e65c95b57f37 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.14.0; python_version >= "3.8" +filelock==3.15.1; python_version >= "3.8" # via virtualenv idna==3.7 # via requests From 8a44ae6fa2e6520e090c8ce55f046a538e75a6e4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 07:29:33 -0400 Subject: [PATCH 686/868] Bump actions/checkout from 4.1.6 to 4.1.7 (#11103) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 4 ++-- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 8 ++++---- .github/workflows/x509-limbo-version-bump.yml | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 83f0fd24e59a..f1b963c366b2 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false path: "cryptography-pr" - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: repository: "pyca/cryptography" diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index 84d260c3cc32..e2897ad02df4 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: check-sha-boring run: | SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/master | cut -f1) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8dfb609afc5..f08a9aa5f431 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,7 +54,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "nightly"} timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -179,7 +179,7 @@ jobs: sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release if: matrix.IMAGE.IMAGE == 'alpine:aarch64' - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -230,7 +230,7 @@ jobs: RUNNER: {OS: 'macos-14', ARCH: 'arm64'} timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -294,7 +294,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests"} timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -368,7 +368,7 @@ jobs: name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false @@ -412,7 +412,7 @@ jobs: if: ${{ always() }} timeout-minutes: 3 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 timeout-minutes: 3 with: persist-credentials: false diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index cb6261e988f8..d33ee2097787 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -20,7 +20,7 @@ jobs: name: "linkcheck" timeout-minutes: 10 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: persist-credentials: false - name: Setup python diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 29f678a4369c..9b417d4f7d7f 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -39,7 +39,7 @@ jobs: with: python-version: "3.11" - name: Get publish-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: sparse-checkout: | ${{ env.PUBLISH_REQUIREMENTS_PATH }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 97f5dc0879ec..f414af96b72d 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest name: sdists steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -108,7 +108,7 @@ jobs: if: startsWith(matrix.MANYLINUX.NAME, 'musllinux') && endsWith(matrix.MANYLINUX.NAME, 'aarch64') - name: Get build-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -198,7 +198,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ABI ${{ matrix.PYTHON.ABI_VERSION }} macOS ${{ matrix.PYTHON.ARCHFLAGS }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} @@ -292,7 +292,7 @@ jobs: name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION }}" steps: - name: Get build-requirements.txt from repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # The tag to build or the tag received by the tag event ref: ${{ github.event.inputs.version || github.ref }} diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 424dae0c46b5..45a4835050f9 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -13,7 +13,7 @@ jobs: if: github.repository_owner == 'pyca' runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: check-sha-x509-limbo run: | SHA=$(git ls-remote https://github.com/C2SP/x509-limbo refs/heads/main | cut -f1) From ffd613217d7e58b84a47148a3d2687eaaf143413 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 07:30:24 -0400 Subject: [PATCH 687/868] Bump dawidd6/action-download-artifact from 5 to 6 (#11102) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 5 to 6. - [Release notes](https://github.com/dawidd6/action-download-artifact/releases) - [Commits](https://github.com/dawidd6/action-download-artifact/compare/deb3bb83256a78589fef6a7b942e5f2573ad7c13...bf251b5aa9c2f7eeb574a96ee720e24f801b7c11) --- updated-dependencies: - dependency-name: dawidd6/action-download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f08a9aa5f431..905111a22dc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -255,7 +255,7 @@ jobs: timeout-minutes: 2 uses: ./.github/actions/fetch-vectors - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.WINDOWS.ARCH }}-${{ steps.setup-python.outputs.python-version }} - run: python -m pip install -c ci-constraints-requirements.txt "nox" "tomli; python_version < '3.11'" - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-windows-openssl.yml diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 9b417d4f7d7f..c2821fb627bc 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -48,7 +48,7 @@ jobs: - name: Install Python dependencies run: pip install --require-hashes -r ${{ env.PUBLISH_REQUIREMENTS_PATH }} - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: path: dist/ run_id: ${{ github.event.inputs.run_id || github.event.workflow_run.id }} diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index f414af96b72d..b7627cb438cd 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -218,7 +218,7 @@ jobs: with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-macos-openssl.yml @@ -315,7 +315,7 @@ jobs: toolchain: stable target: ${{ matrix.WINDOWS.RUST_TRIPLE }} - - uses: dawidd6/action-download-artifact@deb3bb83256a78589fef6a7b942e5f2573ad7c13 # v5 + - uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: repo: pyca/infra workflow: build-windows-openssl.yml From a12db35a0a8e8d265fd6fd310192c5447a694f2e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 23:30:59 +0000 Subject: [PATCH 688/868] Bump actions/attest-build-provenance from 1.2.0 to 1.3.1 (#11104) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.2.0 to 1.3.1. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/49df96e17e918a15956db358890b08e61c704919...534b352d658f90498fd148d231fdbf88f3886a3a) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index c2821fb627bc..4a51a1eb5a0b 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 + - uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 120158c08d152bef48db16a9d2778891efc7f666 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 23:31:24 +0000 Subject: [PATCH 689/868] Bump actions/checkout in /.github/actions/fetch-vectors (#11105) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 7a12ecdd7875..70fbf4593f6c 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -5,14 +5,14 @@ runs: using: "composite" steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: "C2SP/wycheproof" path: "wycheproof" # Latest commit on the wycheproof master branch, as of Apr 09, 2024. ref: "cd27d6419bedd83cbd24611ec54b6d4bfdb0cdca" # wycheproof-ref - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: "C2SP/x509-limbo" path: "x509-limbo" From 6e6ad6ef98cd5b4f99498bafc1d067399a764514 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Jun 2024 14:35:12 +0000 Subject: [PATCH 690/868] Bump redox_syscall from 0.5.1 to 0.5.2 in /src/rust (#11106) Bumps redox_syscall from 0.5.1 to 0.5.2. --- updated-dependencies: - dependency-name: redox_syscall dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4cac2c7fc3e3..7e5c989cbdfe 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -352,9 +352,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "469052894dcb553421e483e4209ee581a45100d31b4018de03e5a7ad86374a7e" +checksum = "c82cf8cff14456045f55ec4241383baeff27af886adb72ffb2162f99911de0fd" dependencies = [ "bitflags", ] From 3c08dd5b1142c0c96afa6f3f589ff8ee6a751a3e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 16 Jun 2024 00:16:09 +0000 Subject: [PATCH 691/868] Bump BoringSSL and/or OpenSSL in CI (#11108) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 905111a22dc6..598f50f8df7b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 13, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cac8a6b38c1cbd45c77aee108411d588da006fe"}} - # Latest commit on the OpenSSL master branch, as of Jun 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1977c00f00ad0546421a5ec0b40c1326aee4cddb"}} + # Latest commit on the OpenSSL master branch, as of Jun 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6e01d3114b77c82cf83a2bfe53f7ba97840fbe36"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2c62bdc432d7a8bd3bb637091e1bcc226a96feb4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Jun 2024 00:29:04 +0000 Subject: [PATCH 692/868] Bump ruff from 0.4.8 to 0.4.9 (#11109) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.8 to 0.4.9. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.8...v0.4.9) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index e65c95b57f37..3630e62548a2 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.8 +ruff==0.4.9 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 5c5dae906ec1f330f7a4e83563324fb7451f18f6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Jun 2024 11:54:10 +0000 Subject: [PATCH 693/868] Bump argcomplete from 3.3.0 to 3.4.0 (#11110) Bumps [argcomplete](https://github.com/kislyuk/argcomplete) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/kislyuk/argcomplete/releases) - [Changelog](https://github.com/kislyuk/argcomplete/blob/develop/Changes.rst) - [Commits](https://github.com/kislyuk/argcomplete/compare/v3.3.0...v3.4.0) --- updated-dependencies: - dependency-name: argcomplete dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3630e62548a2..81ff1f52ca6a 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -7,7 +7,7 @@ alabaster==0.7.16 # via sphinx -argcomplete==3.3.0; python_version >= "3.8" +argcomplete==3.4.0; python_version >= "3.8" # via nox babel==2.15.0 # via sphinx From 056f488bca57f22ead49d74629b8bb6ff249b6cc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jun 2024 22:59:35 +0000 Subject: [PATCH 694/868] Bump urllib3 from 2.2.1 to 2.2.2 (#11112) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.1 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.1...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 81ff1f52ca6a..6cc890454abd 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -148,7 +148,7 @@ tomli==2.0.1 # pytest typing-extensions==4.12.2; python_version >= "3.8" # via mypy -urllib3==2.2.1 +urllib3==2.2.2 # via requests virtualenv==20.26.2 # via nox From 28aefb2fa04bd083cd9bbc51312f612595a73296 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 00:15:58 +0000 Subject: [PATCH 695/868] Bump BoringSSL and/or OpenSSL in CI (#11113) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 598f50f8df7b..4b50a23f0cc7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 13, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "9cac8a6b38c1cbd45c77aee108411d588da006fe"}} - # Latest commit on the OpenSSL master branch, as of Jun 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "6e01d3114b77c82cf83a2bfe53f7ba97840fbe36"}} + # Latest commit on the BoringSSL master branch, as of Jun 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e1d209d4432846d28c31d84f269f4edcb9a63509"}} + # Latest commit on the OpenSSL master branch, as of Jun 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "58301e24f66aa74b13b85a171dd14e6088c35662"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From fd171b1ba04e29f53c16069e6b96b6b53f09c964 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 00:31:33 +0000 Subject: [PATCH 696/868] Bump x509-limbo and/or wycheproof in CI (#11114) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 70fbf4593f6c..95e11dbdfde4 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jun 11, 2024. - ref: "257adafb03cd4023e6f273a0337444982d344eda" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jun 18, 2024. + ref: "bd88042508ccfde351b2fee293aebda8971fbebb" # x509-limbo-ref From adc74b3a82f8429259218b6a47443bb6b81456cd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 13:07:11 +0200 Subject: [PATCH 697/868] Bump actions/attest-build-provenance from 1.3.1 to 1.3.2 (#11115) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.3.1 to 1.3.2. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/534b352d658f90498fd148d231fdbf88f3886a3a...bdd51370e0416ac948727f861e03c2f05d32d78e) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 4a51a1eb5a0b..1a6fec6c988b 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1 + - uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From c91352e3dde465f56dba67d4709ceaf5012637fd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 20:23:18 -0400 Subject: [PATCH 698/868] Bump BoringSSL and/or OpenSSL in CI (#11116) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b50a23f0cc7..cd02df5b8ea5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 18, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "e1d209d4432846d28c31d84f269f4edcb9a63509"}} - # Latest commit on the OpenSSL master branch, as of Jun 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "58301e24f66aa74b13b85a171dd14e6088c35662"}} + # Latest commit on the BoringSSL master branch, as of Jun 19, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c6c0b650091e90e6206a361c14a73223f54d42c1"}} + # Latest commit on the OpenSSL master branch, as of Jun 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5aec3f4a72604d76970581f1ea445b331beda608"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From d3ff595cccb610753c2cf947197748a8b05cdcbe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 20:37:00 -0400 Subject: [PATCH 699/868] Bump urllib3 from 2.2.1 to 2.2.2 in /.github/requirements (#11117) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.1 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.1...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index b6c5b7baaf1d..a43cf0a7c1d9 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -305,9 +305,9 @@ twine==5.1.0 \ --hash=sha256:4d74770c88c4fcaf8134d2a6a9d863e40f08255ff7d8e2acb3cbbd57d25f6e9d \ --hash=sha256:fe1d814395bfe50cfbe27783cb74efe93abeac3f66deaeb6c8390e4e92bacb43 # via -r publish-requirements.in -urllib3==2.2.1 \ - --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ - --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19 +urllib3==2.2.2 \ + --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ + --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 # via # requests # twine From c161a6892a17796624926b97a7cc27ffb9efdaa8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 07:14:38 -0400 Subject: [PATCH 700/868] Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#11119) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.5 to 6.1.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/6d6857d36972b65feb161a90e484f2984215f83e...c5a7806660adbe173f04e3e038b0ccdcd758773c) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/boring-open-version-bump.yml | 2 +- .github/workflows/x509-limbo-version-bump.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/boring-open-version-bump.yml b/.github/workflows/boring-open-version-bump.yml index e2897ad02df4..64925545d1a4 100644 --- a/.github/workflows/boring-open-version-bump.yml +++ b/.github/workflows/boring-open-version-bump.yml @@ -58,7 +58,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: branch: "bump-openssl-boringssl" commit-message: "Bump BoringSSL and/or OpenSSL in CI" diff --git a/.github/workflows/x509-limbo-version-bump.yml b/.github/workflows/x509-limbo-version-bump.yml index 45a4835050f9..eb2114e7e873 100644 --- a/.github/workflows/x509-limbo-version-bump.yml +++ b/.github/workflows/x509-limbo-version-bump.yml @@ -57,7 +57,7 @@ jobs: private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }} if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA - name: Create Pull Request - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: branch: "bump-vectors" commit-message: "Bump x509-limbo and/or wycheproof in CI" From fc6cc42e4f1bc308481c3538ce57d0d8e208ecb2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Jun 2024 10:53:21 -0400 Subject: [PATCH 701/868] pin python version for downstream tests due to twisted/python bug (#11121) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd02df5b8ea5..58dc04617521 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -364,7 +364,7 @@ jobs: - mitmproxy - scapy PYTHON: - - '3.12' + - '3.12.3' name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: From cb6587df388a59d449a3dbda9a153744bdb5a621 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 11:11:45 -0400 Subject: [PATCH 702/868] Bump setuptools from 70.0.0 to 70.1.0 in /.github/requirements (#11120) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.0.0 to 70.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.0.0...v70.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 6474acf80afd..2e3ccf055388 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -80,9 +80,9 @@ wheel==0.43.0 \ # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: -setuptools==70.0.0 \ - --hash=sha256:54faa7f2e8d2d11bcd2c07bed282eef1046b5c080d1c32add737d7b5817b1ad4 \ - --hash=sha256:f211a66637b8fa059bb28183da127d4e86396c991a942b028c6650d4319c3fd0 +setuptools==70.1.0 \ + --hash=sha256:01a1e793faa5bd89abc851fa15d0a0db26f160890c7102cd8dce643e886b47f5 \ + --hash=sha256:d9b8b771455a97c8a9f3ab3448ebe0b29b5e105f1228bba41028be116985a267 # via # -r build-requirements.in # setuptools-rust From 51970d4e0b11d8ed4615485c0fc5cfd82fb04ff4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 19 Jun 2024 14:43:32 -0400 Subject: [PATCH 703/868] =?UTF-8?q?Revert=20"pin=20python=20version=20for?= =?UTF-8?q?=20downstream=20tests=20due=20to=20twisted/python=20bug=20(#1?= =?UTF-8?q?=E2=80=A6"=20(#11124)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit fc6cc42e4f1bc308481c3538ce57d0d8e208ecb2. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58dc04617521..cd02df5b8ea5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -364,7 +364,7 @@ jobs: - mitmproxy - scapy PYTHON: - - '3.12.3' + - '3.12' name: "Downstream tests for ${{ matrix.DOWNSTREAM }}" timeout-minutes: 15 steps: From 1c013650e7eadb99b62490b6b8a30310ceb5ce7e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 19 Jun 2024 20:49:39 +0000 Subject: [PATCH 704/868] Bump filelock from 3.15.1 to 3.15.3 (#11125) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.15.1 to 3.15.3. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.15.1...3.15.3) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6cc890454abd..df49bb53059f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.15.1; python_version >= "3.8" +filelock==3.15.3; python_version >= "3.8" # via virtualenv idna==3.7 # via requests From 8f7db777136efe9b31c4c4b1168f7efdb79087bd Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 20 Jun 2024 00:16:23 +0000 Subject: [PATCH 705/868] Bump BoringSSL and/or OpenSSL in CI (#11127) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd02df5b8ea5..3201afba82fc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 19, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "c6c0b650091e90e6206a361c14a73223f54d42c1"}} - # Latest commit on the OpenSSL master branch, as of Jun 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5aec3f4a72604d76970581f1ea445b331beda608"}} + # Latest commit on the BoringSSL master branch, as of Jun 20, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "84dc9bb624b47bda0bf802ae9e04a6eecb40865c"}} + # Latest commit on the OpenSSL master branch, as of Jun 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d5412c94a399d3923b2dec2431ead60288d857c8"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 604594fc123ce0797ee45417ed315871922562fe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Jun 2024 03:23:19 -0400 Subject: [PATCH 706/868] Use workspace inheritance to reduce duplication (#11126) This relies on Rust 1.65 --- src/rust/Cargo.toml | 11 +++++++++-- src/rust/cryptography-cffi/Cargo.toml | 11 +++++------ src/rust/cryptography-keepalive/Cargo.toml | 11 +++++------ src/rust/cryptography-key-parsing/Cargo.toml | 11 +++++------ src/rust/cryptography-openssl/Cargo.toml | 11 +++++------ src/rust/cryptography-x509-verification/Cargo.toml | 11 +++++------ 6 files changed, 34 insertions(+), 32 deletions(-) diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 9f49dc9c6e92..86f93db552c0 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -1,5 +1,4 @@ -[package] -name = "cryptography-rust" +[workspace.package] version = "0.1.0" authors = ["The cryptography developers "] edition = "2021" @@ -7,6 +6,14 @@ publish = false # This specifies the MSRV rust-version = "1.65.0" +[package] +name = "cryptography-rust" +version.workspace = true +authors.workspace = true +edition.workspace = true +publish.workspace = true +rust-version.workspace = true + [dependencies] once_cell = "1" cfg-if = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index b0794661054f..e019d4029dd4 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -1,11 +1,10 @@ [package] name = "cryptography-cffi" -version = "0.1.0" -authors = ["The cryptography developers "] -edition = "2021" -publish = false -# This specifies the MSRV -rust-version = "1.65.0" +version.workspace = true +authors.workspace = true +edition.workspace = true +publish.workspace = true +rust-version.workspace = true [dependencies] pyo3 = { version = "0.21.2", features = ["abi3"] } diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index c3a1c24e912d..18a214e9a744 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -1,11 +1,10 @@ [package] name = "cryptography-keepalive" -version = "0.1.0" -authors = ["The cryptography developers "] -edition = "2021" -publish = false -# This specifies the MSRV -rust-version = "1.65.0" +version.workspace = true +authors.workspace = true +edition.workspace = true +publish.workspace = true +rust-version.workspace = true [dependencies] pyo3 = { version = "0.21.2", features = ["abi3"] } diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 9d4e5d00fbdf..6a9d6797b982 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -1,11 +1,10 @@ [package] name = "cryptography-key-parsing" -version = "0.1.0" -authors = ["The cryptography developers "] -edition = "2021" -publish = false -# This specifies the MSRV -rust-version = "1.65.0" +version.workspace = true +authors.workspace = true +edition.workspace = true +publish.workspace = true +rust-version.workspace = true [dependencies] asn1 = { version = "0.16.2", default-features = false } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 04bef373ca35..f2dc5100e6fd 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -1,11 +1,10 @@ [package] name = "cryptography-openssl" -version = "0.1.0" -authors = ["The cryptography developers "] -edition = "2021" -publish = false -# This specifies the MSRV -rust-version = "1.65.0" +version.workspace = true +authors.workspace = true +edition.workspace = true +publish.workspace = true +rust-version.workspace = true [dependencies] cfg-if = "1" diff --git a/src/rust/cryptography-x509-verification/Cargo.toml b/src/rust/cryptography-x509-verification/Cargo.toml index 086332bd4529..2e1e7495af0a 100644 --- a/src/rust/cryptography-x509-verification/Cargo.toml +++ b/src/rust/cryptography-x509-verification/Cargo.toml @@ -1,11 +1,10 @@ [package] name = "cryptography-x509-verification" -version = "0.1.0" -authors = ["The cryptography developers "] -edition = "2021" -publish = false -# This specifies the MSRV -rust-version = "1.65.0" +version.workspace = true +authors.workspace = true +edition.workspace = true +publish.workspace = true +rust-version.workspace = true [dependencies] asn1 = { version = "0.16.2", default-features = false } From 320314cc4a35a22a2ec95a6fa95edea8b017cb54 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 20 Jun 2024 03:27:42 -0400 Subject: [PATCH 707/868] See if wheel dep is required (#11122) The setuptools changelog sort of implies its not anymore --- .github/requirements/build-requirements.in | 1 - .github/requirements/build-requirements.txt | 4 ---- pyproject.toml | 1 - 3 files changed, 6 deletions(-) diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index 564eacec8d48..4b916ef1ca97 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -1,6 +1,5 @@ # Must be kept sync with build-system.requires at pyproject.toml setuptools>=61.0.0 -wheel cffi>=1.12; platform_python_implementation != 'PyPy' setuptools-rust>=1.7.0 diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2e3ccf055388..fbf31d477a47 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -74,10 +74,6 @@ tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f # via setuptools-rust -wheel==0.43.0 \ - --hash=sha256:465ef92c69fa5c5da2d1cf8ac40559a8c940886afcef87dcf14b9470862f1d85 \ - --hash=sha256:55c570405f142630c6b9f72fe09d9b67cf1477fcf543ae5b8dcb1f5b7377da81 - # via -r build-requirements.in # The following packages are considered to be unsafe in a requirements file: setuptools==70.1.0 \ diff --git a/pyproject.toml b/pyproject.toml index 64e33aac8aca..186ca1d6b27c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,6 @@ requires = [ # First version of setuptools to support pyproject.toml configuration "setuptools>=61.0.0", - "wheel", # Must be kept in sync with `project.dependencies` "cffi>=1.12; platform_python_implementation != 'PyPy'", "setuptools-rust>=1.7.0", From ca6597c448ece36bbd368b9ea7a587ec1a5357c4 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 00:16:11 +0000 Subject: [PATCH 708/868] Bump BoringSSL and/or OpenSSL in CI (#11130) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3201afba82fc..ebf914c3b549 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 20, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "84dc9bb624b47bda0bf802ae9e04a6eecb40865c"}} - # Latest commit on the OpenSSL master branch, as of Jun 20, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d5412c94a399d3923b2dec2431ead60288d857c8"}} + # Latest commit on the BoringSSL master branch, as of Jun 21, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d1e6d3b4af50c9490cc6210e2763b3c45ba14b07"}} + # Latest commit on the OpenSSL master branch, as of Jun 21, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a7ed61ce8b0565483e6b0e44ed9b13682305e609"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 737de4377cb133f11a60ae75ac20d708f7a7d83b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 03:56:59 +0000 Subject: [PATCH 709/868] Bump ruff from 0.4.9 to 0.4.10 (#11131) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.9 to 0.4.10. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.9...v0.4.10) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index df49bb53059f..c2f2fd40a40b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.9 +ruff==0.4.10 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 60e81c1d73d235519e1c558b1be093dbb57d8bd7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 03:59:52 +0000 Subject: [PATCH 710/868] Bump proc-macro2 from 1.0.85 to 1.0.86 in /src/rust (#11132) Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.85 to 1.0.86. - [Release notes](https://github.com/dtolnay/proc-macro2/releases) - [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.85...1.0.86) --- updated-dependencies: - dependency-name: proc-macro2 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7e5c989cbdfe..0c6459c89a7a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -271,9 +271,9 @@ checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" [[package]] name = "proc-macro2" -version = "1.0.85" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22244ce15aa966053a896d1accb3a6e68469b97c7f33f284b99f0d576879fc23" +checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" dependencies = [ "unicode-ident", ] From 2d69b8634055489d5246ab9b4c38704bf66b6fdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 04:00:01 +0000 Subject: [PATCH 711/868] Bump syn from 2.0.66 to 2.0.67 in /src/rust (#11133) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.66 to 2.0.67. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.66...2.0.67) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0c6459c89a7a..81d38c1975a8 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.66" +version = "2.0.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c42f3f41a2de00b01c0aaad383c5a45241efc8b2d1eda5661812fda5f3cdcff5" +checksum = "ff8655ed1d86f3af4ee3fd3263786bc14245ad17c4c7e85ba7187fb3ae028c90" dependencies = [ "proc-macro2", "quote", From b8dc9ddddcca12a0eab2caf6a4d3bd7f1b78b135 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Jun 2024 00:02:31 -0400 Subject: [PATCH 712/868] Bump importlib-metadata from 7.1.0 to 7.2.0 in /.github/requirements (#11134) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.1.0 to 7.2.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.1.0...v7.2.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index a43cf0a7c1d9..6a1a5ff2a41a 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==7.1.0 \ - --hash=sha256:30962b96c0c223483ed6cc7280e7f0199feb01a0e40cfae4d4450fc6fab1f570 \ - --hash=sha256:b78938b926ee8d5f020fc4772d487045805a55ddbad2ecf21c6d60938dc7fcd2 +importlib-metadata==7.2.0 \ + --hash=sha256:04e4aad329b8b948a5711d394fa8759cb80f009225441b4f2a02bd4d8e5f426c \ + --hash=sha256:3ff4519071ed42740522d494d04819b666541b9752c43012f85afb2cc220fcc6 # via # keyring # twine From 5440f1dfec3845ec16db4eaa6e360181ccba6f80 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Thu, 20 Jun 2024 22:33:19 -0700 Subject: [PATCH 713/868] Fix docstring for _SSHFormatSKECDSA.load_public (#11135) Correct a small mistake from copy-pasting the docstring of `_SSHFormatSKEd25519.load_public` as noted in https://github.com/pyca/cryptography/commit/51a6dd28ccbb7587fff9e951299b17aac39ee5cc#r143361696. --- src/cryptography/hazmat/primitives/serialization/ssh.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index 51cddab47377..321519f3e596 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -620,7 +620,7 @@ class _SSHFormatSKECDSA: def load_public( self, data: memoryview ) -> tuple[ec.EllipticCurvePublicKey, memoryview]: - """Make Ed25519 public key from data.""" + """Make ECDSA public key from data.""" public_key, data = _lookup_kformat(_ECDSA_NISTP256).load_public(data) _, data = load_application(data) return public_key, data From ebbfd84dc8709f1d8c5283d1350a8d9127596931 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 00:16:03 +0000 Subject: [PATCH 714/868] Bump BoringSSL and/or OpenSSL in CI (#11136) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ebf914c3b549..4b0271579b94 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 21, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d1e6d3b4af50c9490cc6210e2763b3c45ba14b07"}} - # Latest commit on the OpenSSL master branch, as of Jun 21, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "a7ed61ce8b0565483e6b0e44ed9b13682305e609"}} + # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} + # Latest commit on the OpenSSL master branch, as of Jun 22, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 73717542c4153e8fb845a62db478a7bc0b310d29 Mon Sep 17 00:00:00 2001 From: Nathan Easton Date: Sat, 22 Jun 2024 09:16:50 -0400 Subject: [PATCH 715/868] Update reference.rst (#11137) * Update reference.rst This code snippet works when importing the extension oid * Apply suggestions from code review Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- docs/x509/reference.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 6aa0f6667ba2..c3de5e6dcb58 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -2405,6 +2405,7 @@ X.509 Extensions >>> from cryptography import x509 >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.x509.oid import ExtensionOID >>> cert = x509.load_pem_x509_certificate(cryptography_cert_pem) >>> # Get the subjectAltName extension from the certificate >>> ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME) From 77e9c04f972a60b8aa76c279ffdbe77acc37cee8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 21:05:24 +0000 Subject: [PATCH 716/868] Bump filelock from 3.15.3 to 3.15.4 (#11138) Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.15.3 to 3.15.4. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](https://github.com/tox-dev/py-filelock/compare/3.15.3...3.15.4) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c2f2fd40a40b..3d57deaaa8a7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -40,7 +40,7 @@ exceptiongroup==1.2.1 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist -filelock==3.15.3; python_version >= "3.8" +filelock==3.15.4; python_version >= "3.8" # via virtualenv idna==3.7 # via requests From 1288fec3618d8239b1aed7000efc67101ceb9427 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 21:12:42 +0000 Subject: [PATCH 717/868] Bump virtualenv from 20.26.2 to 20.26.3 (#11139) Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.2 to 20.26.3. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/virtualenv/compare/20.26.2...20.26.3) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 3d57deaaa8a7..bbc3ee3ddc89 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -150,7 +150,7 @@ typing-extensions==4.12.2; python_version >= "3.8" # via mypy urllib3==2.2.2 # via requests -virtualenv==20.26.2 +virtualenv==20.26.3 # via nox # The following packages are considered to be unsafe in a requirements file: From a728550819df356bb39c92c2253c08d41dfcb663 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 22 Jun 2024 22:06:29 -0400 Subject: [PATCH 718/868] Bump BoringSSL and/or OpenSSL in CI (#11140) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b0271579b94..1e83f463206e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} - # Latest commit on the OpenSSL master branch, as of Jun 22, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7d2c0a4b1feb152ee1190dfedc65dfd1c928f9e5"}} + # Latest commit on the OpenSSL master branch, as of Jun 23, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b23cd39f0a4e3cfe142694402a5246a498a3574f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From fbf6a9da0f4267c520677f7d8f7650202b0a28f3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Jun 2024 15:40:52 +0000 Subject: [PATCH 719/868] Bump cc from 1.0.99 to 1.0.100 in /src/rust (#11141) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.99 to 1.0.100. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/1.0.99...cc-v1.0.100) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 81d38c1975a8..54b2f879f112 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" [[package]] name = "cc" -version = "1.0.99" +version = "1.0.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96c51067fd44124faa7f870b4b1c969379ad32b2ba805aa959430ceaa384f695" +checksum = "c891175c3fb232128f48de6590095e59198bbeb8620c310be349bfc3afd12c7b" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e019d4029dd4..64f4bb63f7da 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.21.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.99" +cc = "1.0.100" From e93978ed8786ae4337bee4901b31be6765af3d25 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Jun 2024 15:41:35 +0000 Subject: [PATCH 720/868] Bump coverage from 7.5.3 to 7.5.4 (#11142) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.3 to 7.5.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.3...7.5.4) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index bbc3ee3ddc89..b61efa28b051 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.3; python_version >= "3.8" +coverage==7.5.4; python_version >= "3.8" # via # coverage # pytest-cov From e0b7e77039d940f5872308551b67c110c3fbeeec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Jun 2024 11:49:56 -0400 Subject: [PATCH 721/868] Bump importlib-metadata from 7.2.0 to 7.2.1 in /.github/requirements (#11143) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.2.0 to 7.2.1. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.2.0...v7.2.1) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 6a1a5ff2a41a..688680a343a2 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==7.2.0 \ - --hash=sha256:04e4aad329b8b948a5711d394fa8759cb80f009225441b4f2a02bd4d8e5f426c \ - --hash=sha256:3ff4519071ed42740522d494d04819b666541b9752c43012f85afb2cc220fcc6 +importlib-metadata==7.2.1 \ + --hash=sha256:509ecb2ab77071db5137c655e24ceb3eee66e7bbc6574165d0d114d9fc4bbe68 \ + --hash=sha256:ffef94b0b66046dd8ea2d619b701fe978d9264d38f3998bc4c27ec3b146a87c8 # via # keyring # twine From 0095293a49a479c62dfbd49bfc05216ef096588c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 00:17:23 +0000 Subject: [PATCH 722/868] Bump BoringSSL and/or OpenSSL in CI (#11144) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1e83f463206e..9aeb7f4cbb78 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} - # Latest commit on the OpenSSL master branch, as of Jun 23, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b23cd39f0a4e3cfe142694402a5246a498a3574f"}} + # Latest commit on the OpenSSL master branch, as of Jun 24, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "89c9c3b857b5d68d835c3c3d371dc74a26f568fd"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 94aeb6cbaee6fa2178e398b622a61e23373be6c9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 01:13:14 +0000 Subject: [PATCH 723/868] Bump syn from 2.0.67 to 2.0.68 in /src/rust (#11145) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.67 to 2.0.68. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.67...2.0.68) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 54b2f879f112..bb06e38a5950 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -379,9 +379,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "syn" -version = "2.0.67" +version = "2.0.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff8655ed1d86f3af4ee3fd3263786bc14245ad17c4c7e85ba7187fb3ae028c90" +checksum = "901fa70d88b9d6c98022e23b4136f9f3e54e4662c3bc1bd1d84a42a9a0f0c1e9" dependencies = [ "proc-macro2", "quote", From 428b384c5096d0e2730bee580a3189adf1cd2962 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 00:16:06 +0000 Subject: [PATCH 724/868] Bump BoringSSL and/or OpenSSL in CI (#11151) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9aeb7f4cbb78..8b6da567ba3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 22, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "45db24b36a030ec54464ea7a26c362f3c82305ee"}} - # Latest commit on the OpenSSL master branch, as of Jun 24, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "89c9c3b857b5d68d835c3c3d371dc74a26f568fd"}} + # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} + # Latest commit on the OpenSSL master branch, as of Jun 25, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42a8ef844e5fca55abb608beb62695abe80c6b6d"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8b9a316af64d9b5ba25f5b4523c24ad9353c3c99 Mon Sep 17 00:00:00 2001 From: Peter Gessler Date: Mon, 24 Jun 2024 22:27:23 -0500 Subject: [PATCH 725/868] Align `cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates` ASN.1 structure to `openssl crl2pkcs7 -nocrl -certfile ...` (#11123) * align PKCS7 serialize certificates with openssl behavior * replace pkcs7 test vectors --- CHANGELOG.rst | 2 + src/rust/src/pkcs7.rs | 2 +- .../pkcs7/amazon-roots.der | Bin 1842 -> 1838 bytes vectors/cryptography_vectors/pkcs7/isrg.pem | 61 +++++++++--------- 4 files changed, 33 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d543896aed28..4218ab776d02 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -15,6 +15,8 @@ Changelog * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. +* :func:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates` + now has consistent ASN.1 structure to ``openssl crl2pkcs7 -nocrl -certfile ...``. * Added new :doc:`/hazmat/decrepit/index` module which contains outdated and insecure cryptographic primitives. :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index c2dcbc94974f..e08a67e73a2f 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -59,7 +59,7 @@ fn serialize_certificates<'p>( digest_algorithms: asn1::SetOfWriter::new(&[]), content_info: pkcs7::ContentInfo { _content_type: asn1::DefinedByMarker::marker(), - content: pkcs7::Content::Data(Some(asn1::Explicit::new(b""))), + content: pkcs7::Content::Data(None), }, certificates: Some(asn1::SetOfWriter::new(&raw_certs)), crls: None, diff --git a/vectors/cryptography_vectors/pkcs7/amazon-roots.der b/vectors/cryptography_vectors/pkcs7/amazon-roots.der index f9eab5c17771f5745d68d2098b920e07b344e442..cba6154224c6f631850aa39e2bb20e580df09ab8 100644 GIT binary patch delta 50 wcmdnQw~kNKpov|JjZ>@5qwPB{BRkWACU$9{kT??~qalL@5qwPB{BRkWACU$wCkTeq`qalLvf A;s5{u diff --git a/vectors/cryptography_vectors/pkcs7/isrg.pem b/vectors/cryptography_vectors/pkcs7/isrg.pem index 63698aa11348..3f7d54956644 100644 --- a/vectors/cryptography_vectors/pkcs7/isrg.pem +++ b/vectors/cryptography_vectors/pkcs7/isrg.pem @@ -1,33 +1,32 @@ -----BEGIN PKCS7----- -MIIFngYJKoZIhvcNAQcCoIIFjzCCBYsCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIF -bzCCBWswggNToAMCAQICEQCCEM+w0kDjWURj4LtjgosAMA0GCSqGSIb3DQEBCwUA -ME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBTZWN1cml0eSBSZXNl -YXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgxMB4XDTE1MDYwNDExMDQz -OFoXDTM1MDYwNDExMDQzOFowTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVy -bmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3Qg -WDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1co -HIe+3LffOJCMbjzmV6B493XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZsh -ftEzPLpI9d1537O4/xLxIZpLwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+ -lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vr -Fk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6s -hweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98fl -AgeYjzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81 -LygXbNKYwagJZHduRze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1 -pzpRboY7nn1ypxIFeFntPlF4FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0 -544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K2 -8Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdw -iK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD -VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJ -KoZIhvcNAQELBQADggIBAFUfWKm8sqhQ0Ayx2BppICcpCKxhdVyKbviC5Wkv1fZW -S7m4cxBZ0yGXfudMcfuy0mCtOagL6hchVoXxUA5Z687gWem6yRXvhp2PhID25OmR -kNwXm2IbRfBmldJ8b8LqO+8fz8vWrifxqbDIrv19fpr6IgTr/9l/6pErIrEXDo/y -ijRbWNj8AclUubgmzIqIM4lMLYQ8gt/ullcFuiy798S3x047gr4xyCJzc5LRwoCk -OTkQMyOCTDyfhrJVmB2+KYaMIpue4ms7VzqCcE3cCceJywoHTWzoXY7J786rx7u1 -K05F1krQJszlcsoIaqWV4xWh96TtySxfpfv/rCgCLr7Xe7vjcXuQFtMHXkZTfDcH -QozTxJac1Zm1KuCVGoBIrkw5B87MR6RSlSu6uPut0jNTfeUdTW3VobHHQm/mQCc1 -XKMotweN540zkOcjn/tQnHlsRtW0FbOWbn6bDJY6uFItP9Zb4fsIwoT+JKijidqs -auEYKrGoQ2Fb0x/cO4128i3ojXXfFzNsPVP7e8tBX//cotBhOOGWuKxdizfXddUz -wJkRrp1BwXJ1hL4CQUJfZyRIlNGbJ74HP7m4T4F0UeF6t+2dI+K+4NUoBBM8MQOe -3Xpsj8YHGMZ/3keOPyieBAbPpVQ0d73siZvpF0PfW9tf/o4eV6LNQJ1+YiLa3hgn -MQA= +MIIFmgYJKoZIhvcNAQcCoIIFizCCBYcCAQExADALBgkqhkiG9w0BBwGgggVvMIIF +azCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAwTzEL +MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo +IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4WhcN +MzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQg +U2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygch77c +t984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+0TM8 +ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6UA5/T +R5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sWT8KO +EUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyHB5T0 +Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UCB5iP +NgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUvKBds +0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWnOlFu +hjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTnjh8B +CNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbwqHyG +O0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CIrU7m +2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkqhkiG +9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZLubhz +EFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ3Beb +YhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KKNFtY +2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5ORAz +I4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7UrTkXW +StAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdCjNPE +lpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVcoyi3 +B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq4Rgq +sahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPAmRGu +nUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57demyP +xgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCcxAA== -----END PKCS7----- From 4a25070cc91cc6f5540b225c5cdd781b90fc004f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 25 Jun 2024 00:49:53 -0400 Subject: [PATCH 726/868] Remove the requirement for VerificationCertificate to be Clone (#11149) This is done by passing around references, rather than owned copies. Necessary for the pyo3 0.22 upgrade. --- .../cryptography-x509-verification/src/lib.rs | 38 ++++++++-------- .../cryptography-x509-verification/src/ops.rs | 7 +-- .../src/trust_store.rs | 9 ++-- src/rust/src/x509/verify.rs | 44 +++++++++++++------ 4 files changed, 55 insertions(+), 43 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 169226c908ea..3649890c8cd1 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -213,22 +213,22 @@ impl<'a, 'chain> NameChain<'a, 'chain> { } } -pub type Chain<'c, B> = Vec>; +pub type Chain<'a, 'c, B> = Vec<&'a VerificationCertificate<'c, B>>; -pub fn verify<'chain, B: CryptoOps>( - leaf: &VerificationCertificate<'chain, B>, - intermediates: impl IntoIterator>, - policy: &Policy<'_, B>, - store: &Store<'chain, B>, -) -> Result, ValidationError> { - let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store); +pub fn verify<'a, 'chain: 'a, B: CryptoOps>( + leaf: &'a VerificationCertificate<'chain, B>, + intermediates: &'a [&'a VerificationCertificate<'chain, B>], + policy: &'a Policy<'_, B>, + store: &'a Store<'chain, B>, +) -> Result, ValidationError> { + let builder = ChainBuilder::new(intermediates, policy, store); let mut budget = Budget::new(); builder.build_chain(leaf, &mut budget) } struct ChainBuilder<'a, 'chain, B: CryptoOps> { - intermediates: Vec>, + intermediates: &'a [&'a VerificationCertificate<'chain, B>], policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, } @@ -252,9 +252,9 @@ impl ApplyNameConstraintStatus { } } -impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { +impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn new( - intermediates: Vec>, + intermediates: &'a [&'a VerificationCertificate<'chain, B>], policy: &'a Policy<'a, B>, store: &'a Store<'chain, B>, ) -> Self { @@ -266,7 +266,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { } fn potential_issuers( - &'a self, + &self, cert: &'a VerificationCertificate<'chain, B>, ) -> impl Iterator> + '_ { // TODO: Optimizations: @@ -274,19 +274,19 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { self.store .get_by_subject(&cert.certificate().tbs_cert.issuer) .iter() - .chain(self.intermediates.iter().filter(|&candidate| { + .chain(self.intermediates.iter().copied().filter(|&candidate| { candidate.certificate().subject() == cert.certificate().issuer() })) } fn build_chain_inner( &self, - working_cert: &VerificationCertificate<'chain, B>, + working_cert: &'a VerificationCertificate<'chain, B>, current_depth: u8, working_cert_extensions: &Extensions<'chain>, name_chain: NameChain<'_, 'chain>, budget: &mut Budget, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) { name_chain.evaluate_constraints(&nc.value()?, budget)?; } @@ -294,7 +294,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { // Look in the store's root set to see if the working cert is listed. // If it is, we've reached the end. if self.store.contains(working_cert) { - return Ok(vec![working_cert.clone()]); + return Ok(vec![working_cert]); } // Check that our current depth does not exceed our policy-configured @@ -357,7 +357,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { budget, ) { Ok(mut chain) => { - chain.push(working_cert.clone()); + chain.push(working_cert); return Ok(chain); } // Immediately return on fatal error. @@ -387,9 +387,9 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> { fn build_chain( &self, - leaf: &VerificationCertificate<'chain, B>, + leaf: &'a VerificationCertificate<'chain, B>, budget: &mut Budget, - ) -> Result, ValidationError> { + ) -> Result, ValidationError> { // Before anything else, check whether the given leaf cert // is well-formed according to our policy (and its underlying // certificate profile). diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs index 807bce5dff93..1b2f593ccc0b 100644 --- a/src/rust/cryptography-x509-verification/src/ops.rs +++ b/src/rust/cryptography-x509-verification/src/ops.rs @@ -39,11 +39,6 @@ impl PartialEq for VerificationCertificate<'_, B> { } } impl Eq for VerificationCertificate<'_, B> {} -impl Clone for VerificationCertificate<'_, B> { - fn clone(&self) -> Self { - VerificationCertificate::new(self.cert.clone(), self.extra.clone()) - } -} pub trait CryptoOps { /// A public key type for this cryptographic backend. @@ -53,7 +48,7 @@ pub trait CryptoOps { type Err; /// Extra data that's passed around with the certificate. - type CertificateExtra: Clone; + type CertificateExtra; /// Extracts the public key from the given `Certificate` in /// a `Key` format known by the cryptographic backend, or `None` diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs index 462b81965df4..1d76bd584a5a 100644 --- a/src/rust/cryptography-x509-verification/src/trust_store.rs +++ b/src/rust/cryptography-x509-verification/src/trust_store.rs @@ -22,7 +22,7 @@ impl<'a, B: CryptoOps> Store<'a, B> { by_subject .entry(cert.certificate().tbs_cert.subject.clone()) .or_default() - .push(cert.clone()); + .push(cert); } Store { by_subject } } @@ -51,9 +51,10 @@ mod tests { #[test] fn test_store() { let cert_pem = v1_cert_pem(); - let cert = VerificationCertificate::new(cert(&cert_pem), ()); - let store = Store::<'_, PublicKeyErrorOps>::new([cert.clone()]); + let cert1 = VerificationCertificate::new(cert(&cert_pem), ()); + let cert2 = VerificationCertificate::new(cert(&cert_pem), ()); + let store = Store::<'_, PublicKeyErrorOps>::new([cert1]); - assert!(store.contains(&cert)); + assert!(store.contains(&cert2)); } } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 9b1db24a5790..284809525794 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -260,17 +260,25 @@ impl PyClientVerifier { let policy = self.as_policy(); let store = self.store.get(); - let chain = cryptography_x509_verification::verify( - &VerificationCertificate::new( - leaf.get().raw.borrow_dependent().clone(), - leaf.clone_ref(py), - ), - intermediates.iter().map(|i| { + let intermediates = intermediates + .iter() + .map(|i| { VerificationCertificate::new( i.get().raw.borrow_dependent().clone(), i.clone_ref(py), ) - }), + }) + .collect::>(); + let intermediate_refs = intermediates.iter().collect::>(); + + let v = VerificationCertificate::new( + leaf.get().raw.borrow_dependent().clone(), + leaf.clone_ref(py), + ); + + let chain = cryptography_x509_verification::verify( + &v, + &intermediate_refs, policy, store.raw.borrow_dependent(), ) @@ -344,17 +352,25 @@ impl PyServerVerifier { let policy = self.as_policy(); let store = self.store.get(); - let chain = cryptography_x509_verification::verify( - &VerificationCertificate::new( - leaf.get().raw.borrow_dependent().clone(), - leaf.clone_ref(py), - ), - intermediates.iter().map(|i| { + let intermediates = intermediates + .iter() + .map(|i| { VerificationCertificate::new( i.get().raw.borrow_dependent().clone(), i.clone_ref(py), ) - }), + }) + .collect::>(); + let intermediate_refs = intermediates.iter().collect::>(); + + let v = VerificationCertificate::new( + leaf.get().raw.borrow_dependent().clone(), + leaf.clone_ref(py), + ); + + let chain = cryptography_x509_verification::verify( + &v, + &intermediate_refs, policy, store.raw.borrow_dependent(), ) From 61a5e672e6f0ed9e0159e9a20512b03539f79314 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 25 Jun 2024 01:00:12 -0400 Subject: [PATCH 727/868] fixed rst syntax in test-vectors.rst (#11153) --- docs/development/test-vectors.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index e0746ab792b2..3605c06af9eb 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -780,7 +780,7 @@ Custom PKCS12 Test Vectors * ``pkcs12/name-2-3-pwd.p12`` - A PKCS12 file containing a cert (``pkcs12/ca/ca.pem``) and key (``pkcs12/ca/ca_key.pem``), as well as two additional certificates (``x509/cryptography.io.pem`` - and ``x509/letsencryptx3.pem``) with friendly names ``name2` and + and ``x509/letsencryptx3.pem``) with friendly names ``name2`` and ``name3`` respectively, encrypted via AES 256 CBC with the password ``cryptography``. * ``pkcs12/name-2-pwd.p12`` - A PKCS12 file containing a cert From 70d808e3d9ced4884bd2833a125be2d30155bcb8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 25 Jun 2024 01:00:32 -0400 Subject: [PATCH 728/868] Cleanup changelog grammar (#11152) --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4218ab776d02..3a1ea97886a2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,7 +16,7 @@ Changelog now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still considered insecure, users should generally use a key size of 2048-bits. * :func:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates` - now has consistent ASN.1 structure to ``openssl crl2pkcs7 -nocrl -certfile ...``. + now emits ASN.1 that more closely follows the recommendations in :rfc:`2315`. * Added new :doc:`/hazmat/decrepit/index` module which contains outdated and insecure cryptographic primitives. :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, From 3cc725df5addae2f86ac75c8ec0a17a7f3c4c449 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 06:44:11 -0400 Subject: [PATCH 729/868] Bump bitflags from 2.5.0 to 2.6.0 in /src/rust (#11154) Bumps [bitflags](https://github.com/bitflags/bitflags) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/bitflags/bitflags/releases) - [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md) - [Commits](https://github.com/bitflags/bitflags/compare/2.5.0...2.6.0) --- updated-dependencies: - dependency-name: bitflags dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index bb06e38a5950..fb028defc5e9 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -36,9 +36,9 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "bitflags" -version = "2.5.0" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1" +checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" From cf7ce65b7ad90a5e32bf3e3b60eb8b6d245e509d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 11:12:10 +0000 Subject: [PATCH 730/868] Bump mypy from 1.10.0 to 1.10.1 (#11155) Bumps [mypy](https://github.com/python/mypy) from 1.10.0 to 1.10.1. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index b61efa28b051..60df244084bb 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.10.0 +mypy==1.10.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From afc90a805c6ed995fb146cda37cbdd2cb2427ee1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 07:18:45 -0400 Subject: [PATCH 731/868] Bump setuptools from 70.1.0 to 70.1.1 in /.github/requirements (#11156) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.1.0 to 70.1.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.1.0...v70.1.