10000 Comparing 42.0.3...42.0.4 · pyca/cryptography · GitHub
[go: up one dir, main page]
Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: pyca/cryptography
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 42.0.3
Choose a base ref
...
head repository: pyca/cryptography
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 42.0.4
Choose a head ref
  • 4 commits
  • 11 files changed
  • 3 contributors

Commits on Feb 18, 2024

  1. backport actions m1 switch to 42.0.x (#10415) 

    * Check to see if we can use the hosted M1 runners (#10340)

* Stop pretending to be x64 on M1 in CI (#10341)

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
    @reaperhulk @alex
    reaperhulk and alex authored Feb 18, 2024
    Configuration menu
    Copy the full SHA
    df314bb View commit details
    Browse the repository at this point in the history

Commits on Feb 19, 2024

  1. Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#… 

    …10423) (#10425)
    @alex
    alex authored Feb 19, 2024
    Configuration menu
    Copy the full SHA
    7a4d012 View commit details
    Browse the repository at this point in the history

Commits on Feb 21, 2024

  1. Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442) 

    * Fix ASN.1 for S/MIME capabilities.

The current implementation defines the SMIMECapabilities attribute
so that its value is a SEQUENCE of all the algorithm OIDs that are
supported.
However, the S/MIME v3 spec (RFC 2633) specifies that each algorithm
should be specified in its own SEQUENCE:

SMIMECapabilities ::= SEQUENCE OF SMIMECapability

SMIMECapability ::= SEQUENCE {
   capabilityID OBJECT IDENTIFIER,
   parameters ANY DEFINED BY capabilityID OPTIONAL }

(RFC 2633, Appendix A)

This commit changes the implementation so that each algorithm
is inside its own SEQUENCE. This also matches the OpenSSL
implementation.

* Fix the RSA OID used for signing PKCS#7/SMIME

The current implementation computes the algorithm identifier used
in the `digest_encryption_algorithm` PKCS#7 field
(or `SignatureAlgorithmIdentifier` in S/MIME) based on both the
algorithm used to sign (e.g. RSA) and the digest algorithm (e.g. SHA512).

This is correct for ECDSA signatures, where the OIDs used include the
digest algorithm (e.g: ecdsa-with-SHA512). However, due to historical
reasons, when signing with RSA the OID specified should be the one
corresponding to just RSA ("1.2.840.113549.1.1.1" rsaEncryption),
rather than OIDs which also include the digest algorithm (such as
"1.2.840.113549.1.1.13", sha512WithRSAEncryption).

This means that the logic to compute the algorithm identifier is the
same except when signing with RSA, in which case the OID will always
be `rsaEncryption`. This is consistent with the OpenSSL implementation,
and the RFCs that define PKCS#7 and S/MIME.

See RFC 3851 (section 2.2), and RFC 3370 (section 3.2) for more details.

* Add tests for the changes in PKCS7 signing

* PKCS7 fixes from code review

* Update CHANGELOG

Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
    @alex @facutuesca
    alex and facutuesca authored Feb 21, 2024
    Configuration menu
    Copy the full SHA
    aaa2dd0 View commit details
    Browse the repository at this point in the history

  2. Bump for 42.0.4 release (#10445)

    @alex
    alex authored Feb 21, 2024
    Configuration menu
    Copy the full SHA
    fe18470 View commit details
    Browse the repository at this point in the history
Loading
0