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index fbf31d477a47..c56db6aefcfa 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -76,9 +76,9 @@ tomli==2.0.1 \ # via setuptools-rust # The following packages are considered to be unsafe in a requirements file: -setuptools==70.1.0 \ - --hash=sha256:01a1e793faa5bd89abc851fa15d0a0db26f160890c7102cd8dce643e886b47f5 \ - --hash=sha256:d9b8b771455a97c8a9f3ab3448ebe0b29b5e105f1228bba41028be116985a267 +setuptools==70.1.1 \ + --hash=sha256:937a48c7cdb7a21eb53cd7f9b59e525503aa8abaf3584c730dc5f7a5bec3a650 \ + --hash=sha256:a58a8fde0541dab0419750bcc521fbdf8585f6e5cb41909df3a472ef7b81ca95 # via # -r build-requirements.in # setuptools-rust From 47aced28c8f27b4dbb61f4fc79af444a18279463 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 25 Jun 2024 13:40:46 -0400 Subject: [PATCH 732/868] Bump pyo3 to 0.22 (#11150) * Bump pyo3 from 0.21.2 to 0.22.0 in /src/rust Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.21.2 to 0.22.0. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.21.2...v0.22.0) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Fix compilation errors in building for pyo3 0.22 --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 144 ++------------------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- src/rust/src/backend/aead.rs | 7 + src/rust/src/backend/cmac.rs | 1 + src/rust/src/backend/dh.rs | 7 + src/rust/src/backend/dsa.rs | 3 + src/rust/src/backend/ec.rs | 3 + src/rust/src/backend/keys.rs | 2 + src/rust/src/backend/rsa.rs | 1 + src/rust/src/exceptions.rs | 2 + src/rust/src/lib.rs | 1 + src/rust/src/pkcs12.rs | 5 +- src/rust/src/types.rs | 2 +- src/rust/src/x509/certificate.rs | 2 + src/rust/src/x509/crl.rs | 2 + src/rust/src/x509/csr.rs | 2 + src/rust/src/x509/sct.rs | 2 +- 19 files changed, 55 insertions(+), 137 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fb028defc5e9..495d8f72e002 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -146,9 +146,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" [[package]] name = "heck" -version = "0.4.1" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" [[package]] name = "indoc" @@ -162,16 +162,6 @@ version = "0.2.155" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" -[[package]] -name = "lock_api" -version = "0.4.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" -dependencies = [ - "autocfg", - "scopeguard", -] - [[package]] name = "memoffset" version = "0.9.1" @@ -225,29 +215,6 @@ dependencies = [ "vcpkg", ] -[[package]] -name = "parking_lot" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" -dependencies = [ - "lock_api", - "parking_lot_core", -] - -[[package]] -name = "parking_lot_core" -version = "0.9.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" -dependencies = [ - "cfg-if", - "libc", - "redox_syscall", - "smallvec", - "windows-targets", -] - [[package]] name = "pem" version = "3.0.4" @@ -280,15 +247,15 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a5e00b96a521718e08e03b1a622f01c8a8deb50719335de3f60b3b3950f069d8" +checksum = "1962a33ed2a201c637fc14a4e0fd4e06e6edfdeee6a5fede0dab55507ad74cf7" dependencies = [ "cfg-if", "indoc", "libc", "memoffset", - "parking_lot", + "once_cell", "portable-atomic", "pyo3-build-config", "pyo3-ffi", @@ -298,9 +265,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7883df5835fafdad87c0d888b266c8ec0f4c9ca48a5bed6bbb592e8dedee1b50" +checksum = "ab7164b2202753bd33afc7f90a10355a719aa973d1f94502c50d06f3488bc420" dependencies = [ "once_cell", "target-lexicon", @@ -308,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01be5843dc60b916ab4dad1dca6d20b9b4e6ddc8e15f50c47fe6d85f1fb97403" +checksum = "c6424906ca49013c0829c5c1ed405e20e2da2dc78b82d198564880a704e6a7b7" dependencies = [ "libc", "pyo3-build-config", @@ -318,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77b34069fc0682e11b31dbd10321cbf94808394c56fd996796ce45217dfac53c" +checksum = "82b2f19e153122d64afd8ce7aaa72f06a00f52e34e1d1e74b6d71baea396460a" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -330,9 +297,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.21.2" +version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08260721f32db5e1a5beae69a55553f56b99bd0e1c3e6e0a5e8851a9d0f5a85c" +checksum = "dd698c04cac17cf0fe63d47790ab311b8b25542f5cb976b65c374035c50f1eef" dependencies = [ "heck", "proc-macro2", @@ -350,33 +317,12 @@ dependencies = [ "proc-macro2", ] -[[package]] -name = "redox_syscall" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c82cf8cff14456045f55ec4241383baeff27af886adb72ffb2162f99911de0fd" -dependencies = [ - "bitflags", -] - -[[package]] -name = "scopeguard" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" - [[package]] name = "self_cell" version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" -[[package]] -name = "smallvec" -version = "1.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" - [[package]] name = "syn" version = "2.0.68" @@ -411,67 +357,3 @@ name = "vcpkg" version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" - -[[package]] -name = "windows-targets" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb" -dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_gnullvm", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", -] - -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263" - -[[package]] -name = "windows_aarch64_msvc" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6" - -[[package]] -name = "windows_i686_gnu" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670" - -[[package]] -name = "windows_i686_gnullvm" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9" - -[[package]] -name = "windows_i686_msvc" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf" - -[[package]] -name = "windows_x86_64_gnu" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9" - -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596" - -[[package]] -name = "windows_x86_64_msvc" -version = "0.52.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 86f93db552c0..49c0b73dd100 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.21.2", features = ["abi3"] } +pyo3 = { version = "0.22.0", features = ["abi3"] } asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 64f4bb63f7da..5a16a12c355e 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.21.2", features = ["abi3"] } +pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 18a214e9a744..9c5e92c8e683 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.21.2", features = ["abi3"] } +pyo3 = { version = "0.22.0", features = ["abi3"] } diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index e9dbcab652bd..ab011c206470 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -536,6 +536,7 @@ impl ChaCha20Poly1305 { Ok(types::OS_URANDOM.get(py)?.call1((32,))?) } + #[pyo3(signature = (nonce, data, associated_data))] fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -556,6 +557,7 @@ impl ChaCha20Poly1305 { .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) } + #[pyo3(signature = (nonce, data, associated_data))] fn decrypt<'p>( &self, py: pyo3::Python<'p>, @@ -651,6 +653,7 @@ impl AesGcm { Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } + #[pyo3(signature = (nonce, data, associated_data))] fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -671,6 +674,7 @@ impl AesGcm { .encrypt(py, data.as_bytes(), aad, Some(nonce_bytes)) } + #[pyo3(signature = (nonce, data, associated_data))] fn decrypt<'p>( &self, py: pyo3::Python<'p>, @@ -704,6 +708,7 @@ struct AesCcm { #[pyo3::prelude::pymethods] impl AesCcm { #[new] + #[pyo3(signature = (key, tag_length=None))] fn new( py: pyo3::Python<'_>, key: pyo3::Py, @@ -762,6 +767,7 @@ impl AesCcm { Ok(types::OS_URANDOM.get(py)?.call1((bit_length / 8,))?) } + #[pyo3(signature = (nonce, data, associated_data))] fn encrypt<'p>( &self, py: pyo3::Python<'p>, @@ -795,6 +801,7 @@ impl AesCcm { self.ctx.encrypt(py, data_bytes, aad, Some(nonce_bytes)) } + #[pyo3(signature = (nonce, data, associated_data))] fn decrypt<'p>( &self, py: pyo3::Python<'p>, diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 0d9d9ec0fdf4..646394cd67f5 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -36,6 +36,7 @@ impl Cmac { #[pyo3::pymethods] impl Cmac { #[new] + #[pyo3(signature = (algorithm, backend=None))] fn new( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 008f0674a07b..afa5a3a1c69f 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -28,6 +28,7 @@ struct DHParameters { } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (generator, key_size, backend=None))] fn generate_parameters( generator: u32, key_size: u32, @@ -87,6 +88,7 @@ fn pkey_from_dh( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn from_der_parameters( data: &[u8], backend: Option>, @@ -107,6 +109,7 @@ fn from_der_parameters( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn from_pem_parameters( data: &[u8], backend: Option>, @@ -410,6 +413,7 @@ impl DHPrivateNumbers { } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pyo3(signature = (backend=None))] fn private_key( &self, py: pyo3::Python<'_>, @@ -462,6 +466,7 @@ impl DHPublicNumbers { } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, @@ -494,6 +499,7 @@ impl DHPublicNumbers { #[pyo3::prelude::pymethods] impl DHParameterNumbers { #[new] + #[pyo3(signature = (p, g, q=None))] fn new( py: pyo3::Python<'_>, p: pyo3::Py, @@ -520,6 +526,7 @@ impl DHParameterNumbers { Ok(DHParameterNumbers { p, g, q }) } + #[pyo3(signature = (backend=None))] fn parameters( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 7615521c9cb4..4e82bbdd45ac 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -356,6 +356,7 @@ impl DsaPrivateNumbers { DsaPrivateNumbers { x, public_numbers } } + #[pyo3(signature = (backend=None))] fn private_key( &self, py: pyo3::Python<'_>, @@ -406,6 +407,7 @@ impl DsaPublicNumbers { } } + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, @@ -460,6 +462,7 @@ impl DsaParameterNumbers { DsaParameterNumbers { p, q, g } } + #[pyo3(signature = (backend=None))] fn parameters( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index d808a275eb06..c83943539cc0 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -155,6 +155,7 @@ pub(crate) fn public_key_from_pkey( }) } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (curve, backend=None))] fn generate_private_key( py: pyo3::Python<'_>, curve: pyo3::Bound<'_, pyo3::PyAny>, @@ -518,6 +519,7 @@ impl EllipticCurvePrivateNumbers { } } + #[pyo3(signature = (backend=None))] fn private_key( &self, py: pyo3::Python<'_>, @@ -600,6 +602,7 @@ impl EllipticCurvePublicNumbers { Ok(EllipticCurvePublicNumbers { x, y, curve }) } + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 2113ecec3cac..974f07bb22f1 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -117,6 +117,7 @@ pub(crate) fn private_key_from_pkey( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_der_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, @@ -145,6 +146,7 @@ pub(crate) fn load_der_public_key_bytes( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_public_key( py: pyo3::Python<'_>, data: CffiBuf<'_>, diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 20b61c718ff0..461e6a7a345e 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -773,6 +773,7 @@ impl RsaPublicNumbers { RsaPublicNumbers { e, n } } + #[pyo3(signature = (backend=None))] fn public_key( &self, py: pyo3::Python<'_>, diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index 95600faf08bd..d6d7afb060a0 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -6,10 +6,12 @@ use pyo3::prelude::PyModuleMethods; #[pyo3::prelude::pyclass( frozen, + eq, module = "cryptography.hazmat.bindings._rust.exceptions", name = "_Reasons" )] #[allow(non_camel_case_types)] +#[derive(PartialEq)] pub(crate) enum Reasons { BACKEND_MISSING_INTERFACE, UNSUPPORTED_HASH, diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index da929fee603f..383716764961 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -9,6 +9,7 @@ use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; +use pyo3::prelude::PyModuleMethods; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 4663b91c4e8a..1ccf21377402 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -24,6 +24,7 @@ struct PKCS12Certificate { #[pyo3::prelude::pymethods] impl PKCS12Certificate { #[new] + #[pyo3(signature = (cert, friendly_name=None))] fn new( cert: pyo3::Py, friendly_name: Option>, @@ -40,7 +41,7 @@ impl PKCS12Certificate { other: pyo3::PyRef<'_, Self>, ) -> CryptographyResult { let friendly_name_eq = match (&self.friendly_name, &other.friendly_name) { - (Some(a), Some(b)) => a.bind(py).eq(b.bind(py))?, + (Some(a), Some(b)) => a.bind(py).as_bytes() == b.bind(py).as_bytes(), (None, None) => true, _ => false, }; @@ -406,6 +407,7 @@ fn decode_p12( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, password, backend=None))] fn load_key_and_certificates<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, @@ -456,6 +458,7 @@ fn load_key_and_certificates<'p>( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, password, backend=None))] fn load_pkcs12<'p>( py: pyo3::Python<'p>, data: CffiBuf<'_>, diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 3b21ec1f1ad3..d64b521a1887 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -28,7 +28,7 @@ impl LazyPyImport { Ok::<_, pyo3::PyErr>(obj.unbind()) })?; - Ok(p.clone().into_bound(py)) + Ok(p.clone_ref(py).into_bound(py)) } } diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 0ac0e4d8e0ff..0b5e89bd37bf 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -365,6 +365,7 @@ fn cert_version( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_x509_certificate( py: pyo3::Python<'_>, data: &[u8], @@ -411,6 +412,7 @@ fn load_pem_x509_certificates( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] pub(crate) fn load_der_x509_certificate( py: pyo3::Python<'_>, data: pyo3::Py, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 2d00c308de9a..52cadde0e24c 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -25,6 +25,7 @@ use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, types, x509}; #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_der_x509_crl( py: pyo3::Python<'_>, data: pyo3::Py, @@ -54,6 +55,7 @@ fn load_der_x509_crl( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_x509_crl( py: pyo3::Python<'_>, data: &[u8], diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 03f49b5420b1..a9823f2c2fc5 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -236,6 +236,7 @@ impl CertificateSigningRequest { } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_pem_x509_csr( py: pyo3::Python<'_>, data: &[u8], @@ -258,6 +259,7 @@ fn load_pem_x509_csr( } #[pyo3::prelude::pyfunction] +#[pyo3(signature = (data, backend=None))] fn load_der_x509_csr( py: pyo3::Python<'_>, data: pyo3::Py, diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 0cc8c4644690..a5b2d920a84c 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -169,7 +169,7 @@ impl Sct { let kwargs = pyo3::types::PyDict::new_bound(py); kwargs.set_item("microsecond", self.timestamp % 1000 * 1000)?; - kwargs.set_item("tzinfo", None::>)?; + kwargs.set_item("tzinfo", None::>)?; types::DATETIME_DATETIME .get(py)? From ae3b2a07e2f92288d5029b1de49bf340d0617c90 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 00:15:34 +0000 Subject: [PATCH 733/868] Bump BoringSSL and/or OpenSSL in CI (#11164) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b6da567ba3f..6da1473a348d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 25, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42a8ef844e5fca55abb608beb62695abe80c6b6d"}} + # Latest commit on the OpenSSL master branch, as of Jun 26, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "30dc37d798a0428fd477d3763086e7e97b3d596f"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From f370b0981099adf6b267e31015b202c72f9782ea Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 25 Jun 2024 21:51:24 -0400 Subject: [PATCH 734/868] policy/extension: improve extension policy errors (#11162) * policy/extension: improve extension policy errors * verification: ValidationError::ExtensionError variant Begin cleaning things up. * policy/extension: remove redundant clone * ensure that we render the ext OID * lib: coverage for other display arms * relocate custom vector * test-vectors: typo --- docs/development/test-vectors.rst | 2 + .../cryptography-x509-verification/src/lib.rs | 76 ++++++++++++++++--- .../src/policy/extension.rs | 40 +++++----- src/rust/src/x509/verify.rs | 2 +- tests/x509/verification/test_verification.py | 32 +++++++- .../x509/custom/ekucrit-testuser-cert.pem | 23 ++++++ 6 files changed, 143 insertions(+), 32 deletions(-) create mode 100644 vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 3605c06af9eb..4f564d79b24f 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -528,6 +528,8 @@ Custom X.509 Vectors algorithm parameters. This encoding is invalid, but was generated by Java 11. * ``dsa_null_alg_params.pem`` - A certificate with a DSA signature with ``NULL`` algorithm parameters. This encoding is invalid, but was generated by Java 20. +* ``ekucrit-testuser-cert.pem`` - A leaf certificate containing a critical EKU. + This is an invalid certificate per CA/B 7.1.2.7.6. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 3649890c8cd1..d21827ce9695 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -12,8 +12,10 @@ pub mod policy; pub mod trust_store; pub mod types; +use std::fmt::Display; use std::vec; +use asn1::ObjectIdentifier; use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions}; use cryptography_x509::{ extensions::{NameConstraints, SubjectAlternativeName}, @@ -35,10 +37,45 @@ pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), DuplicateExtension(DuplicateExtensionsError), + ExtensionError { + oid: ObjectIdentifier, + reason: &'static str, + }, FatalError(&'static str), Other(String), } +impl From for ValidationError { + fn from(value: asn1::ParseError) -> Self { + Self::Malformed(value) + } +} + +impl From for ValidationError { + fn from(value: DuplicateExtensionsError) -> Self { + Self::DuplicateExtension(value) + } +} + +impl Display for ValidationError { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + match self { + ValidationError::CandidatesExhausted(inner) => { + write!(f, "candidates exhausted: {inner}") + } + ValidationError::Malformed(err) => err.fmt(f), + ValidationError::DuplicateExtension(DuplicateExtensionsError(oid)) => { + write!(f, "malformed certificate: duplicate extension: {oid}") + } + ValidationError::ExtensionError { oid, reason } => { + write!(f, "invalid extension: {oid}: {reason}") + } + ValidationError::FatalError(err) => write!(f, "fatal error: {err}"), + ValidationError::Other(err) => write!(f, "{err}"), + } + } +} + struct Budget { name_constraint_checks: usize, } @@ -64,18 +101,6 @@ impl Budget { } } -impl From for ValidationError { - fn from(value: asn1::ParseError) -> Self { - Self::Malformed(value) - } -} - -impl From for ValidationError { - fn from(value: DuplicateExtensionsError) -> Self { - Self::DuplicateExtension(value) - } -} - struct NameChain<'a, 'chain> { child: Option<&'a NameChain<'a, 'chain>>, sans: SubjectAlternativeName<'chain>, @@ -412,3 +437,30 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { Ok(chain) } } + +#[cfg(test)] +mod tests { + use asn1::ParseError; + use cryptography_x509::{ + extensions::DuplicateExtensionsError, oid::SUBJECT_ALTERNATIVE_NAME_OID, + }; + + use crate::ValidationError; + + #[test] + fn test_validationerror_display() { + let err = ValidationError::Malformed(ParseError::new(asn1::ParseErrorKind::InvalidLength)); + assert_eq!(err.to_string(), "ASN.1 parsing error: invalid length"); + + let err = ValidationError::DuplicateExtension(DuplicateExtensionsError( + SUBJECT_ALTERNATIVE_NAME_OID, + )); + assert_eq!( + err.to_string(), + "malformed certificate: duplicate extension: 2.5.29.17" + ); + + let err = ValidationError::FatalError("oops"); + assert_eq!(err.to_string(), "fatal error: oops"); + } +} diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs index a707b0d8d65f..1c8ae00679e1 100644 --- a/src/rust/cryptography-x509-verification/src/policy/extension.rs +++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs @@ -81,10 +81,10 @@ impl ExtensionPolicy { self.extended_key_usage.permits(policy, cert, Some(&ext))?; } _ if ext.critical => { - return Err(ValidationError::Other(format!( - "certificate contains unaccounted-for critical extensions: {}", - ext.extn_id - ))); + return Err(ValidationError::ExtensionError { + oid: ext.extn_id, + reason: "certificate contains unaccounted-for critical extensions", + }); } _ => {} } @@ -205,9 +205,10 @@ impl ExtensionValidator { // Extension MUST NOT be present and isn't; OK. (ExtensionValidator::NotPresent, None) => Ok(()), // Extension MUST NOT be present but is; NOT OK. - (ExtensionValidator::NotPresent, Some(_)) => Err(ValidationError::Other( - "Certificate contains prohibited extension".to_string(), - )), + (ExtensionValidator::NotPresent, Some(extn)) => Err(ValidationError::ExtensionError { + oid: extn.extn_id.clone(), + reason: "Certificate contains prohibited extension", + }), // Extension MUST be present but is not; NOT OK. (ExtensionValidator::Present { .. }, None) => Err(ValidationError::Other( "Certificate is missing required extension".to_string(), @@ -221,9 +222,10 @@ impl ExtensionValidator { Some(extn), ) => { if !criticality.permits(extn.critical) { - return Err(ValidationError::Other( - "Certificate extension has incorrect criticality".to_string(), - )); + return Err(ValidationError::ExtensionError { + oid: extn.extn_id.clone(), + reason: "Certificate extension has incorrect criticality", + }); } // If a custom validator is supplied, apply it. @@ -237,15 +239,17 @@ impl ExtensionValidator { }, extn, ) => { - // If the extension is present, apply our criticality check. - if extn.map_or(false, |extn| !criticality.permits(extn.critical)) { - return Err(ValidationError::Other( - "Certificate extension has incorrect criticality".to_string(), - )); + match extn { + // If the extension is present, apply our criticality check. + Some(extn) if !criticality.permits(extn.critical) => { + Err(ValidationError::ExtensionError { + oid: extn.extn_id.clone(), + reason: "Certificate extension has incorrect criticality", + }) + } + // If a custom validator is supplied, apply it. + _ => validator.map_or(Ok(()), |v| v(policy, cert, extn)), } - - // If a custom validator is supplied, apply it. - validator.map_or(Ok(()), |v| v(policy, cert, extn)) } } } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 284809525794..73f354544685 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -282,7 +282,7 @@ impl PyClientVerifier { policy, store.raw.borrow_dependent(), ) - .map_err(|e| VerificationError::new_err(format!("validation failed: {e:?}")))?; + .map_err(|e| VerificationError::new_err(format!("validation failed: {e}")))?; let py_chain = pyo3::types::PyList::empty_bound(py); for c in &chain { diff --git a/tests/x509/verification/test_verification.py b/tests/x509/verification/test_verification.py index 409f6f9b6408..f5e70bab3538 100644 --- a/tests/x509/verification/test_verification.py +++ b/tests/x509/verification/test_verification.py @@ -11,7 +11,11 @@ from cryptography import x509 from cryptography.x509.general_name import DNSName, IPAddress -from cryptography.x509.verification import PolicyBuilder, Store +from cryptography.x509.verification import ( + PolicyBuilder, + Store, + VerificationError, +) from tests.x509.test_x509 import _load_cert @@ -139,6 +143,32 @@ def test_verify(self): assert x509.DNSName("cryptography.io") in verified_client.subjects assert len(verified_client.subjects) == 2 + def test_verify_fails_renders_oid(self): + leaf = _load_cert( + os.path.join("x509", "custom", "ekucrit-testuser-cert.pem"), + x509.load_pem_x509_certificate, + ) + + store = Store([leaf]) + + validation_time = datetime.datetime.fromisoformat( + "2024-06-26T00:00:00+00:00" + ) + + builder = PolicyBuilder().store(store) + builder = builder.time(validation_time) + verifier = builder.build_client_verifier() + + pattern = ( + r"invalid extension: 2\.5\.29\.37: " + r"Certificate extension has incorrect criticality" + ) + with pytest.raises( + VerificationError, + match=pattern, + ): + verifier.verify(leaf, []) + class TestServerVerifier: @pytest.mark.parametrize( diff --git a/vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem b/vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem new file mode 100644 index 000000000000..907fc7bc3fd2 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/ekucrit-testuser-cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDyTCCArGgAwIBAgIUQWZSqoDvybWdo39pxRgeN0bLh8QwDQYJKoZIhvcNAQEL +BQAwLDEUMBIGA1UECgwLVGVzdCBJc3N1ZXIxFDASBgNVBAMMC2V4YW1wbGUubmV0 +MB4XDTI0MDYyNTIyNTY0MFoXDTI0MDkyMzIyNTY0MFowLzEtMCsGA1UEAwwkZTBk +Y2JmNTEtMDIyNC00MzYzLWI3NWUtYjZjZmIxODE3NzUzMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAwq9wRSIpDGjEfRSOHxcfaOQmi1QR2AV0m1Exu8RW +WwE+SycflSQOcPxNWn1B0dvVAIAmp5fSBram+6fdB+qgP/fz9/mHBBvP1+J7lLue +1CUUDkci6P136HQ+kSsEDqrwMXzPESVNJk6b0FusF0gCEGTe01pgHKd82mpXK62W +tSYFOYEFV4kB7u0ckkWEhiKGTKQ+zI5GSeApy23ao8q+oHDdBcD91ViYwgoWwKMY +mYhZyLFZHh4D7axi275HjqVZZ1AmCy0bSLMgxwgHKEeFRmR3Yaoz3TkTi0fAUs4e +w6Rdtor/PMecunp6atiHVUj9FWraAafGzVrM8Wfj6t88FwIDAQABo4HfMIHcMGQG +A1UdEQRdMFuGKnVybjpwdWJsaWNpZDpJRE4rZXhhbXBsZS5uZXQrdXNlcit0ZXN0 +dXNlcoYtdXJuOnV1aWQ6ZTBkY2JmNTEtMDIyNC00MzYzLWI3NWUtYjZjZmIxODE3 +NzUzMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjAMBgNV +HRMBAf8EAjAAMB0GA1UdDgQWBBQOeL5d5FUOQeZD99n1nxTvFMmN6DAfBgNVHSME +GDAWgBQOeL5d5FUOQeZD99n1nxTvFMmN6DANBgkqhkiG9w0BAQsFAAOCAQEAjL4c +TUCEYWDWW03AWskf7GGeUb2wehWOoH7cw5dtZa4UC1JghuPs+HbMLxRvy6/NsnrV +7ZzzXiutTQEbE5EBQBhJAjuh34uogNe1itRvCFq8xUTQ+e8xP1nXCfZ2UMD0rb1F +kvpqm4cFpX9AizjhnwOi4X7/svnv79yovfwGKPgUMfVb3Vbnd6aMeZbBh34hSSBn +Emigl7tmS2KOs/eD+O2zQFu4NgUe4HH+jdE0+FDBkYwIOhLPGL2pCmdb7kM60Oo4 +W4yvwiQSJkfn1u4xvBoONsp8lNVkpYfFHWotuwCrHchVgCyaXcp7fEFUrl6mb+CY +s4x++eieNDpxzcFsuw== +-----END CERTIFICATE----- From 887ed1b33c96fa3a57adff80d12b8977db09b908 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 07:11:57 -0400 Subject: [PATCH 735/868] Bump cc from 1.0.100 to 1.0.101 in /src/rust (#11166) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.100 to 1.0.101. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.100...cc-v1.0.101) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 495d8f72e002..ba5223e54c0f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.100" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c891175c3fb232128f48de6590095e59198bbeb8620c310be349bfc3afd12c7b" +checksum = "ac367972e516d45567c7eafc73d24e1c193dcf200a8d94e9db7b3d38b349572d" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 5a16a12c355e..e06baab70c05 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.100" +cc = "1.0.101" From 84d14143fdab1ba8d01fe2612fd313323c013809 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 26 Jun 2024 08:36:08 -0400 Subject: [PATCH 736/868] Stop importing things from prelude (#11168) import them from teh right places --- src/rust/src/asn1.rs | 18 ++++++------- src/rust/src/backend/aead.rs | 30 ++++++++++----------- src/rust/src/backend/cipher_registry.rs | 2 +- src/rust/src/backend/ciphers.rs | 28 +++++++++---------- src/rust/src/backend/cmac.rs | 8 +++--- src/rust/src/backend/dh.rs | 36 ++++++++++++------------- src/rust/src/backend/dsa.rs | 34 +++++++++++------------ src/rust/src/backend/ec.rs | 30 ++++++++++----------- src/rust/src/backend/ed25519.rs | 20 +++++++------- src/rust/src/backend/ed448.rs | 20 +++++++------- src/rust/src/backend/hashes.rs | 8 +++--- src/rust/src/backend/hmac.rs | 8 +++--- src/rust/src/backend/kdf.rs | 10 +++---- src/rust/src/backend/keys.rs | 14 +++++----- src/rust/src/backend/mod.rs | 6 ++--- src/rust/src/backend/poly1305.rs | 8 +++--- src/rust/src/backend/rsa.rs | 24 ++++++++--------- src/rust/src/backend/utils.rs | 2 +- src/rust/src/backend/x25519.rs | 20 +++++++------- src/rust/src/backend/x448.rs | 20 +++++++------- src/rust/src/buf.rs | 2 +- src/rust/src/error.rs | 8 +++--- src/rust/src/exceptions.rs | 8 +++--- src/rust/src/lib.rs | 20 +++++++------- src/rust/src/oid.rs | 4 +-- src/rust/src/padding.rs | 8 +++--- src/rust/src/pkcs12.rs | 16 +++++------ src/rust/src/pkcs7.rs | 14 +++++----- src/rust/src/types.rs | 2 +- src/rust/src/x509/certificate.rs | 14 +++++----- src/rust/src/x509/common.rs | 6 ++--- src/rust/src/x509/crl.rs | 20 +++++++------- src/rust/src/x509/csr.rs | 12 ++++----- src/rust/src/x509/extensions.rs | 8 +++--- src/rust/src/x509/ocsp.rs | 2 +- src/rust/src/x509/ocsp_req.rs | 14 +++++----- src/rust/src/x509/ocsp_resp.rs | 22 +++++++-------- src/rust/src/x509/sct.rs | 10 +++---- src/rust/src/x509/sign.rs | 2 +- src/rust/src/x509/verify.rs | 2 +- 40 files changed, 266 insertions(+), 274 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 07fcf72c46c2..8a6e86a5141f 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -6,10 +6,10 @@ use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; use cryptography_x509::name::Name; -use pyo3::prelude::PyAnyMethods; -use pyo3::prelude::PyModuleMethods; use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; +use pyo3::types::PyAnyMethods; +use pyo3::types::PyModuleMethods; use pyo3::ToPyObject; use crate::error::{CryptographyError, CryptographyResult}; @@ -32,7 +32,7 @@ pub(crate) fn oid_to_py_oid<'p>( Ok(pyo3::Bound::new(py, crate::oid::ObjectIdentifier { oid: oid.clone() })?.into_any()) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn parse_spki_for_data<'p>( py: pyo3::Python<'p>, data: &[u8], @@ -57,7 +57,7 @@ pub(crate) fn big_byte_slice_to_py_int<'p>( int_type.call_method(pyo3::intern!(py, "from_bytes"), (v, "big"), Some(&kwargs)) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn decode_dss_signature( py: pyo3::Python<'_>, data: &[u8], @@ -118,7 +118,7 @@ pub(crate) fn encode_der_data<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn encode_dss_signature<'p>( py: pyo3::Python<'p>, r: pyo3::Bound<'_, pyo3::types::PyLong>, @@ -134,7 +134,7 @@ fn encode_dss_signature<'p>( Ok(pyo3::types::PyBytes::new_bound(py, &result)) } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] struct TestCertificate { #[pyo3(get)] not_before_tag: u8, @@ -164,7 +164,7 @@ fn time_tag(t: &Time) -> u8 { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn test_parse_certificate(data: &[u8]) -> Result { let cert = asn1::parse_single::>(data)?; @@ -178,8 +178,8 @@ fn test_parse_certificate(data: &[u8]) -> Result, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "asn1")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "asn1")?; submod.add_function(pyo3::wrap_pyfunction_bound!(parse_spki_for_data, &submod)?)?; submod.add_function(pyo3::wrap_pyfunction_bound!(decode_dss_signature, &submod)?)?; diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index ab011c206470..34be02f5efce 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -5,7 +5,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; fn check_length(data: &[u8]) -> CryptographyResult<()> { if data.len() > (i32::MAX as usize) { @@ -444,7 +444,7 @@ impl EvpAead { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead")] struct ChaCha20Poly1305 { #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] ctx: EvpAead, @@ -466,7 +466,7 @@ struct ChaCha20Poly1305 { ctx: LazyEvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl ChaCha20Poly1305 { #[new] fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { @@ -579,7 +579,7 @@ impl ChaCha20Poly1305 { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESGCM" @@ -602,7 +602,7 @@ struct AesGcm { ctx: LazyEvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesGcm { #[new] fn new(py: pyo3::Python<'_>, key: pyo3::Py) -> CryptographyResult { @@ -696,7 +696,7 @@ impl AesGcm { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESCCM" @@ -705,7 +705,7 @@ struct AesCcm { ctx: LazyEvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesCcm { #[new] #[pyo3(signature = (key, tag_length=None))] @@ -834,7 +834,7 @@ impl AesCcm { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESSIV" @@ -843,7 +843,7 @@ struct AesSiv { ctx: EvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesSiv { #[new] fn new(key: CffiBuf<'_>) -> CryptographyResult { @@ -932,7 +932,7 @@ impl AesSiv { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESOCB3" @@ -941,7 +941,7 @@ struct AesOcb3 { ctx: EvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesOcb3 { #[new] fn new(key: CffiBuf<'_>) -> CryptographyResult { @@ -1042,7 +1042,7 @@ impl AesOcb3 { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.aead", name = "AESGCMSIV" @@ -1051,7 +1051,7 @@ struct AesGcmSiv { ctx: EvpCipherAead, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl AesGcmSiv { #[new] fn new(key: CffiBuf<'_>) -> CryptographyResult { @@ -1155,8 +1155,8 @@ impl AesGcmSiv { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "aead")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "aead")?; m.add_class::()?; m.add_class::()?; diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index fb829c093731..6157010c0652 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -5,7 +5,7 @@ use std::collections::HashMap; use openssl::cipher::Cipher; -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; use crate::error::CryptographyResult; use crate::types; diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index bfcd91096b3b..2d5501835640 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,7 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; struct CipherContext { @@ -191,7 +191,7 @@ impl CipherContext { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.ciphers", name = "CipherContext" )] @@ -199,7 +199,7 @@ struct PyCipherContext { ctx: Option, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.ciphers", name = "AEADEncryptionContext" )] @@ -211,7 +211,7 @@ struct PyAEADEncryptionContext { aad_bytes_remaining: u64, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.ciphers", name = "AEADDecryptionContext" )] @@ -226,7 +226,7 @@ fn get_mut_ctx(ctx: Option<&mut CipherContext>) -> pyo3::PyResult<&mut CipherCon ctx.ok_or_else(|| exceptions::AlreadyFinalized::new_err("Context was already finalized.")) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PyCipherContext { fn update<'p>( &mut self, @@ -255,7 +255,7 @@ impl PyCipherContext { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PyAEADEncryptionContext { fn update<'p>( &mut self, @@ -342,7 +342,7 @@ impl PyAEADEncryptionContext { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PyAEADDecryptionContext { fn update<'p>( &mut self, @@ -470,7 +470,7 @@ impl PyAEADDecryptionContext { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_encryption_ctx( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, @@ -496,7 +496,7 @@ fn create_encryption_ctx( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_decryption_ctx( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, @@ -528,7 +528,7 @@ fn create_decryption_ctx( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn cipher_supported( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, @@ -537,7 +537,7 @@ fn cipher_supported( Ok(cipher_registry::get_cipher(py, algorithm, mode.get_type().into_any())?.is_some()) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn _advance(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { if let Ok(c) = ctx.downcast::() { c.borrow_mut().bytes_remaining -= n; @@ -546,7 +546,7 @@ fn _advance(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { if let Ok(c) = ctx.downcast::() { c.borrow_mut().aad_bytes_remaining -= n; @@ -557,8 +557,8 @@ fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ciphers")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ciphers")?; m.add_function(pyo3::wrap_pyfunction_bound!(create_encryption_ctx, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(create_decryption_ctx, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(cipher_supported, &m)?)?; diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index 646394cd67f5..dd30be2bec68 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -7,9 +7,9 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", name = "CMAC" )] @@ -102,8 +102,8 @@ impl Cmac { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "cmac")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "cmac")?; m.add_class::()?; diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index afa5a3a1c69f..e615d623ffa3 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -8,26 +8,26 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; const MIN_MODULUS_SIZE: u32 = 512; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] pub(crate) struct DHPrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] pub(crate) struct DHPublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.dh")] struct DHParameters { dh: openssl::dh::Dh, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (generator, key_size, backend=None))] fn generate_parameters( generator: u32, @@ -87,7 +87,7 @@ fn pkey_from_dh( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn from_der_parameters( data: &[u8], @@ -108,7 +108,7 @@ fn from_der_parameters( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn from_pem_parameters( data: &[u8], @@ -148,7 +148,7 @@ fn clone_dh( Ok(openssl::dh::Dh::from_pqg(p, q, g)?) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPrivateKey { #[getter] fn key_size(&self) -> i32 { @@ -253,7 +253,7 @@ impl DHPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPublicKey { #[getter] fn key_size(&self) -> i32 { @@ -316,7 +316,7 @@ impl DHPublicKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHParameters { #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn generate_private_key(&self) -> CryptographyResult { @@ -376,7 +376,7 @@ impl DHParameters { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHPrivateNumbers { #[pyo3(get)] x: pyo3::Py, @@ -384,7 +384,7 @@ struct DHPrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHPublicNumbers { #[pyo3(get)] y: pyo3::Py, @@ -392,7 +392,7 @@ struct DHPublicNumbers { parameter_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.dh")] struct DHParameterNumbers { #[pyo3(get)] p: pyo3::Py, @@ -402,7 +402,7 @@ struct DHParameterNumbers { q: Option>, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPrivateNumbers { #[new] fn new( @@ -452,7 +452,7 @@ impl DHPrivateNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHPublicNumbers { #[new] fn new( @@ -496,7 +496,7 @@ impl DHPublicNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DHParameterNumbers { #[new] #[pyo3(signature = (p, g, q=None))] @@ -556,8 +556,8 @@ impl DHParameterNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "dh")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "dh")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_der_parameters, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_pem_parameters, &m)?)?; diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index 4e82bbdd45ac..d0218d45ba98 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -6,10 +6,10 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::PyAnyMethods; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyAnyMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPrivateKey" @@ -18,7 +18,7 @@ pub(crate) struct DsaPrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAPublicKey" @@ -27,7 +27,7 @@ pub(crate) struct DsaPublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.dsa", name = "DSAParameters" @@ -52,7 +52,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_parameters(key_size: u32) -> CryptographyResult { let dsa = openssl::dsa::Dsa::generate_params(key_size)?; Ok(DsaParameters { dsa }) @@ -64,7 +64,7 @@ fn clone_dsa_params( openssl::dsa::Dsa::from_pqg(d.p().to_owned()?, d.q().to_owned()?, d.g().to_owned()?) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPrivateKey { fn sign<'p>( &self, @@ -149,7 +149,7 @@ impl DsaPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPublicKey { fn verify( &self, @@ -222,7 +222,7 @@ impl DsaPublicKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaParameters { fn generate_private_key(&self) -> CryptographyResult { let dsa = clone_dsa_params(&self.dsa)?.generate_key()?; @@ -308,7 +308,7 @@ fn check_dsa_private_numbers( Ok(()) } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.dsa", name = "DSAPrivateNumbers" @@ -320,7 +320,7 @@ struct DsaPrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.dsa", name = "DSAPublicNumbers" @@ -332,7 +332,7 @@ struct DsaPublicNumbers { parameter_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.dsa", name = "DSAParameterNumbers" @@ -346,7 +346,7 @@ struct DsaParameterNumbers { g: pyo3::Py, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPrivateNumbers { #[new] fn new( @@ -394,7 +394,7 @@ impl DsaPrivateNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaPublicNumbers { #[new] fn new( @@ -451,7 +451,7 @@ impl DsaPublicNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl DsaParameterNumbers { #[new] fn new( @@ -501,8 +501,8 @@ impl DsaParameterNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "dsa")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "dsa")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; m.add_class::()?; diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index c83943539cc0..6410add35cbe 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,21 +5,21 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods, PyModuleMethods}; use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] pub(crate) struct ECPrivateKey { pkey: openssl::pkey::PKey, #[pyo3(get)] curve: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ec")] pub(crate) struct ECPublicKey { pkey: openssl::pkey::PKey, #[pyo3(get)] @@ -125,7 +125,7 @@ fn check_key_infinity( Ok(()) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn curve_supported(py: pyo3::Python<'_>, py_curve: pyo3::Bound<'_, pyo3::PyAny>) -> bool { curve_from_py_curve(py, py_curve, false).is_ok() } @@ -154,7 +154,7 @@ pub(crate) fn public_key_from_pkey( curve: curve.into(), }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (curve, backend=None))] fn generate_private_key( py: pyo3::Python<'_>, @@ -172,7 +172,7 @@ fn generate_private_key( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn derive_private_key( py: pyo3::Python<'_>, py_private_value: &pyo3::Bound<'_, pyo3::types::PyLong>, @@ -195,7 +195,7 @@ fn derive_private_key( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes( py: pyo3::Python<'_>, py_curve: pyo3::Bound<'_, pyo3::PyAny>, @@ -215,7 +215,7 @@ fn from_public_bytes( }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl ECPrivateKey { #[getter] fn key_size<'p>( @@ -374,7 +374,7 @@ impl ECPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl ECPublicKey { #[getter] fn key_size<'p>( @@ -459,7 +459,7 @@ impl ECPublicKey { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] struct EllipticCurvePrivateNumbers { #[pyo3(get)] private_value: pyo3::Py, @@ -467,7 +467,7 @@ struct EllipticCurvePrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.primitives.asymmetric.ec")] struct EllipticCurvePublicNumbers { #[pyo3(get)] x: pyo3::Py, @@ -506,7 +506,7 @@ fn public_key_from_numbers( Ok(openssl::ec::EcKey::from_public_key(curve, &point)?) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl EllipticCurvePrivateNumbers { #[new] fn new( @@ -579,7 +579,7 @@ impl EllipticCurvePrivateNumbers { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl EllipticCurvePublicNumbers { #[new] fn new( @@ -672,8 +672,8 @@ impl EllipticCurvePublicNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ec")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ec")?; m.add_function(pyo3::wrap_pyfunction_bound!(curve_supported, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(derive_private_key, &m)?)?; diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index 565f839f7096..ab800d637af8 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -6,19 +6,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(Ed25519PrivateKey { pkey: openssl::pkey::PKey::generate_ed25519()?, @@ -41,7 +41,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes( data.as_bytes(), @@ -53,7 +53,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { Ok(Ed25519PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::ED25519) .map_err(|_| { @@ -62,7 +62,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(Ed25519PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed25519PrivateKey { fn sign<'p>( &self, @@ -118,7 +118,7 @@ impl Ed25519PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed25519PublicKey { fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? @@ -162,8 +162,8 @@ impl Ed25519PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ed25519")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ed25519")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index ef6c193e1fa7..27b716ee5f2e 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -6,19 +6,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(Ed448PrivateKey { pkey: openssl::pkey::PKey::generate_ed448()?, @@ -41,7 +41,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::ED448) @@ -51,7 +51,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { Ok(Ed448PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::ED448) .map_err(|_| { @@ -60,7 +60,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(Ed448PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed448PrivateKey { fn sign<'p>( &self, @@ -116,7 +116,7 @@ impl Ed448PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Ed448PublicKey { fn verify(&self, signature: CffiBuf<'_>, data: CffiBuf<'_>) -> CryptographyResult<()> { let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)? @@ -159,8 +159,8 @@ impl Ed448PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "ed448")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "ed448")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index bc2c42016de3..4b33e024fc27 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; use std::borrow::Cow; @@ -10,7 +10,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.hashes")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.hashes")] pub(crate) struct Hash { #[pyo3(get)] algorithm: pyo3::Py, @@ -140,8 +140,8 @@ impl Hash { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "hashes")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "hashes")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 5f08ff117167..4488753b91e0 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -6,9 +6,9 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyBytesMethods, PyModuleMethods}; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", name = "HMAC" )] @@ -108,8 +108,8 @@ impl Hmac { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "hmac")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "hmac")?; m.add_class::()?; Ok(m) diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index efdd89804f20..52ccd10e9e3d 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -5,9 +5,9 @@ use crate::backend::hashes; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn derive_pbkdf2_hmac<'p>( py: pyo3::Python<'p>, key_material: CffiBuf<'_>, @@ -25,7 +25,7 @@ fn derive_pbkdf2_hmac<'p>( } #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[allow(clippy::too_many_arguments)] fn derive_scrypt<'p>( py: pyo3::Python<'p>, @@ -51,8 +51,8 @@ fn derive_scrypt<'p>( pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "kdf")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "kdf")?; m.add_function(pyo3::wrap_pyfunction_bound!(derive_pbkdf2_hmac, &m)?)?; #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 974f07bb22f1..7240f98c1c3e 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; use pyo3::IntoPy; use crate::backend::utils; @@ -10,7 +10,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] fn load_der_private_key( py: pyo3::Python<'_>, @@ -41,7 +41,7 @@ fn load_der_private_key( private_key_from_pkey(py, &pkey, unsafe_skip_rsa_key_validation) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None, *, unsafe_skip_rsa_key_validation=false))] fn load_pem_private_key( py: pyo3::Python<'_>, @@ -116,7 +116,7 @@ pub(crate) fn private_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_der_public_key( py: pyo3::Python<'_>, @@ -145,7 +145,7 @@ pub(crate) fn load_der_public_key_bytes( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_public_key( py: pyo3::Python<'_>, @@ -221,8 +221,8 @@ fn public_key_from_pkey( pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "keys")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "keys")?; m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_private_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(load_der_private_key, &m)?)?; diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index dd7620c19e2c..1f703485b970 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; pub(crate) mod aead; pub(crate) mod cipher_registry; @@ -25,9 +25,7 @@ pub(crate) mod x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod x448; -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_submodule(&aead::create_module(module.py())?)?; module.add_submodule(&ciphers::create_module(module.py())?)?; module.add_submodule(&cmac::create_module(module.py())?)?; diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index b1c3698700a4..4d07985407af 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::prelude::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyBytesMethods, PyModuleMethods}; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] struct Poly1305Boring { @@ -88,7 +88,7 @@ impl Poly1305Open { } } -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.poly1305")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.openssl.poly1305")] struct Poly1305 { #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] inner: Option, @@ -167,8 +167,8 @@ impl Poly1305 { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "poly1305")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "poly1305")?; m.add_class::()?; diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 461e6a7a345e..6636ab695a7c 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,9 +9,9 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::prelude::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyModuleMethods}; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.rsa", name = "RSAPrivateKey" @@ -20,7 +20,7 @@ pub(crate) struct RsaPrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.bindings._rust.openssl.rsa", name = "RSAPublicKey" @@ -61,7 +61,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResult { let e = openssl::bn::BigNum::from_u32(public_exponent)?; let rsa = openssl::rsa::Rsa::generate_with_e(key_size, &e)?; @@ -278,7 +278,7 @@ fn setup_signature_ctx( Ok(()) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPrivateKey { fn sign<'p>( &self, @@ -417,7 +417,7 @@ impl RsaPrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPublicKey { fn verify( &self, @@ -530,7 +530,7 @@ impl RsaPublicKey { } } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.rsa", name = "RSAPrivateNumbers" @@ -552,7 +552,7 @@ struct RsaPrivateNumbers { public_numbers: pyo3::Py, } -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, module = "cryptography.hazmat.primitives.asymmetric.rsa", name = "RSAPublicNumbers" @@ -650,7 +650,7 @@ fn check_private_key_components( Ok(()) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPrivateNumbers { #[new] fn new( @@ -766,7 +766,7 @@ fn check_public_key_components( Ok(()) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RsaPublicNumbers { #[new] fn new(e: pyo3::Py, n: pyo3::Py) -> RsaPublicNumbers { @@ -816,8 +816,8 @@ impl RsaPublicNumbers { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "rsa")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "rsa")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; m.add_class::()?; diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs index 264ccf67053b..616ace7cb0d4 100644 --- a/src/rust/src/backend/utils.rs +++ b/src/rust/src/backend/utils.rs @@ -5,7 +5,7 @@ use crate::backend::hashes::Hash; use crate::error::{CryptographyError, CryptographyResult}; use crate::{error, types}; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods}; use pyo3::ToPyObject; pub(crate) fn py_int_to_bn( diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 045aa909596c..9e22c0ab998d 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -5,19 +5,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(X25519PrivateKey { pkey: openssl::pkey::PKey::generate_x25519()?, @@ -40,7 +40,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::X25519) @@ -52,7 +52,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { Ok(X25519PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::X25519) .map_err(|_| { @@ -61,7 +61,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(X25519PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X25519PrivateKey { fn exchange<'p>( &self, @@ -122,7 +122,7 @@ impl X25519PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X25519PublicKey { fn public_bytes_raw<'p>( &self, @@ -152,8 +152,8 @@ impl X25519PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "x25519")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "x25519")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 1d8d9e5837cc..4b88035d3226 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -5,19 +5,19 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PrivateKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PublicKey { pkey: openssl::pkey::PKey, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn generate_key() -> CryptographyResult { Ok(X448PrivateKey { pkey: openssl::pkey::PKey::generate_x448()?, @@ -40,7 +40,7 @@ pub(crate) fn public_key_from_pkey( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::private_key_from_raw_bytes(data.as_bytes(), openssl::pkey::Id::X448) @@ -51,7 +51,7 @@ fn from_private_bytes(data: CffiBuf<'_>) -> pyo3::PyResult { })?; Ok(X448PrivateKey { pkey }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { let pkey = openssl::pkey::PKey::public_key_from_raw_bytes(data, openssl::pkey::Id::X448) .map_err(|_| { @@ -60,7 +60,7 @@ fn from_public_bytes(data: &[u8]) -> pyo3::PyResult { Ok(X448PublicKey { pkey }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X448PrivateKey { fn exchange<'p>( &self, @@ -121,7 +121,7 @@ impl X448PrivateKey { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl X448PublicKey { fn public_bytes_raw<'p>( &self, @@ -151,8 +151,8 @@ impl X448PublicKey { pub(crate) fn create_module( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::prelude::PyModule::new_bound(py, "x448")?; +) -> pyo3::PyResult> { + let m = pyo3::types::PyModule::new_bound(py, "x448")?; m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index ff9ca0c3d7e5..15ace0442bbc 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -3,8 +3,8 @@ // for complete details. use crate::types; -use pyo3::prelude::PyAnyMethods; use pyo3::types::IntoPyDict; +use pyo3::types::PyAnyMethods; use std::slice; pub(crate) struct CffiBuf<'p> { diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs index 380531c65509..81901e1ad91e 100644 --- a/src/rust/src/error.rs +++ b/src/rust/src/error.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyListMethods; +use pyo3::types::PyListMethods; use pyo3::ToPyObject; use crate::exceptions; @@ -148,12 +148,12 @@ impl CryptographyError { // https://github.com/pyca/cryptography/pull/6173 pub(crate) type CryptographyResult = Result; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn raise_openssl_error() -> crate::error::CryptographyResult<()> { Err(openssl::error::ErrorStack::get().into()) } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl")] pub(crate) struct OpenSSLError { e: openssl::error::Error, } @@ -186,7 +186,7 @@ impl OpenSSLError { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn capture_error_stack( py: pyo3::Python<'_>, ) -> pyo3::PyResult> { diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index d6d7afb060a0..ff789105447b 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -2,9 +2,9 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; -#[pyo3::prelude::pyclass( +#[pyo3::pyclass( frozen, eq, module = "cryptography.hazmat.bindings._rust.exceptions", @@ -41,8 +41,8 @@ pyo3::import_exception_bound!(cryptography.x509, InvalidVersion); pub(crate) fn create_submodule( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "exceptions")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "exceptions")?; submod.add_class::()?; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 383716764961..bed02d09e235 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -9,7 +9,7 @@ use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; -use pyo3::prelude::PyModuleMethods; +use pyo3::types::PyModuleMethods; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; @@ -26,7 +26,7 @@ pub(crate) mod types; mod x509; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, _default: provider::Provider, @@ -34,17 +34,17 @@ struct LoadedProviders { fips: Option, } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn openssl_version() -> i64 { openssl::version::number() } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn openssl_version_text() -> &'static str { openssl::version::version() } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() } @@ -84,14 +84,14 @@ fn _legacy_provider_error(success: bool) -> pyo3::PyResult<()> { } #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { providers.fips = Some(provider::Provider::load(None, "fips")?); cryptography_openssl::fips::enable()?; Ok(()) } -#[pyo3::prelude::pymodule] +#[pyo3::pymodule] fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { m.add_function(pyo3::wrap_pyfunction_bound!( padding::check_pkcs7_padding, @@ -109,7 +109,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> py m.add_submodule(&pkcs12::create_submodule(py)?)?; m.add_submodule(&exceptions::create_submodule(py)?)?; - let x509_mod = pyo3::prelude::PyModule::new_bound(py, "x509")?; + let x509_mod = pyo3::types::PyModule::new_bound(py, "x509")?; crate::x509::certificate::add_to_module(&x509_mod)?; crate::x509::common::add_to_module(&x509_mod)?; crate::x509::crl::add_to_module(&x509_mod)?; @@ -118,14 +118,14 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> py crate::x509::verify::add_to_module(&x509_mod)?; m.add_submodule(&x509_mod)?; - let ocsp_mod = pyo3::prelude::PyModule::new_bound(py, "ocsp")?; + let ocsp_mod = pyo3::types::PyModule::new_bound(py, "ocsp")?; crate::x509::ocsp_req::add_to_module(&ocsp_mod)?; crate::x509::ocsp_resp::add_to_module(&ocsp_mod)?; m.add_submodule(&ocsp_mod)?; m.add_submodule(&cryptography_cffi::create_module(py)?)?; - let openssl_mod = pyo3::prelude::PyModule::new_bound(py, "openssl")?; + let openssl_mod = pyo3::types::PyModule::new_bound(py, "openssl")?; openssl_mod.add( "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), diff --git a/src/rust/src/oid.rs b/src/rust/src/oid.rs index 66aef8a882ab..fb64837b6bff 100644 --- a/src/rust/src/oid.rs +++ b/src/rust/src/oid.rs @@ -4,11 +4,11 @@ use crate::error::CryptographyResult; use crate::types; -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust")] pub(crate) struct ObjectIdentifier { pub(crate) oid: asn1::ObjectIdentifier, } diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index c4396c26f258..f6a13572f622 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs @@ -20,7 +20,7 @@ fn constant_time_lt(a: u8, b: u8) -> u8 { duplicate_msb_to_all(a ^ ((a ^ b) | (a.wrapping_sub(b) ^ b))) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn check_pkcs7_padding(data: &[u8]) -> bool { let mut mismatch = 0; let pad_size = *data.last().unwrap(); @@ -43,7 +43,7 @@ pub(crate) fn check_pkcs7_padding(data: &[u8]) -> bool { (mismatch & 1) == 0 } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] pub(crate) fn check_ansix923_padding(data: &[u8]) -> bool { let mut mismatch = 0; let pad_size = *data.last().unwrap(); @@ -67,13 +67,13 @@ pub(crate) fn check_ansix923_padding(data: &[u8]) -> bool { (mismatch & 1) == 0 } -#[pyo3::prelude::pyclass] +#[pyo3::pyclass] pub(crate) struct PKCS7PaddingContext { block_size: usize, length_seen: Option, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PKCS7PaddingContext { #[new] fn new(block_size: usize) -> PKCS7PaddingContext { diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 1ccf21377402..7436146bcacb 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -8,12 +8,12 @@ use crate::error::CryptographyResult; use crate::x509::certificate::Certificate; use crate::{types, x509}; use cryptography_x509::common::Utf8StoredBMPString; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -#[pyo3::prelude::pyclass(frozen)] +#[pyo3::pyclass(frozen)] struct PKCS12Certificate { #[pyo3(get)] certificate: pyo3::Py, @@ -21,7 +21,7 @@ struct PKCS12Certificate { friendly_name: Option>, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl PKCS12Certificate { #[new] #[pyo3(signature = (cert, friendly_name=None))] @@ -256,7 +256,7 @@ enum CertificateOrPKCS12Certificate { PKCS12Certificate(pyo3::Py), } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (name, key, cert, cas, encryption_algorithm))] fn serialize_key_and_certificates<'p>( py: pyo3::Python<'p>, @@ -406,7 +406,7 @@ fn decode_p12( Ok(parsed) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None))] fn load_key_and_certificates<'p>( py: pyo3::Python<'p>, @@ -457,7 +457,7 @@ fn load_key_and_certificates<'p>( Ok((private_key, cert, additional_certs)) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, password, backend=None))] fn load_pkcs12<'p>( py: pyo3::Python<'p>, @@ -516,8 +516,8 @@ fn load_pkcs12<'p>( pub(crate) fn create_submodule( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs12")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "pkcs12")?; submod.add_function(pyo3::wrap_pyfunction_bound!( load_key_and_certificates, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index e08a67e73a2f..86ef48cc4de4 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -11,7 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -36,7 +36,7 @@ static OIDS_TO_MIC_NAME: Lazy> = Lazy::ne h }); -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn serialize_certificates<'p>( py: pyo3::Python<'p>, py_certs: Vec>, @@ -75,7 +75,7 @@ fn serialize_certificates<'p>( encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn sign_and_serialize<'p>( py: pyo3::Python<'p>, builder: &pyo3::Bound<'p, pyo3::PyAny>, @@ -355,7 +355,7 @@ fn load_pkcs7_certificates( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_pem_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], @@ -381,7 +381,7 @@ fn load_pem_pkcs7_certificates<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_der_pkcs7_certificates<'p>( py: pyo3::Python<'p>, data: &[u8], @@ -409,8 +409,8 @@ fn load_der_pkcs7_certificates<'p>( pub(crate) fn create_submodule( py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::prelude::PyModule::new_bound(py, "pkcs7")?; +) -> pyo3::PyResult> { + let submod = pyo3::types::PyModule::new_bound(py, "pkcs7")?; submod.add_function(pyo3::wrap_pyfunction_bound!( serialize_certificates, diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index d64b521a1887..7b3fb35392e2 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; pub struct LazyPyImport { module: &'static str, diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 0b5e89bd37bf..2bf3b4406fe3 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{ @@ -38,13 +38,13 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Certificate { pub(crate) raw: OwnedCertificate, pub(crate) cached_extensions: pyo3::sync::GILOnceCell, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Certificate { fn __hash__(&self) -> u64 { let mut hasher = DefaultHasher::new(); @@ -364,7 +364,7 @@ fn cert_version( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_x509_certificate( py: pyo3::Python<'_>, @@ -387,7 +387,7 @@ fn load_pem_x509_certificate( ) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_pem_x509_certificates( py: pyo3::Python<'_>, data: &[u8], @@ -411,7 +411,7 @@ fn load_pem_x509_certificates( Ok(certs) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] pub(crate) fn load_der_x509_certificate( py: pyo3::Python<'_>, @@ -885,7 +885,7 @@ pub(crate) fn time_from_datetime(dt: asn1::DateTime) -> CryptographyResult, builder: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 89baee082673..98d4b2e71bfb 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -7,8 +7,8 @@ use cryptography_x509::extensions::{ AccessDescription, DuplicateExtensionsError, Extension, Extensions, RawExtensions, }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::types::IntoPyDict; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; @@ -88,7 +88,7 @@ pub(crate) fn encode_name_entry<'p>( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn encode_name_bytes<'p>( py: pyo3::Python<'p>, py_name: &pyo3::Bound<'p, pyo3::PyAny>, @@ -457,7 +457,7 @@ pub(crate) fn encode_extensions< ))) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn encode_extension_value<'p>( py: pyo3::Python<'p>, py_ext: pyo3::Bound<'p, pyo3::PyAny>, diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index 52cadde0e24c..c4d683ba1c1b 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; use pyo3::ToPyObject; use crate::asn1::{ @@ -24,7 +24,7 @@ use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, extensions, sign}; use crate::{exceptions, types, x509}; -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_der_x509_crl( py: pyo3::Python<'_>, @@ -54,7 +54,7 @@ fn load_der_x509_crl( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_x509_crl( py: pyo3::Python<'_>, @@ -83,7 +83,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateRevocationList { owned: Arc, @@ -113,7 +113,7 @@ impl CertificateRevocationList { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl CertificateRevocationList { fn __eq__(&self, other: pyo3::PyRef<'_, CertificateRevocationList>) -> bool { self.owned.borrow_dependent() == other.owned.borrow_dependent() @@ -455,7 +455,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.x509")] struct CRLIterator { contents: OwnedCRLIteratorData, } @@ -485,7 +485,7 @@ fn try_map_arc_data_mut_crl_iterator( }) } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl CRLIterator { fn __len__(&self) -> usize { self.contents @@ -534,13 +534,13 @@ impl Clone for OwnedRevokedCertificate { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct RevokedCertificate { owned: OwnedRevokedCertificate, cached_extensions: pyo3::sync::GILOnceCell, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl RevokedCertificate { #[getter] fn serial_number<'p>( @@ -642,7 +642,7 @@ pub fn parse_crl_entry_ext<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_x509_crl( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index a9823f2c2fc5..61d0809d404d 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; @@ -26,13 +26,13 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] struct CertificateSigningRequest { raw: OwnedCsr, cached_extensions: pyo3::sync::GILOnceCell, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl CertificateSigningRequest { fn __hash__(&self, py: pyo3::Python<'_>) -> u64 { let mut hasher = DefaultHasher::new(); @@ -235,7 +235,7 @@ impl CertificateSigningRequest { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_pem_x509_csr( py: pyo3::Python<'_>, @@ -258,7 +258,7 @@ fn load_pem_x509_csr( ) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn load_der_x509_csr( py: pyo3::Python<'_>, @@ -285,7 +285,7 @@ fn load_der_x509_csr( }) } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_x509_csr( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs index bb8e9a55cb95..9bd942542393 100644 --- a/src/rust/src/x509/extensions.rs +++ b/src/rust/src/x509/extensions.rs @@ -8,8 +8,8 @@ use crate::asn1::{py_oid_to_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; use crate::x509::{certificate, sct}; use crate::{types, x509}; -use pyo3::prelude::PyAnyMethods; use pyo3::pybacked::PyBackedStr; +use pyo3::types::PyAnyMethods; fn encode_general_subtrees<'a>( py: pyo3::Python<'_>, @@ -39,7 +39,7 @@ pub(crate) fn encode_authority_key_identifier<'a>( py: pyo3::Python<'a>, py_aki: &pyo3::Bound<'a, pyo3::PyAny>, ) -> CryptographyResult> { - #[derive(pyo3::prelude::FromPyObject)] + #[derive(pyo3::FromPyObject)] struct PyAuthorityKeyIdentifier<'a> { key_identifier: Option, authority_cert_issuer: Option>, @@ -77,7 +77,7 @@ pub(crate) fn encode_distribution_points<'p>( py: pyo3::Python<'p>, py_dps: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { - #[derive(pyo3::prelude::FromPyObject)] + #[derive(pyo3::FromPyObject)] struct PyDistributionPoint<'a> { crl_issuer: Option>, full_name: Option>, @@ -132,7 +132,7 @@ pub(crate) fn encode_distribution_points<'p>( } fn encode_basic_constraints(ext: &pyo3::Bound<'_, pyo3::PyAny>) -> CryptographyResult> { - #[derive(pyo3::prelude::FromPyObject)] + #[derive(pyo3::FromPyObject)] struct PyBasicConstraints { ca: bool, path_length: Option, diff --git a/src/rust/src/x509/ocsp.rs b/src/rust/src/x509/ocsp.rs index 4588c41aef39..b632532f1573 100644 --- a/src/rust/src/x509/ocsp.rs +++ b/src/rust/src/x509/ocsp.rs @@ -7,7 +7,7 @@ use std::collections::HashMap; use cryptography_x509::common; use cryptography_x509::ocsp_req::CertID; use once_cell::sync::Lazy; -use pyo3::prelude::PyAnyMethods; +use pyo3::types::PyAnyMethods; use crate::backend::hashes::Hash; use crate::error::CryptographyResult; diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index a411904b2588..d56ed0823ee9 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -22,7 +22,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_der_ocsp_request( py: pyo3::Python<'_>, data: pyo3::Py, @@ -50,7 +50,7 @@ fn load_der_ocsp_request( }) } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPRequest { raw: OwnedOCSPRequest, @@ -71,7 +71,7 @@ impl OCSPRequest { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPRequest { #[getter] fn issuer_name_hash(&self) -> &[u8] { @@ -165,7 +165,7 @@ impl OCSPRequest { } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_ocsp_request( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, @@ -229,9 +229,7 @@ fn create_ocsp_request( load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 3233d0b4d9a1..2250decae428 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::prelude::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -19,7 +19,7 @@ use crate::{exceptions, types, x509}; const BASIC_RESPONSE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 1); -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn load_der_ocsp_response( py: pyo3::Python<'_>, data: pyo3::Py, @@ -72,7 +72,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponse { raw: Arc, @@ -99,7 +99,7 @@ const TRY_LATER_RESPONSE: u32 = 3; const SIG_REQUIRED_RESPONSE: u32 = 5; const UNAUTHORIZED_RESPONSE: u32 = 6; -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPResponse { #[getter] fn responses(&self) -> Result { @@ -588,7 +588,7 @@ fn singleresp_py_revocation_time<'p>( } } -#[pyo3::prelude::pyfunction] +#[pyo3::pyfunction] fn create_ocsp_response( py: pyo3::Python<'_>, status: &pyo3::Bound<'_, pyo3::PyAny>, @@ -788,12 +788,12 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPResponseIterator { contents: OwnedOCSPResponseIteratorData, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPResponseIterator { fn __iter__(slf: pyo3::PyRef<'_, Self>) -> pyo3::PyRef<'_, Self> { slf @@ -820,7 +820,7 @@ self_cell::self_cell!( } ); -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] struct OCSPSingleResponse { raw: OwnedSingleResponse, } @@ -831,7 +831,7 @@ impl OCSPSingleResponse { } } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl OCSPSingleResponse { #[getter] fn serial_number<'p>( @@ -908,9 +908,7 @@ impl OCSPSingleResponse { } } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_function(pyo3::wrap_pyfunction_bound!( load_der_ocsp_response, module diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index a5b2d920a84c..54315cdcc412 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::prelude::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; use pyo3::ToPyObject; use crate::error::CryptographyError; @@ -128,7 +128,7 @@ impl TryFrom for SignatureAlgorithm { } } -#[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] pub(crate) struct Sct { log_id: [u8; 32], timestamp: u64, @@ -141,7 +141,7 @@ pub(crate) struct Sct { pub(crate) sct_data: Vec, } -#[pyo3::prelude::pymethods] +#[pyo3::pymethods] impl Sct { fn __eq__(&self, other: pyo3::PyRef<'_, Sct>) -> bool { self.sct_data == other.sct_data @@ -259,9 +259,7 @@ pub(crate) fn parse_scts( Ok(py_scts.to_object(py)) } -pub(crate) fn add_to_module( - module: &pyo3::Bound<'_, pyo3::prelude::PyModule>, -) -> pyo3::PyResult<()> { +pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { module.add_class::()?; Ok(()) diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs index a97627cd215e..4e96b8a8e02d 100644 --- a/src/rust/src/x509/sign.rs +++ b/src/rust/src/x509/sign.rs @@ -6,8 +6,8 @@ use std::collections::HashMap; use cryptography_x509::{common, oid}; use once_cell::sync::Lazy; -use pyo3::prelude::PyAnyMethods; use pyo3::pybacked::PyBackedBytes; +use pyo3::types::PyAnyMethods; use crate::asn1::oid_to_py_oid; use crate::error::{CryptographyError, CryptographyResult}; diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 73f354544685..0b3a83552a06 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::prelude::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; From 986a6c22231bc5f587e9aab89d5a564b0aa80c63 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 27 Jun 2024 00:16:10 +0000 Subject: [PATCH 737/868] Bump BoringSSL and/or OpenSSL in CI (#11169) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6da1473a348d..30284deabd22 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 26, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "30dc37d798a0428fd477d3763086e7e97b3d596f"}} + # Latest commit on the OpenSSL master branch, as of Jun 27, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b76a6c26a254b4cc428275fc0ced56759dd5088a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From c7b7c627c8717f3628664071cdb0c38f6bfcb1ce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Jun 2024 07:15:24 -0400 Subject: [PATCH 738/868] Bump twine from 5.1.0 to 5.1.1 in /.github/requirements (#11171) Bumps [twine](https://github.com/pypa/twine) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/pypa/twine/releases) - [Changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst) - [Commits](https://github.com/pypa/twine/compare/5.1.0...v5.1.1) --- updated-dependencies: - dependency-name: twine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 688680a343a2..0f49d56e0404 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -260,9 +260,9 @@ nh3==0.2.17 \ --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a # via readme-renderer -pkginfo==1.11.1 \ - --hash=sha256:2e0dca1cf4c8e39644eed32408ea9966ee15e0d324c62ba899a393b3c6b467aa \ - --hash=sha256:bfa76a714fdfc18a045fcd684dbfc3816b603d9d075febef17cb6582bea29573 +pkginfo==1.10.0 \ + --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ + --hash=sha256:889a6da2ed7ffc58ab5b900d888ddce90bce912f2d2de1dc1c26f4cb9fe65097 # via twine pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ @@ -301,9 +301,9 @@ secretstorage==3.3.3 \ --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 # via keyring -twine==5.1.0 \ - --hash=sha256:4d74770c88c4fcaf8134d2a6a9d863e40f08255ff7d8e2acb3cbbd57d25f6e9d \ - --hash=sha256:fe1d814395bfe50cfbe27783cb74efe93abeac3f66deaeb6c8390e4e92bacb43 +twine==5.1.1 \ + --hash=sha256:215dbe7b4b94c2c50a7315c0275d2258399280fbb7d04182c7e55e24b5f93997 \ + --hash=sha256:9aa0825139c02b3434d913545c7b847a21c835e11597f5255842d457da2322db # via -r publish-requirements.in urllib3==2.2.2 \ --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ From 541beda62fde26ee16f98092e553a17cac8e8943 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Jun 2024 07:15:37 -0400 Subject: [PATCH 739/868] Bump importlib-metadata from 7.2.1 to 8.0.0 in /.github/requirements (#11167) Bumps [importlib-metadata](https://github.com/python/importlib_metadata) from 7.2.1 to 8.0.0. - [Release notes](https://github.com/python/importlib_metadata/releases) - [Changelog](https://github.com/python/importlib_metadata/blob/main/NEWS.rst) - [Commits](https://github.com/python/importlib_metadata/compare/v7.2.1...v8.0.0) --- updated-dependencies: - dependency-name: importlib-metadata dependency-type: indirect update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 0f49d56e0404..72c2c1b5f011 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -200,9 +200,9 @@ idna==3.7 \ --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 # via requests -importlib-metadata==7.2.1 \ - --hash=sha256:509ecb2ab77071db5137c655e24ceb3eee66e7bbc6574165d0d114d9fc4bbe68 \ - --hash=sha256:ffef94b0b66046dd8ea2d619b701fe978d9264d38f3998bc4c27ec3b146a87c8 +importlib-metadata==8.0.0 \ + --hash=sha256:15584cf2b1bf449d98ff8a6ff1abef57bf20f3ac6454f431736cd3e660921b2f \ + --hash=sha256:188bd24e4c346d3f0a933f275c2fec67050326a856b9a359881d7c2a697e8812 # via # keyring # twine From 3288b9a1667c89ce7dc327c03911b379ae8f9a7f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 28 Jun 2024 04:32:21 +0300 Subject: [PATCH 740/868] Bump BoringSSL and/or OpenSSL in CI (#11174) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30284deabd22..e079452ff2c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 27, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b76a6c26a254b4cc428275fc0ced56759dd5088a"}} + # Latest commit on the OpenSSL master branch, as of Jun 28, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbd6609bb21b125c9454d07c484d166a33b4815b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 4a1dcfa8b584d17b19d4bb3084b5c87e4c1038ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Jun 2024 07:02:49 -0400 Subject: [PATCH 741/868] Bump ruff from 0.4.10 to 0.5.0 (#11176) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.4.10 to 0.5.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/v0.4.10...0.5.0) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 60df244084bb..ae6896d7daac 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.4.10 +ruff==0.5.0 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 17711c14aec0ac76276d986b2f40ccae89ad96ef Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 29 Jun 2024 00:15:22 +0000 Subject: [PATCH 742/868] Bump BoringSSL and/or OpenSSL in CI (#11179) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e079452ff2c6..d30e1a1c7eed 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 28, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fbd6609bb21b125c9454d07c484d166a33b4815b"}} + # Latest commit on the OpenSSL master branch, as of Jun 29, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7afa7731e924d5ac10fc992d8cd777f407d33af9"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 56933bf61a4539a1306534a196e67e40c5084719 Mon Sep 17 00:00:00 2001 From: David Buchanan Date: Sat, 29 Jun 2024 16:23:57 +0100 Subject: [PATCH 743/868] utils.int_to_bytes: guard against zero-length (#11173) * utils: guard against zero-length int_to_bytes * add tests for HBKDF with llen=0 * kbkdf: guard against llen==0 * test that kbkdf rejects llen==0 at __init__ * add standalone test for zero-length int_to_bytes * Update src/cryptography/hazmat/primitives/kdf/kbkdf.py typo Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- .../hazmat/primitives/kdf/kbkdf.py | 3 ++ src/cryptography/utils.py | 2 ++ tests/hazmat/primitives/test_kbkdf.py | 30 +++++++++++++++++++ tests/test_utils.py | 7 +++++ 4 files changed, 42 insertions(+) diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py index 9ae817d4e6ae..802b484c72ae 100644 --- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py @@ -87,6 +87,9 @@ def __init__( if llen is not None and not isinstance(llen, int): raise TypeError("llen must be an integer") + if llen == 0: + raise ValueError("llen must be non-zero") + if label is None: label = b"" diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index b3f6e736918a..706d0ae4cbd7 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -41,6 +41,8 @@ def _check_byteslike(name: str, value: bytes) -> None: def int_to_bytes(integer: int, length: int | None = None) -> bytes: + if length == 0: + raise ValueError("length argument can't be 0") return integer.to_bytes( length or (integer.bit_length() + 7) // 8 or 1, "big" ) diff --git a/tests/hazmat/primitives/test_kbkdf.py b/tests/hazmat/primitives/test_kbkdf.py index 965075d2ce2d..e812b464ce93 100644 --- a/tests/hazmat/primitives/test_kbkdf.py +++ b/tests/hazmat/primitives/test_kbkdf.py @@ -159,6 +159,21 @@ def test_r_type(self, backend): backend=backend, ) + def test_zero_llen(self, backend): + with pytest.raises(ValueError): + KBKDFHMAC( + hashes.SHA256(), + Mode.CounterMode, + 32, + 4, + 0, + CounterLocation.BeforeFixed, + b"label", + b"context", + None, + backend=backend, + ) + def test_l_type(self, backend): with pytest.raises(TypeError): KBKDFHMAC( @@ -615,6 +630,21 @@ def test_r_type(self, backend): backend=backend, ) + def test_zero_llen(self, backend): + with pytest.raises(ValueError): + KBKDFCMAC( + algorithms.AES, + Mode.CounterMode, + 32, + 4, + 0, + CounterLocation.BeforeFixed, + b"label", + b"context", + None, + backend=backend, + ) + def test_l_type(self, backend): with pytest.raises(TypeError): KBKDFCMAC( diff --git a/tests/test_utils.py b/tests/test_utils.py index 191cc913a472..5e5f506f82b1 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -39,6 +39,13 @@ ) +def test_int_to_bytes_rejects_zero_length(): + with pytest.raises(ValueError): + cryptography.utils.int_to_bytes(123, 0) + with pytest.raises(ValueError): + cryptography.utils.int_to_bytes(0, 0) + + def test_check_backend_support_skip(): supported = pretend.stub( kwargs={"only_if": lambda backend: False, "skip_message": "Nope"} From 564c7980adee96bc691ce598ddbeee6f7d372e9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 29 Jun 2024 20:09:01 +0000 Subject: [PATCH 744/868] Bump cc from 1.0.101 to 1.0.102 in /src/rust (#11180) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.101 to 1.0.102. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.101...cc-v1.0.102) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index ba5223e54c0f..9db12395438b 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.101" +version = "1.0.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac367972e516d45567c7eafc73d24e1c193dcf200a8d94e9db7b3d38b349572d" +checksum = "779e6b7d17797c0b42023d417228c02889300190e700cb074c3438d9c541d332" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index e06baab70c05..4942aca6c77a 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.101" +cc = "1.0.102" From 6d2d8c2e37e0ea8843b77e3e34f767a960165e74 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 30 Jun 2024 00:22:08 +0000 Subject: [PATCH 745/868] Bump BoringSSL and/or OpenSSL in CI (#11181) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d30e1a1c7eed..4c87d60ac77f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 29, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "7afa7731e924d5ac10fc992d8cd777f407d33af9"}} + # Latest commit on the OpenSSL master branch, as of Jun 30, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5a9c90b1e59b2c368876229862fbff29f2bcf006"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 95e57bf5c5763cf9f700ef339cad3aa7bb5799a4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 30 Jun 2024 07:06:05 -0400 Subject: [PATCH 746/868] fixes #11175 -- improve error message when loading PEM public key with no BEGIN PUBLIC KEY (#11177) --- src/rust/src/backend/keys.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 7240f98c1c3e..649bea38cbeb 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -176,7 +176,9 @@ fn load_pem_public_key( } } "PUBLIC KEY" => cryptography_key_parsing::spki::parse_public_key(p.contents())?, - _ => return Err(CryptographyError::from(pem::PemError::MalformedFraming)), + _ => return Err(CryptographyError::from(pyo3::exceptions::PyValueError::new_err( + "Valid PEM but no BEGIN PUBLIC KEY/END PUBLIC KEY delimiters. Are you sure this is a public key?" + ))), }; public_key_from_pkey(py, &pkey, pkey.id()) } From 85fba50add6b7129898f69d69a2338475de2aae5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 30 Jun 2024 07:07:09 -0400 Subject: [PATCH 747/868] Remove buster from CI (#11182) * Remove buster from CI It is EOL * Update installation.rst --- .github/workflows/ci.yml | 1 - docs/installation.rst | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4c87d60ac77f..ee445d30f623 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -150,7 +150,6 @@ jobs: IMAGE: - {IMAGE: "rhel8", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "rhel8-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "buster", NOXSESSION: "tests-nocoverage", RUNNER: "ubuntu-latest"} - {IMAGE: "bullseye", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "bookworm", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "trixie", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} diff --git a/docs/installation.rst b/docs/installation.rst index cc6e32beafe4..8e5af7dd54c3 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -22,8 +22,8 @@ operating systems. * x86-64 macOS 13 Ventura and ARM64 macOS 14 Sonoma * x86-64 Ubuntu 20.04, 22.04, 24.04, rolling * ARM64 Ubuntu rolling -* x86-64 Debian Buster (10.x), Bullseye (11.x), Bookworm (12.x), - Trixie (13.x), and Sid (unstable) +* x86-64 Debian Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and + Sid (unstable) * x86-64 and ARM64 Alpine (latest) * 32-bit and 64-bit Python on 64-bit Windows Server 2022 From eae331491c53ce99be8eb8da40cbedf244fa3390 Mon Sep 17 00:00:00 2001 From: Magnus Watn Date: Sun, 30 Jun 2024 18:08:56 +0200 Subject: [PATCH 748/868] Add _utc datetime methods to x509.ocsp (#11183) Fixes #11170. --- CHANGELOG.rst | 10 ++ docs/x509/ocsp.rst | 122 ++++++++++++++++++++++++ src/cryptography/x509/ocsp.py | 58 +++++++++++ src/rust/src/types.rs | 2 + src/rust/src/x509/ocsp_resp.rs | 146 ++++++++++++++++++++++++++++ tests/x509/test_ocsp.py | 169 +++++++++++++++++++++++++-------- 6 files changed, 470 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 3a1ea97886a2..58a827719e65 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -48,6 +48,16 @@ Changelog :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. * Added support for parsing empty DN string in :meth:`~cryptography.x509.Name.from_rfc4514_string`. +* Added the following properties that return timezone-aware ``datetime`` objects: + :meth:`~cryptography.x509.ocsp.OCSPResponse.produced_at_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.revocation_time_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.this_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.next_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.revocation_time_utc`, + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.this_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.next_update_utc`, + These are timezone-aware variants of existing properties that return naïve + ``datetime`` objects. .. _v42-0-8: diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst index 94605c2e499f..beaa3537cc2c 100644 --- a/docs/x509/ocsp.rst +++ b/docs/x509/ocsp.rst @@ -539,11 +539,28 @@ Interfaces :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.produced_at_utc`. + A naïve datetime representing the time when the response was produced. :raises ValueError: If ``response_status`` is not :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. + .. attribute:: produced_at_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the time when the response was produced. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. + .. attribute:: certificate_status :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus` @@ -558,6 +575,12 @@ Interfaces :type: :class:`datetime.datetime` or None + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.revocation_time_utc`. + A naïve datetime representing the time when the certificate was revoked or ``None`` if the certificate has not been revoked. @@ -565,6 +588,20 @@ Interfaces :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or if multiple SINGLERESPs are present. + .. attribute:: revocation_time_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` or None + + A timezone-aware datetime representing the time when the certificate was + revoked or ``None`` if the certificate has not been revoked. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or + if multiple SINGLERESPs are present. + + .. attribute:: revocation_reason :type: :class:`~cryptography.x509.ReasonFlags` or None @@ -580,6 +617,12 @@ Interfaces :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.this_update_utc`. + A naïve datetime representing the most recent time at which the status being indicated is known by the responder to have been correct. @@ -587,10 +630,29 @@ Interfaces :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or if multiple SINGLERESPs are present. + .. attribute:: this_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the most recent time at which the status + being indicated is known by the responder to have been correct. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or + if multiple SINGLERESPs are present. + .. attribute:: next_update :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPResponse.next_update_utc`. + A naïve datetime representing the time when newer information will be available. @@ -598,6 +660,21 @@ Interfaces :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or if multiple SINGLERESPs are present. + + .. attribute:: next_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the time when newer information will + be available. + + :raises ValueError: If ``response_status`` is not + :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or + if multiple SINGLERESPs are present. + + .. attribute:: issuer_key_hash :type: bytes @@ -759,9 +836,24 @@ Interfaces :type: :class:`datetime.datetime` or None + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.revocation_time_utc`. + A naïve datetime representing the time when the certificate was revoked or ``None`` if the certificate has not been revoked. + .. attribute:: revocation_time_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` or None + + A timezone-aware datetime representing the time when the certificate was revoked + or ``None`` if the certificate has not been revoked. + .. attribute:: revocation_reason :type: :class:`~cryptography.x509.ReasonFlags` or None @@ -773,16 +865,46 @@ Interfaces :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.this_update_utc`. + A naïve datetime representing the most recent time at which the status being indicated is known by the responder to have been correct. + .. attribute:: this_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the most recent time at which the status + being indicated is known by the responder to have been correct. + .. attribute:: next_update :type: :class:`datetime.datetime` + .. warning:: + + This property is deprecated and will be removed in a future + version. Please switch to the timezone-aware variant + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.next_update_utc`. + A naïve datetime representing the time when newer information will be available. + .. attribute:: next_update_utc + + .. versionadded:: 43.0.0 + + :type: :class:`datetime.datetime` + + A timezone-aware datetime representing the time when newer information will + be available. + .. attribute:: issuer_key_hash :type: bytes diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 9b2adc8601cc..dbb475db2ab2 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -186,6 +186,14 @@ def revocation_time(self) -> datetime.datetime | None: revoked. """ + @property + @abc.abstractmethod + def revocation_time_utc(self) -> datetime.datetime | None: + """ + The date of when the certificate was revoked or None if not + revoked. Represented as a non-naive UTC datetime. + """ + @property @abc.abstractmethod def revocation_reason(self) -> x509.ReasonFlags | None: @@ -202,6 +210,15 @@ def this_update(self) -> datetime.datetime: the responder to have been correct """ + @property + @abc.abstractmethod + def this_update_utc(self) -> datetime.datetime: + """ + The most recent time at which the status being indicated is known by + the responder to have been correct. Represented as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def next_update(self) -> datetime.datetime | None: @@ -209,6 +226,14 @@ def next_update(self) -> datetime.datetime | None: The time when newer information will be available """ + @property + @abc.abstractmethod + def next_update_utc(self) -> datetime.datetime | None: + """ + The time when newer information will be available. Represented as a + non-naive UTC datetime. + """ + @property @abc.abstractmethod def issuer_key_hash(self) -> bytes: @@ -315,6 +340,14 @@ def produced_at(self) -> datetime.datetime: The time the response was produced """ + @property + @abc.abstractmethod + def produced_at_utc(self) -> datetime.datetime: + """ + The time the response was produced. Represented as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def certificate_status(self) -> OCSPCertStatus: @@ -330,6 +363,14 @@ def revocation_time(self) -> datetime.datetime | None: revoked. """ + @property + @abc.abstractmethod + def revocation_time_utc(self) -> datetime.datetime | None: + """ + The date of when the certificate was revoked or None if not + revoked. Represented as a non-naive UTC datetime. + """ + @property @abc.abstractmethod def revocation_reason(self) -> x509.ReasonFlags | None: @@ -346,6 +387,15 @@ def this_update(self) -> datetime.datetime: the responder to have been correct """ + @property + @abc.abstractmethod + def this_update_utc(self) -> datetime.datetime: + """ + The most recent time at which the status being indicated is known by + the responder to have been correct. Represented as a non-naive UTC + datetime. + """ + @property @abc.abstractmethod def next_update(self) -> datetime.datetime | None: @@ -353,6 +403,14 @@ def next_update(self) -> datetime.datetime | None: The time when newer information will be available """ + @property + @abc.abstractmethod + def next_update_utc(self) -> datetime.datetime | None: + """ + The time when newer information will be available. Represented as a + non-naive UTC datetime. + """ + @property @abc.abstractmethod def issuer_key_hash(self) -> bytes: diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 7b3fb35392e2..95ab3c7cea64 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -45,6 +45,8 @@ pub static DEPRECATED_IN_41: LazyPyImport = LazyPyImport::new("cryptography.utils", &["DeprecatedIn41"]); pub static DEPRECATED_IN_42: LazyPyImport = LazyPyImport::new("cryptography.utils", &["DeprecatedIn42"]); +pub static DEPRECATED_IN_43: LazyPyImport = + LazyPyImport::new("cryptography.utils", &["DeprecatedIn43"]); pub static ENCODING: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 2250decae428..302f3b333762 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -179,10 +179,26 @@ impl OCSPResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to produced_at_utc.", + 1, + )?; let resp = self.requires_successful_response()?; x509::datetime_to_py(py, resp.tbs_response_data.produced_at.as_datetime()) } + #[getter] + fn produced_at_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + x509::datetime_to_py_utc(py, resp.tbs_response_data.produced_at.as_datetime()) + } + #[getter] fn signature_algorithm_oid<'p>( &self, @@ -325,11 +341,28 @@ impl OCSPResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc.", + 1, + )?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_revocation_time(&single_resp, py) } + #[getter] + fn revocation_time_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + let single_resp = single_response(resp)?; + singleresp_py_revocation_time_utc(&single_resp, py) + } + #[getter] fn revocation_reason<'p>( &self, @@ -345,21 +378,55 @@ impl OCSPResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.", + 1, + )?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_this_update(&single_resp, py) } + #[getter] + fn this_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + let single_resp = single_response(resp)?; + singleresp_py_this_update_utc(&single_resp, py) + } + #[getter] fn next_update<'p>( &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", + 1, + )?; let resp = self.requires_successful_response()?; let single_resp = single_response(resp)?; singleresp_py_next_update(&single_resp, py) } + #[getter] + fn next_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let resp = self.requires_successful_response()?; + let single_resp = single_response(resp)?; + singleresp_py_next_update_utc(&single_resp, py) + } + #[getter] fn extensions(&self, py: pyo3::Python<'_>) -> pyo3::PyResult { self.requires_successful_response()?; @@ -549,6 +616,13 @@ fn singleresp_py_this_update<'p>( x509::datetime_to_py(py, resp.this_update.as_datetime()) } +fn singleresp_py_this_update_utc<'p>( + resp: &ocsp_resp::SingleResponse<'_>, + py: pyo3::Python<'p>, +) -> pyo3::PyResult> { + x509::datetime_to_py_utc(py, resp.this_update.as_datetime()) +} + fn singleresp_py_next_update<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, @@ -559,6 +633,16 @@ fn singleresp_py_next_update<'p>( } } +fn singleresp_py_next_update_utc<'p>( + resp: &ocsp_resp::SingleResponse<'_>, + py: pyo3::Python<'p>, +) -> pyo3::PyResult> { + match &resp.next_update { + Some(v) => x509::datetime_to_py_utc(py, v.as_datetime()), + None => Ok(py.None().into_bound(py)), + } +} + fn singleresp_py_revocation_reason<'p>( resp: &ocsp_resp::SingleResponse<'_>, py: pyo3::Python<'p>, @@ -588,6 +672,20 @@ fn singleresp_py_revocation_time<'p>( } } +fn singleresp_py_revocation_time_utc<'p>( + resp: &ocsp_resp::SingleResponse<'_>, + py: pyo3::Python<'p>, +) -> pyo3::PyResult> { + match &resp.cert_status { + ocsp_resp::CertStatus::Revoked(revoked_info) => { + x509::datetime_to_py_utc(py, revoked_info.revocation_time.as_datetime()) + } + ocsp_resp::CertStatus::Good(_) | ocsp_resp::CertStatus::Unknown(_) => { + Ok(py.None().into_bound(py)) + } + } +} + #[pyo3::pyfunction] fn create_ocsp_response( py: pyo3::Python<'_>, @@ -876,10 +974,26 @@ impl OCSPSingleResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to revocation_time_utc.", + 1, + )?; let single_resp = self.single_response(); singleresp_py_revocation_time(single_resp, py) } + #[getter] + fn revocation_time_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let single_resp = self.single_response(); + singleresp_py_revocation_time_utc(single_resp, py) + } + #[getter] fn revocation_reason<'p>( &self, @@ -894,18 +1008,50 @@ impl OCSPSingleResponse { &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.", + 1, + )?; let single_resp = self.single_response(); singleresp_py_this_update(single_resp, py) } + #[getter] + fn this_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let single_resp = self.single_response(); + singleresp_py_this_update_utc(single_resp, py) + } + #[getter] fn next_update<'p>( &self, py: pyo3::Python<'p>, ) -> pyo3::PyResult> { + let warning_cls = types::DEPRECATED_IN_43.get(py)?; + pyo3::PyErr::warn_bound( + py, + &warning_cls, + "Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.", + 1, + )?; let single_resp = self.single_response(); singleresp_py_next_update(single_resp, py) } + + #[getter] + fn next_update_utc<'p>( + &self, + py: pyo3::Python<'p>, + ) -> pyo3::PyResult> { + let single_resp = self.single_response(); + singleresp_py_next_update_utc(single_resp, py) + } } pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 1d155bb97029..d7723b288cf5 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -6,10 +6,11 @@ import base64 import datetime import os +from typing import Optional import pytest -from cryptography import x509 +from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec, ed448, ed25519, rsa @@ -68,6 +69,35 @@ def _generate_root(private_key=None, algorithm=hashes.SHA256()): return cert, private_key +def _check_ocsp_response_times( + ocsp_resp: ocsp.OCSPResponse, + this_update: datetime.datetime, + next_update: Optional[datetime.datetime], + revocation_time: Optional[datetime.datetime], +) -> None: + with pytest.warns(utils.DeprecatedIn43): + assert ocsp_resp.this_update == this_update + assert ocsp_resp.this_update_utc == this_update.replace( + tzinfo=datetime.timezone.utc + ) + + with pytest.warns(utils.DeprecatedIn43): + assert ocsp_resp.next_update == next_update + assert ocsp_resp.next_update_utc == ( + next_update.replace(tzinfo=datetime.timezone.utc) + if next_update is not None + else None + ) + + with pytest.warns(utils.DeprecatedIn43): + assert ocsp_resp.revocation_time == revocation_time + assert ocsp_resp.revocation_time_utc == ( + revocation_time.replace(tzinfo=datetime.timezone.utc) + if revocation_time is not None + else None + ) + + class TestOCSPRequest: def test_bad_request(self): with pytest.raises(ValueError): @@ -634,16 +664,26 @@ def test_sign_good_cert(self): resp = builder.sign(private_key, hashes.SHA256()) assert resp.responder_name == root_cert.subject assert resp.responder_key_hash is None - assert (current_time - resp.produced_at).total_seconds() < 10 + with pytest.warns(utils.DeprecatedIn43): + assert (current_time - resp.produced_at).total_seconds() < 10 + assert ( + current_time.replace(tzinfo=datetime.timezone.utc) + - resp.produced_at_utc + ).total_seconds() < 10 assert ( resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ECDSA_WITH_SHA256 ) assert resp.certificate_status == ocsp.OCSPCertStatus.GOOD - assert resp.revocation_time is None assert resp.revocation_reason is None - assert resp.this_update == this_update - assert resp.next_update == next_update + + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=None, + ) + private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) @@ -674,10 +714,13 @@ def test_sign_revoked_cert(self): ) resp = builder.sign(private_key, hashes.SHA256()) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is None - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) @@ -707,8 +750,12 @@ def test_sign_unknown_cert(self): ) resp = builder.sign(private_key, hashes.SHA384()) assert resp.certificate_status == ocsp.OCSPCertStatus.UNKNOWN - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=None, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA384()) ) @@ -766,10 +813,13 @@ def test_sign_revoked_no_next_update(self): ) resp = builder.sign(private_key, hashes.SHA256()) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is None - assert resp.this_update == this_update - assert resp.next_update is None + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=None, + revocation_time=revoked_date, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) @@ -800,10 +850,13 @@ def test_sign_revoked_with_reason(self): ) resp = builder.sign(private_key, hashes.SHA256()) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is x509.ReasonFlags.key_compromise - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) private_key.public_key().verify( resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256()) ) @@ -1154,12 +1207,19 @@ def test_load_response(self): assert resp.certificates == [] assert resp.responder_key_hash is None assert resp.responder_name == issuer.subject - assert resp.produced_at == datetime.datetime(2018, 8, 30, 11, 15) + with pytest.warns(utils.DeprecatedIn43): + assert resp.produced_at == datetime.datetime(2018, 8, 30, 11, 15) + assert resp.produced_at_utc == datetime.datetime( + 2018, 8, 30, 11, 15, tzinfo=datetime.timezone.utc + ) assert resp.certificate_status == ocsp.OCSPCertStatus.GOOD - assert resp.revocation_time is None assert resp.revocation_reason is None - assert resp.this_update == datetime.datetime(2018, 8, 30, 11, 0) - assert resp.next_update == datetime.datetime(2018, 9, 6, 11, 0) + _check_ocsp_response_times( + resp, + this_update=datetime.datetime(2018, 8, 30, 11, 0), + next_update=datetime.datetime(2018, 9, 6, 11, 0), + revocation_time=None, + ) assert resp.issuer_key_hash == ( b"\xa8Jjc\x04}\xdd\xba\xe6\xd19\xb7\xa6Ee\xef\xf3\xa8\xec\xa1" ) @@ -1215,9 +1275,20 @@ def test_multi_valued_responses(self): ) assert elem.certificate_status == ocsp.OCSPCertStatus.GOOD - - assert elem.this_update == datetime.datetime(2020, 2, 22, 0, 0) - assert elem.next_update == datetime.datetime(2020, 2, 29, 1, 0) + with pytest.warns(utils.DeprecatedIn43): + assert elem.this_update == datetime.datetime( + 2020, 2, 22, 0, 0 + ) + assert elem.this_update_utc == datetime.datetime( + 2020, 2, 22, 0, 0, tzinfo=datetime.timezone.utc + ) + with pytest.warns(utils.DeprecatedIn43): + assert elem.next_update == datetime.datetime( + 2020, 2, 29, 1, 0 + ) + assert elem.next_update_utc == datetime.datetime( + 2020, 2, 29, 1, 0, tzinfo=datetime.timezone.utc + ) elif req_revoked.serial_number == serial: assert elem.certificate_status == ocsp.OCSPCertStatus.REVOKED @@ -1225,8 +1296,12 @@ def test_multi_valued_responses(self): elem.revocation_reason == x509.ReasonFlags.cessation_of_operation ) - assert elem.revocation_time == datetime.datetime( - 2018, 5, 30, 14, 1, 39 + with pytest.warns(utils.DeprecatedIn43): + assert elem.revocation_time == datetime.datetime( + 2018, 5, 30, 14, 1, 39 + ) + assert elem.revocation_time_utc == datetime.datetime( + 2018, 5, 30, 14, 1, 39, tzinfo=datetime.timezone.utc ) def test_load_unauthorized(self): @@ -1249,18 +1324,26 @@ def test_load_unauthorized(self): resp.responder_key_hash with pytest.raises(ValueError): resp.responder_name - with pytest.raises(ValueError): + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.produced_at with pytest.raises(ValueError): - resp.certificate_status + resp.produced_at_utc with pytest.raises(ValueError): + resp.certificate_status + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.revocation_time with pytest.raises(ValueError): - resp.revocation_reason + resp.revocation_time_utc with pytest.raises(ValueError): + resp.revocation_reason + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.this_update with pytest.raises(ValueError): + resp.this_update_utc + with pytest.raises(ValueError), pytest.warns(utils.DeprecatedIn43): resp.next_update + with pytest.raises(ValueError): + resp.next_update_utc with pytest.raises(ValueError): resp.issuer_key_hash with pytest.raises(ValueError): @@ -1278,8 +1361,12 @@ def test_load_revoked(self): ocsp.load_der_ocsp_response, ) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == datetime.datetime( - 2016, 9, 2, 21, 28, 48 + with pytest.warns(utils.DeprecatedIn43): + assert resp.revocation_time == datetime.datetime( + 2016, 9, 2, 21, 28, 48 + ) + assert resp.revocation_time_utc == datetime.datetime( + 2016, 9, 2, 21, 28, 48, tzinfo=datetime.timezone.utc ) assert resp.revocation_reason is None @@ -1334,7 +1421,9 @@ def test_load_revoked_no_next_update(self): ocsp.load_der_ocsp_response, ) assert resp.serial_number == 16160 - assert resp.next_update is None + with pytest.warns(utils.DeprecatedIn43): + assert resp.next_update is None + assert resp.next_update_utc is None def test_response_extensions(self): resp = _load_data( @@ -1499,10 +1588,13 @@ def test_sign_ed25519(self, backend): ) resp = builder.sign(private_key, None) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is x509.ReasonFlags.key_compromise - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) assert resp.signature_hash_algorithm is None assert ( resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED25519 @@ -1542,10 +1634,13 @@ def test_sign_ed448(self, backend): ) resp = builder.sign(private_key, None) assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED - assert resp.revocation_time == revoked_date assert resp.revocation_reason is x509.ReasonFlags.key_compromise - assert resp.this_update == this_update - assert resp.next_update == next_update + _check_ocsp_response_times( + resp, + this_update=this_update, + next_update=next_update, + revocation_time=revoked_date, + ) assert resp.signature_hash_algorithm is None assert resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED448 private_key.public_key().verify( From 7bc172ab09a6f19ee4b1b457910051737191fa74 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 30 Jun 2024 17:14:18 +0000 Subject: [PATCH 749/868] Bump cc from 1.0.102 to 1.0.103 in /src/rust (#11184) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.102 to 1.0.103. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.102...cc-v1.0.103) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 9db12395438b..23bd21c3247f 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.102" +version = "1.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "779e6b7d17797c0b42023d417228c02889300190e700cb074c3438d9c541d332" +checksum = "2755ff20a1d93490d26ba33a6f092a38a508398a5320df5d4b3014fcccce9410" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 4942aca6c77a..4e9f2d9fffd9 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.102" +cc = "1.0.103" From cb306615f8b44050f055267c27aa2d949d8a993d Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sun, 30 Jun 2024 20:22:42 -0400 Subject: [PATCH 750/868] Bump BoringSSL and/or OpenSSL in CI (#11186) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee445d30f623..922c62723094 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jun 30, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5a9c90b1e59b2c368876229862fbff29f2bcf006"}} + # Latest commit on the OpenSSL master branch, as of Jul 01, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f96563297ee04d57efd45f56bd6b897d809214b4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 5cea5004c82690d03c3faa2d977d1bb305a376b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jul 2024 07:06:46 -0400 Subject: [PATCH 751/868] Bump cc from 1.0.103 to 1.0.104 in /src/rust (#11187) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.103 to 1.0.104. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.103...cc-v1.0.104) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 23bd21c3247f..acbfb1764207 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.103" +version = "1.0.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2755ff20a1d93490d26ba33a6f092a38a508398a5320df5d4b3014fcccce9410" +checksum = "74b6a57f98764a267ff415d50a25e6e166f3831a5071af4995296ea97d210490" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 4e9f2d9fffd9..414236180a65 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.0", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.103" +cc = "1.0.104" From 6de3533c98acfbf0b491c358a293e78d6076b34b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Mon, 1 Jul 2024 20:22:25 -0400 Subject: [PATCH 752/868] Bump BoringSSL and/or OpenSSL in CI (#11188) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 922c62723094..766305b014aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jul 01, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "f96563297ee04d57efd45f56bd6b897d809214b4"}} + # Latest commit on the OpenSSL master branch, as of Jul 02, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "16311dbf53c464726d73b76d77ecf6275c9f9d08"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e0de37cad019193640c741d5a6dc9950c02175af Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 2 Jul 2024 00:32:02 +0000 Subject: [PATCH 753/868] Bump x509-limbo and/or wycheproof in CI (#11189) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 95e11dbdfde4..fe3fcaedcfab 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jun 18, 2024. - ref: "bd88042508ccfde351b2fee293aebda8971fbebb" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 02, 2024. + ref: "e75d8a9e2b75fe603282e19b90d585bb3d62ba9c" # x509-limbo-ref From d356d7e25c09856b2c36bdcbf9b31956529bcea6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Jul 2024 07:05:12 -0400 Subject: [PATCH 754/868] Bump setuptools from 70.1.1 to 70.2.0 in /.github/requirements (#11190) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.1.1 to 70.2.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.1.1...v70.2.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index c56db6aefcfa..2c2b48c6e2ef 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -76,9 +76,9 @@ tomli==2.0.1 \ # via setuptools-rust # The following packages are considered to be unsafe in a requirements file: -setuptools==70.1.1 \ - --hash=sha256:937a48c7cdb7a21eb53cd7f9b59e525503aa8abaf3584c730dc5f7a5bec3a650 \ - --hash=sha256:a58a8fde0541dab0419750bcc521fbdf8585f6e5cb41909df3a472ef7b81ca95 +setuptools==70.2.0 \ + --hash=sha256:b8b8060bb426838fbe942479c90296ce976249451118ef566a5a0b7d8b78fb05 \ + --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 # via # -r build-requirements.in # setuptools-rust From ba177e9bd4df88df99d9fca26bf703637c3ddafa Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Jul 2024 00:16:54 +0000 Subject: [PATCH 755/868] Bump BoringSSL and/or OpenSSL in CI (#11191) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 766305b014aa..240387812ac3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jul 02, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "16311dbf53c464726d73b76d77ecf6275c9f9d08"}} + # Latest commit on the OpenSSL master branch, as of Jul 03, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b1e7bc5bdfc73ef841afa30ac321975b0d63219a"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 2021ed21a4c17a8c6a1adf9a7158fa315d931b33 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 3 Jul 2024 00:31:33 +0000 Subject: [PATCH 756/868] Bump x509-limbo and/or wycheproof in CI (#11192) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index fe3fcaedcfab..306ca460a02e 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 02, 2024. - ref: "e75d8a9e2b75fe603282e19b90d585bb3d62ba9c" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 03, 2024. + ref: "74e0b06dc4c5ee3707fa7f45ea0adb11ddb8de33" # x509-limbo-ref From 5dbf9bab261470f00f856ddb1c7317e84e899c8f Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 00:15:04 +0000 Subject: [PATCH 757/868] Bump BoringSSL and/or OpenSSL in CI (#11194) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 240387812ac3..6589803f5c1b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jun 25, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "12f0f4bec2a6db53a53748dd6001d1aacaae26ba"}} - # Latest commit on the OpenSSL master branch, as of Jul 03, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b1e7bc5bdfc73ef841afa30ac321975b0d63219a"}} + # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} + # Latest commit on the OpenSSL master branch, as of Jul 04, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3f4da93678497fe64d262d03c388932f7ecfe74e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 9a1c4007bf873b372c0d1504268e8afff4ff8473 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 08:05:52 -0400 Subject: [PATCH 758/868] Bump certifi from 2024.6.2 to 2024.7.4 (#11196) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4. - [Commits](https://github.com/certifi/python-certifi/compare/2024.06.02...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index ae6896d7daac..5c2f1a63fa97 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -15,7 +15,7 @@ build==1.2.1 # via # check-sdist # cryptography (pyproject.toml) -certifi==2024.6.2 +certifi==2024.7.4 # via requests charset-normalizer==3.3.2 # via requests From 41033b491462722119ff8c92b35670be5c8d4a69 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 4 Jul 2024 10:22:27 -0400 Subject: [PATCH 759/868] Use wildcard in dependabot.yml (#11185) --- .github/dependabot.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1678833c2a9b..1634f6e54726 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,9 +3,7 @@ updates: - package-ecosystem: "github-actions" directories: - "/" - - "/.github/actions/cache/" - - "/.github/actions/upload-coverage/" - - "/.github/actions/fetch-vectors/" + - "/.github/actions/*/" schedule: interval: "daily" time: "06:00" From 6d9e324dde0b6867186cca0c2c6a5ef71cd2c83a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 10:33:38 -0400 Subject: [PATCH 760/868] Bump certifi from 2024.6.2 to 2024.7.4 in /.github/requirements (#11197) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4. - [Commits](https://github.com/certifi/python-certifi/compare/2024.06.02...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index 72c2c1b5f011..ae5b3ff3c2b4 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -8,9 +8,9 @@ backports-tarfile==1.2.0 \ --hash=sha256:77e284d754527b01fb1e6fa8a1afe577858ebe4e9dad8919e34c862cb399bc34 \ --hash=sha256:d75e02c268746e1b8144c278978b6e98e85de6ad16f8e4b0844a154557eca991 # via jaraco-context -certifi==2024.6.2 \ - --hash=sha256:3cd43f1c6fa7dedc5899d69d3ad0398fd018ad1a17fba83ddaf78aa46c747516 \ - --hash=sha256:ddc6c8ce995e6987e7faf5e3f1b02b302836a0e5d98ece18392cb1a36c72ad56 +certifi==2024.7.4 \ + --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ + --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 # via requests cffi==1.16.0 \ --hash=sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc \ From ed136bd720ab27e297d8f6f1c525f1a4bd84d9e0 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 17:27:50 -0700 Subject: [PATCH 761/868] Bump BoringSSL and/or OpenSSL in CI (#11198) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6589803f5c1b..51398eebb299 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 04, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3f4da93678497fe64d262d03c388932f7ecfe74e"}} + # Latest commit on the OpenSSL master branch, as of Jul 05, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "59c415a45f47cb34147427e46c78d945919b1da2"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 124dca5d69e73a0edb2b26869e45d7d985a2ba8a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jul 2024 13:45:59 -0400 Subject: [PATCH 762/868] Implement encrypted PKCS#12 serialization in Rust (#11059) --- .../hazmat/backends/openssl/backend.py | 21 +- .../hazmat/primitives/serialization/pkcs12.py | 5 +- src/rust/cryptography-x509/src/common.rs | 28 +++ src/rust/cryptography-x509/src/pkcs12.rs | 11 +- src/rust/cryptography-x509/src/pkcs7.rs | 16 ++ src/rust/src/backend/ciphers.rs | 8 +- src/rust/src/backend/kdf.rs | 2 +- src/rust/src/buf.rs | 8 + src/rust/src/padding.rs | 9 +- src/rust/src/pkcs12.rs | 206 ++++++++++++++++-- 10 files changed, 264 insertions(+), 50 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 0da03896974f..88d01f93b3ad 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -398,26 +398,7 @@ def serialize_key_and_certificates_to_pkcs12( if name is not None: utils._check_bytes("name", name) - assert not isinstance(encryption_algorithm, serialization.NoEncryption) - if isinstance( - encryption_algorithm, serialization.BestAvailableEncryption - ): - # PKCS12 encryption is hopeless trash and can never be fixed. - # OpenSSL 3 supports PBESv2, but Libre and Boring do not, so - # we use PBESv1 with 3DES on the older paths. - if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - nid_cert = self._lib.NID_aes_256_cbc - nid_key = self._lib.NID_aes_256_cbc - else: - nid_cert = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - # At least we can set this higher than OpenSSL's default - pkcs12_iter = 20000 - mac_iter = 0 - # MAC algorithm can only be set on OpenSSL 3.0.0+ - mac_alg = self._ffi.NULL - password = encryption_algorithm.password - elif ( + if ( isinstance( encryption_algorithm, serialization._KeySerializationEncryption ) diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index d1fc460d7296..28fab3ca6f61 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -167,7 +167,10 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") - if isinstance(encryption_algorithm, serialization.NoEncryption): + if isinstance( + encryption_algorithm, + (serialization.NoEncryption, serialization.BestAvailableEncryption), + ): return rust_pkcs12.serialize_key_and_certificates( name, key, cert, cas, encryption_algorithm ) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 84608c870123..b0827a74501a 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -125,6 +125,12 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::DH_KEY_AGREEMENT_OID)] DhKeyAgreement(BasicDHParams<'a>), + #[defined_by(oid::PBES2_OID)] + Pbes2(PBES2Params<'a>), + + #[defined_by(oid::PBKDF2_OID)] + Pbkdf2(PBKDF2Params<'a>), + #[defined_by(oid::HMAC_WITH_SHA1_OID)] HmacWithSha1(asn1::Null), #[defined_by(oid::HMAC_WITH_SHA256_OID)] @@ -403,6 +409,28 @@ pub struct DssParams<'a> { pub g: asn1::BigUint<'a>, } +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)] +pub struct PBES2Params<'a> { + pub key_derivation_func: Box>, + pub encryption_scheme: Box>, +} + +const HMAC_SHA1_ALG: AlgorithmIdentifier<'static> = AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::HmacWithSha1(()), +}; + +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)] +pub struct PBKDF2Params<'a> { + // This is technically a CHOICE that can be an otherSource. We don't + // support that. + pub salt: &'a [u8], + pub iteration_count: u64, + pub key_length: Option, + #[default(HMAC_SHA1_ALG)] + pub prf: Box>, +} + /// A VisibleString ASN.1 element whose contents is not validated as meeting the /// requirements (visible characters of IA5), and instead is only known to be /// valid UTF-8. diff --git a/src/rust/cryptography-x509/src/pkcs12.rs b/src/rust/cryptography-x509/src/pkcs12.rs index dce1c41726eb..fdcbc91ef802 100644 --- a/src/rust/cryptography-x509/src/pkcs12.rs +++ b/src/rust/cryptography-x509/src/pkcs12.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::common::Utf8StoredBMPString; +use crate::common::{AlgorithmIdentifier, Utf8StoredBMPString}; use crate::pkcs7; pub const CERT_BAG_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 12, 10, 1, 3); @@ -55,6 +55,9 @@ pub enum BagValue<'a> { #[defined_by(KEY_BAG_OID)] KeyBag(asn1::Tlv<'a>), + + #[defined_by(SHROUDED_KEY_BAG_OID)] + ShroudedKeyBag(EncryptedPrivateKeyInfo<'a>), } #[derive(asn1::Asn1Write)] @@ -69,3 +72,9 @@ pub enum CertType<'a> { #[defined_by(X509_CERTIFICATE_OID)] X509(asn1::OctetStringEncoded>), } + +#[derive(asn1::Asn1Write)] +pub struct EncryptedPrivateKeyInfo<'a> { + pub encryption_algorithm: AlgorithmIdentifier<'a>, + pub encrypted_data: &'a [u8], +} diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index bd553cb89def..31c7d097bab2 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -22,6 +22,8 @@ pub enum Content<'a> { SignedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_DATA_OID)] Data(Option>), + #[defined_by(PKCS7_ENCRYPTED_DATA_OID)] + EncryptedData(asn1::Explicit, 0>), } #[derive(asn1::Asn1Write)] @@ -60,6 +62,20 @@ pub struct IssuerAndSerialNumber<'a> { pub serial_number: asn1::BigInt<'a>, } +#[derive(asn1::Asn1Write)] +pub struct EncryptedData<'a> { + pub version: u8, + pub encrypted_content_info: EncryptedContentInfo<'a>, +} + +#[derive(asn1::Asn1Write)] +pub struct EncryptedContentInfo<'a> { + pub content_type: asn1::ObjectIdentifier, + pub content_encryption_algorithm: common::AlgorithmIdentifier<'a>, + #[implicit(0)] + pub encrypted_content: Option<&'a [u8]>, +} + #[derive(asn1::Asn1Write)] pub struct DigestInfo<'a> { pub algorithm: common::AlgorithmIdentifier<'a>, diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 2d5501835640..83d222256fbd 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -10,13 +10,13 @@ use crate::types; use pyo3::types::{PyAnyMethods, PyModuleMethods}; use pyo3::IntoPy; -struct CipherContext { +pub(crate) struct CipherContext { ctx: openssl::cipher_ctx::CipherCtx, py_mode: pyo3::PyObject, } impl CipherContext { - fn new( + pub(crate) fn new( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, mode: pyo3::Bound<'_, pyo3::PyAny>, @@ -126,7 +126,7 @@ impl CipherContext { Ok(pyo3::types::PyBytes::new_bound(py, &out_buf[..n])) } - fn update_into( + pub(crate) fn update_into( &mut self, py: pyo3::Python<'_>, buf: &[u8], @@ -167,7 +167,7 @@ impl CipherContext { Ok(()) } - fn finalize<'p>( + pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult> { diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index 52ccd10e9e3d..d8c3858a6331 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -8,7 +8,7 @@ use crate::error::CryptographyResult; use pyo3::types::PyModuleMethods; #[pyo3::pyfunction] -fn derive_pbkdf2_hmac<'p>( +pub(crate) fn derive_pbkdf2_hmac<'p>( py: pyo3::Python<'p>, key_material: CffiBuf<'_>, algorithm: &pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs index 15ace0442bbc..303e5ff86fe7 100644 --- a/src/rust/src/buf.rs +++ b/src/rust/src/buf.rs @@ -35,6 +35,14 @@ fn _extract_buffer_length<'p>( } impl<'a> CffiBuf<'a> { + pub(crate) fn from_bytes(py: pyo3::Python<'a>, buf: &'a [u8]) -> Self { + CffiBuf { + pyobj: py.None().into_bound(py), + _bufobj: py.None().into_bound(py), + buf, + } + } + pub(crate) fn as_bytes(&self) -> &[u8] { self.buf } diff --git a/src/rust/src/padding.rs b/src/rust/src/padding.rs index f6a13572f622..92da0a65af40 100644 --- a/src/rust/src/padding.rs +++ b/src/rust/src/padding.rs @@ -76,14 +76,17 @@ pub(crate) struct PKCS7PaddingContext { #[pyo3::pymethods] impl PKCS7PaddingContext { #[new] - fn new(block_size: usize) -> PKCS7PaddingContext { + pub(crate) fn new(block_size: usize) -> PKCS7PaddingContext { PKCS7PaddingContext { block_size: block_size / 8, length_seen: Some(0), } } - fn update<'a>(&mut self, buf: CffiBuf<'a>) -> CryptographyResult> { + pub(crate) fn update<'a>( + &mut self, + buf: CffiBuf<'a>, + ) -> CryptographyResult> { match self.length_seen.as_mut() { Some(v) => { *v += buf.as_bytes().len(); @@ -95,7 +98,7 @@ impl PKCS7PaddingContext { } } - fn finalize<'p>( + pub(crate) fn finalize<'p>( &mut self, py: pyo3::Python<'p>, ) -> CryptographyResult> { diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 7436146bcacb..153c2a6d0cfd 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -2,9 +2,10 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use crate::backend::{hashes, hmac, keys}; +use crate::backend::{ciphers, hashes, hmac, kdf, keys}; use crate::buf::CffiBuf; use crate::error::CryptographyResult; +use crate::padding::PKCS7PaddingContext; use crate::x509::certificate::Certificate; use crate::{types, x509}; use cryptography_x509::common::Utf8StoredBMPString; @@ -78,6 +79,94 @@ impl PKCS12Certificate { } } +enum EncryptionAlgorithm { + PBESv2SHA256AndAES256CBC, +} + +impl EncryptionAlgorithm { + fn algorithm_identifier<'a>( + &self, + salt: &'a [u8], + iv: &'a [u8], + ) -> cryptography_x509::common::AlgorithmIdentifier<'a> { + match self { + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { + let kdf_algorithm_identifier = cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Pbkdf2( + cryptography_x509::common::PBKDF2Params { + salt, + iteration_count: 20000, + key_length: None, + prf: Box::new(cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: + cryptography_x509::common::AlgorithmParameters::HmacWithSha256( + (), + ), + }), + }, + ), + }; + let encryption_algorithm_identifier = + cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Aes256Cbc( + iv[..16].try_into().unwrap(), + ), + }; + + cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Pbes2( + cryptography_x509::common::PBES2Params { + key_derivation_func: Box::new(kdf_algorithm_identifier), + encryption_scheme: Box::new(encryption_algorithm_identifier), + }, + ), + } + } + } + } + + fn encrypt( + &self, + py: pyo3::Python<'_>, + password: &[u8], + salt: &[u8], + iv: &[u8], + data: &[u8], + ) -> CryptographyResult> { + match self { + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { + let pass_buf = CffiBuf::from_bytes(py, password); + let sha256 = types::SHA256.get(py)?.call0()?; + + let key = kdf::derive_pbkdf2_hmac(py, pass_buf, &sha256, salt, 20000, 32)?; + + let aes256 = types::AES256.get(py)?.call1((key,))?; + let cbc = types::CBC.get(py)?.call1((iv,))?; + let mut cipher = + ciphers::CipherContext::new(py, aes256, cbc, openssl::symm::Mode::Encrypt)?; + + let mut ciphertext = vec![0; data.len() + 32]; + let n = cipher.update_into(py, data, &mut ciphertext)?; + + let mut padder = PKCS7PaddingContext::new(128); + assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); + let padding = padder.finalize(py)?; + + let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; + let final_block = cipher.finalize(py)?; + assert!(final_block.as_bytes().is_empty()); + ciphertext.truncate(n + pad_n); + + Ok(ciphertext) + } + } + } +} + #[allow(dead_code)] const KDF_ENCRYPTION_KEY_ID: u8 = 1; #[allow(dead_code)] @@ -238,16 +327,29 @@ fn decode_encryption_algorithm<'a>( pyo3::pybacked::PyBackedBytes, pyo3::Bound<'a, pyo3::PyAny>, u64, + Option, )> { let default_hmac_alg = types::SHA256.get(py)?.call0()?; let default_hmac_kdf_iter = 2048; - assert!(encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)?); - Ok(( - pyo3::types::PyBytes::new_bound(py, b"").extract()?, - default_hmac_alg, - default_hmac_kdf_iter, - )) + if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { + Ok(( + pyo3::types::PyBytes::new_bound(py, b"").extract()?, + default_hmac_alg, + default_hmac_kdf_iter, + None, + )) + } else { + assert!(encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)?); + Ok(( + encryption_algorithm + .getattr(pyo3::intern!(py, "password"))? + .extract()?, + default_hmac_alg, + default_hmac_kdf_iter, + Some(EncryptionAlgorithm::PBESv2SHA256AndAES256CBC), + )) + } } #[derive(pyo3::FromPyObject)] @@ -266,11 +368,20 @@ fn serialize_key_and_certificates<'p>( cas: Option>, encryption_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (password, mac_algorithm, mac_kdf_iter) = + let (password, mac_algorithm, mac_kdf_iter, encryption_algorithm) = decode_encryption_algorithm(py, encryption_algorithm)?; let mut auth_safe_contents = vec![]; - let (cert_bag_contents, key_bag_contents); + let ( + cert_bag_contents, + cert_salt, + cert_iv, + cert_ciphertext, + key_bag_contents, + key_salt, + key_iv, + key_ciphertext, + ); let mut ca_certs = vec![]; if cert.is_some() || cas.is_some() { let mut cert_bags = vec![]; @@ -297,12 +408,39 @@ fn serialize_key_and_certificates<'p>( } cert_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new(cert_bags))?; - auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { - _content_type: asn1::DefinedByMarker::marker(), - content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( - &cert_bag_contents, - ))), - }); + if let Some(e) = &encryption_algorithm { + cert_salt = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + cert_iv = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + cert_ciphertext = e.encrypt(py, &password, &cert_salt, &cert_iv, &cert_bag_contents)?; + + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::EncryptedData(asn1::Explicit::new( + cryptography_x509::pkcs7::EncryptedData { + version: 0, + encrypted_content_info: cryptography_x509::pkcs7::EncryptedContentInfo { + content_type: cryptography_x509::pkcs7::PKCS7_DATA_OID, + content_encryption_algorithm: e + .algorithm_identifier(&cert_salt, &cert_iv), + encrypted_content: Some(&cert_ciphertext), + }, + }, + )), + }) + } else { + auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: cryptography_x509::pkcs7::Content::Data(Some(asn1::Explicit::new( + &cert_bag_contents, + ))), + }); + } } if let Some(key) = key { @@ -316,12 +454,40 @@ fn serialize_key_and_certificates<'p>( (der, pkcs8, no_encryption), )? .extract::()?; - let pkcs8_tlv = asn1::parse_single(&pkcs8_bytes)?; - let key_bag = cryptography_x509::pkcs12::SafeBag { - _bag_id: asn1::DefinedByMarker::marker(), - bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::KeyBag(pkcs8_tlv)), - attributes: friendly_name_attributes(name)?, + let key_bag = if let Some(e) = encryption_algorithm { + key_salt = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + key_iv = types::OS_URANDOM + .get(py)? + .call1((16,))? + .extract::()?; + key_ciphertext = e.encrypt(py, &password, &key_salt, &key_iv, &pkcs8_bytes)?; + + cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new( + cryptography_x509::pkcs12::BagValue::ShroudedKeyBag( + cryptography_x509::pkcs12::EncryptedPrivateKeyInfo { + encryption_algorithm: e.algorithm_identifier(&key_salt, &key_iv), + encrypted_data: &key_ciphertext, + }, + ), + ), + attributes: friendly_name_attributes(name)?, + } + } else { + let pkcs8_tlv = asn1::parse_single(&pkcs8_bytes)?; + + cryptography_x509::pkcs12::SafeBag { + _bag_id: asn1::DefinedByMarker::marker(), + bag_value: asn1::Explicit::new(cryptography_x509::pkcs12::BagValue::KeyBag( + pkcs8_tlv, + )), + attributes: friendly_name_attributes(name)?, + } }; key_bag_contents = asn1::write_single(&asn1::SequenceOfWriter::new([key_bag]))?; From a5fb2d42d4c2b5f970427867379052f9e0722d4a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jul 2024 14:32:09 -0400 Subject: [PATCH 763/868] Convert the remainder of PKCS#12 encryption to Rust (#11200) --- .../hazmat/backends/openssl/backend.py | 210 +----------------- .../hazmat/primitives/serialization/pkcs12.py | 12 +- src/rust/cryptography-x509/src/common.rs | 9 + src/rust/cryptography-x509/src/oid.rs | 3 + src/rust/src/pkcs12.rs | 179 +++++++++++++-- src/rust/src/types.rs | 13 ++ src/rust/src/x509/certificate.rs | 2 +- tests/hazmat/primitives/test_pkcs12.py | 58 ----- tests/hazmat/primitives/test_pkcs7.py | 2 + 9 files changed, 196 insertions(+), 292 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 88d01f93b3ad..e4cfe6216f8d 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -5,11 +5,9 @@ from __future__ import annotations import collections -import contextlib import typing -from cryptography import utils, x509 -from cryptography.exceptions import UnsupportedAlgorithm +from cryptography import x509 from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding from cryptography.hazmat.primitives import hashes, serialization @@ -32,12 +30,6 @@ CBC, Mode, ) -from cryptography.hazmat.primitives.serialization.pkcs12 import ( - PBES, - PKCS12Certificate, - PKCS12PrivateKeyTypes, - _PKCS12CATypes, -) _MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"]) @@ -126,11 +118,6 @@ def _evp_md_from_algorithm(self, algorithm: hashes.HashAlgorithm): evp_md = self._lib.EVP_get_digestbyname(alg) return evp_md - def _evp_md_non_null_from_algorithm(self, algorithm: hashes.HashAlgorithm): - evp_md = self._evp_md_from_algorithm(algorithm) - self.openssl_assert(evp_md != self._ffi.NULL) - return evp_md - def hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and not isinstance(algorithm, self._fips_hashes): return False @@ -199,17 +186,6 @@ def _create_mem_bio_gc(self): bio = self._ffi.gc(bio, self._lib.BIO_free) return bio - def _read_mem_bio(self, bio) -> bytes: - """ - Reads a memory BIO. This only works on memory BIOs. - """ - buf = self._ffi.new("char **") - buf_len = self._lib.BIO_get_mem_data(bio, buf) - self.openssl_assert(buf_len > 0) - self.openssl_assert(buf[0] != self._ffi.NULL) - bio_data = self._ffi.buffer(buf[0], buf_len)[:] - return bio_data - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False @@ -274,21 +250,6 @@ def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: x509 = self._ffi.gc(x509, self._lib.X509_free) return x509 - def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any: - data = key.private_bytes( - serialization.Encoding.DER, - serialization.PrivateFormat.PKCS8, - serialization.NoEncryption(), - ) - mem_bio = self._bytes_to_bio(data) - - evp_pkey = self._lib.d2i_PrivateKey_bio( - mem_bio.bio, - self._ffi.NULL, - ) - self.openssl_assert(evp_pkey != self._ffi.NULL) - return self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: if self._fips_enabled and not isinstance( curve, self._fips_ecdh_curves @@ -356,175 +317,6 @@ def ecdsa_deterministic_supported(self) -> bool: and not self._fips_enabled ) - def _zero_data(self, data, length: int) -> None: - # We clear things this way because at the moment we're not - # sure of a better way that can guarantee it overwrites the - # memory of a bytearray and doesn't just replace the underlying char *. - for i in range(length): - data[i] = 0 - - @contextlib.contextmanager - def _zeroed_null_terminated_buf(self, data): - """ - This method takes bytes, which can be a bytestring or a mutable - buffer like a bytearray, and yields a null-terminated version of that - data. This is required because PKCS12_parse doesn't take a length with - its password char * and ffi.from_buffer doesn't provide null - termination. So, to support zeroing the data via bytearray we - need to build this ridiculous construct that copies the memory, but - zeroes it after use. - """ - if data is None: - yield self._ffi.NULL - else: - data_len = len(data) - buf = self._ffi.new("char[]", data_len + 1) - self._ffi.memmove(buf, data, data_len) - try: - yield buf - finally: - # Cast to a uint8_t * so we can assign by integer - self._zero_data(self._ffi.cast("uint8_t *", buf), data_len) - - def serialize_key_and_certificates_to_pkcs12( - self, - name: bytes | None, - key: PKCS12PrivateKeyTypes | None, - cert: x509.Certificate | None, - cas: list[_PKCS12CATypes] | None, - encryption_algorithm: serialization.KeySerializationEncryption, - ) -> bytes: - password = None - if name is not None: - utils._check_bytes("name", name) - - if ( - isinstance( - encryption_algorithm, serialization._KeySerializationEncryption - ) - and encryption_algorithm._format - is serialization.PrivateFormat.PKCS12 - ): - # Default to OpenSSL's defaults. Behavior will vary based on the - # version of OpenSSL cryptography is compiled against. - nid_cert = 0 - nid_key = 0 - # Use the default iters we use in best available - pkcs12_iter = 20000 - mac_iter = 0 - password = encryption_algorithm.password - keycertalg = encryption_algorithm._key_cert_algorithm - if keycertalg is PBES.PBESv1SHA1And3KeyTripleDESCBC: - nid_cert = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC - elif keycertalg is PBES.PBESv2SHA256AndAES256CBC: - if not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - raise UnsupportedAlgorithm( - "PBESv2 is not supported by this version of OpenSSL" - ) - nid_cert = self._lib.NID_aes_256_cbc - nid_key = self._lib.NID_aes_256_cbc - else: - assert keycertalg is None - # We use OpenSSL's defaults - - if encryption_algorithm._hmac_hash is not None: - if not self._lib.Cryptography_HAS_PKCS12_SET_MAC: - raise UnsupportedAlgorithm( - "Setting MAC algorithm is not supported by this " - "version of OpenSSL." - ) - mac_alg = self._evp_md_non_null_from_algorithm( - encryption_algorithm._hmac_hash - ) - self.openssl_assert(mac_alg != self._ffi.NULL) - else: - mac_alg = self._ffi.NULL - - if encryption_algorithm._kdf_rounds is not None: - pkcs12_iter = encryption_algorithm._kdf_rounds - - else: - raise ValueError("Unsupported key encryption type") - - if cas is None or len(cas) == 0: - sk_x509 = self._ffi.NULL - else: - sk_x509 = self._lib.sk_X509_new_null() - sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) - - # This list is to keep the x509 values alive until end of function - ossl_cas = [] - for ca in cas: - if isinstance(ca, PKCS12Certificate): - ca_alias = ca.friendly_name - ossl_ca = self._cert2ossl(ca.certificate) - if ca_alias is None: - res = self._lib.X509_alias_set1( - ossl_ca, self._ffi.NULL, -1 - ) - else: - res = self._lib.X509_alias_set1( - ossl_ca, ca_alias, len(ca_alias) - ) - self.openssl_assert(res == 1) - else: - ossl_ca = self._cert2ossl(ca) - ossl_cas.append(ossl_ca) - res = self._lib.sk_X509_push(sk_x509, ossl_ca) - backend.openssl_assert(res >= 1) - - with self._zeroed_null_terminated_buf(password) as password_buf: - with self._zeroed_null_terminated_buf(name) as name_buf: - ossl_cert = self._cert2ossl(cert) if cert else self._ffi.NULL - ossl_pkey = ( - self._key2ossl(key) if key is not None else self._ffi.NULL - ) - - p12 = self._lib.PKCS12_create( - password_buf, - name_buf, - ossl_pkey, - ossl_cert, - sk_x509, - nid_key, - nid_cert, - pkcs12_iter, - mac_iter, - 0, - ) - if p12 == self._ffi.NULL: - errors = self._consume_errors() - raise ValueError( - ( - "Failed to create PKCS12 (does the key match the " - "certificate?)" - ), - errors, - ) - - if ( - self._lib.Cryptography_HAS_PKCS12_SET_MAC - and mac_alg != self._ffi.NULL - ): - self._lib.PKCS12_set_mac( - p12, - password_buf, - -1, - self._ffi.NULL, - 0, - mac_iter, - mac_alg, - ) - - self.openssl_assert(p12 != self._ffi.NULL) - p12 = self._ffi.gc(p12, self._lib.PKCS12_free) - - bio = self._create_mem_bio_gc() - res = self._lib.i2d_PKCS12_bio(bio, p12) - self.openssl_assert(res > 0) - return self._read_mem_bio(bio) - def poly1305_supported(self) -> bool: if self._fips_enabled: return False diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index 28fab3ca6f61..a104986bf9ec 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -167,16 +167,6 @@ def serialize_key_and_certificates( if key is None and cert is None and not cas: raise ValueError("You must supply at least one of key, cert, or cas") - if isinstance( - encryption_algorithm, - (serialization.NoEncryption, serialization.BestAvailableEncryption), - ): - return rust_pkcs12.serialize_key_and_certificates( - name, key, cert, cas, encryption_algorithm - ) - - from cryptography.hazmat.backends.openssl.backend import backend - - return backend.serialize_key_and_certificates_to_pkcs12( + return rust_pkcs12.serialize_key_and_certificates( name, key, cert, cas, encryption_algorithm ) diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index b0827a74501a..1816e07896b6 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -139,6 +139,9 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::AES_256_CBC_OID)] Aes256Cbc([u8; 16]), + #[defined_by(oid::PBES1_WITH_SHA_AND_3KEY_TRIPLEDES_CBC)] + Pbes1WithShaAnd3KeyTripleDesCbc(PBES1Params), + #[default] Other(asn1::ObjectIdentifier, Option>), } @@ -431,6 +434,12 @@ pub struct PBKDF2Params<'a> { pub prf: Box>, } +#[derive(asn1::Asn1Read, asn1::Asn1Write, PartialEq, Eq, Hash, Clone, Debug)] +pub struct PBES1Params { + pub salt: [u8; 8], + pub iterations: u64, +} + /// A VisibleString ASN.1 element whose contents is not validated as meeting the /// requirements (visible characters of IA5), and instead is only known to be /// valid UTF-8. diff --git a/src/rust/cryptography-x509/src/oid.rs b/src/rust/cryptography-x509/src/oid.rs index 85fb543e6e85..fbc440eea122 100644 --- a/src/rust/cryptography-x509/src/oid.rs +++ b/src/rust/cryptography-x509/src/oid.rs @@ -151,6 +151,9 @@ pub const EKU_CERTIFICATE_TRANSPARENCY_OID: asn1::ObjectIdentifier = pub const PBES2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 13); pub const PBKDF2_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 5, 12); +pub const PBES1_WITH_SHA_AND_3KEY_TRIPLEDES_CBC: asn1::ObjectIdentifier = + asn1::oid!(1, 2, 840, 113549, 1, 12, 1, 3); + pub const AES_256_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 42); pub const AES_192_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 22); pub const AES_128_CBC_OID: asn1::ObjectIdentifier = asn1::oid!(2, 16, 840, 1, 101, 3, 4, 1, 2); diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 153c2a6d0cfd..cdae36138e0a 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -4,7 +4,7 @@ use crate::backend::{ciphers, hashes, hmac, kdf, keys}; use crate::buf::CffiBuf; -use crate::error::CryptographyResult; +use crate::error::{CryptographyError, CryptographyResult}; use crate::padding::PKCS7PaddingContext; use crate::x509::certificate::Certificate; use crate::{types, x509}; @@ -80,23 +80,41 @@ impl PKCS12Certificate { } enum EncryptionAlgorithm { + PBESv1SHA1And3KeyTripleDESCBC, PBESv2SHA256AndAES256CBC, } impl EncryptionAlgorithm { + fn salt_length(&self) -> usize { + match self { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC => 8, + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => 16, + } + } + fn algorithm_identifier<'a>( &self, + cipher_kdf_iter: u64, salt: &'a [u8], iv: &'a [u8], ) -> cryptography_x509::common::AlgorithmIdentifier<'a> { match self { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC => { + cryptography_x509::common::AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: cryptography_x509::common::AlgorithmParameters::Pbes1WithShaAnd3KeyTripleDesCbc(cryptography_x509::common::PBES1Params{ + salt: salt[..8].try_into().unwrap(), + iterations: cipher_kdf_iter, + }), + } + } EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { let kdf_algorithm_identifier = cryptography_x509::common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), params: cryptography_x509::common::AlgorithmParameters::Pbkdf2( cryptography_x509::common::PBKDF2Params { salt, - iteration_count: 20000, + iteration_count: cipher_kdf_iter, key_length: None, prf: Box::new(cryptography_x509::common::AlgorithmIdentifier { oid: asn1::DefinedByMarker::marker(), @@ -133,16 +151,65 @@ impl EncryptionAlgorithm { &self, py: pyo3::Python<'_>, password: &[u8], + cipher_kdf_iter: u64, salt: &[u8], iv: &[u8], data: &[u8], ) -> CryptographyResult> { match self { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC => { + let key = pkcs12_kdf( + password, + salt, + KDF_ENCRYPTION_KEY_ID, + cipher_kdf_iter, + 24, + openssl::hash::MessageDigest::sha1(), + )?; + let iv = pkcs12_kdf( + password, + salt, + KDF_IV_ID, + cipher_kdf_iter, + 8, + openssl::hash::MessageDigest::sha1(), + )?; + + let triple_des = types::TRIPLE_DES + .get(py)? + .call1((pyo3::types::PyBytes::new_bound(py, &key),))?; + let cbc = types::CBC + .get(py)? + .call1((pyo3::types::PyBytes::new_bound(py, &iv),))?; + let mut cipher = + ciphers::CipherContext::new(py, triple_des, cbc, openssl::symm::Mode::Encrypt)?; + + let mut ciphertext = vec![0; data.len() + 16]; + let n = cipher.update_into(py, data, &mut ciphertext)?; + + let mut padder = PKCS7PaddingContext::new(64); + assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); + let padding = padder.finalize(py)?; + + let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; + let final_block = cipher.finalize(py)?; + assert!(final_block.as_bytes().is_empty()); + ciphertext.truncate(n + pad_n); + + Ok(ciphertext) + } EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { let pass_buf = CffiBuf::from_bytes(py, password); let sha256 = types::SHA256.get(py)?.call0()?; - let key = kdf::derive_pbkdf2_hmac(py, pass_buf, &sha256, salt, 20000, 32)?; + let key = kdf::derive_pbkdf2_hmac( + py, + pass_buf, + &sha256, + salt, + cipher_kdf_iter.try_into().unwrap(), + 32, + )?; let aes256 = types::AES256.get(py)?.call1((key,))?; let cbc = types::CBC.get(py)?.call1((iv,))?; @@ -320,6 +387,7 @@ fn cert_to_bag<'a>( }) } +#[allow(clippy::type_complexity)] fn decode_encryption_algorithm<'a>( py: pyo3::Python<'a>, encryption_algorithm: pyo3::Bound<'a, pyo3::PyAny>, @@ -327,28 +395,78 @@ fn decode_encryption_algorithm<'a>( pyo3::pybacked::PyBackedBytes, pyo3::Bound<'a, pyo3::PyAny>, u64, + u64, Option, )> { let default_hmac_alg = types::SHA256.get(py)?.call0()?; let default_hmac_kdf_iter = 2048; + let default_cipher_kdf_iter = 20000; if encryption_algorithm.is_instance(&types::NO_ENCRYPTION.get(py)?)? { Ok(( pyo3::types::PyBytes::new_bound(py, b"").extract()?, default_hmac_alg, default_hmac_kdf_iter, + default_cipher_kdf_iter, None, )) - } else { - assert!(encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)?); + } else if encryption_algorithm.is_instance(&types::ENCRYPTION_BUILDER.get(py)?)? + && encryption_algorithm + .getattr(pyo3::intern!(py, "_format"))? + .is(&types::PRIVATE_FORMAT_PKCS12.get(py)?) + { + let key_cert_alg = + encryption_algorithm.getattr(pyo3::intern!(py, "_key_cert_algorithm"))?; + let cipher = if key_cert_alg.is(&types::PBES_PBESV1SHA1AND3KEYTRIPLEDESCBC.get(py)?) { + EncryptionAlgorithm::PBESv1SHA1And3KeyTripleDESCBC + } else if key_cert_alg.is(&types::PBES_PBESV2SHA256ANDAES256CBC.get(py)?) { + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC + } else { + assert!(key_cert_alg.is_none()); + EncryptionAlgorithm::PBESv2SHA256AndAES256CBC + }; + + let hmac_alg = if let Some(v) = encryption_algorithm + .getattr(pyo3::intern!(py, "_hmac_hash"))? + .extract()? + { + v + } else { + default_hmac_alg + }; + + let cipher_kdf_iter = if let Some(v) = encryption_algorithm + .getattr(pyo3::intern!(py, "_kdf_rounds"))? + .extract()? + { + v + } else { + default_cipher_kdf_iter + }; + + Ok(( + encryption_algorithm + .getattr(pyo3::intern!(py, "password"))? + .extract()?, + hmac_alg, + default_hmac_kdf_iter, + cipher_kdf_iter, + Some(cipher), + )) + } else if encryption_algorithm.is_instance(&types::BEST_AVAILABLE_ENCRYPTION.get(py)?)? { Ok(( encryption_algorithm .getattr(pyo3::intern!(py, "password"))? .extract()?, default_hmac_alg, default_hmac_kdf_iter, + default_cipher_kdf_iter, Some(EncryptionAlgorithm::PBESv2SHA256AndAES256CBC), )) + } else { + Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err("Unsupported key encryption type"), + )) } } @@ -368,7 +486,7 @@ fn serialize_key_and_certificates<'p>( cas: Option>, encryption_algorithm: pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult> { - let (password, mac_algorithm, mac_kdf_iter, encryption_algorithm) = + let (password, mac_algorithm, mac_kdf_iter, cipher_kdf_iter, encryption_algorithm) = decode_encryption_algorithm(py, encryption_algorithm)?; let mut auth_safe_contents = vec![]; @@ -387,6 +505,20 @@ fn serialize_key_and_certificates<'p>( let mut cert_bags = vec![]; if let Some(cert) = cert { + if let Some(ref key) = key { + if !cert + .public_key(py)? + .into_bound(py) + .eq(key.call_method0(pyo3::intern!(py, "public_key"))?)? + { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err( + "Certificate public key and provided private key do not match", + ), + )); + } + } + cert_bags.push(cert_to_bag(cert, name)?); } @@ -411,13 +543,20 @@ fn serialize_key_and_certificates<'p>( if let Some(e) = &encryption_algorithm { cert_salt = types::OS_URANDOM .get(py)? - .call1((16,))? + .call1((e.salt_length(),))? .extract::()?; cert_iv = types::OS_URANDOM .get(py)? .call1((16,))? .extract::()?; - cert_ciphertext = e.encrypt(py, &password, &cert_salt, &cert_iv, &cert_bag_contents)?; + cert_ciphertext = e.encrypt( + py, + &password, + cipher_kdf_iter, + &cert_salt, + &cert_iv, + &cert_bag_contents, + )?; auth_safe_contents.push(cryptography_x509::pkcs7::ContentInfo { _content_type: asn1::DefinedByMarker::marker(), @@ -426,8 +565,11 @@ fn serialize_key_and_certificates<'p>( version: 0, encrypted_content_info: cryptography_x509::pkcs7::EncryptedContentInfo { content_type: cryptography_x509::pkcs7::PKCS7_DATA_OID, - content_encryption_algorithm: e - .algorithm_identifier(&cert_salt, &cert_iv), + content_encryption_algorithm: e.algorithm_identifier( + cipher_kdf_iter, + &cert_salt, + &cert_iv, + ), encrypted_content: Some(&cert_ciphertext), }, }, @@ -458,20 +600,31 @@ fn serialize_key_and_certificates<'p>( let key_bag = if let Some(e) = encryption_algorithm { key_salt = types::OS_URANDOM .get(py)? - .call1((16,))? + .call1((e.salt_length(),))? .extract::()?; key_iv = types::OS_URANDOM .get(py)? .call1((16,))? .extract::()?; - key_ciphertext = e.encrypt(py, &password, &key_salt, &key_iv, &pkcs8_bytes)?; + key_ciphertext = e.encrypt( + py, + &password, + cipher_kdf_iter, + &key_salt, + &key_iv, + &pkcs8_bytes, + )?; cryptography_x509::pkcs12::SafeBag { _bag_id: asn1::DefinedByMarker::marker(), bag_value: asn1::Explicit::new( cryptography_x509::pkcs12::BagValue::ShroudedKeyBag( cryptography_x509::pkcs12::EncryptedPrivateKeyInfo { - encryption_algorithm: e.algorithm_identifier(&key_salt, &key_iv), + encryption_algorithm: e.algorithm_identifier( + cipher_kdf_iter, + &key_salt, + &key_iv, + ), encrypted_data: &key_ciphertext, }, ), diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index 95ab3c7cea64..a6904398dfe8 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -89,6 +89,10 @@ pub static PRIVATE_FORMAT_PKCS8: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", &["PrivateFormat", "PKCS8"], ); +pub static PRIVATE_FORMAT_PKCS12: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization", + &["PrivateFormat", "PKCS12"], +); pub static PRIVATE_FORMAT_RAW: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization", &["PrivateFormat", "Raw"], @@ -149,6 +153,15 @@ pub static ENCRYPTION_BUILDER: LazyPyImport = LazyPyImport::new( &["_KeySerializationEncryption"], ); +pub static PBES_PBESV1SHA1AND3KEYTRIPLEDESCBC: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PBES", "PBESv1SHA1And3KeyTripleDESCBC"], +); +pub static PBES_PBESV2SHA256ANDAES256CBC: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs12", + &["PBES", "PBESv2SHA256AndAES256CBC"], +); + pub static SERIALIZE_SSH_PRIVATE_KEY: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.ssh", &["_serialize_ssh_private_key"], diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2bf3b4406fe3..2fb5d5af272e 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -66,7 +66,7 @@ impl Certificate { slf } - fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { + pub(crate) fn public_key(&self, py: pyo3::Python<'_>) -> CryptographyResult { keys::load_der_public_key_bytes( py, self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(), diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 8397750ec264..67a68152eb8f 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -9,7 +9,6 @@ import pytest from cryptography import x509 -from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization @@ -636,12 +635,6 @@ def test_key_serialization_encryption( ) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: pytest.skip("PBESv2 is not supported on OpenSSL < 3.0") - if ( - mac_alg is not None - and not backend._lib.Cryptography_HAS_PKCS12_SET_MAC - ): - pytest.skip("PKCS12_set_mac is not supported (boring)") - builder = serialization.PrivateFormat.PKCS12.encryption_builder() if enc_alg is not None: builder = builder.key_cert_algorithm(enc_alg) @@ -688,57 +681,6 @@ def test_key_serialization_encryption( ) assert parsed_more_certs == [cacert] - @pytest.mark.supported( - only_if=lambda backend: ( - not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - ), - skip_message="Requires OpenSSL < 3.0.0 (or Libre/Boring)", - ) - @pytest.mark.parametrize( - ("algorithm"), - [ - serialization.PrivateFormat.PKCS12.encryption_builder() - .key_cert_algorithm(PBES.PBESv2SHA256AndAES256CBC) - .build(b"password"), - ], - ) - def test_key_serialization_encryption_unsupported( - self, algorithm, backend - ): - cacert, cakey = _load_ca(backend) - with pytest.raises(UnsupportedAlgorithm): - serialize_key_and_certificates( - b"name", cakey, cacert, [], algorithm - ) - - @pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.Cryptography_HAS_PKCS12_SET_MAC - ), - skip_message="Requires OpenSSL without PKCS12_set_mac (boring only)", - ) - @pytest.mark.parametrize( - "algorithm", - [ - serialization.PrivateFormat.PKCS12.encryption_builder() - .key_cert_algorithm(PBES.PBESv1SHA1And3KeyTripleDESCBC) - .hmac_hash(hashes.SHA256()) - .build(b"password"), - ], - ) - def test_key_serialization_encryption_set_mac_unsupported( - self, algorithm, backend - ): - cacert, cakey = _load_ca(backend) - with pytest.raises(UnsupportedAlgorithm): - serialize_key_and_certificates( - b"name", cakey, cacert, [], algorithm - ) - - @pytest.mark.supported( - only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, - skip_message="Requires OpenSSL with PKCS12_set_mac", - ) def test_set_mac_key_certificate_mismatch(self, backend): cacert, _ = _load_ca(backend) key = ec.generate_private_key(ec.SECP256R1()) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 36abfae9c052..4c4c0aa7dd50 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -100,6 +100,8 @@ def test_load_pkcs7_empty_certificates(self): # We have no public verification API and won't be adding one until we get # some requirements from users so this function exists to give us basic # verification for the signing tests. +# +# This relies on a number of bindings that we'd otherwise like to remove. def _pkcs7_verify(encoding, sig, msg, certs, options, backend): sig_bio = backend._bytes_to_bio(sig) if encoding is serialization.Encoding.DER: From 5b23baae7e1a59ab16630e6f8eae13e2b8822ded Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jul 2024 14:57:08 -0400 Subject: [PATCH 764/868] Switch to maturin. (#8815) It seems to be much faster at doing things locally. --- .github/requirements/build-requirements.in | 2 +- .github/requirements/build-requirements.txt | 26 +++++---- .github/workflows/wheel-builder.yml | 25 +++++---- MANIFEST.in | 24 --------- pyproject.toml | 60 ++++++++++++++------- 5 files changed, 75 insertions(+), 62 deletions(-) delete mode 100644 MANIFEST.in diff --git a/.github/requirements/build-requirements.in b/.github/requirements/build-requirements.in index 4b916ef1ca97..17c93da02a92 100644 --- a/.github/requirements/build-requirements.in +++ b/.github/requirements/build-requirements.in @@ -1,7 +1,7 @@ # Must be kept sync with build-system.requires at pyproject.toml setuptools>=61.0.0 cffi>=1.12; platform_python_implementation != 'PyPy' -setuptools-rust>=1.7.0 +maturin>=1,<2 # WARN: changing the requirements here DOES NOT update the dependencies used for building at the github workflow, as the build process used build-requirements.txt # To update build-requirements.txt according to the dependencies here, run pip-compile --allow-unsafe --generate-hashes build-requirements.in diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2c2b48c6e2ef..8728b8600471 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -58,22 +58,29 @@ cffi==1.16.0 ; platform_python_implementation != "PyPy" \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via -r build-requirements.in +maturin==1.5.0 \ + --hash=sha256:0b976116b7cfaafbc8c3f0acfaec6702520c49e86e48ea80e2c282b7f8118c1a \ + --hash=sha256:1b29bf8771f27d2e6b2685c82de952b5732ee79e5c0030ffd5dab5ccb99137a1 \ + --hash=sha256:2e4c01370a5c10b6c4887bee66d3582bdb38c3805168c1393f072bd266da08d4 \ + --hash=sha256:76e3270ff87b5484976d23e3d88475cd64acf41b54f561263f253d8fca0baab3 \ + --hash=sha256:9cba3737cb92ce5c1bd82cbb9b1fde412b2aac8882ac38b8340980f5eb858d8c \ + --hash=sha256:a5c038ded82c7595d99e94a208aa8af2b5c94eef4c8fcf5ef6e841957e506201 \ + --hash=sha256:b3a499ff5960e46115488e68011809ce99857864ce3a91cf5d0fff3adbd89e8c \ + --hash=sha256:d277adf9b27143627ba7be7ea254513d3e85008fb16a94638b56884a41b4e5a2 \ + --hash=sha256:d6a314472e07b6bdfa4cdf97d24cda1defe008d36d4b75de2efd3383e7a2d7bf \ + --hash=sha256:e046ea2aed687991d58c42f6276dfcc0c037092934654f538b5877fd57dd3a9c \ + --hash=sha256:eb35dfe5994ad2c34d2874a73720847ecc2adb28f934e9a7cbcdb8826b240e60 \ + --hash=sha256:f271f315fb78d2ff5fdf60f8d3ada2a04a66ac6fbd3cbb318c4eb4e9766449bc \ + --hash=sha256:faa0d099a8045afc9977284cb3a1c26e5ebc9a7f0fe4d53b7ee17f62fd279f4a + # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc # via cffi -semantic-version==2.10.0 \ - --hash=sha256:bdabb6d336998cbb378d4b9db3a4b56a1e3235701dc05ea2690d9a997ed5041c \ - --hash=sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177 - # via setuptools-rust -setuptools-rust==1.9.0 \ - --hash=sha256:409caf49dcf7ad9bd510b4bf4011fbad504e745fae98f57fe1c06f3a97719638 \ - --hash=sha256:704df0948f2e4cc60c2596ad6e840ea679f4f43e58ed4ad0c1857807240eab96 - # via -r build-requirements.in tomli==2.0.1 \ --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f - # via setuptools-rust + # via maturin # The following packages are considered to be unsafe in a requirements file: setuptools==70.2.0 \ @@ -81,4 +88,3 @@ setuptools==70.2.0 \ --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 # via # -r build-requirements.in - # setuptools-rust diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index b7627cb438cd..7ef8930fdfc5 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -61,8 +61,8 @@ jobs: fail-fast: false matrix: PYTHON: - - { VERSION: "cp311-cp311", ABI_VERSION: 'cp37' } - - { VERSION: "cp311-cp311", ABI_VERSION: 'cp39' } + - { VERSION: "cp311-cp311", ABI_VERSION: 'py37' } + - { VERSION: "cp311-cp311", ABI_VERSION: 'py39' } - { VERSION: "pp39-pypy39_pp73" } - { VERSION: "pp310-pypy310_pp73" } MANYLINUX: @@ -127,8 +127,12 @@ jobs: - name: Build the wheel run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi + + # `maturin` has a binary that needs to be on the $PATH, so we + # activate the venv. + source .venv/bin/activate OPENSSL_DIR="/opt/pyca/cryptography/openssl" \ OPENSSL_STATIC=1 \ .venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl tmpwheelhouse @@ -162,7 +166,7 @@ jobs: matrix: PYTHON: - VERSION: '3.11' - ABI_VERSION: 'cp37' + ABI_VERSION: 'py37' # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' @@ -174,7 +178,7 @@ jobs: # build against _PYTHON_HOST_PLATFORM: 'macosx-10.9-universal2' - VERSION: '3.11' - ABI_VERSION: 'cp39' + ABI_VERSION: 'py39' # Despite the name, this is built for the macOS 11 SDK on arm64 and 10.9+ on intel DOWNLOAD_URL: 'https://www.python.org/ftp/python/3.11.3/python-3.11.3-macos11.pkg' BIN_PATH: '/Library/Frameworks/Python.framework/Versions/3.11/bin/python3' @@ -243,9 +247,12 @@ jobs: - name: Build the wheel run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi + # `maturin` has a binary that needs to be on the $PATH, so we + # activate the venv. + source venv/bin/activate OPENSSL_DIR="$(readlink -f ../openssl-macos-universal2/)" \ OPENSSL_STATIC=1 \ venv/bin/python -m pip wheel -v --no-deps $PY_LIMITED_API cryptograph*.tar.gz -w dist/ && mv dist/cryptography*.whl wheelhouse @@ -279,8 +286,8 @@ jobs: - {ARCH: 'x86', WINDOWS: 'win32', RUST_TRIPLE: 'i686-pc-windows-msvc'} - {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc'} PYTHON: - - {VERSION: "3.11", "ABI_VERSION": "cp37"} - - {VERSION: "3.11", "ABI_VERSION": "cp39"} + - {VERSION: "3.11", "ABI_VERSION": "py37"} + - {VERSION: "3.11", "ABI_VERSION": "py39"} - {VERSION: "pypy-3.9"} - {VERSION: "pypy-3.10"} exclude: @@ -334,7 +341,7 @@ jobs: - run: mkdir wheelhouse - run: | if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then - PY_LIMITED_API="--config-settings=--build-option=--py-limited-api=${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" + PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }} --no-build-isolation" fi python -m pip wheel -v --no-deps cryptography*.tar.gz $PY_LIMITED_API -w dist/ && mv dist/cryptography*.whl wheelhouse/ diff --git a/MANIFEST.in b/MANIFEST.in deleted file mode 100644 index dcffd6024d1c..000000000000 --- a/MANIFEST.in +++ /dev/null @@ -1,24 +0,0 @@ -include CHANGELOG.rst -include CONTRIBUTING.rst -include LICENSE -include LICENSE.APACHE -include LICENSE.BSD -include README.rst -include noxfile.py - -include pyproject.toml -recursive-include src py.typed *.pyi - -recursive-include docs * -recursive-include src/_cffi_src *.py *.c *.h -recursive-include src/rust Cargo.toml Cargo.lock *.rs -prune docs/_build -recursive-include tests *.py -exclude vectors -recursive-exclude vectors * -exclude src/rust/target -recursive-exclude src/rust/target * - -recursive-exclude .github * - -exclude release.py .readthedocs.yml ci-constraints-requirements.txt mypy.ini diff --git a/pyproject.toml b/pyproject.toml index 186ca1d6b27c..4cfc675e2556 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -2,13 +2,15 @@ # These requirements must be kept sync with the requirements in # ./github/requirements/build-requirements.{in,txt} requires = [ - # First version of setuptools to support pyproject.toml configuration - "setuptools>=61.0.0", + "maturin>=1,<2", + # Must be kept in sync with `project.dependencies` "cffi>=1.12; platform_python_implementation != 'PyPy'", - "setuptools-rust>=1.7.0", + # Needed because cffi imports distutils, and in Python 3.12, distutils has + # been removed from the stdlib, but installing setuptools puts it back. + "setuptools", ] -build-backend = "setuptools.build_meta" +build-backend = "maturin" [project] name = "cryptography" @@ -56,14 +58,6 @@ source = "https://github.com/pyca/cryptography/" issues = "https://github.com/pyca/cryptography/issues" changelog = "https://cryptography.io/en/latest/changelog/" -[tool.setuptools] -zip-safe = false -package-dir = {"" = "src"} - -[tool.setuptools.packages.find] -where = ["src"] -include = ["cryptography*"] - [project.optional-dependencies] ssh = ["bcrypt >=3.1.5"] @@ -85,12 +79,42 @@ sdist = ["build"] # `click` included because its needed to type check `release.py` pep8test = ["ruff", "mypy", "check-sdist", "click"] -[[tool.setuptools-rust.ext-modules]] -target = "cryptography.hazmat.bindings._rust" -path = "src/rust/Cargo.toml" -py-limited-api = "auto" -rust-version = ">=1.65.0" - +[tool.maturin] +python-source = "src" +python-packages = ["cryptography"] +manifest-path = "src/rust/Cargo.toml" +module-name = "cryptography.hazmat.bindings._rust" +locked = true +sdist-generator = "git" +features = ["pyo3/abi3-py37"] +include = [ + "CHANGELOG.rst", + "CONTRIBUTING.rst", + "LICENSE", + "LICENSE.APACHE", + "LICENSE.BSD", + + "docs/**/*", + + "src/_cffi_src/**/*.py", + "src/_cffi_src/**/*.c", + "src/_cffi_src/**/*.h", + + "src/rust/**/Cargo.toml", + "src/rust/**/Cargo.lock", + "src/rust/**/*.rs", + + "tests/**/*.py", +] +exclude = [ + "vectors/**/*", + "src/rust/target/**/*", + "docs/_build/**/*", + ".github/**/*", + ".readthedocs.yml", + "ci-constraints-requirements.txt", + "mypy.ini", +] [tool.pytest.ini_options] addopts = "-r s --capture=no --strict-markers --benchmark-disable" From 8a7f27be3dbf76dcf624ffb550bdbd13554acab0 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Fri, 5 Jul 2024 15:14:04 -0700 Subject: [PATCH 765/868] Add rsa_recover_private_exponent function (#11193) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Given the RSA public exponent (`e`), and the RSA primes (`p`, `q`), it is possible to calculate the corresponding private exponent `d = e⁻¹ mod λ(n)` where `λ(n) = lcm(p-1, q-1)`. With this function added, it becomes possible to use the library to reconstruct an RSA private key given *only* `p`, `q`, and `e`: from cryptography.hazmat.primitives.asymmetric import rsa n = p * q d = rsa.rsa_recover_private_exponent(e, p, q) # newly-added piece iqmp = rsa.rsa_crt_iqmp(p, q) # preexisting dmp1 = rsa.rsa_crt_dmp1(d, p) # preexisting dmq1 = rsa.rsa_crt_dmq1(d, q) # preexisting assert rsa.rsa_recover_prime_factors(n, e, d) in ((p, q), (q, p)) # verify consistency privk = rsa.RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, rsa.RSAPublicNumbers(e, n)).private_key() Older RSA implementations, including the original RSA paper, often used the Euler totient function `ɸ(n) = (p-1) * (q-1)` instead of `λ(n)`. The private exponents generated by that method work equally well, but may be larger than strictly necessary (`λ(n)` always divides `ɸ(n)`). This commit additionally implements `_rsa_recover_euler_private_exponent`, so that tests of the internal structure of RSA private keys can allow for either the Euler or the Carmichael versions of the private exponents. It makes sense to expose only the more modern version (using the Carmichael totient function) for public usage, given that it is slightly more computationally efficient to use the keys in this form, and that some standards like FIPS 186-4 require this form. (See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=63) --- CHANGELOG.rst | 2 ++ docs/hazmat/primitives/asymmetric/rsa.rst | 17 ++++++++++ docs/spelling_wordlist.txt | 3 ++ .../hazmat/primitives/asymmetric/rsa.py | 21 +++++++++++++ tests/hazmat/primitives/utils.py | 31 ++++++++++++++++++- 5 files changed, 73 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 58a827719e65..ea4210277567 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -58,6 +58,8 @@ Changelog :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.next_update_utc`, These are timezone-aware variants of existing properties that return naïve ``datetime`` objects. +* Added + :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_private_exponent` .. _v42-0-8: diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index 35230f7e982d..d712b2226459 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -554,6 +554,23 @@ this without having to do the math themselves. Computes the ``dmq1`` parameter from the RSA private exponent (``d``) and prime ``q``. +.. function:: rsa_recover_private_exponent(e, p, q) + + .. versionadded:: 43.0.0 + + Computes the RSA private_exponent (``d``) given the public exponent (``e``) + and the RSA primes ``p`` and ``q``. + + .. note:: + + This implementation uses the Carmichael totient function to return the + smallest working value of ``d``. Older RSA implementations, including the + original RSA paper, often used the Euler totient function, which results + in larger but equally functional private exponents. The private exponents + resulting from the Carmichael totient function, as returned here, are + slightly more computationally efficient to use, and some modern standards + require them. + .. function:: rsa_recover_prime_factors(n, e, d) .. versionadded:: 0.8 diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index e7e9afd1cbaf..2cf3167b1dbc 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -15,6 +15,7 @@ Botan Brainpool Bullseye Capitan +Carmichael CentOS changelog Changelog @@ -51,6 +52,7 @@ Docstrings El Encodings endian +Euler extendable facto fallback @@ -128,6 +130,7 @@ Thawte timestamp timestamps toolchain +totient Trixie tunable Ubuntu diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py index 49c76af0de94..7a387b5ea55d 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/src/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -190,6 +190,27 @@ def rsa_crt_dmq1(private_exponent: int, q: int) -> int: return private_exponent % (q - 1) +def rsa_recover_private_exponent(e: int, p: int, q: int) -> int: + """ + Compute the RSA private_exponent (d) given the public exponent (e) + and the RSA primes p and q. + + This uses the Carmichael totient function to generate the + smallest possible working value of the private exponent. + """ + # This lambda_n is the Carmichael totient function. + # The original RSA paper uses the Euler totient function + # here: phi_n = (p - 1) * (q - 1) + # Either version of the private exponent will work, but the + # one generated by the older formulation may be larger + # than necessary. (lambda_n always divides phi_n) + # + # TODO: Replace with lcm(p - 1, q - 1) once the minimum + # supported Python version is >= 3.9. + lambda_n = (p - 1) * (q - 1) // gcd(p - 1, q - 1) + return _modinv(e, lambda_n) + + # Controls the number of iterations rsa_recover_prime_factors will perform # to obtain the prime factors. Each iteration increments by 2 so the actual # maximum attempts is half this number. diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 9e119f0b636b..16dc612e528e 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -522,13 +522,42 @@ def rsa_verification_test(backend, params, hash_alg, pad_factory): public_key.verify(signature, msg, pad, hash_alg) +def _rsa_recover_euler_private_exponent(e: int, p: int, q: int) -> int: + """ + Compute the RSA private_exponent (d) given the public exponent (e) + and the RSA primes p and q, following the usage of the original + RSA paper. + + As in the original RSA paper, this uses the Euler totient function + instead of the Carmichael totient function, and thus may generate a + larger value of the private exponent than necessary. + + See cryptography.hazmat.primitives.asymmetric.rsa_recover_private_exponent + for the public-facing version of this function, which uses the + preferred Carmichael totient function. + """ + phi_n = (p - 1) * (q - 1) + return rsa._modinv(e, phi_n) + + def _check_rsa_private_numbers(skey): assert skey pkey = skey.public_numbers assert pkey assert pkey.e assert pkey.n - assert skey.d + + # Historically there have been two ways to calculate valid values of the + # private_exponent (d) given the public exponent (e): + # - using the Carmichael totient function (gives smaller and more + # computationally-efficient values, and is required by some standards) + # - using the Euler totient function (matching the original RSA paper) + # Allow for either here. + assert skey.d in ( + rsa.rsa_recover_private_exponent(pkey.e, skey.p, skey.q), + _rsa_recover_euler_private_exponent(pkey.e, skey.p, skey.q), + ) + assert skey.p * skey.q == pkey.n assert skey.dmp1 == rsa.rsa_crt_dmp1(skey.d, skey.p) assert skey.dmq1 == rsa.rsa_crt_dmq1(skey.d, skey.q) From 2b371f418b523369424dbd1de61900eb35cf90b1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 5 Jul 2024 17:54:12 -0500 Subject: [PATCH 766/868] add support for CipherContext.update_nonce (#10437) * add support for CipherContext.reset_nonce This only supports ChaCha20 and ciphers in CTR mode. * expand tests to reset to different nonces --- CHANGELOG.rst | 3 + .../primitives/symmetric-encryption.rst | 21 +++++++ .../hazmat/primitives/ciphers/base.py | 8 +++ src/rust/src/backend/ciphers.rs | 49 +++++++++++++++ tests/hazmat/primitives/test_aes.py | 61 ++++++++++++++++++- tests/hazmat/primitives/test_aes_gcm.py | 16 ++++- tests/hazmat/primitives/test_chacha20.py | 49 +++++++++++++++ 7 files changed, 205 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ea4210277567..aae8c9fc305c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -60,6 +60,9 @@ Changelog ``datetime`` objects. * Added :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_private_exponent` +* Added :meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.reset_nonce` + for altering the ``nonce`` of a cipher context without initializing a new + instance. See the docs for additional restrictions. .. _v42-0-8: diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 6eb769bb23b1..dd32c913a7dd 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -693,6 +693,27 @@ Interfaces :meth:`update` and :meth:`finalize` will raise an :class:`~cryptography.exceptions.AlreadyFinalized` exception. + .. method:: reset_nonce(nonce) + + .. versionadded:: 43.0.0 + + This method allows changing the nonce for an already existing context. + Normally the nonce is set when the context is created and internally + incremented as data as passed. However, in some scenarios the same key + is used repeatedly but the nonce changes non-sequentially (e.g. ``QUIC``), + which requires updating the context with the new nonce. + + This method only works for contexts using + :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` or + :class:`~cryptography.hazmat.primitives.ciphers.modes.CTR` mode. + + :param nonce: The nonce to update the context with. + :type data: :term:`bytes-like` + :raises cryptography.exceptions.UnsupportedAlgorithm: If the + algorithm does not support updating the nonce. + :raises ValueError: If the nonce is not the correct length for the + algorithm. + .. class:: AEADCipherContext When calling ``encryptor`` or ``decryptor`` on a ``Cipher`` object diff --git a/src/cryptography/hazmat/primitives/ciphers/base.py b/src/cryptography/hazmat/primitives/ciphers/base.py index a9fa2bf07b9d..ebfa8052c8da 100644 --- a/src/cryptography/hazmat/primitives/ciphers/base.py +++ b/src/cryptography/hazmat/primitives/ciphers/base.py @@ -33,6 +33,14 @@ def finalize(self) -> bytes: Returns the results of processing the final block as bytes. """ + @abc.abstractmethod + def reset_nonce(self, nonce: bytes) -> None: + """ + Resets the nonce for the cipher context to the provided value. + Raises an exception if it does not support reset or if the + provided nonce does not have a valid length. + """ + class AEADCipherContext(CipherContext, metaclass=abc.ABCMeta): @abc.abstractmethod diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 83d222256fbd..14ac3d13c758 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -13,6 +13,8 @@ use pyo3::IntoPy; pub(crate) struct CipherContext { ctx: openssl::cipher_ctx::CipherCtx, py_mode: pyo3::PyObject, + py_algorithm: pyo3::PyObject, + side: openssl::symm::Mode, } impl CipherContext { @@ -113,9 +115,44 @@ impl CipherContext { Ok(CipherContext { ctx, py_mode: mode.into(), + py_algorithm: algorithm.into(), + side, }) } + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + if !self + .py_mode + .bind(py) + .is_instance(&types::MODE_WITH_NONCE.get(py)?)? + && !self + .py_algorithm + .bind(py) + .is_instance(&types::CHACHA20.get(py)?)? + { + return Err(CryptographyError::from( + exceptions::UnsupportedAlgorithm::new_err(( + "This algorithm or mode does not support resetting the nonce.", + exceptions::Reasons::UNSUPPORTED_CIPHER, + )), + )); + } + if nonce.as_bytes().len() != self.ctx.iv_length() { + return Err(CryptographyError::from( + pyo3::exceptions::PyValueError::new_err(format!( + "Nonce must be {} bytes long", + self.ctx.iv_length() + )), + )); + } + let init_op = match self.side { + openssl::symm::Mode::Encrypt => openssl::cipher_ctx::CipherCtxRef::encrypt_init, + openssl::symm::Mode::Decrypt => openssl::cipher_ctx::CipherCtxRef::decrypt_init, + }; + init_op(&mut self.ctx, None, None, Some(nonce.as_bytes()))?; + Ok(()) + } + fn update<'p>( &mut self, py: pyo3::Python<'p>, @@ -236,6 +273,10 @@ impl PyCipherContext { get_mut_ctx(self.ctx.as_mut())?.update(py, buf.as_bytes()) } + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce) + } + fn update_into( &mut self, py: pyo3::Python<'_>, @@ -340,6 +381,10 @@ impl PyAEADEncryptionContext { })? .clone_ref(py)) } + + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce) + } } #[pyo3::pymethods] @@ -468,6 +513,10 @@ impl PyAEADDecryptionContext { self.ctx = None; Ok(result) } + + fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> { + get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce) + } } #[pyo3::pyfunction] diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 7b4b065cb2ce..64ec26687952 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -8,11 +8,12 @@ import pytest +from cryptography.exceptions import AlreadyFinalized, _Reasons from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes from ...doubles import DummyMode -from ...utils import load_nist_vectors +from ...utils import load_nist_vectors, raises_unsupported_algorithm from .utils import _load_all_params, generate_encrypt_test @@ -305,3 +306,61 @@ def test_alternate_aes_classes(mode, alg_cls, backend): dec = cipher.decryptor() pt = dec.update(ct) + dec.finalize() assert pt == data + + +def test_reset_nonce(backend): + data = b"helloworld" * 10 + nonce = b"\x00" * 16 + nonce_alt = b"\xee" * 16 + cipher = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.CTR(nonce), + ) + cipher_alt = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.CTR(nonce_alt), + ) + enc = cipher.encryptor() + ct1 = enc.update(data) + assert len(ct1) == len(data) + for _ in range(2): + enc.reset_nonce(nonce) + assert enc.update(data) == ct1 + # Reset the nonce to a different value + # and check it matches with a different context + enc_alt = cipher_alt.encryptor() + ct2 = enc_alt.update(data) + enc.reset_nonce(nonce_alt) + assert enc.update(data) == ct2 + enc_alt.finalize() + enc.finalize() + with pytest.raises(AlreadyFinalized): + enc.reset_nonce(nonce) + dec = cipher.decryptor() + assert dec.update(ct1) == data + for _ in range(2): + dec.reset_nonce(nonce) + assert dec.update(ct1) == data + # Reset the nonce to a different value + # and check it matches with a different context + dec_alt = cipher_alt.decryptor() + dec.reset_nonce(nonce_alt) + assert dec.update(ct2) == dec_alt.update(ct2) + dec_alt.finalize() + dec.finalize() + with pytest.raises(AlreadyFinalized): + dec.reset_nonce(nonce) + + +def test_reset_nonce_invalid_mode(backend): + iv = b"\x00" * 16 + c = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.CBC(iv), + ) + enc = c.encryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + enc.reset_nonce(iv) + dec = c.decryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + dec.reset_nonce(iv) diff --git a/tests/hazmat/primitives/test_aes_gcm.py b/tests/hazmat/primitives/test_aes_gcm.py index 054327041358..30cf9ca07b36 100644 --- a/tests/hazmat/primitives/test_aes_gcm.py +++ b/tests/hazmat/primitives/test_aes_gcm.py @@ -8,10 +8,11 @@ import pytest +from cryptography.exceptions import _Reasons from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes -from ...utils import load_nist_vectors +from ...utils import load_nist_vectors, raises_unsupported_algorithm from .utils import generate_aead_test @@ -230,3 +231,16 @@ def test_alternate_aes_classes(self, alg, backend): dec = cipher.decryptor() pt = dec.update(ct) + dec.finalize_with_tag(enc.tag) assert pt == data + + def test_reset_nonce_invalid_mode(self, backend): + nonce = b"\x00" * 12 + c = base.Cipher( + algorithms.AES(b"\x00" * 16), + modes.GCM(nonce), + ) + enc = c.encryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + enc.reset_nonce(nonce) + dec = c.decryptor() + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): + dec.reset_nonce(nonce) diff --git a/tests/hazmat/primitives/test_chacha20.py b/tests/hazmat/primitives/test_chacha20.py index 7c52ad598d3c..3ade8b9e2eb1 100644 --- a/tests/hazmat/primitives/test_chacha20.py +++ b/tests/hazmat/primitives/test_chacha20.py @@ -9,6 +9,7 @@ import pytest +from cryptography.exceptions import AlreadyFinalized from cryptography.hazmat.primitives.ciphers import Cipher, algorithms from ...utils import load_nist_vectors @@ -90,3 +91,51 @@ def test_partial_blocks(self, backend): ct_partial_3 = enc_partial.update(pt[len_partial * 2 :]) assert ct_full == ct_partial_1 + ct_partial_2 + ct_partial_3 + + def test_reset_nonce(self, backend): + data = b"helloworld" * 10 + key = b"\x00" * 32 + nonce = b"\x00" * 16 + nonce_alt = b"\xee" * 16 + cipher = Cipher(algorithms.ChaCha20(key, nonce), None) + cipher_alt = Cipher(algorithms.ChaCha20(key, nonce_alt), None) + enc = cipher.encryptor() + ct1 = enc.update(data) + assert len(ct1) == len(data) + for _ in range(2): + enc.reset_nonce(nonce) + assert enc.update(data) == ct1 + # Reset the nonce to a different value + # and check it matches with a different context + enc_alt = cipher_alt.encryptor() + ct2 = enc_alt.update(data) + enc.reset_nonce(nonce_alt) + assert enc.update(data) == ct2 + enc_alt.finalize() + enc.finalize() + with pytest.raises(AlreadyFinalized): + enc.reset_nonce(nonce) + dec = cipher.decryptor() + assert dec.update(ct1) == data + for _ in range(2): + dec.reset_nonce(nonce) + assert dec.update(ct1) == data + # Reset the nonce to a different value + # and check it matches with a different context + dec_alt = cipher_alt.decryptor() + dec.reset_nonce(nonce_alt) + assert dec.update(ct2) == dec_alt.update(ct2) + dec_alt.finalize() + dec.finalize() + with pytest.raises(AlreadyFinalized): + dec.reset_nonce(nonce) + + def test_nonce_reset_invalid_length(self, backend): + key = b"\x00" * 32 + nonce = b"\x00" * 16 + cipher = Cipher(algorithms.ChaCha20(key, nonce), None) + enc = cipher.encryptor() + with pytest.raises(ValueError): + enc.reset_nonce(nonce[:-1]) + with pytest.raises(ValueError): + enc.reset_nonce(nonce + b"\x00") From 2c45811dab82df7d20c6f71c68758f30df0a02fb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 5 Jul 2024 19:27:40 -0400 Subject: [PATCH 767/868] Enforce length for CommonName (#11201) fixes #10553 --- CHANGELOG.rst | 3 +++ src/cryptography/x509/name.py | 27 +++++++++++++++++---------- tests/x509/test_x509.py | 9 ++++++++- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index aae8c9fc305c..90af3bba7286 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -63,6 +63,9 @@ Changelog * Added :meth:`~cryptography.hazmat.primitives.ciphers.CipherContext.reset_nonce` for altering the ``nonce`` of a cipher context without initializing a new instance. See the docs for additional restrictions. +* :class:`~cryptography.x509.NameAttribute` now raises an exception when + attempting to create a common name whose length is shorter or longer than + :rfc:`5280` permits. .. _v42-0-8: diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 451338a3a930..1b6b89d12a97 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -59,6 +59,12 @@ class _ASN1Type(utils.Enum): } _NAME_TO_NAMEOID = {v: k for k, v in _NAMEOID_TO_NAME.items()} +_NAMEOID_LENGTH_LIMIT = { + NameOID.COUNTRY_NAME: (2, 2), + NameOID.JURISDICTION_COUNTRY_NAME: (2, 2), + NameOID.COMMON_NAME: (1, 64), +} + def _escape_dn_value(val: str | bytes) -> str: """Escape special characters in RFC4514 Distinguished Name value.""" @@ -132,19 +138,20 @@ def __init__( if not isinstance(value, str): raise TypeError("value argument must be a str") - if oid in (NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME): + length_limits = _NAMEOID_LENGTH_LIMIT.get(oid) + if length_limits is not None: + min_length, max_length = length_limits assert isinstance(value, str) c_len = len(value.encode("utf8")) - if c_len != 2 and _validate is True: - raise ValueError( - "Country name must be a 2 character country code" - ) - elif c_len != 2: - warnings.warn( - "Country names should be two characters, but the " - f"attribute is {c_len} characters in length.", - stacklevel=2, + if c_len < min_length or c_len > max_length: + msg = ( + f"Attribute's length must be >= {min_length} and " + f"<= {max_length}, but it was {c_len}" ) + if _validate is True: + raise ValueError(msg) + else: + warnings.warn(msg, stacklevel=2) # The appropriate ASN1 string type varies by OID and is defined across # multiple RFCs including 2459, 3280, and 5280. In general UTF8String diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 29e611d72901..a4368833ca3f 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -5809,7 +5809,7 @@ def test_init_none_value(self): None, # type:ignore[arg-type] ) - def test_init_bad_country_code_value(self): + def test_init_bad_length(self): with pytest.raises(ValueError): x509.NameAttribute(NameOID.COUNTRY_NAME, "United States") @@ -5817,6 +5817,13 @@ def test_init_bad_country_code_value(self): with pytest.raises(ValueError): x509.NameAttribute(NameOID.COUNTRY_NAME, "\U0001f37a\U0001f37a") + with pytest.raises(ValueError): + x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, "Too Long") + with pytest.raises(ValueError): + x509.NameAttribute(NameOID.COMMON_NAME, "Too Long" * 10) + with pytest.raises(ValueError): + x509.NameAttribute(NameOID.COMMON_NAME, "") + def test_invalid_type(self): with pytest.raises(TypeError): x509.NameAttribute( From 5039dba01ca2bda98d70ed79f657b1621da3cff1 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 5 Jul 2024 17:30:58 -0700 Subject: [PATCH 768/868] Bump BoringSSL and/or OpenSSL in CI (#11202) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51398eebb299..3f3e93088ff7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 05, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "59c415a45f47cb34147427e46c78d945919b1da2"}} + # Latest commit on the OpenSSL master branch, as of Jul 06, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "29696af689df734cae05181d85ee04470c3839d3"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From fe5b0240b887b4ef1bf8f01f0cb1c4d452ab5625 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 6 Jul 2024 12:26:37 -0400 Subject: [PATCH 769/868] Special case nox -e local for maturin (#11203) This is way faster. --- noxfile.py | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/noxfile.py b/noxfile.py index c254b5e3685e..03f7b0d8aefe 100644 --- a/noxfile.py +++ b/noxfile.py @@ -294,14 +294,11 @@ def local(session): "noxfile.py", ) - install( - session, - # Needed until https://github.com/astral-sh/uv/issues/2152 is fixed - "--reinstall-package", - "cryptography", - "--refresh-package", - "cryptography", - ".", + session.run( + "maturin", + "develop", + "--release", + "--uv", ) if session.posargs: From cf14d750644d604f1e0fd3c6387870d29e86e0e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 03:07:36 +0000 Subject: [PATCH 770/868] Bump syn from 2.0.68 to 2.0.69 in /src/rust (#11206) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.68 to 2.0.69. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.68...2.0.69) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index acbfb1764207..59f0c3fa2840 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.68" +version = "2.0.69" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "901fa70d88b9d6c98022e23b4136f9f3e54e4662c3bc1bd1d84a42a9a0f0c1e9" +checksum = "201fcda3845c23e8212cd466bfebf0bd20694490fc0356ae8e428e0824a915a6" dependencies = [ "proc-macro2", "quote", From e1d50a27e0a9296128f82de77cca0076389e284a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:08:36 -0400 Subject: [PATCH 771/868] Bump actions/download-artifact from 4.1.7 to 4.1.8 (#11204) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.7 to 4.1.8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/65a9edc5881444af0b9093a5e628f2fe47ea3b2e...fa0a91b85d4f404e444e00e005971372dc801d16) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/wheel-builder.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f3e93088ff7..577afae9cdef 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -431,7 +431,7 @@ jobs: if: ${{ always() }} - name: Download coverage data if: ${{ always() }} - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: pattern: coverage-data-* merge-multiple: true diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 7ef8930fdfc5..38540f1edf02 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -120,7 +120,7 @@ jobs: - name: Install Python dependencies run: .venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cryptography-sdist - run: mkdir tmpwheelhouse @@ -240,7 +240,7 @@ jobs: - name: Install Python dependencies run: venv/bin/pip install --require-hashes -r ${{ env.BUILD_REQUIREMENTS_PATH }} - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cryptography-sdist - run: mkdir wheelhouse @@ -308,7 +308,7 @@ jobs: ${{ env.BUILD_REQUIREMENTS_PATH }} sparse-checkout-cone-mode: false - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: cryptography-sdist From 6e44c1ae31c93fc0f70e7de97d457762a6ce0679 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 03:09:59 +0000 Subject: [PATCH 772/868] Bump ruff from 0.5.0 to 0.5.1 (#11207) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.0...0.5.1) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 5c2f1a63fa97..d801a0a3ee80 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.0 +ruff==0.5.1 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 1e99364f8bdfc79c796a0a8bdefae814fa281e9c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:11:41 -0400 Subject: [PATCH 773/868] Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#11205) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- .github/workflows/wheel-builder.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 577afae9cdef..3dcc30758ddc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -474,14 +474,14 @@ jobs: run: python -m coverage html if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload HTML report. - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: _html-report path: htmlcov if-no-files-found: ignore if: ${{ failure() && steps.combinecoverage.outcome == 'failure' }} - name: Upload rust HTML report. - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: _html-rust-report path: rust-coverage diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 38540f1edf02..4366432495ce 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -40,11 +40,11 @@ jobs: run: .venv/bin/python -m build --sdist - name: Make sdist and wheel (vectors) run: cd vectors/ && ../.venv/bin/python -m build - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "cryptography-sdist" path: dist/cryptography* - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "vectors-sdist-wheel" path: vectors/dist/cryptography* @@ -153,7 +153,7 @@ jobs: .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" - run: mkdir cryptography-wheelhouse - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.MANYLINUX.NAME }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse/ @@ -271,7 +271,7 @@ jobs: - run: mv wheelhouse/cryptography*.whl cryptography-wheelhouse/ - run: | echo "CRYPTOGRAPHY_WHEEL_NAME=$(basename $(ls cryptography-wheelhouse/cryptography*.whl))" >> $GITHUB_ENV - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "${{ env.CRYPTOGRAPHY_WHEEL_NAME }}" path: cryptography-wheelhouse/ @@ -353,7 +353,7 @@ jobs: - run: mkdir cryptography-wheelhouse - run: move wheelhouse\cryptography*.whl cryptography-wheelhouse\ - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: "cryptography-${{ github.event.inputs.version }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION }}" path: cryptography-wheelhouse\ From 84a016833e2e1cc1159b7e5c63ee3eb64c614513 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jul 2024 23:24:10 -0400 Subject: [PATCH 774/868] Bump maturin from 1.5.0 to 1.7.0 in /.github/requirements (#11208) Bumps [maturin](https://github.com/pyo3/maturin) from 1.5.0 to 1.7.0. - [Release notes](https://github.com/pyo3/maturin/releases) - [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md) - [Commits](https://github.com/pyo3/maturin/compare/v1.5.0...v1.7.0) --- updated-dependencies: - dependency-name: maturin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 31 ++++++++++----------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 8728b8600471..9371021df44b 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -58,20 +58,20 @@ cffi==1.16.0 ; platform_python_implementation != "PyPy" \ --hash=sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956 \ --hash=sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357 # via -r build-requirements.in -maturin==1.5.0 \ - --hash=sha256:0b976116b7cfaafbc8c3f0acfaec6702520c49e86e48ea80e2c282b7f8118c1a \ - --hash=sha256:1b29bf8771f27d2e6b2685c82de952b5732ee79e5c0030ffd5dab5ccb99137a1 \ - --hash=sha256:2e4c01370a5c10b6c4887bee66d3582bdb38c3805168c1393f072bd266da08d4 \ - --hash=sha256:76e3270ff87b5484976d23e3d88475cd64acf41b54f561263f253d8fca0baab3 \ - --hash=sha256:9cba3737cb92ce5c1bd82cbb9b1fde412b2aac8882ac38b8340980f5eb858d8c \ - --hash=sha256:a5c038ded82c7595d99e94a208aa8af2b5c94eef4c8fcf5ef6e841957e506201 \ - --hash=sha256:b3a499ff5960e46115488e68011809ce99857864ce3a91cf5d0fff3adbd89e8c \ - --hash=sha256:d277adf9b27143627ba7be7ea254513d3e85008fb16a94638b56884a41b4e5a2 \ - --hash=sha256:d6a314472e07b6bdfa4cdf97d24cda1defe008d36d4b75de2efd3383e7a2d7bf \ - --hash=sha256:e046ea2aed687991d58c42f6276dfcc0c037092934654f538b5877fd57dd3a9c \ - --hash=sha256:eb35dfe5994ad2c34d2874a73720847ecc2adb28f934e9a7cbcdb8826b240e60 \ - --hash=sha256:f271f315fb78d2ff5fdf60f8d3ada2a04a66ac6fbd3cbb318c4eb4e9766449bc \ - --hash=sha256:faa0d099a8045afc9977284cb3a1c26e5ebc9a7f0fe4d53b7ee17f62fd279f4a +maturin==1.7.0 \ + --hash=sha256:0af4f2a4cfb99206d414dec138dd3aac3f506eb8928b7e38dfac570461b393d6 \ + --hash=sha256:15fe7920391a128897714f6ed38ebbc771150410b795a55cefca73f089d5aecb \ + --hash=sha256:1ba5277dd7832dc6181d69a005182b97b3520945825058484ffd9296f2efb59c \ + --hash=sha256:1f521ebe0344db8260df0d12779aefc06c1f763cd654151cf4a238fe14f65dc1 \ + --hash=sha256:29187d5c3e1e166c14eaadc63a8adc25b6bbb3e5b055d1bc87f6ca92b4b6e331 \ + --hash=sha256:2bd8227e020a9308c076253f29224c53b08b2a4ed41fcd94b4eb9349684fcfe7 \ + --hash=sha256:6fd312c56846d3cafa7c45e362d96b526170e79b9adb5b8ea02a10c88906069c \ + --hash=sha256:7460122333971b2492154c102d2981ae337ae0486dde7f4df7e645d724de59a5 \ + --hash=sha256:7c05226547778f31b73d48a19d11f57792bcc44f4047b84c73ea66cae2e62473 \ + --hash=sha256:87a1fae70f1a6ad694832c735abf9f010edc4971c5cf89d2e7a54651a1a3792a \ + --hash=sha256:928b82ceba924b1642c53f6684271e814b5ce5049cb4d35ff36bed078837eb83 \ + --hash=sha256:c1ae0b4162fb1152aea83098bf1b66a7bf6dd73fd1b108e6c4e22160118a997c \ + --hash=sha256:e9cd5b992b6c131c5f47c85e7bc266bf5bf94f29720856678431ce6c91b726df # via -r build-requirements.in pycparser==2.22 \ --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ @@ -86,5 +86,4 @@ tomli==2.0.1 \ setuptools==70.2.0 \ --hash=sha256:b8b8060bb426838fbe942479c90296ce976249451118ef566a5a0b7d8b78fb05 \ --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 - # via - # -r build-requirements.in + # via -r build-requirements.in From 6e1df4dff53b9d5e5f14e967db433ae1faa5504d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 12:04:44 +0000 Subject: [PATCH 775/868] Bump actions/upload-artifact in /.github/actions/upload-coverage (#11209) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/65462800fd760344b1a7b4382951275a0abb4808...0b2256b8c012f0828dc542b3febcab082c67f72b) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/upload-coverage/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/upload-coverage/action.yml b/.github/actions/upload-coverage/action.yml index 227cac821f33..196487d65970 100644 --- a/.github/actions/upload-coverage/action.yml +++ b/.github/actions/upload-coverage/action.yml @@ -13,7 +13,7 @@ runs: fi id: coverage-uuid shell: bash - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }} path: | From 80750e24fca0946c10dc36374158040a55804c24 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 12:06:48 +0000 Subject: [PATCH 776/868] Bump pyo3 from 0.22.0 to 0.22.1 in /src/rust (#11210) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.0 to 0.22.1. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.0...v0.22.1) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 59f0c3fa2840..3da49cb21f16 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -247,9 +247,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1962a33ed2a201c637fc14a4e0fd4e06e6edfdeee6a5fede0dab55507ad74cf7" +checksum = "4e99090d12f6182924499253aaa1e73bf15c69cea8d2774c3c781e35badc3548" dependencies = [ "cfg-if", "indoc", @@ -265,9 +265,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab7164b2202753bd33afc7f90a10355a719aa973d1f94502c50d06f3488bc420" +checksum = "7879eb018ac754bba32cb0eec7526391c02c14a093121857ed09fbf1d1057d41" dependencies = [ "once_cell", "target-lexicon", @@ -275,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6424906ca49013c0829c5c1ed405e20e2da2dc78b82d198564880a704e6a7b7" +checksum = "ce2baa5559a411fc1cf519295f24c34b53d5d725818bc96b5abf94762da09041" dependencies = [ "libc", "pyo3-build-config", @@ -285,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "82b2f19e153122d64afd8ce7aaa72f06a00f52e34e1d1e74b6d71baea396460a" +checksum = "049621c20a23f2def20f4fe67978d1da8d8a883d64b9c21362f3b776e254edc7" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -297,9 +297,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.0" +version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd698c04cac17cf0fe63d47790ab311b8b25542f5cb976b65c374035c50f1eef" +checksum = "0e969ee2e025435f1819d31a275ba4bb9cbbdf3ac535227fdbd85b9322ffe144" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index 49c0b73dd100..fc0ab7e11edf 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.0", features = ["abi3"] } +pyo3 = { version = "0.22.1", features = ["abi3"] } asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 414236180a65..4aa01a438897 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.0", features = ["abi3"] } +pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index 9c5e92c8e683..d2f503bbf209 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.0", features = ["abi3"] } +pyo3 = { version = "0.22.1", features = ["abi3"] } From 82aed4a6cfb23f50cc2c36f2ebc54c65826b5e51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Jul 2024 12:07:10 +0000 Subject: [PATCH 777/868] Bump nh3 from 0.2.17 to 0.2.18 (#11211) Bumps [nh3](https://github.com/messense/nh3) from 0.2.17 to 0.2.18. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.17...v0.2.18) --- updated-dependencies: - dependency-name: nh3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index d801a0a3ee80..faee77b4d774 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -56,7 +56,7 @@ mypy==1.10.1 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy -nh3==0.2.17 +nh3==0.2.18 # via readme-renderer nox==2024.4.15 # via cryptography (pyproject.toml) From 7c4a2e13bd8475b127e16e2b66f195cca986a386 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 7 Jul 2024 08:53:46 -0400 Subject: [PATCH 778/868] Remove typechecking that pyo3 does automatically (#11212) --- .../hazmat/primitives/serialization/pkcs12.py | 16 ---------------- tests/hazmat/primitives/test_pkcs12.py | 6 ++++-- 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs12.py b/src/cryptography/hazmat/primitives/serialization/pkcs12.py index a104986bf9ec..549e1f992d39 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs12.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs12.py @@ -139,22 +139,6 @@ def serialize_key_and_certificates( "Key must be RSA, DSA, EllipticCurve, ED25519, or ED448" " private key, or None." ) - if cert is not None and not isinstance(cert, x509.Certificate): - raise TypeError("cert must be a certificate or None") - - if cas is not None: - cas = list(cas) - if not all( - isinstance( - val, - ( - x509.Certificate, - PKCS12Certificate, - ), - ) - for val in cas - ): - raise TypeError("all values in cas must be certificates") if not isinstance( encryption_algorithm, serialization.KeySerializationEncryption diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index 67a68152eb8f..d0645d9e9941 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -470,7 +470,7 @@ def test_generate_wrong_types(self, backend): ) with pytest.raises(TypeError) as exc: serialize_key_and_certificates(b"name", key, key, None, encryption) - assert str(exc.value) == "cert must be a certificate or None" + assert "object cannot be converted to 'Certificate'" in str(exc.value) with pytest.raises(TypeError) as exc: serialize_key_and_certificates(b"name", key, cert, None, key) @@ -484,7 +484,9 @@ def test_generate_wrong_types(self, backend): with pytest.raises(TypeError) as exc: serialize_key_and_certificates(None, key, cert, [key], encryption) - assert str(exc.value) == "all values in cas must be certificates" + assert "failed to extract enum CertificateOrPKCS12Certificate" in str( + exc.value + ) def test_generate_no_cert(self, backend): _, key = _load_ca(backend) From 5acef953c11313500c030c575e51993e9efd518b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 7 Jul 2024 10:46:25 -0400 Subject: [PATCH 779/868] Make type signatures more explicit in internals (#11213) --- .../hazmat/primitives/serialization/ssh.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py index 321519f3e596..c01afb0ccdc9 100644 --- a/src/cryptography/hazmat/primitives/serialization/ssh.py +++ b/src/cryptography/hazmat/primitives/serialization/ssh.py @@ -311,7 +311,9 @@ class _SSHFormatRSA: mpint n, e, d, iqmp, p, q """ - def get_public(self, data: memoryview): + def get_public( + self, data: memoryview + ) -> tuple[tuple[int, int], memoryview]: """RSA public fields""" e, data = _get_mpint(data) n, data = _get_mpint(data) @@ -458,7 +460,9 @@ def __init__(self, ssh_curve_name: bytes, curve: ec.EllipticCurve): self.ssh_curve_name = ssh_curve_name self.curve = curve - def get_public(self, data: memoryview) -> tuple[tuple, memoryview]: + def get_public( + self, data: memoryview + ) -> tuple[tuple[memoryview, memoryview], memoryview]: """ECDSA public fields""" curve, data = _get_sshstr(data) point, data = _get_sshstr(data) @@ -521,7 +525,9 @@ class _SSHFormatEd25519: bytes secret_and_point """ - def get_public(self, data: memoryview) -> tuple[tuple, memoryview]: + def get_public( + self, data: memoryview + ) -> tuple[tuple[memoryview], memoryview]: """Ed25519 public fields""" point, data = _get_sshstr(data) return (point,), data From e8af858bcab19f34fa48b4f267fe2243fe8c099b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Sun, 7 Jul 2024 15:22:19 -0400 Subject: [PATCH 780/868] verification: remove an error variant (#11214) * verification: remove an error variant * lib: fix tests * lib: remove tests mod entirely Now redundant. * lib: re-add tests noxfile: mark vectors as an editable install * extensions: remove Debug impl ...requires an `ok()` in verify. --- noxfile.py | 1 + .../cryptography-x509-verification/src/lib.rs | 22 +++++++++---------- src/rust/cryptography-x509/src/extensions.rs | 1 - src/rust/src/x509/verify.rs | 1 + 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/noxfile.py b/noxfile.py index 03f7b0d8aefe..91fcb8710eb3 100644 --- a/noxfile.py +++ b/noxfile.py @@ -265,6 +265,7 @@ def local(session): *test_dependencies, *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], + "-e", "./vectors/", verbose=False, ) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index d21827ce9695..5ae8ef90fe12 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -36,7 +36,6 @@ use crate::ApplyNameConstraintStatus::{Applied, Skipped}; pub enum ValidationError { CandidatesExhausted(Box), Malformed(asn1::ParseError), - DuplicateExtension(DuplicateExtensionsError), ExtensionError { oid: ObjectIdentifier, reason: &'static str, @@ -53,7 +52,10 @@ impl From for ValidationError { impl From for ValidationError { fn from(value: DuplicateExtensionsError) -> Self { - Self::DuplicateExtension(value) + Self::ExtensionError { + oid: value.0, + reason: "duplicate extension", + } } } @@ -64,9 +66,6 @@ impl Display for ValidationError { write!(f, "candidates exhausted: {inner}") } ValidationError::Malformed(err) => err.fmt(f), - ValidationError::DuplicateExtension(DuplicateExtensionsError(oid)) => { - write!(f, "malformed certificate: duplicate extension: {oid}") - } ValidationError::ExtensionError { oid, reason } => { write!(f, "invalid extension: {oid}: {reason}") } @@ -441,9 +440,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { #[cfg(test)] mod tests { use asn1::ParseError; - use cryptography_x509::{ - extensions::DuplicateExtensionsError, oid::SUBJECT_ALTERNATIVE_NAME_OID, - }; + use cryptography_x509::oid::SUBJECT_ALTERNATIVE_NAME_OID; use crate::ValidationError; @@ -452,12 +449,13 @@ mod tests { let err = ValidationError::Malformed(ParseError::new(asn1::ParseErrorKind::InvalidLength)); assert_eq!(err.to_string(), "ASN.1 parsing error: invalid length"); - let err = ValidationError::DuplicateExtension(DuplicateExtensionsError( - SUBJECT_ALTERNATIVE_NAME_OID, - )); + let err = ValidationError::ExtensionError { + oid: SUBJECT_ALTERNATIVE_NAME_OID, + reason: "duplicate extension", + }; assert_eq!( err.to_string(), - "malformed certificate: duplicate extension: 2.5.29.17" + "invalid extension: 2.5.29.17: duplicate extension" ); let err = ValidationError::FatalError("oops"); diff --git a/src/rust/cryptography-x509/src/extensions.rs b/src/rust/cryptography-x509/src/extensions.rs index f674b965144c..51df9fb0646b 100644 --- a/src/rust/cryptography-x509/src/extensions.rs +++ b/src/rust/cryptography-x509/src/extensions.rs @@ -8,7 +8,6 @@ use crate::common; use crate::crl; use crate::name; -#[derive(Debug)] pub struct DuplicateExtensionsError(pub asn1::ObjectIdentifier); pub type RawExtensions<'a> = common::Asn1ReadableOrWritable< diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 0b3a83552a06..52f179b871c5 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -295,6 +295,7 @@ impl PyClientVerifier { let leaf_san = &chain[0] .certificate() .extensions() + .ok() .unwrap() .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID) .unwrap(); From ccab692da0cdbfb94bfb05f280a653262cbe8fe9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:03:35 -0400 Subject: [PATCH 781/868] Bump cc from 1.0.104 to 1.0.105 in /src/rust (#11215) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.104 to 1.0.105. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.104...cc-v1.0.105) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3da49cb21f16..e67735a85f16 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.104" +version = "1.0.105" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74b6a57f98764a267ff415d50a25e6e166f3831a5071af4995296ea97d210490" +checksum = "5208975e568d83b6b05cc0a063c8e7e9acc2b43bee6da15616a5b73e109d7437" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 4aa01a438897..ffdf71df0d73 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.104" +cc = "1.0.105" From 48df2eb8092dc5b51088ae53ab9c2d7a14c9f251 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:04:02 -0400 Subject: [PATCH 782/868] Bump nh3 from 0.2.17 to 0.2.18 in /.github/requirements (#11216) Bumps [nh3](https://github.com/messense/nh3) from 0.2.17 to 0.2.18. - [Release notes](https://github.com/messense/nh3/releases) - [Commits](https://github.com/messense/nh3/compare/v0.2.17...v0.2.18) --- updated-dependencies: - dependency-name: nh3 dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/publish-requirements.txt | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt index ae5b3ff3c2b4..3b6ecfbc46cd 100644 --- a/.github/requirements/publish-requirements.txt +++ b/.github/requirements/publish-requirements.txt @@ -242,23 +242,23 @@ more-itertools==10.3.0 \ # via # jaraco-classes # jaraco-functools -nh3==0.2.17 \ - --hash=sha256:0316c25b76289cf23be6b66c77d3608a4fdf537b35426280032f432f14291b9a \ - --hash=sha256:1a814dd7bba1cb0aba5bcb9bebcc88fd801b63e21e2450ae6c52d3b3336bc911 \ - --hash=sha256:1aa52a7def528297f256de0844e8dd680ee279e79583c76d6fa73a978186ddfb \ - --hash=sha256:22c26e20acbb253a5bdd33d432a326d18508a910e4dcf9a3316179860d53345a \ - --hash=sha256:40015514022af31975c0b3bca4014634fa13cb5dc4dbcbc00570acc781316dcc \ - --hash=sha256:40d0741a19c3d645e54efba71cb0d8c475b59135c1e3c580f879ad5514cbf028 \ - --hash=sha256:551672fd71d06cd828e282abdb810d1be24e1abb7ae2543a8fa36a71c1006fe9 \ - --hash=sha256:66f17d78826096291bd264f260213d2b3905e3c7fae6dfc5337d49429f1dc9f3 \ - --hash=sha256:85cdbcca8ef10733bd31f931956f7fbb85145a4d11ab9e6742bbf44d88b7e351 \ - --hash=sha256:a3f55fabe29164ba6026b5ad5c3151c314d136fd67415a17660b4aaddacf1b10 \ - --hash=sha256:b4427ef0d2dfdec10b641ed0bdaf17957eb625b2ec0ea9329b3d28806c153d71 \ - --hash=sha256:ba73a2f8d3a1b966e9cdba7b211779ad8a2561d2dba9674b8a19ed817923f65f \ - --hash=sha256:c21bac1a7245cbd88c0b0e4a420221b7bfa838a2814ee5bb924e9c2f10a1120b \ - --hash=sha256:c551eb2a3876e8ff2ac63dff1585236ed5dfec5ffd82216a7a174f7c5082a78a \ - --hash=sha256:c790769152308421283679a142dbdb3d1c46c79c823008ecea8e8141db1a2062 \ - --hash=sha256:d7a25fd8c86657f5d9d576268e3b3767c5cd4f42867c9383618be8517f0f022a +nh3==0.2.18 \ + --hash=sha256:0411beb0589eacb6734f28d5497ca2ed379eafab8ad8c84b31bb5c34072b7164 \ + --hash=sha256:14c5a72e9fe82aea5fe3072116ad4661af5cf8e8ff8fc5ad3450f123e4925e86 \ + --hash=sha256:19aaba96e0f795bd0a6c56291495ff59364f4300d4a39b29a0abc9cb3774a84b \ + --hash=sha256:34c03fa78e328c691f982b7c03d4423bdfd7da69cd707fe572f544cf74ac23ad \ + --hash=sha256:36c95d4b70530b320b365659bb5034341316e6a9b30f0b25fa9c9eff4c27a204 \ + --hash=sha256:3a157ab149e591bb638a55c8c6bcb8cdb559c8b12c13a8affaba6cedfe51713a \ + --hash=sha256:42c64511469005058cd17cc1537578eac40ae9f7200bedcfd1fc1a05f4f8c200 \ + --hash=sha256:5f36b271dae35c465ef5e9090e1fdaba4a60a56f0bb0ba03e0932a66f28b9189 \ + --hash=sha256:6955369e4d9f48f41e3f238a9e60f9410645db7e07435e62c6a9ea6135a4907f \ + --hash=sha256:7b7c2a3c9eb1a827d42539aa64091640bd275b81e097cd1d8d82ef91ffa2e811 \ + --hash=sha256:8ce0f819d2f1933953fca255db2471ad58184a60508f03e6285e5114b6254844 \ + --hash=sha256:94a166927e53972a9698af9542ace4e38b9de50c34352b962f4d9a7d4c927af4 \ + --hash=sha256:a7f1b5b2c15866f2db413a3649a8fe4fd7b428ae58be2c0f6bca5eefd53ca2be \ + --hash=sha256:c8b3a1cebcba9b3669ed1a84cc65bf005728d2f0bc1ed2a6594a992e817f3a50 \ + --hash=sha256:de3ceed6e661954871d6cd78b410213bdcb136f79aafe22aa7182e028b8c7307 \ + --hash=sha256:f0eca9ca8628dbb4e916ae2491d72957fdd35f7a5d326b7032a345f111ac07fe # via readme-renderer pkginfo==1.10.0 \ --hash=sha256:5df73835398d10db79f8eecd5cd86b1f6d29317589ea70796994d49399af6297 \ From 204cba13369e280cf8a89063b8b1a5cf664d8d5c Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 00:16:23 +0000 Subject: [PATCH 783/868] Bump BoringSSL and/or OpenSSL in CI (#11219) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3dcc30758ddc..bc8efebe79e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 06, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "29696af689df734cae05181d85ee04470c3839d3"}} + # Latest commit on the OpenSSL master branch, as of Jul 09, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c215d75f94fcaa598817e739221f33b71b53fb39"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 1d3f7adc5d9f23167ea15a6660fd487f1b90426f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 8 Jul 2024 20:22:54 -0400 Subject: [PATCH 784/868] Begin migrating to declarative modules (#11159) Refs #11158 --- src/rust/src/lib.rs | 164 +++++++++++++++++++++++--------------------- 1 file changed, 87 insertions(+), 77 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index bed02d09e235..eb27632328c5 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -9,7 +9,6 @@ use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; -use pyo3::types::PyModuleMethods; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; @@ -92,87 +91,98 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { } #[pyo3::pymodule] -fn _rust(py: pyo3::Python<'_>, m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - m.add_function(pyo3::wrap_pyfunction_bound!( - padding::check_pkcs7_padding, - m - )?)?; - m.add_function(pyo3::wrap_pyfunction_bound!( - padding::check_ansix923_padding, - m - )?)?; - m.add_class::()?; - m.add_class::()?; - - m.add_submodule(&asn1::create_submodule(py)?)?; - m.add_submodule(&pkcs7::create_submodule(py)?)?; - m.add_submodule(&pkcs12::create_submodule(py)?)?; - m.add_submodule(&exceptions::create_submodule(py)?)?; - - let x509_mod = pyo3::types::PyModule::new_bound(py, "x509")?; - crate::x509::certificate::add_to_module(&x509_mod)?; - crate::x509::common::add_to_module(&x509_mod)?; - crate::x509::crl::add_to_module(&x509_mod)?; - crate::x509::csr::add_to_module(&x509_mod)?; - crate::x509::sct::add_to_module(&x509_mod)?; - crate::x509::verify::add_to_module(&x509_mod)?; - m.add_submodule(&x509_mod)?; - - let ocsp_mod = pyo3::types::PyModule::new_bound(py, "ocsp")?; - crate::x509::ocsp_req::add_to_module(&ocsp_mod)?; - crate::x509::ocsp_resp::add_to_module(&ocsp_mod)?; - m.add_submodule(&ocsp_mod)?; - - m.add_submodule(&cryptography_cffi::create_module(py)?)?; - - let openssl_mod = pyo3::types::PyModule::new_bound(py, "openssl")?; - openssl_mod.add( - "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", - cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), - )?; - openssl_mod.add( - "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER", - cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER), - )?; - - openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?; - openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?; - - cfg_if::cfg_if! { - if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { - let providers = _initialize_providers()?; - if providers.legacy.is_some() { - openssl_mod.add("_legacy_provider_loaded", true)?; - } else { - openssl_mod.add("_legacy_provider_loaded", false)?; +mod _rust { + use pyo3::types::PyModuleMethods; + + #[pymodule_export] + use crate::oid::ObjectIdentifier; + #[pymodule_export] + use crate::padding::{check_ansix923_padding, check_pkcs7_padding, PKCS7PaddingContext}; + + #[pyo3::pymodule] + mod x509 { + #[pymodule_init] + fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + crate::x509::certificate::add_to_module(x509_mod)?; + crate::x509::common::add_to_module(x509_mod)?; + crate::x509::crl::add_to_module(x509_mod)?; + crate::x509::csr::add_to_module(x509_mod)?; + crate::x509::sct::add_to_module(x509_mod)?; + crate::x509::verify::add_to_module(x509_mod)?; + + Ok(()) + } + } + + #[pyo3::pymodule] + mod ocsp { + #[pymodule_init] + fn init(ocsp_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + crate::x509::ocsp_req::add_to_module(ocsp_mod)?; + crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; + + Ok(()) + } + } + + #[pyo3::pymodule] + mod openssl { + use pyo3::prelude::PyModuleMethods; + + #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + #[pymodule_export] + use super::super::enable_fips; + #[pymodule_export] + use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; + #[pymodule_export] + use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; + + #[pymodule_init] + fn init(openssl_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_300_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + )?; + openssl_mod.add( + "CRYPTOGRAPHY_OPENSSL_320_OR_GREATER", + cfg!(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER), + )?; + + openssl_mod.add("CRYPTOGRAPHY_IS_LIBRESSL", cfg!(CRYPTOGRAPHY_IS_LIBRESSL))?; + openssl_mod.add("CRYPTOGRAPHY_IS_BORINGSSL", cfg!(CRYPTOGRAPHY_IS_BORINGSSL))?; + + cfg_if::cfg_if! { + if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + let providers = super::super::_initialize_providers()?; + if providers.legacy.is_some() { + openssl_mod.add("_legacy_provider_loaded", true)?; + } else { + openssl_mod.add("_legacy_provider_loaded", false)?; + } + openssl_mod.add("_providers", providers)?; + } else { + // default value for non-openssl 3+ + openssl_mod.add("_legacy_provider_loaded", false)?; + } } - openssl_mod.add("_providers", providers)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(enable_fips, &openssl_mod)?)?; - } else { - // default value for non-openssl 3+ - openssl_mod.add("_legacy_provider_loaded", false)?; + crate::backend::add_to_module(openssl_mod)?; + + Ok(()) } } - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(openssl_version, &openssl_mod)?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( - openssl_version_text, - &openssl_mod - )?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( - error::raise_openssl_error, - &openssl_mod - )?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!( - error::capture_error_stack, - &openssl_mod - )?)?; - openssl_mod.add_function(pyo3::wrap_pyfunction_bound!(is_fips_enabled, &openssl_mod)?)?; - openssl_mod.add_class::()?; - crate::backend::add_to_module(&openssl_mod)?; - m.add_submodule(&openssl_mod)?; - Ok(()) + #[pymodule_init] + fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { + m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; + m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; + m.add_submodule(&crate::pkcs12::create_submodule(m.py())?)?; + m.add_submodule(&crate::exceptions::create_submodule(m.py())?)?; + + m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; + + Ok(()) + } } #[cfg(test)] From 48accf36231cc1998ad395bc2de95fd77b05d201 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 00:31:03 +0000 Subject: [PATCH 785/868] Bump x509-limbo and/or wycheproof in CI (#11220) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 306ca460a02e..cc952ebeac71 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 03, 2024. - ref: "74e0b06dc4c5ee3707fa7f45ea0adb11ddb8de33" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 09, 2024. + ref: "c2cc9e19c5e9060054431cdabd64f603e4d79d6a" # x509-limbo-ref From 9913313dbe1ca9a900c3d476240979dd63335c3d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 8 Jul 2024 20:33:24 -0400 Subject: [PATCH 786/868] Migrate `exceptions` to declrative modules API (#11221) refs #11158 --- src/rust/src/exceptions.rs | 14 ++++---------- src/rust/src/lib.rs | 3 ++- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/src/rust/src/exceptions.rs b/src/rust/src/exceptions.rs index ff789105447b..91824ef0422e 100644 --- a/src/rust/src/exceptions.rs +++ b/src/rust/src/exceptions.rs @@ -2,8 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::PyModuleMethods; - #[pyo3::pyclass( frozen, eq, @@ -39,12 +37,8 @@ pyo3::import_exception_bound!(cryptography.x509, DuplicateExtension); pyo3::import_exception_bound!(cryptography.x509, UnsupportedGeneralNameType); pyo3::import_exception_bound!(cryptography.x509, InvalidVersion); -pub(crate) fn create_submodule( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "exceptions")?; - - submod.add_class::()?; - - Ok(submod) +#[pyo3::pymodule] +pub(crate) mod exceptions { + #[pymodule_export] + use super::Reasons; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index eb27632328c5..ce9c8ca4cc46 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -94,6 +94,8 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { mod _rust { use pyo3::types::PyModuleMethods; + #[pymodule_export] + use crate::exceptions::exceptions; #[pymodule_export] use crate::oid::ObjectIdentifier; #[pymodule_export] @@ -177,7 +179,6 @@ mod _rust { m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs12::create_submodule(m.py())?)?; - m.add_submodule(&crate::exceptions::create_submodule(m.py())?)?; m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; From 8c7a560df74923540271a21e84762e976e1e642e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 8 Jul 2024 20:45:00 -0400 Subject: [PATCH 787/868] Migrate `pkcs12` to declrative modules API (#11222) refs #11158 --- src/rust/src/lib.rs | 3 ++- src/rust/src/pkcs12.rs | 26 +++++++------------------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index ce9c8ca4cc46..1e5ca7eaebaa 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -100,6 +100,8 @@ mod _rust { use crate::oid::ObjectIdentifier; #[pymodule_export] use crate::padding::{check_ansix923_padding, check_pkcs7_padding, PKCS7PaddingContext}; + #[pymodule_export] + use crate::pkcs12::pkcs12; #[pyo3::pymodule] mod x509 { @@ -178,7 +180,6 @@ mod _rust { fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; - m.add_submodule(&crate::pkcs12::create_submodule(m.py())?)?; m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index cdae36138e0a..ba3c230b565f 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -9,7 +9,7 @@ use crate::padding::PKCS7PaddingContext; use crate::x509::certificate::Certificate; use crate::{types, x509}; use cryptography_x509::common::Utf8StoredBMPString; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; use pyo3::IntoPy; use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; @@ -833,24 +833,12 @@ fn load_pkcs12<'p>( .call1((private_key, cert, additional_certs))?) } -pub(crate) fn create_submodule( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "pkcs12")?; - - submod.add_function(pyo3::wrap_pyfunction_bound!( - load_key_and_certificates, - &submod - )?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!(load_pkcs12, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!( - serialize_key_and_certificates, - &submod - )?)?; - - submod.add_class::()?; - - Ok(submod) +#[pyo3::pymodule] +pub(crate) mod pkcs12 { + #[pymodule_export] + use super::{ + load_key_and_certificates, load_pkcs12, serialize_key_and_certificates, PKCS12Certificate, + }; } #[cfg(test)] From 6329ed06cfb3383c70fc287a6da6b4575ed80b87 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 07:13:53 -0400 Subject: [PATCH 788/868] Bump syn from 2.0.69 to 2.0.70 in /src/rust (#11229) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.69 to 2.0.70. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.69...2.0.70) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index e67735a85f16..99395185e792 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.69" +version = "2.0.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "201fcda3845c23e8212cd466bfebf0bd20694490fc0356ae8e428e0824a915a6" +checksum = "2f0209b68b3613b093e0ec905354eccaedcfe83b8cb37cbdeae64026c3064c16" dependencies = [ "proc-macro2", "quote", From 3c4b6de42fbca0d2b84283d115b8e76f0b7c0df6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:19:20 +0000 Subject: [PATCH 789/868] Bump target-lexicon from 0.12.14 to 0.12.15 in /src/rust (#11227) Bumps [target-lexicon](https://github.com/bytecodealliance/target-lexicon) from 0.12.14 to 0.12.15. - [Commits](https://github.com/bytecodealliance/target-lexicon/compare/v0.12.14...v0.12.15) --- updated-dependencies: - dependency-name: target-lexicon dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 99395185e792..2586a0e4ddbb 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -336,9 +336,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.14" +version = "0.12.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1fc403891a21bcfb7c37834ba66a547a8f402146eba7265b5a6d88059c9ff2f" +checksum = "4873307b7c257eddcb50c9bedf158eb669578359fb28428bef438fec8e6ba7c2" [[package]] name = "unicode-ident" From be74177c9eacf4886b16814ce044c8c0d747fbff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 9 Jul 2024 12:15:17 -0400 Subject: [PATCH 790/868] Migrate `verify` to declarative modules API (#11231) refs #11158 --- src/rust/src/lib.rs | 7 ++++++- src/rust/src/x509/verify.rs | 26 ++++++-------------------- 2 files changed, 12 insertions(+), 21 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 1e5ca7eaebaa..d5997764b9d5 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -105,6 +105,12 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::verify::{ + PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore, PyVerifiedClient, + VerificationError, + }; + #[pymodule_init] fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { crate::x509::certificate::add_to_module(x509_mod)?; @@ -112,7 +118,6 @@ mod _rust { crate::x509::crl::add_to_module(x509_mod)?; crate::x509::csr::add_to_module(x509_mod)?; crate::x509::sct::add_to_module(x509_mod)?; - crate::x509::verify::add_to_module(x509_mod)?; Ok(()) } diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs index 52f179b871c5..dbc9f18770af 100644 --- a/src/rust/src/x509/verify.rs +++ b/src/rust/src/x509/verify.rs @@ -11,7 +11,7 @@ use cryptography_x509_verification::{ trust_store::Store, types::{DNSName, IPAddress}, }; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use crate::backend::keys; use crate::error::{CryptographyError, CryptographyResult}; @@ -55,7 +55,7 @@ pyo3::create_exception!( ); #[pyo3::pyclass(frozen, module = "cryptography.x509.verification")] -struct PolicyBuilder { +pub(crate) struct PolicyBuilder { time: Option, store: Option>, max_chain_depth: Option, @@ -212,7 +212,7 @@ self_cell::self_cell!( name = "VerifiedClient", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyVerifiedClient { +pub(crate) struct PyVerifiedClient { #[pyo3(get)] subjects: pyo3::Py, #[pyo3(get)] @@ -224,7 +224,7 @@ struct PyVerifiedClient { name = "ClientVerifier", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyClientVerifier { +pub(crate) struct PyClientVerifier { policy: PyCryptoPolicy<'static>, #[pyo3(get)] store: pyo3::Py, @@ -315,7 +315,7 @@ impl PyClientVerifier { name = "ServerVerifier", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyServerVerifier { +pub(crate) struct PyServerVerifier { #[pyo3(get, name = "subject")] py_subject: pyo3::Py, policy: OwnedPolicy, @@ -448,7 +448,7 @@ self_cell::self_cell!( name = "Store", module = "cryptography.hazmat.bindings._rust.x509" )] -struct PyStore { +pub(crate) struct PyStore { raw: RawPyStore, } @@ -473,17 +473,3 @@ impl PyStore { }) } } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_class::()?; - module.add_class::()?; - module.add_class::()?; - module.add_class::()?; - module.add_class::()?; - module.add( - "VerificationError", - module.py().get_type_bound::(), - )?; - - Ok(()) -} From 55e81de228df1dd63f97fa00484fc9ae051a1b44 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 9 Jul 2024 12:16:18 -0400 Subject: [PATCH 791/868] Migrate `ocsp_req` to declrative modules API (#11230) refs #11158 --- src/rust/src/lib.rs | 4 +++- src/rust/src/x509/ocsp_req.rs | 17 ++++------------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index d5997764b9d5..11dd2362c465 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -125,9 +125,11 @@ mod _rust { #[pyo3::pymodule] mod ocsp { + #[pymodule_export] + use crate::x509::ocsp_req::{create_ocsp_request, load_der_ocsp_request, OCSPRequest}; + #[pymodule_init] fn init(ocsp_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - crate::x509::ocsp_req::add_to_module(ocsp_mod)?; crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; Ok(()) diff --git a/src/rust/src/x509/ocsp_req.rs b/src/rust/src/x509/ocsp_req.rs index d56ed0823ee9..7770fb9d6f40 100644 --- a/src/rust/src/x509/ocsp_req.rs +++ b/src/rust/src/x509/ocsp_req.rs @@ -7,7 +7,7 @@ use cryptography_x509::{ ocsp_req::{self, OCSPRequest as RawOCSPRequest}, oid, }; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid, py_uint_to_big_endian_bytes}; use crate::error::{CryptographyError, CryptographyResult}; @@ -23,7 +23,7 @@ self_cell::self_cell!( ); #[pyo3::pyfunction] -fn load_der_ocsp_request( +pub(crate) fn load_der_ocsp_request( py: pyo3::Python<'_>, data: pyo3::Py, ) -> CryptographyResult { @@ -51,7 +51,7 @@ fn load_der_ocsp_request( } #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] -struct OCSPRequest { +pub(crate) struct OCSPRequest { raw: OwnedOCSPRequest, cached_extensions: pyo3::sync::GILOnceCell, @@ -166,7 +166,7 @@ impl OCSPRequest { } #[pyo3::pyfunction] -fn create_ocsp_request( +pub(crate) fn create_ocsp_request( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, ) -> CryptographyResult { @@ -228,12 +228,3 @@ fn create_ocsp_request( let data = asn1::write_single(&ocsp_req)?; load_der_ocsp_request(py, pyo3::types::PyBytes::new_bound(py, &data).unbind()) } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!(load_der_ocsp_request, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_request, module)?)?; - - module.add_class::()?; - - Ok(()) -} From 67a52154a3f72255cd37b4b6be57b75664389090 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 9 Jul 2024 12:22:55 -0400 Subject: [PATCH 792/868] Migrate `asn1` to declrative modules API (#11224) refs #11158 --- src/rust/src/asn1.rs | 23 +++++++---------------- src/rust/src/lib.rs | 4 ++-- 2 files changed, 9 insertions(+), 18 deletions(-) diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index 8a6e86a5141f..c306104b8585 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -9,7 +9,6 @@ use cryptography_x509::name::Name; use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; use pyo3::types::PyAnyMethods; -use pyo3::types::PyModuleMethods; use pyo3::ToPyObject; use crate::error::{CryptographyError, CryptographyResult}; @@ -176,19 +175,11 @@ fn test_parse_certificate(data: &[u8]) -> Result, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "asn1")?; - submod.add_function(pyo3::wrap_pyfunction_bound!(parse_spki_for_data, &submod)?)?; - - submod.add_function(pyo3::wrap_pyfunction_bound!(decode_dss_signature, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!(encode_dss_signature, &submod)?)?; - - submod.add_function(pyo3::wrap_pyfunction_bound!( - test_parse_certificate, - &submod - )?)?; - - Ok(submod) +#[pyo3::pymodule] +#[pyo3(name = "asn1")] +pub(crate) mod asn1_mod { + #[pymodule_export] + use super::{ + decode_dss_signature, encode_dss_signature, parse_spki_for_data, test_parse_certificate, + }; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 11dd2362c465..e4285fce2b98 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -94,6 +94,8 @@ fn enable_fips(providers: &mut LoadedProviders) -> CryptographyResult<()> { mod _rust { use pyo3::types::PyModuleMethods; + #[pymodule_export] + use crate::asn1::asn1_mod; #[pymodule_export] use crate::exceptions::exceptions; #[pymodule_export] @@ -185,9 +187,7 @@ mod _rust { #[pymodule_init] fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - m.add_submodule(&crate::asn1::create_submodule(m.py())?)?; m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; - m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; Ok(()) From e80a2ab7841927747cc42a955a84ba8f30b038eb Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 00:34:11 +0000 Subject: [PATCH 793/868] Bump x509-limbo and/or wycheproof in CI (#11240) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index cc952ebeac71..10594d7b579f 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 09, 2024. - ref: "c2cc9e19c5e9060054431cdabd64f603e4d79d6a" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 10, 2024. + ref: "6e5500061c043941079d677af8e822dfed494fec" # x509-limbo-ref From 598681610fe932f2c89a53b29ca83912a5b9c771 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 19:40:40 -0500 Subject: [PATCH 794/868] Bump BoringSSL and/or OpenSSL in CI (#11238) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc8efebe79e8..ef242336eeb7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 04, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "7c2b62e93487b772990fddc1905f22d4cfaee4a4"}} - # Latest commit on the OpenSSL master branch, as of Jul 09, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "c215d75f94fcaa598817e739221f33b71b53fb39"}} + # Latest commit on the BoringSSL master branch, as of Jul 10, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8934b1ef0857bc08626a2206a6f5f718942c14fc"}} + # Latest commit on the OpenSSL master branch, as of Jul 10, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d8def79838cd0d5e7c21d217aa26edb5229f0ab4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 21a65208c8d70b46a0911f6e547a02185f7c6501 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 10:54:42 +0000 Subject: [PATCH 795/868] Bump actions/attest-build-provenance from 1.3.2 to 1.3.3 (#11241) Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.3.2 to 1.3.3. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/bdd51370e0416ac948727f861e03c2f05d32d78e...5e9cb68e95676991667494a6a4e59b8a2f13e1d0) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pypi-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index 1a6fec6c988b..f29065e0c54f 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -93,7 +93,7 @@ jobs: # Do not perform attestation for things for TestPyPI. This is because # there's nothing that would prevent a malicious PyPI from serving a # signed TestPyPI asset in place of a release intended for PyPI. - - uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2 + - uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3 with: subject-path: 'dist/**/cryptography*' if: env.TWINE_REPOSITORY == 'pypi' From 6169c6f139dd254e9ec411dd9726618fc539cad6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 06:56:12 -0400 Subject: [PATCH 796/868] Bump setuptools from 70.2.0 to 70.3.0 in /.github/requirements (#11242) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.2.0 to 70.3.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.2.0...v70.3.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 9371021df44b..ceabc93499a6 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==70.2.0 \ - --hash=sha256:b8b8060bb426838fbe942479c90296ce976249451118ef566a5a0b7d8b78fb05 \ - --hash=sha256:bd63e505105011b25c3c11f753f7e3b8465ea739efddaccef8f0efac2137bac1 +setuptools==70.3.0 \ + --hash=sha256:f171bab1dfbc86b132997f26a119f6056a57950d058587841a0082e8830f9dc5 \ + --hash=sha256:fe384da74336c398e0d956d1cae0669bc02eed936cdb1d49b57de1990dc11ffc # via -r build-requirements.in From 69429a4642f94baf0fdebd0d18f44fe010fe1f5c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:22:27 -0400 Subject: [PATCH 797/868] Migrate `ocsp_resp` to declrative modules API (#11225) refs #11158 --- src/rust/src/lib.rs | 11 ++++------- src/rust/src/x509/ocsp_resp.rs | 23 +++++------------------ 2 files changed, 9 insertions(+), 25 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index e4285fce2b98..d54779e321fc 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -129,13 +129,10 @@ mod _rust { mod ocsp { #[pymodule_export] use crate::x509::ocsp_req::{create_ocsp_request, load_der_ocsp_request, OCSPRequest}; - - #[pymodule_init] - fn init(ocsp_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - crate::x509::ocsp_resp::add_to_module(ocsp_mod)?; - - Ok(()) - } + #[pymodule_export] + use crate::x509::ocsp_resp::{ + create_ocsp_response, load_der_ocsp_response, OCSPResponse, OCSPSingleResponse, + }; } #[pyo3::pymodule] diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index 302f3b333762..955bf35a4c31 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -10,7 +10,7 @@ use cryptography_x509::{ ocsp_resp::{self, OCSPResponse as RawOCSPResponse, SingleResponse as RawSingleResponse}, oid, }; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; use crate::asn1::{big_byte_slice_to_py_int, oid_to_py_oid}; use crate::error::{CryptographyError, CryptographyResult}; @@ -20,7 +20,7 @@ use crate::{exceptions, types, x509}; const BASIC_RESPONSE_OID: asn1::ObjectIdentifier = asn1::oid!(1, 3, 6, 1, 5, 5, 7, 48, 1, 1); #[pyo3::pyfunction] -fn load_der_ocsp_response( +pub(crate) fn load_der_ocsp_response( py: pyo3::Python<'_>, data: pyo3::Py, ) -> Result { @@ -73,7 +73,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] -struct OCSPResponse { +pub(crate) struct OCSPResponse { raw: Arc, cached_extensions: pyo3::sync::GILOnceCell, @@ -687,7 +687,7 @@ fn singleresp_py_revocation_time_utc<'p>( } #[pyo3::pyfunction] -fn create_ocsp_response( +pub(crate) fn create_ocsp_response( py: pyo3::Python<'_>, status: &pyo3::Bound<'_, pyo3::PyAny>, builder: &pyo3::Bound<'_, pyo3::PyAny>, @@ -919,7 +919,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.ocsp")] -struct OCSPSingleResponse { +pub(crate) struct OCSPSingleResponse { raw: OwnedSingleResponse, } @@ -1053,16 +1053,3 @@ impl OCSPSingleResponse { singleresp_py_next_update_utc(single_resp, py) } } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - load_der_ocsp_response, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_ocsp_response, module)?)?; - - module.add_class::()?; - module.add_class::()?; - - Ok(()) -} From 721ab74912b3e1df41fed6b1014527561954f8ff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:22:52 -0400 Subject: [PATCH 798/868] Migrate `pkcs7` to declrative modules API (#11223) refs #11158 --- src/rust/src/lib.rs | 3 ++- src/rust/src/pkcs7.rs | 30 +++++++++--------------------- 2 files changed, 11 insertions(+), 22 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index d54779e321fc..f520cad4d3c1 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -104,6 +104,8 @@ mod _rust { use crate::padding::{check_ansix923_padding, check_pkcs7_padding, PKCS7PaddingContext}; #[pymodule_export] use crate::pkcs12::pkcs12; + #[pymodule_export] + use crate::pkcs7::pkcs7_mod; #[pyo3::pymodule] mod x509 { @@ -184,7 +186,6 @@ mod _rust { #[pymodule_init] fn init(m: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - m.add_submodule(&crate::pkcs7::create_submodule(m.py())?)?; m.add_submodule(&cryptography_cffi::create_module(m.py())?)?; Ok(()) diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index 86ef48cc4de4..ba6802aa8f71 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -11,7 +11,7 @@ use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use openssl::pkcs7::Pkcs7; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods, PyListMethods}; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use pyo3::IntoPy; @@ -407,26 +407,14 @@ fn load_der_pkcs7_certificates<'p>( } } -pub(crate) fn create_submodule( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let submod = pyo3::types::PyModule::new_bound(py, "pkcs7")?; - - submod.add_function(pyo3::wrap_pyfunction_bound!( - serialize_certificates, - &submod - )?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!(sign_and_serialize, &submod)?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!( - load_pem_pkcs7_certificates, - &submod - )?)?; - submod.add_function(pyo3::wrap_pyfunction_bound!( - load_der_pkcs7_certificates, - &submod - )?)?; - - Ok(submod) +#[pyo3::pymodule] +#[pyo3(name = "pkcs7")] +pub(crate) mod pkcs7_mod { + #[pymodule_export] + use super::{ + load_der_pkcs7_certificates, load_pem_pkcs7_certificates, serialize_certificates, + sign_and_serialize, + }; } #[cfg(test)] From f30c2dacab059400db3706c1a95c3cc081306b87 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:23:39 -0400 Subject: [PATCH 799/868] Migrate `sct` to declarative modules API (#11234) refs #11158 --- src/rust/src/lib.rs | 3 ++- src/rust/src/x509/sct.rs | 8 +------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index f520cad4d3c1..aad485d1afcc 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -109,6 +109,8 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::sct::Sct; #[pymodule_export] use crate::x509::verify::{ PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore, PyVerifiedClient, @@ -121,7 +123,6 @@ mod _rust { crate::x509::common::add_to_module(x509_mod)?; crate::x509::crl::add_to_module(x509_mod)?; crate::x509::csr::add_to_module(x509_mod)?; - crate::x509::sct::add_to_module(x509_mod)?; Ok(()) } diff --git a/src/rust/src/x509/sct.rs b/src/rust/src/x509/sct.rs index 54315cdcc412..78985af4dfc0 100644 --- a/src/rust/src/x509/sct.rs +++ b/src/rust/src/x509/sct.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods, PyListMethods}; use pyo3::ToPyObject; use crate::error::CryptographyError; @@ -259,12 +259,6 @@ pub(crate) fn parse_scts( Ok(py_scts.to_object(py)) } -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_class::()?; - - Ok(()) -} - #[cfg(test)] mod tests { use super::*; From d67998f125d33d7d409f5a5a8a5db03566b4ec1e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:23:55 -0400 Subject: [PATCH 800/868] Remove no longer required dead_code annotations (#11239) The code is not dead --- src/rust/src/pkcs12.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index ba3c230b565f..88b5cea1c8ef 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -234,9 +234,7 @@ impl EncryptionAlgorithm { } } -#[allow(dead_code)] const KDF_ENCRYPTION_KEY_ID: u8 = 1; -#[allow(dead_code)] const KDF_IV_ID: u8 = 2; const KDF_MAC_KEY_ID: u8 = 3; From ccae9efeace2afaf484185689662162e3270cabf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 10:25:30 -0400 Subject: [PATCH 801/868] Migrate `keys` to declarative modules API (#11236) refs #11158 --- src/rust/src/backend/keys.rs | 18 ++++++------------ src/rust/src/backend/mod.rs | 1 - src/rust/src/lib.rs | 2 ++ 3 files changed, 8 insertions(+), 13 deletions(-) diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index 649bea38cbeb..c16ff8628c2c 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -2,7 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::PyModuleMethods; use pyo3::IntoPy; use crate::backend::utils; @@ -221,17 +220,12 @@ fn public_key_from_pkey( } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "keys")?; - - m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(load_der_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(load_der_public_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(load_pem_public_key, &m)?)?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod keys { + #[pymodule_export] + use super::{ + load_der_private_key, load_der_public_key, load_pem_private_key, load_pem_public_key, + }; } #[cfg(test)] diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 1f703485b970..5a035ed2c8be 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -32,7 +32,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&dh::create_module(module.py())?)?; module.add_submodule(&dsa::create_module(module.py())?)?; module.add_submodule(&ec::create_module(module.py())?)?; - module.add_submodule(&keys::create_module(module.py())?)?; module.add_submodule(&ed25519::create_module(module.py())?)?; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index aad485d1afcc..a3f24fac429a 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -148,6 +148,8 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::keys::keys; + #[pymodule_export] use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; #[pymodule_init] From 1ed43fd1b5c115b0ee3578f74668e40bc73b5338 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 11:02:00 -0500 Subject: [PATCH 802/868] move hashes, hmac, and kdf to declarative (#11244) * move hashes, hmac, and kdf to declarative * libre fix * unneeded pub --- src/rust/src/backend/hashes.rs | 13 +++++-------- src/rust/src/backend/hmac.rs | 13 +++++-------- src/rust/src/backend/kdf.rs | 16 ++++++---------- src/rust/src/backend/mod.rs | 3 --- src/rust/src/lib.rs | 6 ++++++ 5 files changed, 22 insertions(+), 29 deletions(-) diff --git a/src/rust/src/backend/hashes.rs b/src/rust/src/backend/hashes.rs index 4b33e024fc27..4226b4b7dbb9 100644 --- a/src/rust/src/backend/hashes.rs +++ b/src/rust/src/backend/hashes.rs @@ -2,7 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; use pyo3::IntoPy; use std::borrow::Cow; @@ -138,11 +138,8 @@ impl Hash { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "hashes")?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod hashes { + #[pymodule_export] + use super::Hash; } diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs index 4488753b91e0..d70d499565a4 100644 --- a/src/rust/src/backend/hmac.rs +++ b/src/rust/src/backend/hmac.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::{already_finalized_error, message_digest_from_algori use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::PyBytesMethods; #[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.hmac", @@ -106,11 +106,8 @@ impl Hmac { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "hmac")?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod hmac { + #[pymodule_export] + use super::Hmac; } diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs index d8c3858a6331..8c6a151a17d0 100644 --- a/src/rust/src/backend/kdf.rs +++ b/src/rust/src/backend/kdf.rs @@ -5,7 +5,6 @@ use crate::backend::hashes; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::types::PyModuleMethods; #[pyo3::pyfunction] pub(crate) fn derive_pbkdf2_hmac<'p>( @@ -49,14 +48,11 @@ fn derive_scrypt<'p>( })?) } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "kdf")?; - - m.add_function(pyo3::wrap_pyfunction_bound!(derive_pbkdf2_hmac, &m)?)?; +#[pyo3::pymodule] +pub(crate) mod kdf { + #[pymodule_export] + use super::derive_pbkdf2_hmac; #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] - m.add_function(pyo3::wrap_pyfunction_bound!(derive_scrypt, &m)?)?; - - Ok(m) + #[pymodule_export] + use super::derive_scrypt; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 5a035ed2c8be..ea1e5f07f72b 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -43,9 +43,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&poly1305::create_module(module.py())?)?; - module.add_submodule(&hashes::create_module(module.py())?)?; - module.add_submodule(&hmac::create_module(module.py())?)?; - module.add_submodule(&kdf::create_module(module.py())?)?; module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index a3f24fac429a..e40331887ef2 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -148,6 +148,12 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::hashes::hashes; + #[pymodule_export] + use crate::backend::hmac::hmac; + #[pymodule_export] + use crate::backend::kdf::kdf; + #[pymodule_export] use crate::backend::keys::keys; #[pymodule_export] use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; From 7611404c510bf60f1a05878ade021a1f5ce5457e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 12:34:55 -0500 Subject: [PATCH 803/868] migrate poly1305, x448/25519, ed448/25519 to declarative (#11245) --- src/rust/src/backend/ed25519.rs | 19 ++++++------------- src/rust/src/backend/ed448.rs | 19 ++++++------------- src/rust/src/backend/mod.rs | 10 ---------- src/rust/src/backend/poly1305.rs | 14 +++++--------- src/rust/src/backend/x25519.rs | 19 ++++++------------- src/rust/src/backend/x448.rs | 19 ++++++------------- src/rust/src/lib.rs | 12 ++++++++++++ 7 files changed, 41 insertions(+), 71 deletions(-) diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs index ab800d637af8..3460640a1a53 100644 --- a/src/rust/src/backend/ed25519.rs +++ b/src/rust/src/backend/ed25519.rs @@ -6,7 +6,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed25519")] pub(crate) struct Ed25519PrivateKey { @@ -160,16 +159,10 @@ impl Ed25519PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ed25519")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ed25519 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, Ed25519PrivateKey, Ed25519PublicKey, + }; } diff --git a/src/rust/src/backend/ed448.rs b/src/rust/src/backend/ed448.rs index 27b716ee5f2e..d27f6b361df3 100644 --- a/src/rust/src/backend/ed448.rs +++ b/src/rust/src/backend/ed448.rs @@ -6,7 +6,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.ed448")] pub(crate) struct Ed448PrivateKey { @@ -157,16 +156,10 @@ impl Ed448PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ed448")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ed448 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, Ed448PrivateKey, Ed448PublicKey, + }; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index ea1e5f07f72b..4ee5f6bee124 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -33,16 +33,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&dsa::create_module(module.py())?)?; module.add_submodule(&ec::create_module(module.py())?)?; - module.add_submodule(&ed25519::create_module(module.py())?)?; - #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(&ed448::create_module(module.py())?)?; - - module.add_submodule(&x25519::create_module(module.py())?)?; - #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] - module.add_submodule(&x448::create_module(module.py())?)?; - - module.add_submodule(&poly1305::create_module(module.py())?)?; - module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs index 4d07985407af..e998a43aaff6 100644 --- a/src/rust/src/backend/poly1305.rs +++ b/src/rust/src/backend/poly1305.rs @@ -6,7 +6,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; -use pyo3::types::{PyBytesMethods, PyModuleMethods}; +use pyo3::types::PyBytesMethods; #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL))] struct Poly1305Boring { @@ -165,12 +165,8 @@ impl Poly1305 { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "poly1305")?; - - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod poly1305 { + #[pymodule_export] + use super::Poly1305; } diff --git a/src/rust/src/backend/x25519.rs b/src/rust/src/backend/x25519.rs index 9e22c0ab998d..84f355f49787 100644 --- a/src/rust/src/backend/x25519.rs +++ b/src/rust/src/backend/x25519.rs @@ -5,7 +5,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x25519")] pub(crate) struct X25519PrivateKey { @@ -150,16 +149,10 @@ impl X25519PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "x25519")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod x25519 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, X25519PrivateKey, X25519PublicKey, + }; } diff --git a/src/rust/src/backend/x448.rs b/src/rust/src/backend/x448.rs index 4b88035d3226..0e9aa1c99194 100644 --- a/src/rust/src/backend/x448.rs +++ b/src/rust/src/backend/x448.rs @@ -5,7 +5,6 @@ use crate::backend::utils; use crate::buf::CffiBuf; use crate::error::CryptographyResult; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.openssl.x448")] pub(crate) struct X448PrivateKey { @@ -149,16 +148,10 @@ impl X448PublicKey { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "x448")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_private_bytes, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod x448 { + #[pymodule_export] + use super::{ + from_private_bytes, from_public_bytes, generate_key, X448PrivateKey, X448PublicKey, + }; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index e40331887ef2..738c27f79c58 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -148,6 +148,11 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::ed25519::ed25519; + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + #[pymodule_export] + use crate::backend::ed448::ed448; + #[pymodule_export] use crate::backend::hashes::hashes; #[pymodule_export] use crate::backend::hmac::hmac; @@ -156,6 +161,13 @@ mod _rust { #[pymodule_export] use crate::backend::keys::keys; #[pymodule_export] + use crate::backend::poly1305::poly1305; + #[pymodule_export] + use crate::backend::x25519::x25519; + #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] + #[pymodule_export] + use crate::backend::x448::x448; + #[pymodule_export] use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; #[pymodule_init] From c2cde15cde770e59f71e09429d9e34e597ea617b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 12:36:09 -0500 Subject: [PATCH 804/868] move x509 common/crl/csr to declarative (#11246) --- src/rust/src/lib.rs | 14 +++++++++++--- src/rust/src/x509/common.rs | 16 +++------------- src/rust/src/x509/crl.rs | 23 ++++++----------------- src/rust/src/x509/csr.rs | 20 +++++--------------- 4 files changed, 25 insertions(+), 48 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 738c27f79c58..3f9568126f54 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -109,6 +109,17 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::common::{encode_extension_value, encode_name_bytes}; + #[pymodule_export] + use crate::x509::crl::{ + create_x509_crl, load_der_x509_crl, load_pem_x509_crl, CertificateRevocationList, + RevokedCertificate, + }; + #[pymodule_export] + use crate::x509::csr::{ + create_x509_csr, load_der_x509_csr, load_pem_x509_csr, CertificateSigningRequest, + }; #[pymodule_export] use crate::x509::sct::Sct; #[pymodule_export] @@ -120,9 +131,6 @@ mod _rust { #[pymodule_init] fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { crate::x509::certificate::add_to_module(x509_mod)?; - crate::x509::common::add_to_module(x509_mod)?; - crate::x509::crl::add_to_module(x509_mod)?; - crate::x509::csr::add_to_module(x509_mod)?; Ok(()) } diff --git a/src/rust/src/x509/common.rs b/src/rust/src/x509/common.rs index 98d4b2e71bfb..cdb53a7b6553 100644 --- a/src/rust/src/x509/common.rs +++ b/src/rust/src/x509/common.rs @@ -8,7 +8,7 @@ use cryptography_x509::extensions::{ }; use cryptography_x509::name::{GeneralName, Name, NameReadable, OtherName, UnvalidatedIA5String}; use pyo3::types::IntoPyDict; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{oid_to_py_oid, py_oid_to_oid}; @@ -89,7 +89,7 @@ pub(crate) fn encode_name_entry<'p>( } #[pyo3::pyfunction] -fn encode_name_bytes<'p>( +pub(crate) fn encode_name_bytes<'p>( py: pyo3::Python<'p>, py_name: &pyo3::Bound<'p, pyo3::PyAny>, ) -> CryptographyResult> { @@ -458,7 +458,7 @@ pub(crate) fn encode_extensions< } #[pyo3::pyfunction] -fn encode_extension_value<'p>( +pub(crate) fn encode_extension_value<'p>( py: pyo3::Python<'p>, py_ext: pyo3::Bound<'p, pyo3::PyAny>, ) -> pyo3::PyResult> { @@ -540,13 +540,3 @@ pub(crate) fn datetime_now(py: pyo3::Python<'_>) -> pyo3::PyResult) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - encode_extension_value, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(encode_name_bytes, module)?)?; - - Ok(()) -} diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index c4d683ba1c1b..58c22408557b 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -13,7 +13,7 @@ use cryptography_x509::{ }, name, oid, }; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods, PySliceMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods, PySliceMethods}; use pyo3::ToPyObject; use crate::asn1::{ @@ -26,7 +26,7 @@ use crate::{exceptions, types, x509}; #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_der_x509_crl( +pub(crate) fn load_der_x509_crl( py: pyo3::Python<'_>, data: pyo3::Py, backend: Option>, @@ -56,7 +56,7 @@ fn load_der_x509_crl( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_pem_x509_crl( +pub(crate) fn load_pem_x509_crl( py: pyo3::Python<'_>, data: &[u8], backend: Option>, @@ -84,7 +84,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] -struct CertificateRevocationList { +pub(crate) struct CertificateRevocationList { owned: Arc, revoked_certs: pyo3::sync::GILOnceCell>, @@ -535,7 +535,7 @@ impl Clone for OwnedRevokedCertificate { } #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] -struct RevokedCertificate { +pub(crate) struct RevokedCertificate { owned: OwnedRevokedCertificate, cached_extensions: pyo3::sync::GILOnceCell, } @@ -643,7 +643,7 @@ pub fn parse_crl_entry_ext<'p>( } #[pyo3::pyfunction] -fn create_x509_crl( +pub(crate) fn create_x509_crl( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, private_key: &pyo3::Bound<'_, pyo3::PyAny>, @@ -729,14 +729,3 @@ fn create_x509_crl( None, ) } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_crl, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_crl, module)?)?; - - module.add_class::()?; - module.add_class::()?; - - Ok(()) -} diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs index 61d0809d404d..9d4f81958c51 100644 --- a/src/rust/src/x509/csr.rs +++ b/src/rust/src/x509/csr.rs @@ -8,7 +8,7 @@ use std::hash::{Hash, Hasher}; use asn1::SimpleAsn1Readable; use cryptography_x509::csr::{check_attribute_length, Attribute, CertificationRequestInfo, Csr}; use cryptography_x509::{common, oid}; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use pyo3::IntoPy; use crate::asn1::{encode_der_data, oid_to_py_oid, py_oid_to_oid}; @@ -27,7 +27,7 @@ self_cell::self_cell!( ); #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.x509")] -struct CertificateSigningRequest { +pub(crate) struct CertificateSigningRequest { raw: OwnedCsr, cached_extensions: pyo3::sync::GILOnceCell, } @@ -237,7 +237,7 @@ impl CertificateSigningRequest { #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_pem_x509_csr( +pub(crate) fn load_pem_x509_csr( py: pyo3::Python<'_>, data: &[u8], backend: Option>, @@ -260,7 +260,7 @@ fn load_pem_x509_csr( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_der_x509_csr( +pub(crate) fn load_der_x509_csr( py: pyo3::Python<'_>, data: pyo3::Py, backend: Option>, @@ -286,7 +286,7 @@ fn load_der_x509_csr( } #[pyo3::pyfunction] -fn create_x509_csr( +pub(crate) fn create_x509_csr( py: pyo3::Python<'_>, builder: &pyo3::Bound<'_, pyo3::PyAny>, private_key: &pyo3::Bound<'_, pyo3::PyAny>, @@ -391,13 +391,3 @@ fn create_x509_csr( None, ) } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!(load_der_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(load_pem_x509_csr, module)?)?; - module.add_function(pyo3::wrap_pyfunction_bound!(create_x509_csr, module)?)?; - - module.add_class::()?; - - Ok(()) -} From 6f09c973d9cad0dd897c34045fbf88168ea29717 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 12:46:55 -0500 Subject: [PATCH 805/868] migrate dh, dsa, and ec to declarative (#11247) --- src/rust/src/backend/dh.rs | 25 ++++++++----------------- src/rust/src/backend/dsa.rs | 22 +++++++--------------- src/rust/src/backend/ec.rs | 24 ++++++++---------------- src/rust/src/backend/mod.rs | 3 --- src/rust/src/lib.rs | 6 ++++++ 5 files changed, 29 insertions(+), 51 deletions(-) diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index e615d623ffa3..883277e35017 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -8,7 +8,7 @@ use crate::asn1::encode_der_data; use crate::backend::utils; use crate::error::{CryptographyError, CryptographyResult}; use crate::{types, x509}; -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; const MIN_MODULUS_SIZE: u32 = 512; @@ -554,20 +554,11 @@ impl DHParameterNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "dh")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_der_parameters, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_pem_parameters, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod dh { + #[pymodule_export] + use super::{ + from_der_parameters, from_pem_parameters, generate_parameters, DHParameterNumbers, + DHParameters, DHPrivateKey, DHPrivateNumbers, DHPublicKey, DHPublicNumbers, + }; } diff --git a/src/rust/src/backend/dsa.rs b/src/rust/src/backend/dsa.rs index d0218d45ba98..f46cb2860d33 100644 --- a/src/rust/src/backend/dsa.rs +++ b/src/rust/src/backend/dsa.rs @@ -7,7 +7,6 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use pyo3::types::PyAnyMethods; -use pyo3::types::PyModuleMethods; #[pyo3::pyclass( frozen, @@ -499,18 +498,11 @@ impl DsaParameterNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "dsa")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_parameters, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod dsa { + #[pymodule_export] + use super::{ + generate_parameters, DsaParameterNumbers, DsaParameters, DsaPrivateKey, DsaPrivateNumbers, + DsaPublicKey, DsaPublicNumbers, + }; } diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index 6410add35cbe..15735458d3a1 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -5,7 +5,7 @@ use std::collections::hash_map::DefaultHasher; use std::hash::{Hash, Hasher}; -use pyo3::types::{PyAnyMethods, PyDictMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyDictMethods}; use crate::backend::utils; use crate::buf::CffiBuf; @@ -670,19 +670,11 @@ impl EllipticCurvePublicNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ec")?; - m.add_function(pyo3::wrap_pyfunction_bound!(curve_supported, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(derive_private_key, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(from_public_bytes, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ec { + #[pymodule_export] + use super::{ + curve_supported, derive_private_key, from_public_bytes, generate_private_key, ECPrivateKey, + ECPublicKey, EllipticCurvePrivateNumbers, EllipticCurvePublicNumbers, + }; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 4ee5f6bee124..0a36c4c70192 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -29,9 +29,6 @@ pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> module.add_submodule(&aead::create_module(module.py())?)?; module.add_submodule(&ciphers::create_module(module.py())?)?; module.add_submodule(&cmac::create_module(module.py())?)?; - module.add_submodule(&dh::create_module(module.py())?)?; - module.add_submodule(&dsa::create_module(module.py())?)?; - module.add_submodule(&ec::create_module(module.py())?)?; module.add_submodule(&rsa::create_module(module.py())?)?; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 3f9568126f54..dbf497aa73a0 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -156,6 +156,12 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::dh::dh; + #[pymodule_export] + use crate::backend::dsa::dsa; + #[pymodule_export] + use crate::backend::ec::ec; + #[pymodule_export] use crate::backend::ed25519::ed25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] #[pymodule_export] From 56bab5e8f85add4ca278142b582b6b1dbaf9c876 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 10 Jul 2024 13:47:45 -0500 Subject: [PATCH 806/868] migrate aead, ciphers, and cmac to declarative (#11248) --- src/rust/src/backend/aead.rs | 19 +++++-------------- src/rust/src/backend/ciphers.rs | 25 ++++++++----------------- src/rust/src/backend/cmac.rs | 14 +++++--------- src/rust/src/backend/mod.rs | 4 ---- src/rust/src/lib.rs | 6 ++++++ 5 files changed, 24 insertions(+), 44 deletions(-) diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 34be02f5efce..d67bae78b9ba 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -5,7 +5,7 @@ use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; fn check_length(data: &[u8]) -> CryptographyResult<()> { if data.len() > (i32::MAX as usize) { @@ -1153,17 +1153,8 @@ impl AesGcmSiv { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "aead")?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod aead { + #[pymodule_export] + use super::{AesCcm, AesGcm, AesGcmSiv, AesOcb3, AesSiv, ChaCha20Poly1305}; } diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs index 14ac3d13c758..b1a2c2474a0b 100644 --- a/src/rust/src/backend/ciphers.rs +++ b/src/rust/src/backend/ciphers.rs @@ -7,7 +7,7 @@ use crate::buf::{CffiBuf, CffiMutBuf}; use crate::error::{CryptographyError, CryptographyResult}; use crate::exceptions; use crate::types; -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; use pyo3::IntoPy; pub(crate) struct CipherContext { @@ -604,20 +604,11 @@ fn _advance_aad(ctx: pyo3::Bound<'_, pyo3::PyAny>, n: u64) { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "ciphers")?; - m.add_function(pyo3::wrap_pyfunction_bound!(create_encryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(create_decryption_ctx, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(cipher_supported, &m)?)?; - - m.add_function(pyo3::wrap_pyfunction_bound!(_advance, &m)?)?; - m.add_function(pyo3::wrap_pyfunction_bound!(_advance_aad, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod ciphers { + #[pymodule_export] + use super::{ + _advance, _advance_aad, cipher_supported, create_decryption_ctx, create_encryption_ctx, + PyAEADDecryptionContext, PyAEADEncryptionContext, PyCipherContext, + }; } diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs index dd30be2bec68..6a8737964643 100644 --- a/src/rust/src/backend/cmac.rs +++ b/src/rust/src/backend/cmac.rs @@ -7,7 +7,7 @@ use crate::backend::hashes::already_finalized_error; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::types::{PyAnyMethods, PyBytesMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyBytesMethods}; #[pyo3::pyclass( module = "cryptography.hazmat.bindings._rust.openssl.cmac", @@ -100,12 +100,8 @@ impl Cmac { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "cmac")?; - - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod cmac { + #[pymodule_export] + use super::Cmac; } diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 0a36c4c70192..3cbf2e3b99b6 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -26,10 +26,6 @@ pub(crate) mod x25519; pub(crate) mod x448; pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_submodule(&aead::create_module(module.py())?)?; - module.add_submodule(&ciphers::create_module(module.py())?)?; - module.add_submodule(&cmac::create_module(module.py())?)?; - module.add_submodule(&rsa::create_module(module.py())?)?; Ok(()) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index dbf497aa73a0..766c9ed0d8e9 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -156,6 +156,12 @@ mod _rust { #[pymodule_export] use super::super::{is_fips_enabled, openssl_version, openssl_version_text}; #[pymodule_export] + use crate::backend::aead::aead; + #[pymodule_export] + use crate::backend::ciphers::ciphers; + #[pymodule_export] + use crate::backend::cmac::cmac; + #[pymodule_export] use crate::backend::dh::dh; #[pymodule_export] use crate::backend::dsa::dsa; From 0c2467a7d66f830a54b8d3435dc8b2d44c6b63be Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 18:31:41 -0400 Subject: [PATCH 807/868] Migrate `rsa` to declarative modules API (#11235) refs #11158 --- src/rust/src/backend/mod.rs | 8 -------- src/rust/src/backend/rsa.rs | 20 +++++++------------- src/rust/src/lib.rs | 4 ++-- 3 files changed, 9 insertions(+), 23 deletions(-) diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs index 3cbf2e3b99b6..a447565d7229 100644 --- a/src/rust/src/backend/mod.rs +++ b/src/rust/src/backend/mod.rs @@ -2,8 +2,6 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use pyo3::types::PyModuleMethods; - pub(crate) mod aead; pub(crate) mod cipher_registry; pub(crate) mod ciphers; @@ -24,9 +22,3 @@ pub(crate) mod utils; pub(crate) mod x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] pub(crate) mod x448; - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_submodule(&rsa::create_module(module.py())?)?; - - Ok(()) -} diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs index 6636ab695a7c..3c01e74219fb 100644 --- a/src/rust/src/backend/rsa.rs +++ b/src/rust/src/backend/rsa.rs @@ -9,7 +9,7 @@ use crate::backend::{hashes, utils}; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; use crate::{exceptions, types}; -use pyo3::types::{PyAnyMethods, PyModuleMethods}; +use pyo3::types::PyAnyMethods; #[pyo3::pyclass( frozen, @@ -814,16 +814,10 @@ impl RsaPublicNumbers { } } -pub(crate) fn create_module( - py: pyo3::Python<'_>, -) -> pyo3::PyResult> { - let m = pyo3::types::PyModule::new_bound(py, "rsa")?; - m.add_function(pyo3::wrap_pyfunction_bound!(generate_private_key, &m)?)?; - - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - m.add_class::()?; - - Ok(m) +#[pyo3::pymodule] +pub(crate) mod rsa { + #[pymodule_export] + use super::{ + generate_private_key, RsaPrivateKey, RsaPrivateNumbers, RsaPublicKey, RsaPublicNumbers, + }; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 766c9ed0d8e9..653df62705b9 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -183,6 +183,8 @@ mod _rust { #[pymodule_export] use crate::backend::poly1305::poly1305; #[pymodule_export] + use crate::backend::rsa::rsa; + #[pymodule_export] use crate::backend::x25519::x25519; #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))] #[pymodule_export] @@ -219,8 +221,6 @@ mod _rust { } } - crate::backend::add_to_module(openssl_mod)?; - Ok(()) } } From d3eda718f1fc9fc5510bfb80127f7f2649cbfea2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 10 Jul 2024 18:32:49 -0400 Subject: [PATCH 808/868] Migrate `certificate` to declarative modules API (#11237) refs #11158 --- src/rust/src/lib.rs | 12 +++++------- src/rust/src/x509/certificate.rs | 31 ++++--------------------------- 2 files changed, 9 insertions(+), 34 deletions(-) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 653df62705b9..8f6ecc053fe5 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -109,6 +109,11 @@ mod _rust { #[pyo3::pymodule] mod x509 { + #[pymodule_export] + use crate::x509::certificate::{ + create_x509_certificate, load_der_x509_certificate, load_pem_x509_certificate, + load_pem_x509_certificates, Certificate, + }; #[pymodule_export] use crate::x509::common::{encode_extension_value, encode_name_bytes}; #[pymodule_export] @@ -127,13 +132,6 @@ mod _rust { PolicyBuilder, PyClientVerifier, PyServerVerifier, PyStore, PyVerifiedClient, VerificationError, }; - - #[pymodule_init] - fn init(x509_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - crate::x509::certificate::add_to_module(x509_mod)?; - - Ok(()) - } } #[pyo3::pymodule] diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs index 2fb5d5af272e..810d7aa991c6 100644 --- a/src/rust/src/x509/certificate.rs +++ b/src/rust/src/x509/certificate.rs @@ -17,7 +17,7 @@ use cryptography_x509::extensions::{ use cryptography_x509::extensions::{Extension, SubjectAlternativeName}; use cryptography_x509::{common, oid}; use cryptography_x509_verification::ops::CryptoOps; -use pyo3::types::{PyAnyMethods, PyListMethods, PyModuleMethods}; +use pyo3::types::{PyAnyMethods, PyListMethods}; use pyo3::{IntoPy, ToPyObject}; use crate::asn1::{ @@ -366,7 +366,7 @@ fn cert_version( #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] -fn load_pem_x509_certificate( +pub(crate) fn load_pem_x509_certificate( py: pyo3::Python<'_>, data: &[u8], backend: Option>, @@ -388,7 +388,7 @@ fn load_pem_x509_certificate( } #[pyo3::pyfunction] -fn load_pem_x509_certificates( +pub(crate) fn load_pem_x509_certificates( py: pyo3::Python<'_>, data: &[u8], ) -> CryptographyResult> { @@ -886,7 +886,7 @@ pub(crate) fn time_from_datetime(dt: asn1::DateTime) -> CryptographyResult, builder: &pyo3::Bound<'_, pyo3::PyAny>, private_key: &pyo3::Bound<'_, pyo3::PyAny>, @@ -975,26 +975,3 @@ pub(crate) fn set_bit(vals: &mut [u8], n: usize, set: bool) { vals[idx] |= v; } } - -pub(crate) fn add_to_module(module: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { - module.add_function(pyo3::wrap_pyfunction_bound!( - load_der_x509_certificate, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!( - load_pem_x509_certificate, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!( - load_pem_x509_certificates, - module - )?)?; - module.add_function(pyo3::wrap_pyfunction_bound!( - create_x509_certificate, - module - )?)?; - - module.add_class::()?; - - Ok(()) -} From 869f9bb268277abaa18a9d7e67d0da026188178e Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 00:16:16 +0000 Subject: [PATCH 809/868] Bump BoringSSL and/or OpenSSL in CI (#11250) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ef242336eeb7..ad24081ce8c1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 10, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "8934b1ef0857bc08626a2206a6f5f718942c14fc"}} - # Latest commit on the OpenSSL master branch, as of Jul 10, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "d8def79838cd0d5e7c21d217aa26edb5229f0ab4"}} + # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} + # Latest commit on the OpenSSL master branch, as of Jul 11, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06da14737369e7c90899aed4bb21cce9a0910d29"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 11a711afd45f2e54cdc0abe39b71105cba74cb07 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 11:10:35 +0000 Subject: [PATCH 810/868] Bump actions/setup-python from 5.1.0 to 5.1.1 (#11251) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/82c7e631bb3cdc910f68e0081d67478d79c6982d...39cd14951b08e74b54015e9e001cdefcf80e669f) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/benchmark.yml | 2 +- .github/workflows/ci.yml | 10 +++++----- .github/workflows/linkcheck.yml | 2 +- .github/workflows/pypi-publish.yml | 2 +- .github/workflows/wheel-builder.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index f1b963c366b2..798a782824ad 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -43,7 +43,7 @@ jobs: - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad24081ce8c1..00d11006b4b6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,7 +60,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -240,7 +240,7 @@ jobs: key: ${{ matrix.PYTHON.NOXSESSION }}-${{ matrix.PYTHON.VERSION }} - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} cache: pip @@ -299,7 +299,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} @@ -375,7 +375,7 @@ jobs: uses: ./.github/actions/cache timeout-minutes: 2 - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON }} cache: pip @@ -421,7 +421,7 @@ jobs: jobs: ${{ toJSON(needs) }} - name: Setup python if: ${{ always() }} - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: '3.12' cache: pip diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml index d33ee2097787..c8fa98b0ade9 100644 --- a/.github/workflows/linkcheck.yml +++ b/.github/workflows/linkcheck.yml @@ -25,7 +25,7 @@ jobs: persist-credentials: false - name: Setup python id: setup-python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.11 - name: Cache rust and pip diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml index f29065e0c54f..58313276fdd2 100644 --- a/.github/workflows/pypi-publish.yml +++ b/.github/workflows/pypi-publish.yml @@ -35,7 +35,7 @@ jobs: - run: echo "$EVENT_CONTEXT" env: EVENT_CONTEXT: ${{ toJson(github.event) }} - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: "3.11" - name: Get publish-requirements.txt from repository diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml index 4366432495ce..74702bf9282f 100644 --- a/.github/workflows/wheel-builder.yml +++ b/.github/workflows/wheel-builder.yml @@ -218,7 +218,7 @@ jobs: PYTHON_DOWNLOAD_URL: ${{ matrix.PYTHON.DOWNLOAD_URL }} if: contains(matrix.PYTHON.VERSION, 'pypy') == false - name: Setup pypy - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} if: contains(matrix.PYTHON.VERSION, 'pypy') @@ -313,7 +313,7 @@ jobs: name: cryptography-sdist - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: ${{ matrix.PYTHON.VERSION }} architecture: ${{ matrix.WINDOWS.ARCH }} From 49158c360e25417b6bd4775ee3d1fb119e44c5df Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 00:15:51 +0000 Subject: [PATCH 811/868] Bump BoringSSL and/or OpenSSL in CI (#11252) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 00d11006b4b6..f039407f198a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 11, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "06da14737369e7c90899aed4bb21cce9a0910d29"}} + # Latest commit on the OpenSSL master branch, as of Jul 12, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ad33d62396b7e9db04fdf060481ced394d391688"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a2e87986412ac959386d59f37d81fcf1704e4a06 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 07:11:07 -0400 Subject: [PATCH 812/868] Bump coverage from 7.5.4 to 7.6.0 (#11254) Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.5.4 to 7.6.0. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.5.4...7.6.0) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index faee77b4d774..4ecb883c045f 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -25,7 +25,7 @@ click==8.1.7 # via cryptography (pyproject.toml) colorlog==6.8.2 # via nox -coverage==7.5.4; python_version >= "3.8" +coverage==7.6.0; python_version >= "3.8" # via # coverage # pytest-cov From 48dd1d3ba3103d077b845ce16c65b664f8121613 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 00:15:35 +0000 Subject: [PATCH 813/868] Bump BoringSSL and/or OpenSSL in CI (#11255) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f039407f198a..db42ece2733b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 12, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "ad33d62396b7e9db04fdf060481ced394d391688"}} + # Latest commit on the OpenSSL master branch, as of Jul 13, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e8c7febc8f1b0ef9e5b62b0944748d2830b1a0b4"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From e5d0789faf90fa1aeb60c291c459383bcece21bc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 12:13:49 +0000 Subject: [PATCH 814/868] Bump exceptiongroup from 1.2.1 to 1.2.2 (#11257) Bumps [exceptiongroup](https://github.com/agronholm/exceptiongroup) from 1.2.1 to 1.2.2. - [Release notes](https://github.com/agronholm/exceptiongroup/releases) - [Changelog](https://github.com/agronholm/exceptiongroup/blob/main/CHANGES.rst) - [Commits](https://github.com/agronholm/exceptiongroup/compare/1.2.1...1.2.2) --- updated-dependencies: - dependency-name: exceptiongroup dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 4ecb883c045f..c074b3b49d7d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -36,7 +36,7 @@ docutils==0.20.1 # readme-renderer # sphinx # sphinx-rtd-theme -exceptiongroup==1.2.1 +exceptiongroup==1.2.2 # via pytest execnet==2.1.1; python_version >= "3.8" # via pytest-xdist From 0f8c05a0c8815f0a18c812f0f10b8592459387bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 12:17:22 +0000 Subject: [PATCH 815/868] Bump syn from 2.0.70 to 2.0.71 in /src/rust (#11258) Bumps [syn](https://github.com/dtolnay/syn) from 2.0.70 to 2.0.71. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](https://github.com/dtolnay/syn/compare/2.0.70...2.0.71) --- updated-dependencies: - dependency-name: syn dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 2586a0e4ddbb..fb2d190de7b9 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -325,9 +325,9 @@ checksum = "d369a96f978623eb3dc28807c4852d6cc617fed53da5d3c400feff1ef34a714a" [[package]] name = "syn" -version = "2.0.70" +version = "2.0.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f0209b68b3613b093e0ec905354eccaedcfe83b8cb37cbdeae64026c3064c16" +checksum = "b146dcf730474b4bcd16c311627b31ede9ab149045db4d6088b3becaea046462" dependencies = [ "proc-macro2", "quote", From 61d0b6741030881d7753f6cbd98d3a5d50cce836 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:49:04 -0400 Subject: [PATCH 816/868] Remove PKCS#12 bindings (#11259) They're no longer used! --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/pkcs12.py | 38 ------------------- .../hazmat/bindings/openssl/_conditional.py | 5 --- 3 files changed, 44 deletions(-) delete mode 100644 src/_cffi_src/openssl/pkcs12.py diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 642b56ce490f..15ac1848493b 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -35,7 +35,6 @@ "objects", "opensslv", "pem", - "pkcs12", "rand", "rsa", "ssl", diff --git a/src/_cffi_src/openssl/pkcs12.py b/src/_cffi_src/openssl/pkcs12.py deleted file mode 100644 index 234f97b3ea65..000000000000 --- a/src/_cffi_src/openssl/pkcs12.py +++ /dev/null @@ -1,38 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - -from __future__ import annotations - -INCLUDES = """ -#include -""" - -TYPES = """ -static const long Cryptography_HAS_PKCS12_SET_MAC; - -typedef ... PKCS12; -""" - -FUNCTIONS = """ -void PKCS12_free(PKCS12 *); - -PKCS12 *d2i_PKCS12_bio(BIO *, PKCS12 **); -int i2d_PKCS12_bio(BIO *, PKCS12 *); -int PKCS12_parse(PKCS12 *, const char *, EVP_PKEY **, X509 **, - Cryptography_STACK_OF_X509 **); -PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *, - Cryptography_STACK_OF_X509 *, int, int, int, int, int); -int PKCS12_set_mac(PKCS12 *, const char *, int, unsigned char *, int, int, - const EVP_MD *); -""" - -CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_PKCS12_SET_MAC = 0; -int (*PKCS12_set_mac)(PKCS12 *, const char *, int, unsigned char *, int, int, - const EVP_MD *) = NULL; -#else -static const long Cryptography_HAS_PKCS12_SET_MAC = 1; -#endif -""" diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index 805991c560c3..ee47d1888d80 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -147,10 +147,6 @@ def cryptography_has_unexpected_eof_while_reading() -> list[str]: return ["SSL_R_UNEXPECTED_EOF_WHILE_READING"] -def cryptography_has_pkcs12_set_mac() -> list[str]: - return ["PKCS12_set_mac"] - - def cryptography_has_ssl_op_ignore_unexpected_eof() -> list[str]: return [ "SSL_OP_IGNORE_UNEXPECTED_EOF", @@ -188,7 +184,6 @@ def cryptography_has_get_extms_support() -> list[str]: "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( cryptography_has_unexpected_eof_while_reading ), - "Cryptography_HAS_PKCS12_SET_MAC": cryptography_has_pkcs12_set_mac, "Cryptography_HAS_SSL_OP_IGNORE_UNEXPECTED_EOF": ( cryptography_has_ssl_op_ignore_unexpected_eof ), From 6b911a8b4d5177a4cbc8177f6c2793202fc56b17 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:49:24 -0400 Subject: [PATCH 817/868] Remove unused nid cffi definitions (#11260) --- src/_cffi_src/openssl/nid.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py index fe1cdda10137..9051977f0ab6 100644 --- a/src/_cffi_src/openssl/nid.py +++ b/src/_cffi_src/openssl/nid.py @@ -9,11 +9,7 @@ """ TYPES = """ -static const int Cryptography_HAS_ED448; - static const int NID_undef; -static const int NID_aes_256_cbc; -static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC; static const int NID_subject_alt_name; static const int NID_crl_reason; @@ -23,9 +19,4 @@ """ CUSTOMIZATIONS = """ -#ifndef NID_ED448 -static const long Cryptography_HAS_ED448 = 0; -#else -static const long Cryptography_HAS_ED448 = 1; -#endif """ From f28072ff88c1e901e754a5d08aae66b44dd8b953 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:49:43 -0400 Subject: [PATCH 818/868] Remove more unused cffi type definitions (#11263) --- src/_cffi_src/openssl/x509_vfy.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 26eed9974f82..57c8d870011e 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py @@ -14,12 +14,10 @@ * together with another opaque typedef for the same name in the TYPES section. * Note that the result is an opaque type. */ -typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT; typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT; """ TYPES = """ -typedef ... Cryptography_STACK_OF_ASN1_OBJECT; typedef ... Cryptography_STACK_OF_X509_OBJECT; typedef ... X509_OBJECT; From db3dd51d6d93c567f2ed6f0fe980bce0cdc9524c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 09:50:02 -0400 Subject: [PATCH 819/868] Remove unused cffi type definitions (#11262) --- src/_cffi_src/openssl/x509.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index b43593543cee..140c39708b8c 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -15,17 +15,14 @@ * Note that the result is an opaque type. */ typedef STACK_OF(X509) Cryptography_STACK_OF_X509; -typedef STACK_OF(X509_CRL) Cryptography_STACK_OF_X509_CRL; typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED; """ TYPES = """ typedef ... Cryptography_STACK_OF_X509; -typedef ... Cryptography_STACK_OF_X509_CRL; typedef ... Cryptography_STACK_OF_X509_REVOKED; typedef ... X509_ALGOR; -typedef ... X509_ATTRIBUTE; typedef ... X509_EXTENSION; typedef ... X509_EXTENSIONS; typedef ... X509_REQ; @@ -35,8 +32,6 @@ typedef ... NETSCAPE_SPKI; -typedef ... PKCS8_PRIV_KEY_INFO; - typedef void (*sk_X509_EXTENSION_freefunc)(X509_EXTENSION *); """ From 5aa51c5a52a139306dae0cb694ff906ae5dcb018 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 10:01:11 -0400 Subject: [PATCH 820/868] Remove NETSCAPE_SPKI cffi defintions (#11261) --- src/_cffi_src/openssl/x509.py | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 140c39708b8c..0c25c5d1aa87 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -30,8 +30,6 @@ typedef ... X509_CRL; typedef ... X509; -typedef ... NETSCAPE_SPKI; - typedef void (*sk_X509_EXTENSION_freefunc)(X509_EXTENSION *); """ @@ -103,14 +101,6 @@ int i2d_X509_CRL_bio(BIO *, X509_CRL *); void X509_CRL_free(X509_CRL *); -int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *); -int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *); -char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *); -EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *); -int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *); -NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); -void NETSCAPE_SPKI_free(NETSCAPE_SPKI *); - /* ASN1 serialization */ int i2d_X509_bio(BIO *, X509 *); X509 *d2i_X509_bio(BIO *, X509 **); From 83511f4d37ad9126df4193556ed82f3f9da584ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 12:05:20 -0400 Subject: [PATCH 821/868] Remove unused cffi bindings from x509v3.py (#11264) --- src/_cffi_src/openssl/x509v3.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index 7f04a2cbce35..f110527e0259 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -6,18 +6,9 @@ INCLUDES = """ #include - -/* - * This is part of a work-around for the difficulty cffi has in dealing with - * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that - * will be an alias for this type and use the alias throughout. This works - * together with another opaque typedef for the same name in the TYPES section. - * Note that the result is an opaque type. - */ """ TYPES = """ -typedef ... EXTENDED_KEY_USAGE; typedef ... CONF; typedef struct { From 0df31f10f7a13d7bfb0669feb1d8bcd1d1e4d78e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 12:05:41 -0400 Subject: [PATCH 822/868] Remove unused cffi bindings from x509name.py (#11265) --- src/_cffi_src/openssl/x509name.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509name.py b/src/_cffi_src/openssl/x509name.py index 5e0349e4846a..81d897d27255 100644 --- a/src/_cffi_src/openssl/x509name.py +++ b/src/_cffi_src/openssl/x509name.py @@ -11,11 +11,9 @@ * See the comment above Cryptography_STACK_OF_X509 in x509.py */ typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; -typedef STACK_OF(X509_NAME_ENTRY) Cryptography_STACK_OF_X509_NAME_ENTRY; """ TYPES = """ -typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY; typedef ... X509_NAME; typedef ... X509_NAME_ENTRY; typedef ... Cryptography_STACK_OF_X509_NAME; From 3d968e7d221c23d70b67a30ff087a95e26546c9b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:20:12 -0400 Subject: [PATCH 823/868] Remove unused constant (#11266) --- src/_cffi_src/openssl/x509v3.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index f110527e0259..9905982fff44 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -32,8 +32,6 @@ } d; ...; } GENERAL_NAME; - -static const long X509V3_EXT_ERROR_UNKNOWN; """ From 2910b40f0de39eadb45f5e882cb440220791acf6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:20:30 -0400 Subject: [PATCH 824/868] Remove unused cffi definition from rand.py (#11270) --- src/_cffi_src/openssl/rand.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/rand.py b/src/_cffi_src/openssl/rand.py index ee00fe68d821..50fbeb279e45 100644 --- a/src/_cffi_src/openssl/rand.py +++ b/src/_cffi_src/openssl/rand.py @@ -9,7 +9,6 @@ """ TYPES = """ -typedef ... RAND_METHOD; """ FUNCTIONS = """ From 9b5bd40b49e119f88ec0649351438bd949bf99bf Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:21:45 -0400 Subject: [PATCH 825/868] Remove unused cffi definition from asn1.py (#11267) --- src/_cffi_src/openssl/asn1.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py index 16ce6b32f505..b1278f36f025 100644 --- a/src/_cffi_src/openssl/asn1.py +++ b/src/_cffi_src/openssl/asn1.py @@ -25,7 +25,6 @@ typedef struct asn1_string_st ASN1_TIME; typedef ... ASN1_OBJECT; typedef struct asn1_string_st ASN1_STRING; -typedef struct asn1_string_st ASN1_UTF8STRING; typedef ... ASN1_GENERALIZEDTIME; typedef ... ASN1_ENUMERATED; From 6aa829adeeb1163dcf5d8346b1c8a251ac536bd2 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:22:06 -0400 Subject: [PATCH 826/868] Remove unused cffi definition from cryptography.py (#11268) --- src/_cffi_src/openssl/cryptography.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index fc23960613b0..e90a71b375ff 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -45,11 +45,6 @@ #if OPENSSL_VERSION_NUMBER < 0x10101050 #error "pyca/cryptography MUST be linked with Openssl 1.1.1e or later" #endif - -#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) -#define CRYPTOGRAPHY_OPENSSL_320_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x30200000 && !CRYPTOGRAPHY_IS_LIBRESSL) """ TYPES = """ From a56254daad3526112097b82fa477231f9b9ed85c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 13 Jul 2024 18:22:26 -0400 Subject: [PATCH 827/868] Remove unused cffi definition from evp.py (#11269) --- src/_cffi_src/openssl/evp.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index 141b43ce0b3b..f25c9bb52a66 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -16,12 +16,9 @@ typedef ... EVP_PKEY; typedef ... EVP_PKEY_CTX; static const int EVP_PKEY_RSA; -static const int EVP_PKEY_RSA_PSS; static const int EVP_PKEY_DSA; static const int EVP_PKEY_DH; static const int EVP_PKEY_EC; -static const int EVP_PKEY_X25519; -static const int EVP_PKEY_ED25519; static const int EVP_MAX_MD_SIZE; static const int Cryptography_HAS_EVP_PKEY_DHX; From fbd5b053393d439037a2a94152e09dc3acbe2f37 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 13 Jul 2024 20:27:00 -0400 Subject: [PATCH 828/868] Bump BoringSSL and/or OpenSSL in CI (#11271) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db42ece2733b..19dfd2679171 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 13, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "e8c7febc8f1b0ef9e5b62b0944748d2830b1a0b4"}} + # Latest commit on the OpenSSL master branch, as of Jul 14, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42230f294ae97cbd50052038499e091d0060ba8e"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 8c6d37e0896671f5f92e7d31da2c3ec57795e157 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 14 Jul 2024 03:20:39 +0000 Subject: [PATCH 829/868] Bump cc from 1.0.105 to 1.1.3 in /src/rust (#11272) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.0.105 to 1.1.3. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.0.105...cc-v1.1.3) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fb2d190de7b9..0e71fdec87b0 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.0.105" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5208975e568d83b6b05cc0a063c8e7e9acc2b43bee6da15616a5b73e109d7437" +checksum = "18e2d530f35b40a84124146478cd16f34225306a8441998836466a2e2961c950" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index ffdf71df0d73..d626ae6f6436 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.0.105" +cc = "1.1.3" From 67271cbab226327966582925477ba72bb29a9051 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 14 Jul 2024 22:04:51 -0400 Subject: [PATCH 830/868] Remove workaround for old libressl (#11274) * Remove workaround for old libressl * Update backend.py --- src/cryptography/hazmat/backends/openssl/backend.py | 11 ----------- tests/hazmat/primitives/test_pkcs7.py | 5 +---- 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index e4cfe6216f8d..d30efef650c2 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -175,17 +175,6 @@ def _bytes_to_bio(self, data: bytes) -> _MemoryBIO: return _MemoryBIO(self._ffi.gc(bio, self._lib.BIO_free), data_ptr) - def _create_mem_bio_gc(self): - """ - Creates an empty memory BIO. - """ - bio_method = self._lib.BIO_s_mem() - self.openssl_assert(bio_method != self._ffi.NULL) - bio = self._lib.BIO_new(bio_method) - self.openssl_assert(bio != self._ffi.NULL) - bio = self._ffi.gc(bio, self._lib.BIO_free) - return bio - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 4c4c0aa7dd50..31eb01c57ed2 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -142,11 +142,8 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend): ) else: msg_bio = backend._bytes_to_bio(msg) - # libressl 3.7.0 has a bug when NULL is passed as an `out_bio`. Work - # around it for now. - out_bio = backend._create_mem_bio_gc() res = backend._lib.PKCS7_verify( - p7, backend._ffi.NULL, store, msg_bio.bio, out_bio, flags + p7, backend._ffi.NULL, store, msg_bio.bio, backend._ffi.NULL, flags ) backend.openssl_assert(res == 1) # OpenSSL 3.0 leaves a random bio error on the stack: From 781e5631cf5ff4909368eb1c5bf54faf716a909c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 10:31:44 +0000 Subject: [PATCH 831/868] Bump cc from 1.1.3 to 1.1.5 in /src/rust (#11276) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.3 to 1.1.5. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.3...cc-v1.1.5) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 0e71fdec87b0..4da7c1609040 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.3" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18e2d530f35b40a84124146478cd16f34225306a8441998836466a2e2961c950" +checksum = "324c74f2155653c90b04f25b2a47a8a631360cb908f92a772695f430c7e31052" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index d626ae6f6436..561d070c2276 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.1", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.1.3" +cc = "1.1.5" From e03d65dfd7f6dd758dd81ca8ff1a6595736c98e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 11:11:24 +0000 Subject: [PATCH 832/868] Bump ruff from 0.5.1 to 0.5.2 (#11277) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.1 to 0.5.2. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.1...0.5.2) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index c074b3b49d7d..6eb190f8d059 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.1 +ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From b7d81540b146187230528b16080b13c467c7e9ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 07:20:26 -0400 Subject: [PATCH 833/868] Bump sphinx from 7.3.7 to 7.4.2 (#11279) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.3.7 to 7.4.2. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.3.7...v7.4.2) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6eb190f8d059..8b094e9bc8a4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.3.7 +sphinx==7.4.2 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From e7935f212836ff0ecfa1fc3fe297b1652858a973 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jul 2024 15:10:26 -0400 Subject: [PATCH 834/868] Try removing a workaround for old OpenSSL (#11275) * Try removing a workaround for old OpenSSL * Update test_pkcs7.py --- tests/hazmat/primitives/test_pkcs7.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 31eb01c57ed2..96068809c15e 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -11,7 +11,6 @@ from cryptography import x509 from cryptography.exceptions import _Reasons -from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 @@ -146,10 +145,6 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend): p7, backend._ffi.NULL, store, msg_bio.bio, backend._ffi.NULL, flags ) backend.openssl_assert(res == 1) - # OpenSSL 3.0 leaves a random bio error on the stack: - # https://github.com/openssl/openssl/issues/16681 - if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: - backend._consume_errors() def _load_cert_key(): From f45462c08cf8111a57daea2fe19bfd935cdf039a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jul 2024 15:15:08 -0400 Subject: [PATCH 835/868] Remove duplicated code in PKCS#12 symmetric encryption (#11273) --- src/rust/src/pkcs12.rs | 60 +++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 88b5cea1c8ef..d9547edb7f4f 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -79,6 +79,34 @@ impl PKCS12Certificate { } } +fn symmetric_encrypt( + py: pyo3::Python<'_>, + algorithm: pyo3::Bound<'_, pyo3::PyAny>, + mode: pyo3::Bound<'_, pyo3::PyAny>, + data: &[u8], +) -> CryptographyResult> { + let block_size = algorithm + .getattr(pyo3::intern!(py, "block_size"))? + .extract()?; + + let mut cipher = + ciphers::CipherContext::new(py, algorithm, mode, openssl::symm::Mode::Encrypt)?; + + let mut ciphertext = vec![0; data.len() + (block_size / 8 * 2)]; + let n = cipher.update_into(py, data, &mut ciphertext)?; + + let mut padder = PKCS7PaddingContext::new(block_size); + assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); + let padding = padder.finalize(py)?; + + let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; + let final_block = cipher.finalize(py)?; + assert!(final_block.as_bytes().is_empty()); + ciphertext.truncate(n + pad_n); + + Ok(ciphertext) +} + enum EncryptionAlgorithm { PBESv1SHA1And3KeyTripleDESCBC, PBESv2SHA256AndAES256CBC, @@ -181,22 +209,8 @@ impl EncryptionAlgorithm { let cbc = types::CBC .get(py)? .call1((pyo3::types::PyBytes::new_bound(py, &iv),))?; - let mut cipher = - ciphers::CipherContext::new(py, triple_des, cbc, openssl::symm::Mode::Encrypt)?; - - let mut ciphertext = vec![0; data.len() + 16]; - let n = cipher.update_into(py, data, &mut ciphertext)?; - - let mut padder = PKCS7PaddingContext::new(64); - assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); - let padding = padder.finalize(py)?; - - let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; - let final_block = cipher.finalize(py)?; - assert!(final_block.as_bytes().is_empty()); - ciphertext.truncate(n + pad_n); - Ok(ciphertext) + symmetric_encrypt(py, triple_des, cbc, data) } EncryptionAlgorithm::PBESv2SHA256AndAES256CBC => { let pass_buf = CffiBuf::from_bytes(py, password); @@ -213,22 +227,8 @@ impl EncryptionAlgorithm { let aes256 = types::AES256.get(py)?.call1((key,))?; let cbc = types::CBC.get(py)?.call1((iv,))?; - let mut cipher = - ciphers::CipherContext::new(py, aes256, cbc, openssl::symm::Mode::Encrypt)?; - - let mut ciphertext = vec![0; data.len() + 32]; - let n = cipher.update_into(py, data, &mut ciphertext)?; - - let mut padder = PKCS7PaddingContext::new(128); - assert!(padder.update(CffiBuf::from_bytes(py, data))?.is_none()); - let padding = padder.finalize(py)?; - - let pad_n = cipher.update_into(py, padding.as_bytes(), &mut ciphertext[n..])?; - let final_block = cipher.finalize(py)?; - assert!(final_block.as_bytes().is_empty()); - ciphertext.truncate(n + pad_n); - Ok(ciphertext) + symmetric_encrypt(py, aes256, cbc, data) } } } From 485432f0bbcff6dceb557315d3a2dd8f96782957 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jul 2024 18:31:51 -0400 Subject: [PATCH 836/868] Move rust code that exists for our tests to its own module (#11280) * Move rust code that exists for our tests to its own module * Update src/rust/src/test_support.rs Co-authored-by: Paul Kehrer --------- Co-authored-by: Paul Kehrer --- .../hazmat/bindings/_rust/asn1.pyi | 7 --- .../hazmat/bindings/_rust/test_support.pyi | 11 ++++ src/rust/src/asn1.rs | 51 +---------------- src/rust/src/lib.rs | 3 + src/rust/src/test_support.rs | 57 +++++++++++++++++++ tests/x509/test_x509.py | 8 +-- 6 files changed, 77 insertions(+), 60 deletions(-) create mode 100644 src/cryptography/hazmat/bindings/_rust/test_support.pyi create mode 100644 src/rust/src/test_support.rs diff --git a/src/cryptography/hazmat/bindings/_rust/asn1.pyi b/src/cryptography/hazmat/bindings/_rust/asn1.pyi index 35652c6ada1c..3b5f208ecf09 100644 --- a/src/cryptography/hazmat/bindings/_rust/asn1.pyi +++ b/src/cryptography/hazmat/bindings/_rust/asn1.pyi @@ -2,13 +2,6 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -class TestCertificate: - not_after_tag: int - not_before_tag: int - issuer_value_tags: list[int] - subject_value_tags: list[int] - def decode_dss_signature(signature: bytes) -> tuple[int, int]: ... def encode_dss_signature(r: int, s: int) -> bytes: ... def parse_spki_for_data(data: bytes) -> bytes: ... -def test_parse_certificate(data: bytes) -> TestCertificate: ... diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi new file mode 100644 index 000000000000..020c5951d2ab --- /dev/null +++ b/src/cryptography/hazmat/bindings/_rust/test_support.pyi @@ -0,0 +1,11 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +class TestCertificate: + not_after_tag: int + not_before_tag: int + issuer_value_tags: list[int] + subject_value_tags: list[int] + +def test_parse_certificate(data: bytes) -> TestCertificate: ... diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs index c306104b8585..366fc69eacd6 100644 --- a/src/rust/src/asn1.rs +++ b/src/rust/src/asn1.rs @@ -2,10 +2,7 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -use asn1::SimpleAsn1Readable; -use cryptography_x509::certificate::Certificate; -use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time}; -use cryptography_x509::name::Name; +use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo}; use pyo3::pybacked::PyBackedBytes; use pyo3::types::IntoPyDict; use pyo3::types::PyAnyMethods; @@ -133,53 +130,9 @@ fn encode_dss_signature<'p>( Ok(pyo3::types::PyBytes::new_bound(py, &result)) } -#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")] -struct TestCertificate { - #[pyo3(get)] - not_before_tag: u8, - #[pyo3(get)] - not_after_tag: u8, - #[pyo3(get)] - issuer_value_tags: Vec, - #[pyo3(get)] - subject_value_tags: Vec, -} - -fn parse_name_value_tags(rdns: &Name<'_>) -> Vec { - let mut tags = vec![]; - for rdn in rdns.unwrap_read().clone() { - let mut attributes = rdn.collect::>(); - assert_eq!(attributes.len(), 1); - - tags.push(attributes.pop().unwrap().value.tag().as_u8().unwrap()); - } - tags -} - -fn time_tag(t: &Time) -> u8 { - match t { - Time::UtcTime(_) => asn1::UtcTime::TAG.as_u8().unwrap(), - Time::GeneralizedTime(_) => asn1::GeneralizedTime::TAG.as_u8().unwrap(), - } -} - -#[pyo3::pyfunction] -fn test_parse_certificate(data: &[u8]) -> Result { - let cert = asn1::parse_single::>(data)?; - - Ok(TestCertificate { - not_before_tag: time_tag(&cert.tbs_cert.validity.not_before), - not_after_tag: time_tag(&cert.tbs_cert.validity.not_after), - issuer_value_tags: parse_name_value_tags(&cert.tbs_cert.issuer), - subject_value_tags: parse_name_value_tags(&cert.tbs_cert.subject), - }) -} - #[pyo3::pymodule] #[pyo3(name = "asn1")] pub(crate) mod asn1_mod { #[pymodule_export] - use super::{ - decode_dss_signature, encode_dss_signature, parse_spki_for_data, test_parse_certificate, - }; + use super::{decode_dss_signature, encode_dss_signature, parse_spki_for_data}; } diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 8f6ecc053fe5..cd7b99f1570a 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -21,6 +21,7 @@ pub(crate) mod oid; mod padding; mod pkcs12; mod pkcs7; +mod test_support; pub(crate) mod types; mod x509; @@ -106,6 +107,8 @@ mod _rust { use crate::pkcs12::pkcs12; #[pymodule_export] use crate::pkcs7::pkcs7_mod; + #[pymodule_export] + use crate::test_support::test_support; #[pyo3::pymodule] mod x509 { diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs new file mode 100644 index 000000000000..5b42fec3b304 --- /dev/null +++ b/src/rust/src/test_support.rs @@ -0,0 +1,57 @@ +// This file is dual licensed under the terms of the Apache License, Version +// 2.0, and the BSD License. See the LICENSE file in the root of this repository +// for complete details. + +use crate::error::CryptographyResult; +use asn1::SimpleAsn1Readable; +use cryptography_x509::certificate::Certificate; +use cryptography_x509::common::Time; +use cryptography_x509::name::Name; + +#[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.test_support")] +struct TestCertificate { + #[pyo3(get)] + not_before_tag: u8, + #[pyo3(get)] + not_after_tag: u8, + #[pyo3(get)] + issuer_value_tags: Vec, + #[pyo3(get)] + subject_value_tags: Vec, +} + +fn parse_name_value_tags(rdns: &Name<'_>) -> Vec { + let mut tags = vec![]; + for rdn in rdns.unwrap_read().clone() { + let mut attributes = rdn.collect::>(); + assert_eq!(attributes.len(), 1); + + tags.push(attributes.pop().unwrap().value.tag().as_u8().unwrap()); + } + tags +} + +fn time_tag(t: &Time) -> u8 { + match t { + Time::UtcTime(_) => asn1::UtcTime::TAG.as_u8().unwrap(), + Time::GeneralizedTime(_) => asn1::GeneralizedTime::TAG.as_u8().unwrap(), + } +} + +#[pyo3::pyfunction] +fn test_parse_certificate(data: &[u8]) -> CryptographyResult { + let cert = asn1::parse_single::>(data)?; + + Ok(TestCertificate { + not_before_tag: time_tag(&cert.tbs_cert.validity.not_before), + not_after_tag: time_tag(&cert.tbs_cert.validity.not_after), + issuer_value_tags: parse_name_value_tags(&cert.tbs_cert.issuer), + subject_value_tags: parse_name_value_tags(&cert.tbs_cert.subject), + }) +} + +#[pyo3::pymodule] +pub(crate) mod test_support { + #[pymodule_export] + use super::test_parse_certificate; +} diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index a4368833ca3f..91251d58c0a3 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -14,7 +14,7 @@ from cryptography import utils, x509 from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm -from cryptography.hazmat.bindings._rust import asn1 +from cryptography.hazmat.bindings._rust import test_support from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( dh, @@ -2429,7 +2429,7 @@ def test_build_cert_printable_string_country_name( cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) - parsed = asn1.test_parse_certificate( + parsed = test_support.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) @@ -2615,7 +2615,7 @@ def test_extreme_times( not_valid_before=not_valid_before, not_valid_after=not_valid_after, ) - parsed = asn1.test_parse_certificate( + parsed = test_support.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) # UTC TIME @@ -3088,7 +3088,7 @@ def test_earliest_time(self, rsa_key_2048: rsa.RSAPrivateKey, backend): ) cert = cert_builder.sign(private_key, hashes.SHA256(), backend) _check_cert_times(cert, not_valid_before=time, not_valid_after=time) - parsed = asn1.test_parse_certificate( + parsed = test_support.test_parse_certificate( cert.public_bytes(serialization.Encoding.DER) ) # UTC TIME From abae201d31e594e13bf10df3c16a099f8020ae1a Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Jul 2024 00:16:00 +0000 Subject: [PATCH 837/868] Bump BoringSSL and/or OpenSSL in CI (#11283) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 19dfd2679171..88cb4d8f6546 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 14, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "42230f294ae97cbd50052038499e091d0060ba8e"}} + # Latest commit on the OpenSSL master branch, as of Jul 16, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c6975bd44dce4bb342b7bc130de5aaefbe2c35b"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 4616dbe63121cfd419296a1536a3ccc0da410b55 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 15 Jul 2024 20:29:17 -0400 Subject: [PATCH 838/868] Migrate PKCS#7 test_support function to Rust (#11282) --- src/_cffi_src/build_openssl.py | 1 - src/_cffi_src/openssl/pem.py | 4 - src/_cffi_src/openssl/pkcs7.py | 15 --- .../hazmat/backends/openssl/backend.py | 29 +---- .../hazmat/bindings/_rust/test_support.pyi | 11 ++ .../hazmat/bindings/openssl/_conditional.py | 8 -- src/rust/src/test_support.rs | 56 ++++++++++ tests/hazmat/primitives/test_pkcs7.py | 104 ++++-------------- 8 files changed, 87 insertions(+), 141 deletions(-) diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 15ac1848493b..7c3bab20f3a0 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -42,7 +42,6 @@ "x509name", "x509v3", "x509_vfy", - "pkcs7", ], ) diff --git a/src/_cffi_src/openssl/pem.py b/src/_cffi_src/openssl/pem.py index e069d6126999..04badc47af1b 100644 --- a/src/_cffi_src/openssl/pem.py +++ b/src/_cffi_src/openssl/pem.py @@ -22,8 +22,6 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *, EVP_PKEY **, pem_password_cb *, void *); -PKCS7 *d2i_PKCS7_bio(BIO *, PKCS7 **); - int PEM_write_bio_X509_REQ(BIO *, X509_REQ *); X509_REQ *PEM_read_bio_X509_REQ(BIO *, X509_REQ **, pem_password_cb *, void *); @@ -32,8 +30,6 @@ int PEM_write_bio_X509_CRL(BIO *, X509_CRL *); -PKCS7 *PEM_read_bio_PKCS7(BIO *, PKCS7 **, pem_password_cb *, void *); - DH *PEM_read_bio_DHparams(BIO *, DH **, pem_password_cb *, void *); EVP_PKEY *PEM_read_bio_PUBKEY(BIO *, EVP_PKEY **, pem_password_cb *, void *); diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py index 8e93a61b4e60..27631f48c04d 100644 --- a/src/_cffi_src/openssl/pkcs7.py +++ b/src/_cffi_src/openssl/pkcs7.py @@ -9,28 +9,13 @@ """ TYPES = """ -static const long Cryptography_HAS_PKCS7_FUNCS; typedef ... PKCS7; -static const int PKCS7_TEXT; """ FUNCTIONS = """ void PKCS7_free(PKCS7 *); -/* Included verify due to external consumer, see - https://github.com/pyca/cryptography/issues/5433 */ -int PKCS7_verify(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, - BIO *, int); PKCS7 *SMIME_read_PKCS7(BIO *, BIO **); """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_BORINGSSL -static const long Cryptography_HAS_PKCS7_FUNCS = 0; - -int (*PKCS7_verify)(PKCS7 *, Cryptography_STACK_OF_X509 *, X509_STORE *, BIO *, - BIO *, int) = NULL; -PKCS7 *(*SMIME_read_PKCS7)(BIO *, BIO **) = NULL; -#else -static const long Cryptography_HAS_PKCS7_FUNCS = 1; -#endif """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d30efef650c2..c87d3e848236 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -4,13 +4,9 @@ from __future__ import annotations -import collections -import typing - -from cryptography import x509 from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.bindings.openssl import binding -from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric import utils as asym_utils @@ -31,8 +27,6 @@ Mode, ) -_MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"]) - class Backend: """ @@ -162,19 +156,6 @@ def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool: def _consume_errors(self) -> list[rust_openssl.OpenSSLError]: return rust_openssl.capture_error_stack() - def _bytes_to_bio(self, data: bytes) -> _MemoryBIO: - """ - Return a _MemoryBIO namedtuple of (BIO, char*). - - The char* is the storage for the BIO and it must stay alive until the - BIO is finished with. - """ - data_ptr = self._ffi.from_buffer(data) - bio = self._lib.BIO_new_mem_buf(data_ptr, len(data)) - self.openssl_assert(bio != self._ffi.NULL) - - return _MemoryBIO(self._ffi.gc(bio, self._lib.BIO_free), data_ptr) - def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: if self._fips_enabled and isinstance(algorithm, hashes.SHA1): return False @@ -231,14 +212,6 @@ def cmac_algorithm_supported(self, algorithm) -> bool: algorithm, CBC(b"\x00" * algorithm.block_size) ) - def _cert2ossl(self, cert: x509.Certificate) -> typing.Any: - data = cert.public_bytes(serialization.Encoding.DER) - mem_bio = self._bytes_to_bio(data) - x509 = self._lib.d2i_X509_bio(mem_bio.bio, self._ffi.NULL) - self.openssl_assert(x509 != self._ffi.NULL) - x509 = self._ffi.gc(x509, self._lib.X509_free) - return x509 - def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool: if self._fips_enabled and not isinstance( curve, self._fips_ecdh_curves diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi index 020c5951d2ab..ef9f779f2ee9 100644 --- a/src/cryptography/hazmat/bindings/_rust/test_support.pyi +++ b/src/cryptography/hazmat/bindings/_rust/test_support.pyi @@ -2,6 +2,10 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. +from cryptography import x509 +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.serialization import pkcs7 + class TestCertificate: not_after_tag: int not_before_tag: int @@ -9,3 +13,10 @@ class TestCertificate: subject_value_tags: list[int] def test_parse_certificate(data: bytes) -> TestCertificate: ... +def pkcs7_verify( + encoding: serialization.Encoding, + sig: bytes, + msg: bytes | None, + certs: list[x509.Certificate], + options: list[pkcs7.PKCS7Options], +) -> None: ... diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index ee47d1888d80..73c06f7d08ce 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -130,13 +130,6 @@ def cryptography_has_ssl_cookie() -> list[str]: ] -def cryptography_has_pkcs7_funcs() -> list[str]: - return [ - "PKCS7_verify", - "SMIME_read_PKCS7", - ] - - def cryptography_has_prime_checks() -> list[str]: return [ "BN_prime_checks_for_size", @@ -179,7 +172,6 @@ def cryptography_has_get_extms_support() -> list[str]: ), "Cryptography_HAS_DTLS_GET_DATA_MTU": cryptography_has_dtls_get_data_mtu, "Cryptography_HAS_SSL_COOKIE": cryptography_has_ssl_cookie, - "Cryptography_HAS_PKCS7_FUNCS": cryptography_has_pkcs7_funcs, "Cryptography_HAS_PRIME_CHECKS": cryptography_has_prime_checks, "Cryptography_HAS_UNEXPECTED_EOF_WHILE_READING": ( cryptography_has_unexpected_eof_while_reading diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs index 5b42fec3b304..8f4599723680 100644 --- a/src/rust/src/test_support.rs +++ b/src/rust/src/test_support.rs @@ -2,11 +2,19 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use crate::buf::CffiBuf; use crate::error::CryptographyResult; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use crate::types; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use crate::x509::certificate::Certificate as PyCertificate; use asn1::SimpleAsn1Readable; use cryptography_x509::certificate::Certificate; use cryptography_x509::common::Time; use cryptography_x509::name::Name; +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +use pyo3::prelude::PyAnyMethods; #[pyo3::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.test_support")] struct TestCertificate { @@ -50,8 +58,56 @@ fn test_parse_certificate(data: &[u8]) -> CryptographyResult { }) } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +#[pyo3::pyfunction] +#[pyo3(signature = (encoding, sig, msg, certs, options))] +fn pkcs7_verify( + py: pyo3::Python<'_>, + encoding: pyo3::Bound<'_, pyo3::PyAny>, + sig: &[u8], + msg: Option>, + certs: Vec>, + options: pyo3::Bound<'_, pyo3::types::PyList>, +) -> CryptographyResult<()> { + let p7 = if encoding.is(&types::ENCODING_DER.get(py)?) { + openssl::pkcs7::Pkcs7::from_der(sig)? + } else if encoding.is(&types::ENCODING_PEM.get(py)?) { + openssl::pkcs7::Pkcs7::from_pem(sig)? + } else { + openssl::pkcs7::Pkcs7::from_smime(sig)?.0 + }; + + let mut flags = openssl::pkcs7::Pkcs7Flags::empty(); + if options.contains(types::PKCS7_TEXT.get(py)?)? { + flags |= openssl::pkcs7::Pkcs7Flags::TEXT; + } + + let store = { + let mut b = openssl::x509::store::X509StoreBuilder::new()?; + for cert in &certs { + let der = asn1::write_single(cert.get().raw.borrow_dependent())?; + b.add_cert(openssl::x509::X509::from_der(&der)?)?; + } + b.build() + }; + let certs = openssl::stack::Stack::new()?; + + p7.verify( + &certs, + &store, + msg.as_ref().map(|m| m.as_bytes()), + None, + flags, + )?; + + Ok(()) +} + #[pyo3::pymodule] pub(crate) mod test_support { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pymodule_export] + use super::pkcs7_verify; #[pymodule_export] use super::test_parse_certificate; } diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 96068809c15e..3842fd3ff616 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -11,6 +11,7 @@ from cryptography import x509 from cryptography.exceptions import _Reasons +from cryptography.hazmat.bindings._rust import test_support from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 @@ -96,57 +97,6 @@ def test_load_pkcs7_empty_certificates(self): pkcs7.load_der_pkcs7_certificates(der) -# We have no public verification API and won't be adding one until we get -# some requirements from users so this function exists to give us basic -# verification for the signing tests. -# -# This relies on a number of bindings that we'd otherwise like to remove. -def _pkcs7_verify(encoding, sig, msg, certs, options, backend): - sig_bio = backend._bytes_to_bio(sig) - if encoding is serialization.Encoding.DER: - p7 = backend._lib.d2i_PKCS7_bio(sig_bio.bio, backend._ffi.NULL) - elif encoding is serialization.Encoding.PEM: - p7 = backend._lib.PEM_read_bio_PKCS7( - sig_bio.bio, - backend._ffi.NULL, - backend._ffi.NULL, - backend._ffi.NULL, - ) - else: - p7 = backend._lib.SMIME_read_PKCS7(sig_bio.bio, backend._ffi.NULL) - backend.openssl_assert(p7 != backend._ffi.NULL) - p7 = backend._ffi.gc(p7, backend._lib.PKCS7_free) - flags = 0 - for option in options: - if option is pkcs7.PKCS7Options.Text: - flags |= backend._lib.PKCS7_TEXT - store = backend._lib.X509_STORE_new() - backend.openssl_assert(store != backend._ffi.NULL) - store = backend._ffi.gc(store, backend._lib.X509_STORE_free) - # This list is to keep the x509 values alive until end of function - ossl_certs = [] - for cert in certs: - ossl_cert = backend._cert2ossl(cert) - ossl_certs.append(ossl_cert) - res = backend._lib.X509_STORE_add_cert(store, ossl_cert) - backend.openssl_assert(res == 1) - if msg is None: - res = backend._lib.PKCS7_verify( - p7, - backend._ffi.NULL, - store, - backend._ffi.NULL, - backend._ffi.NULL, - flags, - ) - else: - msg_bio = backend._bytes_to_bio(msg) - res = backend._lib.PKCS7_verify( - p7, backend._ffi.NULL, store, msg_bio.bio, backend._ffi.NULL, flags - ) - backend.openssl_assert(res == 1) - - def _load_cert_key(): key = load_vectors_from_file( os.path.join("x509", "custom", "ca", "ca_key.pem"), @@ -315,22 +265,20 @@ def test_smime_sign_detached(self, backend): assert isinstance(payload[0], email.message.Message) signed_data = payload[0].get_payload() assert isinstance(signed_data, str) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig, signed_data.encode(), [cert], options, - backend, ) assert data not in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, data, [cert], options, - backend, ) def test_sign_byteslike(self, backend): @@ -345,13 +293,12 @@ def test_sign_byteslike(self, backend): sig = builder.sign(serialization.Encoding.SMIME, options) assert bytes(data) in sig - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig, data, [cert], options, - backend, ) data = bytearray(b"") @@ -362,13 +309,12 @@ def test_sign_byteslike(self, backend): ) sig = builder.sign(serialization.Encoding.SMIME, options) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig, data, [cert], options, - backend, ) def test_sign_pem(self, backend): @@ -382,13 +328,12 @@ def test_sign_pem(self, backend): ) sig = builder.sign(serialization.Encoding.PEM, options) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.PEM, sig, None, [cert], options, - backend, ) @pytest.mark.parametrize( @@ -412,8 +357,8 @@ def test_sign_alternate_digests_der( options: typing.List[pkcs7.PKCS7Options] = [] sig = builder.sign(serialization.Encoding.DER, options) assert expected_value in sig - _pkcs7_verify( - serialization.Encoding.DER, sig, None, [cert], options, backend + test_support.pkcs7_verify( + serialization.Encoding.DER, sig, None, [cert], options ) @pytest.mark.parametrize( @@ -454,13 +399,12 @@ def test_sign_attached(self, backend): # When not passing detached signature the signed data is embedded into # the PKCS7 structure itself assert data in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_binary(self, backend): @@ -480,22 +424,20 @@ def test_sign_binary(self, backend): # so data should not be present in sig_no_binary, but should be present # in sig_binary assert data not in sig_no_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_no_binary, None, [cert], options, - backend, ) assert data in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_smime_canonicalization(self, backend): @@ -513,13 +455,12 @@ def test_sign_smime_canonicalization(self, backend): # so data should not be present in the sig assert data not in sig_binary assert b"hello\r\nworld" in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_text(self, backend): @@ -550,13 +491,12 @@ def test_sign_text(self, backend): signed_data = payload[0].as_bytes( policy=message.policy.clone(linesep="\r\n") ) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.SMIME, sig_pem, signed_data, [cert], options, - backend, ) def test_smime_capabilities(self, backend): @@ -594,13 +534,12 @@ def test_smime_capabilities(self, backend): len_oid = len(oid).to_bytes(length=1, byteorder="big") assert sequence_identifier + len_oid + oid in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], [], - backend, ) def test_sign_no_capabilities(self, backend): @@ -623,13 +562,12 @@ def test_sign_no_capabilities(self, backend): assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" not in sig_binary # 1.2.840.113549.1.9.5 signingTime as an ASN.1 DER encoded OID assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x05" in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_no_attributes(self, backend): @@ -650,13 +588,12 @@ def test_sign_no_attributes(self, backend): assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x0f" not in sig_binary # 1.2.840.113549.1.9.5 signingTime as an ASN.1 DER encoded OID assert b"\x06\t*\x86H\x86\xf7\r\x01\t\x05" not in sig_binary - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig_binary, None, [cert], options, - backend, ) def test_sign_no_certs(self, backend): @@ -733,13 +670,12 @@ def test_rsa_pkcs_padding_options(self, pad, backend): assert ( sig.count(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") == 2 ) - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig, None, [rsa_cert], options, - backend, ) def test_not_rsa_key_with_padding(self, backend): @@ -801,13 +737,12 @@ def test_multiple_signers(self, backend): sig = builder.sign(serialization.Encoding.DER, options) # There should be three SHA512 OIDs in this structure assert sig.count(b"\x06\t`\x86H\x01e\x03\x04\x02\x03") == 3 - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig, None, [cert, rsa_cert], options, - backend, ) def test_multiple_signers_different_hash_algs(self, backend): @@ -839,13 +774,12 @@ def test_multiple_signers_different_hash_algs(self, backend): # There should be two SHA384 and two SHA512 OIDs in this structure assert sig.count(b"\x06\t`\x86H\x01e\x03\x04\x02\x02") == 2 assert sig.count(b"\x06\t`\x86H\x01e\x03\x04\x02\x03") == 2 - _pkcs7_verify( + test_support.pkcs7_verify( serialization.Encoding.DER, sig, None, [cert, rsa_cert], options, - backend, ) def test_add_additional_cert_not_a_cert(self, backend): From a4eb4ef99437aac182fe0f542a77bf1d84c93e85 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Tue, 16 Jul 2024 00:32:29 +0000 Subject: [PATCH 839/868] Bump x509-limbo and/or wycheproof in CI (#11284) Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 10594d7b579f..069197d1a1b0 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 10, 2024. - ref: "6e5500061c043941079d677af8e822dfed494fec" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 16, 2024. + ref: "8815322a268ad32918d21c44805e8cb37c9fd7b2" # x509-limbo-ref From 3e65042197dd7d2bb35ac081ee298983e7e1a84a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Jul 2024 06:29:41 -0400 Subject: [PATCH 840/868] Bump sphinx from 7.4.2 to 7.4.4 (#11285) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.2 to 7.4.4. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.2...v7.4.4) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 8b094e9bc8a4..21f0296be5f7 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.2 +sphinx==7.4.4 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 0787dc5e89b20b8abd351050481a248483a17e40 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 00:16:43 +0000 Subject: [PATCH 841/868] Bump BoringSSL and/or OpenSSL in CI (#11286) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 88cb4d8f6546..6656fedc03c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 11, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "b34976cae99f8d1b864dbab31e20fc00d06acb09"}} - # Latest commit on the OpenSSL master branch, as of Jul 16, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "5c6975bd44dce4bb342b7bc130de5aaefbe2c35b"}} + # Latest commit on the BoringSSL master branch, as of Jul 17, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d274b1bacdca36f3941bf78e43dc38acf676a1a8"}} + # Latest commit on the OpenSSL master branch, as of Jul 17, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2dd74d3acb9425251a2028504f07623bd97bfe87"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a9bc879d6140ad377bda5159cc196cd3df6bcd58 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 16 Jul 2024 22:27:37 -0400 Subject: [PATCH 842/868] Bump vectors (#11288) * Bump x509-limbo and/or wycheproof in CI * test_limbo: allow build_server_verifier to fail ...in a predictable way. * test_limbo: remove assert * test_limbo: return early when exceptional --------- Co-authored-by: pyca-boringbot[bot] --- .github/actions/fetch-vectors/action.yml | 4 ++-- tests/x509/verification/test_limbo.py | 8 +++++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/actions/fetch-vectors/action.yml b/.github/actions/fetch-vectors/action.yml index 069197d1a1b0..bfa92a923487 100644 --- a/.github/actions/fetch-vectors/action.yml +++ b/.github/actions/fetch-vectors/action.yml @@ -16,5 +16,5 @@ runs: with: repository: "C2SP/x509-limbo" path: "x509-limbo" - # Latest commit on the x509-limbo main branch, as of Jul 16, 2024. - ref: "8815322a268ad32918d21c44805e8cb37c9fd7b2" # x509-limbo-ref + # Latest commit on the x509-limbo main branch, as of Jul 17, 2024. + ref: "fb3e03cd0e686ed06a6a118e372df709f480d6a4" # x509-limbo-ref diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py index 2675ca735475..50881eb9410b 100644 --- a/tests/x509/verification/test_limbo.py +++ b/tests/x509/verification/test_limbo.py @@ -133,7 +133,13 @@ def _limbo_testcase(id_, testcase): "extended_key_usage" ] == ["serverAuth"] peer_name = _get_limbo_peer(testcase["expected_peer_name"]) - verifier = builder.build_server_verifier(peer_name) + # Some tests exercise invalid leaf SANs, which get caught before + # validation even begins. + try: + verifier = builder.build_server_verifier(peer_name) + except ValueError: + assert not should_pass + return else: assert testcase["extended_key_usage"] == ["clientAuth"] verifier = builder.build_client_verifier() From 3c7a5e07387434ced26e377994cd1a8553997c53 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 10:59:21 +0000 Subject: [PATCH 843/868] Bump sphinx from 7.4.4 to 7.4.5 (#11289) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.4 to 7.4.5. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.4...v7.4.5) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 21f0296be5f7..a8103c276da4 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.4 +sphinx==7.4.5 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From 783223f5f65a326d2bea9978300cd81a658c8f00 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Wed, 17 Jul 2024 23:07:37 +0200 Subject: [PATCH 844/868] docs: Add instructions to build the docs (#11290) * docs: Add instructions to build the docs * docs: Fix single backticks * docs: remove troubleshooting section * Update docs/development/getting-started.rst Co-authored-by: Alex Gaynor --------- Co-authored-by: Alex Gaynor --- docs/development/getting-started.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index 2cb1bb478bff..d074718f4183 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -41,6 +41,17 @@ You can also specify a subset of tests to run as positional arguments: $ # run the whole x509 testsuite, plus the fernet tests $ nox -e local -- tests/x509/ tests/test_fernet.py +Building the docs +----------------- + +Building the docs on non-Windows platforms requires manually installing +the C library ``libenchant`` (`installation instructions`_). +The docs can be built using ``nox``: + +.. code-block:: console + + $ nox -e docs + .. _`Homebrew`: https://brew.sh .. _`MacPorts`: https://www.macports.org @@ -50,3 +61,4 @@ You can also specify a subset of tests to run as positional arguments: .. _`virtualenv`: https://pypi.org/project/virtualenv/ .. _`pip`: https://pypi.org/project/pip/ .. _`as documented here`: https://docs.rs/openssl/latest/openssl/#automatic +.. _`installation instructions`: https://pyenchant.github.io/pyenchant/install.html#installing-the-enchant-c-library \ No newline at end of file From df3ed7b71ea8846363e1f72d11d93651869434e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 21:56:41 +0000 Subject: [PATCH 845/868] Bump pyo3 from 0.22.1 to 0.22.2 in /src/rust (#11292) Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.22.1 to 0.22.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/v0.22.2/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.1...v0.22.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 20 ++++++++++---------- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-keepalive/Cargo.toml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 4da7c1609040..93a0cdd29c5a 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -247,9 +247,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e99090d12f6182924499253aaa1e73bf15c69cea8d2774c3c781e35badc3548" +checksum = "831e8e819a138c36e212f3af3fd9eeffed6bf1510a805af35b0edee5ffa59433" dependencies = [ "cfg-if", "indoc", @@ -265,9 +265,9 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7879eb018ac754bba32cb0eec7526391c02c14a093121857ed09fbf1d1057d41" +checksum = "1e8730e591b14492a8945cdff32f089250b05f5accecf74aeddf9e8272ce1fa8" dependencies = [ "once_cell", "target-lexicon", @@ -275,9 +275,9 @@ dependencies = [ [[package]] name = "pyo3-ffi" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce2baa5559a411fc1cf519295f24c34b53d5d725818bc96b5abf94762da09041" +checksum = "5e97e919d2df92eb88ca80a037969f44e5e70356559654962cbb3316d00300c6" dependencies = [ "libc", "pyo3-build-config", @@ -285,9 +285,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "049621c20a23f2def20f4fe67978d1da8d8a883d64b9c21362f3b776e254edc7" +checksum = "eb57983022ad41f9e683a599f2fd13c3664d7063a3ac5714cae4b7bee7d3f206" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -297,9 +297,9 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.22.1" +version = "0.22.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e969ee2e025435f1819d31a275ba4bb9cbbdf3ac535227fdbd85b9322ffe144" +checksum = "ec480c0c51ddec81019531705acac51bcdbeae563557c982aa8263bb96880372" dependencies = [ "heck", "proc-macro2", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index fc0ab7e11edf..e3263a9ecbfa 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -17,7 +17,7 @@ rust-version.workspace = true [dependencies] once_cell = "1" cfg-if = "1" -pyo3 = { version = "0.22.1", features = ["abi3"] } +pyo3 = { version = "0.22.2", features = ["abi3"] } asn1 = { version = "0.16.2", default-features = false } cryptography-cffi = { path = "cryptography-cffi" } cryptography-keepalive = { path = "cryptography-keepalive" } diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 561d070c2276..38122b95b75c 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -7,7 +7,7 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.1", features = ["abi3"] } +pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] diff --git a/src/rust/cryptography-keepalive/Cargo.toml b/src/rust/cryptography-keepalive/Cargo.toml index d2f503bbf209..d281a1b0867e 100644 --- a/src/rust/cryptography-keepalive/Cargo.toml +++ b/src/rust/cryptography-keepalive/Cargo.toml @@ -7,4 +7,4 @@ publish.workspace = true rust-version.workspace = true [dependencies] -pyo3 = { version = "0.22.1", features = ["abi3"] } +pyo3 = { version = "0.22.2", features = ["abi3"] } From 7d408e8acc1b9d7e52192abbebbf0af5c20d6bd4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 18:06:57 -0400 Subject: [PATCH 846/868] Bump setuptools from 70.3.0 to 71.0.0 in /.github/requirements (#11293) Bumps [setuptools](https://github.com/pypa/setuptools) from 70.3.0 to 71.0.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.3.0...v71.0.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index ceabc93499a6..85359be67516 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==70.3.0 \ - --hash=sha256:f171bab1dfbc86b132997f26a119f6056a57950d058587841a0082e8830f9dc5 \ - --hash=sha256:fe384da74336c398e0d956d1cae0669bc02eed936cdb1d49b57de1990dc11ffc +setuptools==71.0.0 \ + --hash=sha256:98da3b8aca443b9848a209ae4165e2edede62633219afa493a58fbba57f72e2e \ + --hash=sha256:f06fbe978a91819d250a30e0dc4ca79df713d909e24438a42d0ec300fc52247f # via -r build-requirements.in From 14772c2e5fa312966411ee96b3c2dfc4090e4a23 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Thu, 18 Jul 2024 00:15:20 +0000 Subject: [PATCH 847/868] Bump BoringSSL and/or OpenSSL in CI (#11294) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6656fedc03c9..78fdf4e6c543 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,10 +43,10 @@ jobs: - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.4"}} - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.2"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} - # Latest commit on the BoringSSL master branch, as of Jul 17, 2024. - - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "d274b1bacdca36f3941bf78e43dc38acf676a1a8"}} - # Latest commit on the OpenSSL master branch, as of Jul 17, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "2dd74d3acb9425251a2028504f07623bd97bfe87"}} + # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. + - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} + # Latest commit on the OpenSSL master branch, as of Jul 18, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf3d65b8664f11904ad34f21fe78a6694f23ae62"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From ccb3a3277c7f6dafae2ce4bcfaa635693dec39e8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jul 2024 07:07:00 -0400 Subject: [PATCH 848/868] Bump setuptools from 71.0.0 to 71.0.1 in /.github/requirements (#11295) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.0.0 to 71.0.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.0.0...v71.0.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 85359be67516..2aebb5ca4e6c 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.0.0 \ - --hash=sha256:98da3b8aca443b9848a209ae4165e2edede62633219afa493a58fbba57f72e2e \ - --hash=sha256:f06fbe978a91819d250a30e0dc4ca79df713d909e24438a42d0ec300fc52247f +setuptools==71.0.1 \ + --hash=sha256:1eb8ef012efae7f6acbc53ec0abde4bc6746c43087fd215ee09e1df48998711f \ + --hash=sha256:c51d7fd29843aa18dad362d4b4ecd917022131425438251f4e3d766c964dd1ad # via -r build-requirements.in From 0faaffc2f5844cf55af57b3eccb6bb7ab5c58aae Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Thu, 18 Jul 2024 17:52:09 +0200 Subject: [PATCH 849/868] Add support for encrypting S/MIME messages (#10889) * Add support for encrypting S/MIME messages * Move PKCS7 decrypt test function to Rust * Use symmetric encryption function from PKCS12 * Remove debug file write from tests * Remove unneeded backend parameter * docs and changelog --- CHANGELOG.rst | 2 + .../primitives/asymmetric/serialization.rst | 94 ++++++- .../hazmat/bindings/_rust/pkcs7.pyi | 5 + .../hazmat/bindings/_rust/test_support.pyi | 7 + .../hazmat/primitives/serialization/pkcs7.py | 105 +++++++- src/rust/cryptography-x509/src/common.rs | 10 + src/rust/cryptography-x509/src/pkcs7.rs | 18 ++ src/rust/src/pkcs12.rs | 2 +- src/rust/src/pkcs7.rs | 93 ++++++- src/rust/src/test_support.rs | 47 ++++ src/rust/src/types.rs | 9 +- tests/hazmat/primitives/test_pkcs7.py | 249 +++++++++++++++++- 12 files changed, 632 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 90af3bba7286..ea62a5351efd 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -66,6 +66,8 @@ Changelog * :class:`~cryptography.x509.NameAttribute` now raises an exception when attempting to create a common name whose length is shorter or longer than :rfc:`5280` permits. +* Added basic support for PKCS7 encryption (including SMIME) via + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7EnvelopeBuilder`. .. _v42-0-8: diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index 402915c45540..42cc83c84687 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst @@ -1095,6 +1095,37 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, -----END CERTIFICATE----- """.strip() + ca_cert_rsa = b""" + -----BEGIN CERTIFICATE----- + MIIExzCCAq+gAwIBAgIJAOcS06ClbtbJMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV + BAMMD2NyeXB0b2dyYXBoeSBDQTAeFw0yMDA5MTQyMTQwNDJaFw00ODAxMzEyMTQw + NDJaMBoxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeSBDQTCCAiIwDQYJKoZIhvcNAQEB + BQADggIPADCCAgoCggIBANBIheRc1HT4MzV5GvUbDk9CFU6DTomRApNqRmizriRq + m6OY4Ht3d71BXog6/IBkqAnZ4/XJQ40G4sVDb52k11oPvfJ/F5pc+6UqPBL+QGzY + GkJoubAqXFpI6ow0qayFNQLv0T9o4yh0QQOoGvgCmv91qmitLrZNXu4U9S76G+Di + GST+QyMkMxj+VsGRsRRBufV1urcnvFWjU6Q2+cr2cp0mMAG96NTyIskYiJ8vL03W + z4DX4klO4X47fPmDnU/OMn4SbvMZ896j1L0J04S+uVThTkxQWcFcqXhX5qM8kzcj + JUmybFlbf150j3WiucW48K/j7fJ0x9q3iUo4Gva0coScglJWcgo/BBCwFDw8NVba + 7npxSRMiaS3qTv0dEFcRnvByc+7hyGxxlWdTE9tHisUI1eZVk9P9ziqNOZKscY8Z + X1+/C4M9X69Y7A8I74F5dO27IRycEgOrSo2z1NhfSwbqJr9a2TBtRsFinn8rjKBI + zNn0E5p9jO1WjxtkcjHfXXpLN8FFMvoYI9l/K+ZWDm9sboaF8jrgozSc004AFemA + H79mmCGVRKXn1vDAo4DLC6p3NiBFYQcYbW9V+beGD6srsF6xJtuY/UwtPROLWSzu + CCrZ/4BlmpNsR0ehIFFvzEKjX6rR2yp3YKlguDbMBMKMpfSGxAFwcZ7OiaxR20UH + AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADSveDS4 + y2V/N6Li2n9ChGNdCMr/45M0cl+GpL55aA36AWYMRLv0wip7MWV3yOj4mkjGBlTE + awKHH1FtetsE6B4a7M2hHhOXyXE60uUdptEx6ckGrJ1iyqu5cQUX1P+VnXbmOxfF + bl+Ugzjbgirx239rA4ezkDRuOvKcCbDOFV/gw3ZHfJ/IQeRXIQRl/y51wcnFUvFM + JEESYiijeDbEcY8r1/phmVQL0CO7WLMmTxlFj4X/TR3MTZWJQIap9GiLs5+n3QiO + jsZ3GuFOomB8oTebYkXniwbNu5hgLP/seRQzGA7B9VDZryAhCtvGgjtQh0eW2Qxt + sgmDJGOPKnKT3O5U0v3+IPLEYpe8JSzgAhhh6H1rAJRUNwP2gRcO4eOUJSkdl218 + fRNT0ILzosuWxwprER9ciMQF8q0JJKMhcfHRMH0S5mWVJAIkj68KY05oCy2zNyYa + oruopKSWXe0Bzr40znm40P7xIkui2BGQMlDPpbCaEfLsLqyctfbdmMlxac/QgIfY + TltrbqmI3MNy5uqGViGFpWPCB+kD8EsJF9nlKJXlu/i55qgUr/2/2CdeWlZDBP8A + 1fdzmpYpWnwhE0KobzLS2z3AwDxiY/RSWUfypLZA0K/lpaEtYB6UHMDZ0/8WqgZV + gNucCuty0cA4Kf7eX1TlAKVwH8hTkVmJc2rX + -----END CERTIFICATE----- + """.strip() + .. class:: PKCS7SignatureBuilder @@ -1174,11 +1205,72 @@ contain certificates, CRLs, and much more. PKCS7 files commonly have a ``p7b``, :returns bytes: The signed PKCS7 message. +.. class:: PKCS7EnvelopeBuilder + + The PKCS7 envelope builder can create encrypted S/MIME messages, + which are commonly used in email. S/MIME has multiple versions, + but this implements a subset of :rfc:`5751`, also known as S/MIME + Version 3.2. + + .. versionadded:: 43.0.0 + + .. doctest:: + + >>> from cryptography import x509 + >>> from cryptography.hazmat.primitives import serialization + >>> from cryptography.hazmat.primitives.serialization import pkcs7 + >>> cert = x509.load_pem_x509_certificate(ca_cert_rsa) + >>> options = [pkcs7.PKCS7Options.Text] + >>> pkcs7.PKCS7EnvelopeBuilder().set_data( + ... b"data to encrypt" + ... ).add_recipient( + ... cert + ... ).encrypt( + ... serialization.Encoding.SMIME, options + ... ) + b'...' + + .. method:: set_data(data) + + :param data: The data to be encrypted. + :type data: :term:`bytes-like` + + .. method:: add_recipient(certificate) + + Add a recipient for the message. Recipients will be able to use their private keys + to decrypt the message. This method may be called multiple times to add as many recipients + as desired. + + :param certificate: A :class:`~cryptography.x509.Certificate` for an intended + recipient of the encrypted message. Only certificates with public RSA keys + are currently supported. + + .. method:: encrypt(encoding, options) + + The message is encrypted using AES-128-CBC. The encryption key used is included in + the envelope, encrypted using the recipient's public RSA key. If multiple recipients + are specified, the key is encrypted once with each recipient's public key, and all + encrypted keys are included in the envelope (one per recipient). + + :param encoding: :attr:`~cryptography.hazmat.primitives.serialization.Encoding.PEM`, + :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`, + or :attr:`~cryptography.hazmat.primitives.serialization.Encoding.SMIME`. + + :param options: A list of + :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options`. For + this operation only + :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Text` and + :attr:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7Options.Binary` + are supported. + + :returns bytes: The enveloped PKCS7 message. + + .. class:: PKCS7Options .. versionadded:: 3.2 - An enumeration of options for PKCS7 signature creation. + An enumeration of options for PKCS7 signature and envelope creation. .. attribute:: Text diff --git a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi index f7f9883eb311..a72120a762ec 100644 --- a/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi +++ b/src/cryptography/hazmat/bindings/_rust/pkcs7.pyi @@ -12,6 +12,11 @@ def serialize_certificates( certs: list[x509.Certificate], encoding: serialization.Encoding, ) -> bytes: ... +def encrypt_and_serialize( + builder: pkcs7.PKCS7EnvelopeBuilder, + encoding: serialization.Encoding, + options: typing.Iterable[pkcs7.PKCS7Options], +) -> bytes: ... def sign_and_serialize( builder: pkcs7.PKCS7SignatureBuilder, encoding: serialization.Encoding, diff --git a/src/cryptography/hazmat/bindings/_rust/test_support.pyi b/src/cryptography/hazmat/bindings/_rust/test_support.pyi index ef9f779f2ee9..a53ee25dd752 100644 --- a/src/cryptography/hazmat/bindings/_rust/test_support.pyi +++ b/src/cryptography/hazmat/bindings/_rust/test_support.pyi @@ -13,6 +13,13 @@ class TestCertificate: subject_value_tags: list[int] def test_parse_certificate(data: bytes) -> TestCertificate: ... +def pkcs7_decrypt( + encoding: serialization.Encoding, + msg: bytes, + pkey: serialization.pkcs7.PKCS7PrivateKeyTypes, + cert_recipient: x509.Certificate, + options: list[pkcs7.PKCS7Options], +) -> bytes: ... def pkcs7_verify( encoding: serialization.Encoding, sig: bytes, diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py index bae35c5f5988..97ea9db8e171 100644 --- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py +++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py @@ -12,6 +12,7 @@ import typing from cryptography import utils, x509 +from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat.bindings._rust import pkcs7 as rust_pkcs7 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa @@ -177,7 +178,92 @@ def sign( return rust_pkcs7.sign_and_serialize(self, encoding, options) -def _smime_encode( +class PKCS7EnvelopeBuilder: + def __init__( + self, + *, + _data: bytes | None = None, + _recipients: list[x509.Certificate] | None = None, + ): + from cryptography.hazmat.backends.openssl.backend import ( + backend as ossl, + ) + + if not ossl.rsa_encryption_supported(padding=padding.PKCS1v15()): + raise UnsupportedAlgorithm( + "RSA with PKCS1 v1.5 padding is not supported by this version" + " of OpenSSL.", + _Reasons.UNSUPPORTED_PADDING, + ) + self._data = _data + self._recipients = _recipients if _recipients is not None else [] + + def set_data(self, data: bytes) -> PKCS7EnvelopeBuilder: + _check_byteslike("data", data) + if self._data is not None: + raise ValueError("data may only be set once") + + return PKCS7EnvelopeBuilder(_data=data, _recipients=self._recipients) + + def add_recipient( + self, + certificate: x509.Certificate, + ) -> PKCS7EnvelopeBuilder: + if not isinstance(certificate, x509.Certificate): + raise TypeError("certificate must be a x509.Certificate") + + if not isinstance(certificate.public_key(), rsa.RSAPublicKey): + raise TypeError("Only RSA keys are supported at this time.") + + return PKCS7EnvelopeBuilder( + _data=self._data, + _recipients=[ + *self._recipients, + certificate, + ], + ) + + def encrypt( + self, + encoding: serialization.Encoding, + options: typing.Iterable[PKCS7Options], + ) -> bytes: + if len(self._recipients) == 0: + raise ValueError("Must have at least one recipient") + if self._data is None: + raise ValueError("You must add data to encrypt") + options = list(options) + if not all(isinstance(x, PKCS7Options) for x in options): + raise ValueError("options must be from the PKCS7Options enum") + if encoding not in ( + serialization.Encoding.PEM, + serialization.Encoding.DER, + serialization.Encoding.SMIME, + ): + raise ValueError( + "Must be PEM, DER, or SMIME from the Encoding enum" + ) + + # Only allow options that make sense for encryption + if any( + opt not in [PKCS7Options.Text, PKCS7Options.Binary] + for opt in options + ): + raise ValueError( + "Only the following options are supported for encryption: " + "Text, Binary" + ) + elif PKCS7Options.Text in options and PKCS7Options.Binary in options: + # OpenSSL accepts both options at the same time, but ignores Text. + # We fail defensively to avoid unexpected outputs. + raise ValueError( + "Cannot use Binary and Text options at the same time" + ) + + return rust_pkcs7.encrypt_and_serialize(self, encoding, options) + + +def _smime_signed_encode( data: bytes, signature: bytes, micalg: str, text_mode: bool ) -> bytes: # This function works pretty hard to replicate what OpenSSL does @@ -225,6 +311,23 @@ def _smime_encode( return fp.getvalue() +def _smime_enveloped_encode(data: bytes) -> bytes: + m = email.message.Message() + m.add_header("MIME-Version", "1.0") + m.add_header("Content-Disposition", "attachment", filename="smime.p7m") + m.add_header( + "Content-Type", + "application/pkcs7-mime", + smime_type="enveloped-data", + name="smime.p7m", + ) + m.add_header("Content-Transfer-Encoding", "base64") + + m.set_payload(email.base64mime.body_encode(data, maxlinelen=65)) + + return m.as_bytes(policy=m.policy.clone(linesep="\n", max_line_length=0)) + + class OpenSSLMimePart(email.message.MIMEPart): # A MIMEPart subclass that replicates OpenSSL's behavior of not including # a newline if there are no headers. diff --git a/src/rust/cryptography-x509/src/common.rs b/src/rust/cryptography-x509/src/common.rs index 1816e07896b6..0b9555314224 100644 --- a/src/rust/cryptography-x509/src/common.rs +++ b/src/rust/cryptography-x509/src/common.rs @@ -136,6 +136,16 @@ pub enum AlgorithmParameters<'a> { #[defined_by(oid::HMAC_WITH_SHA256_OID)] HmacWithSha256(asn1::Null), + // Used only in PKCS#7 AlgorithmIdentifiers + // https://datatracker.ietf.org/doc/html/rfc3565#section-4.1 + // + // From RFC 3565 section 4.1: + // The AlgorithmIdentifier parameters field MUST be present, and the + // parameters field MUST contain a AES-IV: + // + // AES-IV ::= OCTET STRING (SIZE(16)) + #[defined_by(oid::AES_128_CBC_OID)] + Aes128Cbc([u8; 16]), #[defined_by(oid::AES_256_CBC_OID)] Aes256Cbc([u8; 16]), diff --git a/src/rust/cryptography-x509/src/pkcs7.rs b/src/rust/cryptography-x509/src/pkcs7.rs index 31c7d097bab2..aff6ee2ad818 100644 --- a/src/rust/cryptography-x509/src/pkcs7.rs +++ b/src/rust/cryptography-x509/src/pkcs7.rs @@ -6,6 +6,7 @@ use crate::{certificate, common, csr, name}; pub const PKCS7_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 1); pub const PKCS7_SIGNED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 2); +pub const PKCS7_ENVELOPED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 3); pub const PKCS7_ENCRYPTED_DATA_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 1, 7, 6); #[derive(asn1::Asn1Write)] @@ -18,6 +19,8 @@ pub struct ContentInfo<'a> { #[derive(asn1::Asn1DefinedByWrite)] pub enum Content<'a> { + #[defined_by(PKCS7_ENVELOPED_DATA_OID)] + EnvelopedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_SIGNED_DATA_OID)] SignedData(asn1::Explicit>, 0>), #[defined_by(PKCS7_DATA_OID)] @@ -56,6 +59,21 @@ pub struct SignerInfo<'a> { pub unauthenticated_attributes: Option>, } +#[derive(asn1::Asn1Write)] +pub struct EnvelopedData<'a> { + pub version: u8, + pub recipient_infos: asn1::SetOfWriter<'a, RecipientInfo<'a>>, + pub encrypted_content_info: EncryptedContentInfo<'a>, +} + +#[derive(asn1::Asn1Write)] +pub struct RecipientInfo<'a> { + pub version: u8, + pub issuer_and_serial_number: IssuerAndSerialNumber<'a>, + pub key_encryption_algorithm: common::AlgorithmIdentifier<'a>, + pub encrypted_key: &'a [u8], +} + #[derive(asn1::Asn1Write)] pub struct IssuerAndSerialNumber<'a> { pub issuer: name::Name<'a>, diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index d9547edb7f4f..45f8855bacf3 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -79,7 +79,7 @@ impl PKCS12Certificate { } } -fn symmetric_encrypt( +pub(crate) fn symmetric_encrypt( py: pyo3::Python<'_>, algorithm: pyo3::Bound<'_, pyo3::PyAny>, mode: pyo3::Bound<'_, pyo3::PyAny>, diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index ba6802aa8f71..40fbd9b97a11 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -6,7 +6,9 @@ use std::borrow::Cow; use std::collections::HashMap; use std::ops::Deref; +use cryptography_x509::common::{AlgorithmIdentifier, AlgorithmParameters}; use cryptography_x509::csr::Attribute; +use cryptography_x509::pkcs7::PKCS7_DATA_OID; use cryptography_x509::{common, oid, pkcs7}; use once_cell::sync::Lazy; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] @@ -18,6 +20,7 @@ use pyo3::IntoPy; use crate::asn1::encode_der_data; use crate::buf::CffiBuf; use crate::error::{CryptographyError, CryptographyResult}; +use crate::pkcs12::symmetric_encrypt; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use crate::x509::certificate::load_der_x509_certificate; use crate::{exceptions, types, x509}; @@ -75,6 +78,90 @@ fn serialize_certificates<'p>( encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding) } +#[pyo3::pyfunction] +fn encrypt_and_serialize<'p>( + py: pyo3::Python<'p>, + builder: &pyo3::Bound<'p, pyo3::PyAny>, + encoding: &pyo3::Bound<'p, pyo3::PyAny>, + options: &pyo3::Bound<'p, pyo3::types::PyList>, +) -> CryptographyResult> { + let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?; + let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?; + let data_with_header = if options.contains(types::PKCS7_BINARY.get(py)?)? { + Cow::Borrowed(raw_data.as_bytes()) + } else { + smime_canonicalize(raw_data.as_bytes(), text_mode).0 + }; + + // The message is encrypted with AES-128-CBC, which the S/MIME v3.2 RFC + // specifies as MUST support (https://datatracker.ietf.org/doc/html/rfc5751#section-2.7) + let key = types::OS_URANDOM.get(py)?.call1((16,))?; + let aes128_algorithm = types::AES128.get(py)?.call1((&key,))?; + let iv = types::OS_URANDOM.get(py)?.call1((16,))?; + let cbc_mode = types::CBC.get(py)?.call1((&iv,))?; + + let encrypted_content = symmetric_encrypt(py, aes128_algorithm, cbc_mode, &data_with_header)?; + + let py_recipients: Vec> = builder + .getattr(pyo3::intern!(py, "_recipients"))? + .extract()?; + + let mut recipient_infos = vec![]; + let padding = types::PKCS1V15.get(py)?.call0()?; + let ka_bytes = cryptography_keepalive::KeepAlive::new(); + for cert in py_recipients.iter() { + // Currently, keys are encrypted with RSA (PKCS #1 v1.5), which the S/MIME v3.2 RFC + // specifies as MUST support (https://datatracker.ietf.org/doc/html/rfc5751#section-2.3) + let encrypted_key = cert + .call_method0(pyo3::intern!(py, "public_key"))? + .call_method1(pyo3::intern!(py, "encrypt"), (&key, &padding))? + .extract::()?; + + recipient_infos.push(pkcs7::RecipientInfo { + version: 0, + issuer_and_serial_number: pkcs7::IssuerAndSerialNumber { + issuer: cert.get().raw.borrow_dependent().tbs_cert.issuer.clone(), + serial_number: cert.get().raw.borrow_dependent().tbs_cert.serial, + }, + key_encryption_algorithm: AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Rsa(Some(())), + }, + encrypted_key: ka_bytes.add(encrypted_key), + }); + } + + let enveloped_data = pkcs7::EnvelopedData { + version: 0, + recipient_infos: asn1::SetOfWriter::new(&recipient_infos), + + encrypted_content_info: pkcs7::EncryptedContentInfo { + content_type: PKCS7_DATA_OID, + content_encryption_algorithm: AlgorithmIdentifier { + oid: asn1::DefinedByMarker::marker(), + params: AlgorithmParameters::Aes128Cbc(iv.extract()?), + }, + encrypted_content: Some(&encrypted_content), + }, + }; + + let content_info = pkcs7::ContentInfo { + _content_type: asn1::DefinedByMarker::marker(), + content: pkcs7::Content::EnvelopedData(asn1::Explicit::new(Box::new(enveloped_data))), + }; + let ci_bytes = asn1::write_single(&content_info)?; + + if encoding.is(&types::ENCODING_SMIME.get(py)?) { + Ok(types::SMIME_ENVELOPED_ENCODE + .get(py)? + .call1((&*ci_bytes,))? + .extract()?) + } else { + // Handles the DER, PEM, and error cases + encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding) + } +} + #[pyo3::pyfunction] fn sign_and_serialize<'p>( py: pyo3::Python<'p>, @@ -256,7 +343,7 @@ fn sign_and_serialize<'p>( .map(|d| OIDS_TO_MIC_NAME[&d.oid()]) .collect::>() .join(","); - Ok(types::SMIME_ENCODE + Ok(types::SMIME_SIGNED_ENCODE .get(py)? .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))? .extract()?) @@ -412,8 +499,8 @@ fn load_der_pkcs7_certificates<'p>( pub(crate) mod pkcs7_mod { #[pymodule_export] use super::{ - load_der_pkcs7_certificates, load_pem_pkcs7_certificates, serialize_certificates, - sign_and_serialize, + encrypt_and_serialize, load_der_pkcs7_certificates, load_pem_pkcs7_certificates, + serialize_certificates, sign_and_serialize, }; } diff --git a/src/rust/src/test_support.rs b/src/rust/src/test_support.rs index 8f4599723680..9b37b6c51056 100644 --- a/src/rust/src/test_support.rs +++ b/src/rust/src/test_support.rs @@ -103,8 +103,55 @@ fn pkcs7_verify( Ok(()) } +#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] +#[pyo3::pyfunction] +#[pyo3(signature = (encoding, msg, pkey, cert_recipient, options))] +fn pkcs7_decrypt<'p>( + py: pyo3::Python<'p>, + encoding: pyo3::Bound<'p, pyo3::PyAny>, + msg: CffiBuf<'p>, + pkey: pyo3::Bound<'p, pyo3::PyAny>, + cert_recipient: pyo3::Bound<'p, PyCertificate>, + options: pyo3::Bound<'p, pyo3::types::PyList>, +) -> CryptographyResult> { + let p7 = if encoding.is(&types::ENCODING_DER.get(py)?) { + openssl::pkcs7::Pkcs7::from_der(msg.as_bytes())? + } else if encoding.is(&types::ENCODING_PEM.get(py)?) { + openssl::pkcs7::Pkcs7::from_pem(msg.as_bytes())? + } else { + openssl::pkcs7::Pkcs7::from_smime(msg.as_bytes())?.0 + }; + + let mut flags = openssl::pkcs7::Pkcs7Flags::empty(); + if options.contains(types::PKCS7_TEXT.get(py)?)? { + flags |= openssl::pkcs7::Pkcs7Flags::TEXT; + } + + let cert_der = asn1::write_single(cert_recipient.get().raw.borrow_dependent())?; + let cert_ossl = openssl::x509::X509::from_der(&cert_der)?; + + let der = types::ENCODING_DER.get(py)?; + let pkcs8 = types::PRIVATE_FORMAT_PKCS8.get(py)?; + let no_encryption = types::NO_ENCRYPTION.get(py)?.call0()?; + let pkey_bytes = pkey + .call_method1( + pyo3::intern!(py, "private_bytes"), + (der, pkcs8, no_encryption), + )? + .extract::()?; + + let pkey_ossl = openssl::pkey::PKey::private_key_from_der(&pkey_bytes)?; + + let result = p7.decrypt(&pkey_ossl, &cert_ossl, flags)?; + + Ok(pyo3::types::PyBytes::new_bound(py, &result)) +} + #[pyo3::pymodule] pub(crate) mod test_support { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] + #[pymodule_export] + use super::pkcs7_decrypt; #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] #[pymodule_export] use super::pkcs7_verify; diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index a6904398dfe8..5a32fa57d135 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -339,9 +339,14 @@ pub static PKCS7_DETACHED_SIGNATURE: LazyPyImport = LazyPyImport::new( &["PKCS7Options", "DetachedSignature"], ); -pub static SMIME_ENCODE: LazyPyImport = LazyPyImport::new( +pub static SMIME_ENVELOPED_ENCODE: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.serialization.pkcs7", - &["_smime_encode"], + &["_smime_enveloped_encode"], +); + +pub static SMIME_SIGNED_ENCODE: LazyPyImport = LazyPyImport::new( + "cryptography.hazmat.primitives.serialization.pkcs7", + &["_smime_signed_encode"], ); pub static PKCS12KEYANDCERTIFICATES: LazyPyImport = LazyPyImport::new( diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 3842fd3ff616..186962eaef73 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -117,7 +117,7 @@ def _load_cert_key(): only_if=lambda backend: backend.pkcs7_supported(), skip_message="Requires OpenSSL with PKCS7 support", ) -class TestPKCS7Builder: +class TestPKCS7SignatureBuilder: def test_invalid_data(self, backend): builder = pkcs7.PKCS7SignatureBuilder() with pytest.raises(TypeError): @@ -834,6 +834,242 @@ def test_add_multiple_additional_certs(self, backend): ) +def _load_rsa_cert_key(): + key = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read(), None, unsafe_skip_rsa_key_validation=True + ), + mode="rb", + ) + cert = load_vectors_from_file( + os.path.join("x509", "custom", "ca", "rsa_ca.pem"), + loader=lambda pemfile: x509.load_pem_x509_certificate(pemfile.read()), + mode="rb", + ) + return cert, key + + +@pytest.mark.supported( + only_if=lambda backend: backend.pkcs7_supported() + and backend.rsa_encryption_supported(padding.PKCS1v15()), + skip_message="Requires OpenSSL with PKCS7 support and PKCS1 v1.5 padding " + "support", +) +class TestPKCS7EnvelopeBuilder: + def test_invalid_data(self, backend): + builder = pkcs7.PKCS7EnvelopeBuilder() + with pytest.raises(TypeError): + builder.set_data("not bytes") # type: ignore[arg-type] + + def test_set_data_twice(self, backend): + builder = pkcs7.PKCS7EnvelopeBuilder().set_data(b"test") + with pytest.raises(ValueError): + builder.set_data(b"test") + + def test_encrypt_no_recipient(self, backend): + builder = pkcs7.PKCS7EnvelopeBuilder().set_data(b"test") + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.SMIME, []) + + def test_encrypt_no_data(self, backend): + cert, _ = _load_rsa_cert_key() + builder = pkcs7.PKCS7EnvelopeBuilder().add_recipient(cert) + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.SMIME, []) + + def test_unsupported_encryption(self, backend): + cert_non_rsa, _ = _load_cert_key() + with pytest.raises(TypeError): + pkcs7.PKCS7EnvelopeBuilder().add_recipient(cert_non_rsa) + + def test_not_a_cert(self, backend): + with pytest.raises(TypeError): + pkcs7.PKCS7EnvelopeBuilder().add_recipient( + b"notacert", # type: ignore[arg-type] + ) + + def test_encrypt_invalid_options(self, backend): + cert, _ = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(b"test").add_recipient(cert) + ) + with pytest.raises(ValueError): + builder.encrypt( + serialization.Encoding.SMIME, + [b"invalid"], # type: ignore[list-item] + ) + + def test_encrypt_invalid_encoding(self, backend): + cert, _ = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(b"test").add_recipient(cert) + ) + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.Raw, []) + + @pytest.mark.parametrize( + "invalid_options", + [ + [pkcs7.PKCS7Options.NoAttributes], + [pkcs7.PKCS7Options.NoCapabilities], + [pkcs7.PKCS7Options.NoCerts], + [pkcs7.PKCS7Options.DetachedSignature], + [pkcs7.PKCS7Options.Binary, pkcs7.PKCS7Options.Text], + ], + ) + def test_encrypt_invalid_encryption_options( + self, backend, invalid_options + ): + cert, _ = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(b"test").add_recipient(cert) + ) + with pytest.raises(ValueError): + builder.encrypt(serialization.Encoding.DER, invalid_options) + + @pytest.mark.parametrize( + "options", + [ + [pkcs7.PKCS7Options.Text], + [pkcs7.PKCS7Options.Binary], + ], + ) + def test_smime_encrypt_smime_encoding(self, backend, options): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.SMIME, options) + assert b"MIME-Version: 1.0\n" in enveloped + assert b"Content-Transfer-Encoding: base64\n" in enveloped + message = email.parser.BytesParser().parsebytes(enveloped) + assert message.get_content_disposition() == "attachment" + assert message.get_filename() == "smime.p7m" + assert message.get_content_type() == "application/pkcs7-mime" + assert message.get_param("smime-type") == "enveloped-data" + assert message.get_param("name") == "smime.p7m" + + payload = message.get_payload(decode=True) + assert isinstance(payload, bytes) + + # We want to know if we've serialized something that has the parameters + # we expect, so we match on specific byte strings of OIDs & DER values. + # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) + assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload + # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) + assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload + # cryptography CA (the recipient's Common Name) + assert ( + b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" + b"\x20\x43\x41" + ) in payload + + decrypted_bytes = test_support.pkcs7_decrypt( + serialization.Encoding.SMIME, + enveloped, + private_key, + cert, + options, + ) + # New lines are canonicalized to '\r\n' when not using Binary + expected_data = ( + data + if pkcs7.PKCS7Options.Binary in options + else data.replace(b"\n", b"\r\n") + ) + assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", + [ + [pkcs7.PKCS7Options.Text], + [pkcs7.PKCS7Options.Binary], + ], + ) + def test_smime_encrypt_der_encoding(self, backend, options): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.DER, options) + + # We want to know if we've serialized something that has the parameters + # we expect, so we match on specific byte strings of OIDs & DER values. + # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) + assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped + # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) + assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped + # cryptography CA (the recipient's Common Name) + assert ( + b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" + b"\x20\x43\x41" + ) in enveloped + + decrypted_bytes = test_support.pkcs7_decrypt( + serialization.Encoding.DER, + enveloped, + private_key, + cert, + options, + ) + # New lines are canonicalized to '\r\n' when not using Binary + expected_data = ( + data + if pkcs7.PKCS7Options.Binary in options + else data.replace(b"\n", b"\r\n") + ) + assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", + [ + [pkcs7.PKCS7Options.Text], + [pkcs7.PKCS7Options.Binary], + ], + ) + def test_smime_encrypt_pem_encoding(self, backend, options): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.PEM, options) + decrypted_bytes = test_support.pkcs7_decrypt( + serialization.Encoding.PEM, + enveloped, + private_key, + cert, + options, + ) + # New lines are canonicalized to '\r\n' when not using Binary + expected_data = ( + data + if pkcs7.PKCS7Options.Binary in options + else data.replace(b"\n", b"\r\n") + ) + assert decrypted_bytes == expected_data + + def test_smime_encrypt_multiple_recipients(self, backend): + data = b"hello world\n" + cert, private_key = _load_rsa_cert_key() + builder = ( + pkcs7.PKCS7EnvelopeBuilder() + .set_data(data) + .add_recipient(cert) + .add_recipient(cert) + ) + enveloped = builder.encrypt(serialization.Encoding.DER, []) + # cryptography CA (the recipient's Common Name) + common_name_bytes = ( + b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" + b"\x70\x68\x79\x20\x43\x41" + ) + assert enveloped.count(common_name_bytes) == 2 + + @pytest.mark.supported( only_if=lambda backend: backend.pkcs7_supported(), skip_message="Requires OpenSSL with PKCS7 support", @@ -921,3 +1157,14 @@ def test_pkcs7_functions_unsupported(self): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): pkcs7.load_pem_pkcs7_certificates(b"nonsense") + + +@pytest.mark.supported( + only_if=lambda backend: backend.pkcs7_supported() + and not backend.rsa_encryption_supported(padding.PKCS1v15()), + skip_message="Requires OpenSSL with no PKCS1 v1.5 padding support", +) +class TestPKCS7EnvelopeBuilderUnsupported: + def test_envelope_builder_unsupported(self, backend): + with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): + pkcs7.PKCS7EnvelopeBuilder() From 6af06f339fa4d8150078c45041b04d124168275b Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 00:15:38 +0000 Subject: [PATCH 850/868] Bump BoringSSL and/or OpenSSL in CI (#11296) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 78fdf4e6c543..60ce535ff902 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} - # Latest commit on the OpenSSL master branch, as of Jul 18, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "cf3d65b8664f11904ad34f21fe78a6694f23ae62"}} + # Latest commit on the OpenSSL master branch, as of Jul 19, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "50066236eb3b31c93aaa935ca38f5cc1ec056696"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From a8cf6b42e9b7b766b9310d841dd85de3bcb9ab5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 07:04:16 -0400 Subject: [PATCH 851/868] Bump cc from 1.1.5 to 1.1.6 in /src/rust (#11297) Bumps [cc](https://github.com/rust-lang/cc-rs) from 1.1.5 to 1.1.6. - [Release notes](https://github.com/rust-lang/cc-rs/releases) - [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.1.5...cc-v1.1.6) --- updated-dependencies: - dependency-name: cc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/cryptography-cffi/Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 93a0cdd29c5a..3b48a8027e9d 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -42,9 +42,9 @@ checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" [[package]] name = "cc" -version = "1.1.5" +version = "1.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "324c74f2155653c90b04f25b2a47a8a631360cb908f92a772695f430c7e31052" +checksum = "2aba8f4e9906c7ce3c73463f62a7f0c65183ada1a2d47e397cc8810827f9694f" [[package]] name = "cfg-if" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 38122b95b75c..1fe7f92e9e7b 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -11,4 +11,4 @@ pyo3 = { version = "0.22.2", features = ["abi3"] } openssl-sys = "0.9.102" [build-dependencies] -cc = "1.1.5" +cc = "1.1.6" From 64acba749db6992e9c8202ea31682b3096cb909c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 07:21:05 -0400 Subject: [PATCH 852/868] Bump setuptools from 71.0.1 to 71.0.3 in /.github/requirements (#11300) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.0.1 to 71.0.3. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.0.1...v71.0.3) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index 2aebb5ca4e6c..cbcfc1f9f731 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.0.1 \ - --hash=sha256:1eb8ef012efae7f6acbc53ec0abde4bc6746c43087fd215ee09e1df48998711f \ - --hash=sha256:c51d7fd29843aa18dad362d4b4ecd917022131425438251f4e3d766c964dd1ad +setuptools==71.0.3 \ + --hash=sha256:3d8531791a27056f4a38cd3e54084d8b1c4228ff9cf3f2d7dd075ec99f9fd70d \ + --hash=sha256:f501b6e6db709818dc76882582d9c516bf3b67b948864c5fa1d1624c09a49207 # via -r build-requirements.in From cf8ac6da9e0974df32d30899db59fe9cc0eec3c3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 07:21:36 -0400 Subject: [PATCH 853/868] Bump sphinx from 7.4.5 to 7.4.6 (#11299) Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 7.4.5 to 7.4.6. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v7.4.5...v7.4.6) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index a8103c276da4..93f6947e2c03 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -109,7 +109,7 @@ ruff==0.5.2 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx -sphinx==7.4.5 +sphinx==7.4.6 # via # cryptography (pyproject.toml) # sphinx-rtd-theme From d6dd0f4ba9d8cd89356741fd003db2527d6ce224 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 11:28:57 +0000 Subject: [PATCH 854/868] Bump ruff from 0.5.2 to 0.5.3 (#11298) Bumps [ruff](https://github.com/astral-sh/ruff) from 0.5.2 to 0.5.3. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](https://github.com/astral-sh/ruff/compare/0.5.2...0.5.3) --- updated-dependencies: - dependency-name: ruff dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 93f6947e2c03..6f668ef05061 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -105,7 +105,7 @@ readme-renderer==43.0 # via cryptography (pyproject.toml) requests==2.32.3 # via sphinx -ruff==0.5.2 +ruff==0.5.3 # via cryptography (pyproject.toml) snowballstemmer==2.2.0 # via sphinx From 5fb13adf97e2fa68e71999e877deafeb80e83645 Mon Sep 17 00:00:00 2001 From: "pyca-boringbot[bot]" <106132319+pyca-boringbot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 00:15:47 +0000 Subject: [PATCH 855/868] Bump BoringSSL and/or OpenSSL in CI (#11301) Co-authored-by: pyca-boringbot[bot] --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 60ce535ff902..71e32e2a3afe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,8 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jul 18, 2024. - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "82f9853fc7d7360ae44f1e1357a6422c5244bbd8"}} - # Latest commit on the OpenSSL master branch, as of Jul 19, 2024. - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "50066236eb3b31c93aaa935ca38f5cc1ec056696"}} + # Latest commit on the OpenSSL master branch, as of Jul 20, 2024. + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "98afa01f3e02fba18f9203b2451113df8f247f7c"}} # Builds with various Rust versions. Includes MSRV and next # potential future MSRV. - {VERSION: "3.12", NOXSESSION: "rust,tests", RUST: "1.65.0"} From 7249ccd5c658e2965909d970cc9735ae7f049d15 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 01:37:48 +0000 Subject: [PATCH 856/868] Bump portable-atomic from 1.6.0 to 1.7.0 in /src/rust (#11302) Bumps [portable-atomic](https://github.com/taiki-e/portable-atomic) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/taiki-e/portable-atomic/releases) - [Changelog](https://github.com/taiki-e/portable-atomic/blob/main/CHANGELOG.md) - [Commits](https://github.com/taiki-e/portable-atomic/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: portable-atomic dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 3b48a8027e9d..7a8f30f51a3c 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -232,9 +232,9 @@ checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" [[package]] name = "portable-atomic" -version = "1.6.0" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0" +checksum = "da544ee218f0d287a911e9c99a39a8c9bc8fcad3cb8db5959940044ecfc67265" [[package]] name = "proc-macro2" From ee24e827fc226ad8dc9edacf3dbe1823602d0a8b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Jul 2024 21:40:16 -0400 Subject: [PATCH 857/868] Bump setuptools from 71.0.3 to 71.0.4 in /.github/requirements (#11304) Bumps [setuptools](https://github.com/pypa/setuptools) from 71.0.3 to 71.0.4. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v71.0.3...v71.0.4) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/requirements/build-requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/requirements/build-requirements.txt b/.github/requirements/build-requirements.txt index cbcfc1f9f731..39b8c2f5bf99 100644 --- a/.github/requirements/build-requirements.txt +++ b/.github/requirements/build-requirements.txt @@ -83,7 +83,7 @@ tomli==2.0.1 \ # via maturin # The following packages are considered to be unsafe in a requirements file: -setuptools==71.0.3 \ - --hash=sha256:3d8531791a27056f4a38cd3e54084d8b1c4228ff9cf3f2d7dd075ec99f9fd70d \ - --hash=sha256:f501b6e6db709818dc76882582d9c516bf3b67b948864c5fa1d1624c09a49207 +setuptools==71.0.4 \ + --hash=sha256:48297e5d393a62b7cb2a10b8f76c63a73af933bd809c9e0d0d6352a1a0135dd8 \ + --hash=sha256:ed2feca703be3bdbd94e6bb17365d91c6935c6b2a8d0bb09b66a2c435ba0b1a5 # via -r build-requirements.in From 2fe32b28b05d8918dda6f7a34e6d9d4148dde818 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 01:42:49 +0000 Subject: [PATCH 858/868] Bump mypy from 1.10.1 to 1.11.0 (#11303) Bumps [mypy](https://github.com/python/mypy) from 1.10.1 to 1.11.0. - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](https://github.com/python/mypy/compare/v1.10.1...v1.11) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 6f668ef05061..818725867f3b 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -52,7 +52,7 @@ jinja2==3.1.4 # via sphinx markupsafe==2.1.5 # via jinja2 -mypy==1.10.1 +mypy==1.11.0 # via cryptography (pyproject.toml) mypy-extensions==1.0.0 # via mypy From a8fcf18ee0bb0570bd4c9041cf387dc7a9c1968a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 13:42:57 +0000 Subject: [PATCH 859/868] Bump openssl-sys from 0.9.102 to 0.9.103 in /src/rust (#11305) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.102 to 0.9.103. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.102...openssl-sys-v0.9.103) --- updated-dependencies: - dependency-name: openssl-sys dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-cffi/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 7a8f30f51a3c..a041c8f77405 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -205,9 +205,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.102" +version = "0.9.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" +checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" dependencies = [ "cc", "libc", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index e3263a9ecbfa..aecbe37fc7f7 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -27,7 +27,7 @@ cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } openssl = "0.10.64" -openssl-sys = "0.9.102" +openssl-sys = "0.9.103" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 1fe7f92e9e7b..f983dbdda143 100644 --- a/src/rust/cryptography-cffi/Cargo.toml +++ b/src/rust/cryptography-cffi/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] pyo3 = { version = "0.22.2", features = ["abi3"] } -openssl-sys = "0.9.102" +openssl-sys = "0.9.103" [build-dependencies] cc = "1.1.6" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index 6a9d6797b982..fadf07cc9e62 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -10,5 +10,5 @@ rust-version.workspace = true asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" openssl = "0.10.64" -openssl-sys = "0.9.102" +openssl-sys = "0.9.103" cryptography-x509 = { path = "../cryptography-x509" } From f66a9c4b4fe9b87825872fef7a36c319b823f322 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 13:44:07 +0000 Subject: [PATCH 860/868] Bump sphinxcontrib-htmlhelp from 2.0.5 to 2.0.6 (#11306) Bumps [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) from 2.0.5 to 2.0.6. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/compare/2.0.5...2.0.6) --- updated-dependencies: - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 818725867f3b..877d26c3f27d 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -126,7 +126,7 @@ sphinxcontrib-applehelp==1.0.8 # via sphinx sphinxcontrib-devhelp==1.0.6 # via sphinx -sphinxcontrib-htmlhelp==2.0.5 +sphinxcontrib-htmlhelp==2.0.6 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme From 4310c8727b50fa5f713a0e863ee3defc0c831921 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 13:44:45 +0000 Subject: [PATCH 861/868] Bump sphinxcontrib-qthelp from 1.0.7 to 1.0.8 (#11307) Bumps [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) from 1.0.7 to 1.0.8. - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinxcontrib-qthelp/compare/1.0.7...1.0.8) --- updated-dependencies: - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ci-constraints-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt index 877d26c3f27d..5470019ce0ef 100644 --- a/ci-constraints-requirements.txt +++ b/ci-constraints-requirements.txt @@ -132,7 +132,7 @@ sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.7 +sphinxcontrib-qthelp==1.0.8 # via sphinx sphinxcontrib-serializinghtml==1.1.10 # via sphinx From ccc66e6cdf92f4c29012f86f44ad183161eccaad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jul 2024 14:07:47 +0000 Subject: [PATCH 862/868] Bump openssl from 0.10.64 to 0.10.65 in /src/rust (#11308) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.64 to 0.10.65. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.65) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index a041c8f77405..fe3398f25393 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -179,9 +179,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.64" +version = "0.10.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" +checksum = "c2823eb4c6453ed64055057ea8bd416eda38c71018723869dd043a3b1186115e" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index aecbe37fc7f7..d58ee9e7ec28 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -26,7 +26,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.64" +openssl = "0.10.65" openssl-sys = "0.9.103" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index fadf07cc9e62..d1f945f961a0 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,6 +9,6 @@ rust-version.workspace = true [dependencies] asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" -openssl = "0.10.64" +openssl = "0.10.65" openssl-sys = "0.9.103" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index f2dc5100e6fd..c0f3f5d72ce1 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] cfg-if = "1" -openssl = "0.10.64" +openssl = "0.10.65" ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" From 2dbdfb8f3913cb9cef08218fcd48a9b4eaa8b57d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 20 Jul 2024 10:49:54 -0400 Subject: [PATCH 863/868] don't assign unused name (#11310) --- tests/hazmat/primitives/test_pkcs7.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 186962eaef73..63641d61d412 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -1054,7 +1054,7 @@ def test_smime_encrypt_pem_encoding(self, backend, options): def test_smime_encrypt_multiple_recipients(self, backend): data = b"hello world\n" - cert, private_key = _load_rsa_cert_key() + cert, _ = _load_rsa_cert_key() builder = ( pkcs7.PKCS7EnvelopeBuilder() .set_data(data) From 42788a0353e0ca0d922b6b8b9bde77cbb1c65984 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 20 Jul 2024 11:05:18 -0400 Subject: [PATCH 864/868] Fix exchange with keys that had Q automatically computed (#11309) fixes #10790 closes #10864 closes #11218 --- docs/development/test-vectors.rst | 4 +++ src/rust/cryptography-key-parsing/src/spki.rs | 8 +----- src/rust/src/backend/dh.rs | 26 ++++--------------- tests/hazmat/primitives/test_dh.py | 10 +++++++ .../asymmetric/DH/dhpub_cryptography_old.pem | 15 +++++++++++ 5 files changed, 35 insertions(+), 28 deletions(-) create mode 100644 vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 4f564d79b24f..c906f611ceff 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -224,6 +224,10 @@ Key exchange * ``vectors/cryptoraphy_vectors/asymmetric/ECDH/brainpool.txt`` contains Brainpool vectors from :rfc:`7027`. +* ``vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem`` + contains a Diffie-Hellman public key generated with a previous version of + ``cryptography``. + X.509 ~~~~~ diff --git a/src/rust/cryptography-key-parsing/src/spki.rs b/src/rust/cryptography-key-parsing/src/spki.rs index 68f2f33e06e3..db4f69d94d10 100644 --- a/src/rust/cryptography-key-parsing/src/spki.rs +++ b/src/rust/cryptography-key-parsing/src/spki.rs @@ -114,13 +114,7 @@ pub fn parse_public_key( let pub_key = openssl::bn::BigNum::from_slice(pub_key_int.as_bytes())?; let dh = dh.set_public_key(pub_key)?; - cfg_if::cfg_if! { - if #[cfg(CRYPTOGRAPHY_IS_LIBRESSL)] { - Ok(openssl::pkey::PKey::from_dh(dh)?) - } else { - Ok(openssl::pkey::PKey::from_dhx(dh)?) - } - } + Ok(openssl::pkey::PKey::from_dh(dh)?) } #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] AlgorithmParameters::DhKeyAgreement(dh_params) => { diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs index 883277e35017..e6cdbb67c7c1 100644 --- a/src/rust/src/backend/dh.rs +++ b/src/rust/src/backend/dh.rs @@ -70,23 +70,6 @@ pub(crate) fn public_key_from_pkey( } } -#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] -fn pkey_from_dh( - dh: openssl::dh::Dh, -) -> CryptographyResult> { - cfg_if::cfg_if! { - if #[cfg(CRYPTOGRAPHY_IS_LIBRESSL)] { - Ok(openssl::pkey::PKey::from_dh(dh)?) - } else { - if dh.prime_q().is_some() { - Ok(openssl::pkey::PKey::from_dhx(dh)?) - } else { - Ok(openssl::pkey::PKey::from_dh(dh)?) - } - } - } -} - #[pyo3::pyfunction] #[pyo3(signature = (data, backend=None))] fn from_der_parameters( @@ -214,7 +197,8 @@ impl DHPrivateKey { let orig_dh = self.pkey.dh().unwrap(); let dh = clone_dh(&orig_dh)?; - let pkey = pkey_from_dh(dh.set_public_key(orig_dh.public_key().to_owned()?)?)?; + let pkey = + openssl::pkey::PKey::from_dh(dh.set_public_key(orig_dh.public_key().to_owned()?)?)?; Ok(DHPublicKey { pkey }) } @@ -322,7 +306,7 @@ impl DHParameters { fn generate_private_key(&self) -> CryptographyResult { let dh = clone_dh(&self.dh)?.generate_key()?; Ok(DHPrivateKey { - pkey: pkey_from_dh(dh)?, + pkey: openssl::pkey::PKey::from_dh(dh)?, }) } @@ -435,7 +419,7 @@ impl DHPrivateNumbers { )); } - let pkey = pkey_from_dh(dh)?; + let pkey = openssl::pkey::PKey::from_dh(dh)?; Ok(DHPrivateKey { pkey }) } @@ -478,7 +462,7 @@ impl DHPublicNumbers { let pub_key = utils::py_int_to_bn(py, self.y.bind(py))?; - let pkey = pkey_from_dh(dh.set_public_key(pub_key)?)?; + let pkey = openssl::pkey::PKey::from_dh(dh.set_public_key(pub_key)?)?; Ok(DHPublicKey { pkey }) } diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index d287d29460ae..c1f847a212a1 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -441,6 +441,16 @@ def test_dh_vectors_with_q(self, backend, vector): assert int.from_bytes(symkey1, "big") == int(vector["z"], 16) assert int.from_bytes(symkey2, "big") == int(vector["z"], 16) + def test_exchange_old_key(self, backend): + k = load_vectors_from_file( + os.path.join("asymmetric", "DH", "dhpub_cryptography_old.pem"), + lambda f: serialization.load_pem_public_key(f.read()), + mode="rb", + ) + assert isinstance(k, dh.DHPublicKey) + # Ensure this doesn't raise. + k.parameters().generate_private_key().exchange(k) + def test_public_key_equality(self, backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "DH", "dhpub.pem"), diff --git a/vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem b/vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem new file mode 100644 index 000000000000..22f9caaa13e0 --- /dev/null +++ b/vectors/cryptography_vectors/asymmetric/DH/dhpub_cryptography_old.pem @@ -0,0 +1,15 @@ +-----BEGIN PUBLIC KEY----- +MIICJTCCARcGCSqGSIb3DQEDATCCAQgCggEBAP//////////yQ/aoiFowjTExmKL +gNwc0SkCTgiKZ8x0Agu+pjsTmyJRSgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVt +bVHCReSFtXZiXn7G9ExC6aY37WsL/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR +7ORbPcIAfLihY78FmNpINhxV05ppFj+o/STPX4NlXSPco62WHGLzViCFUrue1SkH +cJaWbWcMNU5KvJgE8XRsCMoYIXwykF5GLjbOO+OedywYDoY DmyeDouwHoo+1xV3w +b0xSyd4ry/aVWBcYOZVJfOqVauUV0iYYmPoFEBVyjlqKrKpo//////////8CAQID +ggEGAAKCAQEAoely6vSHw+/Q3zGYLaJj7eeQkfd25K8SvtC+FMY9D7jwS4g71pyr +U3FJ98Fi45Wdksh+d4u7U089trF5Xbgui29bZ0HcQZtfHEEz0Mh69tkipCm2/QIj +6eDlo6sPk9hhhvgg4MMGiWKhCtHrub3x1FHdmf7KjOhrGeb5apiudo7blGFzGhZ3 +NFnbff+ArVNd+rdVmSoZn0aMhXRConlDu/44IYe5/24VLl7G+BzZlIZO4P2M83fd +mBOvR13cmYssQjEFTbaZVQvQHa3t0+aywfdCgsXGmTTK6QDCBP8D+vf1bmhEswzs +oYn1GLtJ3VyYyMBPDBomd2ctchZgTzsX1w== +-----END PUBLIC KEY----- + From ebf14f2edc8536f36797979cb0e075e766d978c5 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 20 Jul 2024 09:28:42 -0700 Subject: [PATCH 865/868] bump for 43.0.0 and update changelog (#11311) * bump for 43.0.0 and update changelog * fix nox * fix flake and name better * more noxfile update --- CHANGELOG.rst | 7 +++---- noxfile.py | 13 ++++--------- pyproject.toml | 4 ++-- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 6 files changed, 12 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ea62a5351efd..1dcf602eebf8 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,14 +3,13 @@ Changelog .. _v43-0-0: -43.0.0 - `main`_ -~~~~~~~~~~~~~~~~ - -.. note:: This version is not yet released and is under active development. +43.0.0 - 2024-07-20 +~~~~~~~~~~~~~~~~~~~ * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1e has been removed. Users on older version of OpenSSL will need to upgrade. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8. +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.1. * Updated the minimum supported Rust version (MSRV) to 1.65.0, from 1.63.0. * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key` now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still diff --git a/noxfile.py b/noxfile.py index 91fcb8710eb3..e3eb7274ae5a 100644 --- a/noxfile.py +++ b/noxfile.py @@ -65,8 +65,8 @@ def tests(session: nox.Session) -> None: } ) - install(session, f".[{extras}]") install(session, "-e", "./vectors") + install(session, f".[{extras}]") session.run("pip", "list") @@ -169,6 +169,7 @@ def flake(session: nox.Session) -> None: # TODO: Ideally there'd be a pip flag to install just our dependencies, # but not install us. pyproject_data = load_pyproject_toml() + install(session, "-e", "vectors/") install( session, *pyproject_data["build-system"]["requires"], @@ -177,7 +178,6 @@ def flake(session: nox.Session) -> None: *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], ) - install(session, "-e", "vectors/") session.run("ruff", "check", ".") session.run("ruff", "format", "--check", ".") @@ -254,19 +254,14 @@ def rust(session: nox.Session) -> None: @nox.session(venv_backend="uv") def local(session): pyproject_data = load_pyproject_toml() - test_dependencies = pyproject_data["project"]["optional-dependencies"][ - "test" - ] - test_dependencies.remove("cryptography_vectors") + install(session, "-e", "./vectors") install( session, *pyproject_data["build-system"]["requires"], *pyproject_data["project"]["optional-dependencies"]["pep8test"], - *test_dependencies, + *pyproject_data["project"]["optional-dependencies"]["test"], *pyproject_data["project"]["optional-dependencies"]["ssh"], *pyproject_data["project"]["optional-dependencies"]["nox"], - "-e", - "./vectors/", verbose=False, ) diff --git a/pyproject.toml b/pyproject.toml index 4cfc675e2556..5f1bcc75f511 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -14,7 +14,7 @@ build-backend = "maturin" [project] name = "cryptography" -version = "43.0.0.dev1" +version = "43.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] @@ -64,7 +64,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox"] test = [ - "cryptography_vectors", + "cryptography_vectors==43.0.0", "pytest >=6.2.0", "pytest-benchmark", "pytest-cov", diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 0087b1720f0e..4362aed1edfa 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__version__", ] -__version__ = "43.0.0.dev1" +__version__ = "43.0.0" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 4f859faec08c..8115d70aaaa8 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "43.0.0.dev1" +__version__ = "43.0.0" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 99021511a0cd..c2ae77d2c684 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "43.0.0.dev1" +version = "43.0.0" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] From 6687bab97aef31d6ee6cc94ecc87a972137b5d4a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 21 Jul 2024 10:31:24 -0700 Subject: [PATCH 866/868] Bump openssl from 0.10.65 to 0.10.66 in /src/rust (#11320) (#11324) Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.65 to 0.10.66. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.65...openssl-v0.10.66) --- updated-dependencies: - dependency-name: openssl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- src/rust/Cargo.lock | 4 ++-- src/rust/Cargo.toml | 2 +- src/rust/cryptography-key-parsing/Cargo.toml | 2 +- src/rust/cryptography-openssl/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index fe3398f25393..c5a020fc8f10 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -179,9 +179,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.65" +version = "0.10.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2823eb4c6453ed64055057ea8bd416eda38c71018723869dd043a3b1186115e" +checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" dependencies = [ "bitflags", "cfg-if", diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index d58ee9e7ec28..4a91705de96c 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -26,7 +26,7 @@ cryptography-x509 = { path = "cryptography-x509" } cryptography-x509-verification = { path = "cryptography-x509-verification" } cryptography-openssl = { path = "cryptography-openssl" } pem = { version = "3", default-features = false } -openssl = "0.10.65" +openssl = "0.10.66" openssl-sys = "0.9.103" foreign-types-shared = "0.1" self_cell = "1" diff --git a/src/rust/cryptography-key-parsing/Cargo.toml b/src/rust/cryptography-key-parsing/Cargo.toml index d1f945f961a0..e88e3bc9e691 100644 --- a/src/rust/cryptography-key-parsing/Cargo.toml +++ b/src/rust/cryptography-key-parsing/Cargo.toml @@ -9,6 +9,6 @@ rust-version.workspace = true [dependencies] asn1 = { version = "0.16.2", default-features = false } cfg-if = "1" -openssl = "0.10.65" +openssl = "0.10.66" openssl-sys = "0.9.103" cryptography-x509 = { path = "../cryptography-x509" } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index c0f3f5d72ce1..f340ed87cf53 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -8,7 +8,7 @@ rust-version.workspace = true [dependencies] cfg-if = "1" -openssl = "0.10.65" +openssl = "0.10.66" ffi = { package = "openssl-sys", version = "0.9.101" } foreign-types = "0.3" foreign-types-shared = "0.1" From 0393fef5758e55e3c7b3a3e6e5b77821c594a87f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 2 Sep 2024 20:07:56 -0400 Subject: [PATCH 867/868] Backport setuptools version ban (#11526) * Backport setuptools version ban * Added shorter intro paragraphs to doc comments for clippy (#11492) --- pyproject.toml | 2 +- src/rust/cryptography-x509-verification/src/types.rs | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 5f1bcc75f511..d023c52ad13a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,7 +8,7 @@ requires = [ "cffi>=1.12; platform_python_implementation != 'PyPy'", # Needed because cffi imports distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back. - "setuptools", + "setuptools!=74.0.0,!=74.1.0", ] build-backend = "maturin" diff --git a/src/rust/cryptography-x509-verification/src/types.rs b/src/rust/cryptography-x509-verification/src/types.rs index dfb05b9b52f2..0cd84489e089 100644 --- a/src/rust/cryptography-x509-verification/src/types.rs +++ b/src/rust/cryptography-x509-verification/src/types.rs @@ -10,6 +10,8 @@ use asn1::IA5String; // RFC 2822 3.2.4 static ATEXT_CHARS: &str = "!#$%&'*+-/=?^_`{|}~"; +/// Represents a DNS name can be used in X.509 name matching. +/// /// A `DNSName` is an `asn1::IA5String` with additional invariant preservations /// per [RFC 5280 4.2.1.6], which in turn uses the preferred name syntax defined /// in [RFC 1034 3.5] and amended in [RFC 1123 2.1]. @@ -100,6 +102,9 @@ impl PartialEq for DNSName<'_> { } } +/// Represents either a DNS name or a DNS wildcard for use in X.509 name +/// matching. +/// /// A `DNSPattern` represents a subset of the domain name wildcard matching /// behavior defined in [RFC 6125 6.4.3]. In particular, all DNS patterns /// must either be exact matches (post-normalization) *or* a single wildcard From a7733878281ca261c4ada04022fc706ba5de9d8b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 3 Sep 2024 12:45:08 -0700 Subject: [PATCH 868/868] bump for 43.0.1 (#11533) * bump for 43.0.1 * deny another setuptools version --- CHANGELOG.rst | 7 +++++++ pyproject.toml | 6 +++--- src/cryptography/__about__.py | 2 +- vectors/cryptography_vectors/__about__.py | 2 +- vectors/pyproject.toml | 2 +- 5 files changed, 13 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1dcf602eebf8..bb9043108185 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,13 @@ Changelog ========= +.. _v43-0-1: + +43.0.1 - 2024-09-03 +~~~~~~~~~~~~~~~~~~~ + +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.2. + .. _v43-0-0: 43.0.0 - 2024-07-20 diff --git a/pyproject.toml b/pyproject.toml index d023c52ad13a..e5b801df72c6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,13 +8,13 @@ requires = [ "cffi>=1.12; platform_python_implementation != 'PyPy'", # Needed because cffi imports distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back. - "setuptools!=74.0.0,!=74.1.0", + "setuptools!=74.0.0,!=74.1.0,!=74.1.1", ] build-backend = "maturin" [project] name = "cryptography" -version = "43.0.0" +version = "43.0.1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] @@ -64,7 +64,7 @@ ssh = ["bcrypt >=3.1.5"] # All the following are used for our own testing. nox = ["nox"] test = [ - "cryptography_vectors==43.0.0", + "cryptography_vectors==43.0.1", "pytest >=6.2.0", "pytest-benchmark", "pytest-cov", diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 4362aed1edfa..d224b2fc6f24 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__version__", ] -__version__ = "43.0.0" +__version__ = "43.0.1" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 8115d70aaaa8..fb1bc4d96169 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "43.0.0" +__version__ = "43.0.1" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index c2ae77d2c684..23f52fcadba4 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "43.0.0" +version = "43.0.1" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ]